Understanding Azure Deny Assignments


The purpose of a deny assignment is to attach a set of deny actions to a user, group, or service principal at a particular scope, similar to a role assignment, in order to deny access. Azure deny assignments are used to block users from performing particular Azure resource operations even when a role assignment grants them access.

Overview of Azure Deny Assignments

In Azure, “deny assignments” are a type of access control feature that allows you to restrict access to certain resources in your Azure environment. Deny assignments are used to prevent specific users or groups from accessing a particular resource or resource group, even if they have been granted permission to do so through other means, such as an allow assignment.

Deny assignments work by specifying a set of deny rules that apply to a particular resource or resource group. These rules can be based on a variety of criteria, including user or group membership, IP address, or other attributes. When a user or group attempts to access a resource that is covered by a deny rule, the access request is automatically denied, regardless of any other permissions they may have.

Deny assignments can be useful in a variety of scenarios, such as when you need to restrict access to sensitive data or resources, or when you want to enforce compliance with regulatory requirements or company policies. They can also be used in conjunction with allow assignments to create a more fine-grained access control strategy.

One important thing to keep in mind when working with deny assignments is that they can be complex to manage and troubleshoot, particularly when you are dealing with multiple rules or overlapping permissions. It is therefore important to carefully plan your access control strategy and regularly review your deny assignments to ensure that they are still meeting your needs.

Steps to Create Deny Assignments

Here are the steps to create deny assignments in Azure:

  1. Identify the resource or resource group that you want to restrict access to.
  2. Navigate to the Access Control (IAM) tab for that resource or resource group in the Azure portal.
  3. Click the “Add” button to add a new role assignment.
  4. Select the role that you want to assign. This can be a built-in Azure role or a custom role that you have created.
  5. In the “Assign access to” section, select the user or group that you want to assign the role to. This can be a specific user or group, or you can use a service principal.
  6. In the “Add a condition” section, click “Add” to add a new deny assignment.
  7. Select the type of condition that you want to add. This can include things like IP address range, user or group membership, or specific tags.
  8. Specify the details of the condition, such as the IP address range or the name of the user or group.
  9. Click “Add” to add the deny assignment to the role assignment.
  10. Review the details of the role assignment and click “Create” to save the changes.

Once you have created the deny assignment, it will take effect immediately and users or groups that match the conditions of the deny rule will be prevented from accessing the specified resource or resource group. You can modify or remove the deny assignment at any time by navigating to the Access Control (IAM) tab for the resource or resource group and editing the role assignment.

All Principals

All Principals is a system-defined principal introduced to support deny assignments. All Principals represents every user, group, service principal, and managed identity in an Azure AD directory. Therefore, if the principal ID is the zero GUID 00000000-0000-0000-0000-000000000000 and the principal type is SystemDefined, the principal represents all principals. Note that All Principals can be combined with ExcludePrincipals to deny all principals except some users.

Limitations of All Principals:

  • Can be used only in Principals and cannot be used in ExcludePrincipals.
  • Principals[i].Type must be set to SystemDefined.

Properties of Deny Assignments

Each property is listed with whether it is required, its type, and its meaning:

  • DenyAssignmentName (required; String): the display name of the deny assignment. Names must be unique for a given scope.
  • Description (optional; String): the description of the deny assignment.
  • Permissions.Actions (String[]; at least one of Actions or DataActions is required): an array of strings that specify the management operations to which the deny assignment blocks access.
  • Permissions.NotActions (optional; String[]): an array of strings that specify the management operations to exclude from the deny assignment.
  • Permissions.DataActions (String[]; at least one of Actions or DataActions is required): an array of strings that specify the data operations to which the deny assignment blocks access.
  • Permissions.NotDataActions (optional; String[]): an array of strings that specify the data operations to exclude from the deny assignment.
  • Scope (optional; String): a string that specifies the scope that the deny assignment applies to.
  • DoNotApplyToChildScopes (optional; Boolean): specifies whether the deny assignment applies to child scopes. Default value is false.
  • Principals[i].Id (required; String[]): an array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to the empty GUID 00000000-0000-0000-0000-000000000000 to represent all principals.
  • Principals[i].Type (optional; String[]): an array of object types represented by Principals[i].Id. Set to SystemDefined to represent all principals.
  • ExcludePrincipals[i].Id (optional; String[]): an array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply.
  • ExcludePrincipals[i].Type (optional; String[]): an array of object types represented by ExcludePrincipals[i].Id.
  • IsSystemProtected (optional; Boolean): specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected.
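To make the All Principals rules and the properties above concrete, here is an added Python model (written for this page, not Azure's own authorization code) of how a deny assignment is evaluated: an action is denied when the caller is in Principals (including the All Principals zero GUID) but not in ExcludePrincipals, the target scope is the assignment's scope or a child of it unless DoNotApplyToChildScopes is set, and the action matches Actions (or DataActions) without matching NotActions (or NotDataActions). The sample assignment, the subscription and group IDs, and the caller IDs are all constructed placeholders.

```python
import fnmatch

ALL_PRINCIPALS_ID = "00000000-0000-0000-0000-000000000000"  # zero GUID from the table
ADMIN_GROUP_ID = "aaaaaaaa-0000-0000-0000-000000000001"     # constructed placeholder

# Constructed sample in the shape of the properties table: deny every VM management
# action except read on a resource group and its children, to All Principals minus one admin group.
SAMPLE_DENY = {
    "DenyAssignmentName": "deny-vm-changes-rg-prod",
    "Permissions": {
        "Actions": ["Microsoft.Compute/virtualMachines/*"],
        "NotActions": ["Microsoft.Compute/virtualMachines/read"],
    },
    "Scope": "/subscriptions/SUB-ID/resourceGroups/rg-prod",
    "DoNotApplyToChildScopes": False,
    "Principals": [{"Id": ALL_PRINCIPALS_ID, "Type": "SystemDefined"}],
    "ExcludePrincipals": [{"Id": ADMIN_GROUP_ID, "Type": "Group"}],
}

def _matches(action, patterns):
    # Action strings are case-insensitive and may use '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(deny, target_scope):
    deny_scope = deny["Scope"].rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    if target == deny_scope:
        return True
    if deny.get("DoNotApplyToChildScopes", False):
        return False  # child scopes explicitly excluded
    return target.startswith(deny_scope + "/")

def _covers_principal(deny, caller_ids):
    # caller_ids: the caller's object ID plus the IDs of the groups it belongs to.
    ids = {i.lower() for i in caller_ids}
    if any(p["Id"].lower() in ids for p in deny.get("ExcludePrincipals", [])):
        return False  # ExcludePrincipals wins over Principals
    return any((p["Id"] == ALL_PRINCIPALS_ID and p.get("Type") == "SystemDefined")
               or p["Id"].lower() in ids for p in deny["Principals"])

def is_denied(deny, caller_ids, scope, action, data_action=False):
    # True if this deny assignment blocks `action` for the caller at `scope`:
    # in scope, principal covered, action matches (Data)Actions but not Not(Data)Actions.
    if not _in_scope(deny, scope) or not _covers_principal(deny, caller_ids):
        return False
    perms = deny["Permissions"]
    deny_key, not_key = ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    return _matches(action, perms.get(deny_key, [])) and not _matches(action, perms.get(not_key, []))
```

Because the real service applies deny assignments after role assignments, a True result here means the operation fails even when the caller holds Owner or Contributor on the same scope.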

AZ-104 Exam Practice Questions

Question: You are a cloud administrator for a company and want to ensure that a specific group of users cannot create new resources in a specific resource group in Azure. Which Azure feature can you use to achieve this?

A) Azure Resource Locks

B) Azure Policy

C) Azure Role-Based Access Control (RBAC) with Deny Assignments

D) Azure Blueprint

Answer: C) Azure Role-Based Access Control (RBAC) with Deny Assignments. Deny Assignments allow you to block specific actions on a specific scope, such as a resource group, which is what is needed in this scenario.

Question: You have an Azure subscription that is used by multiple departments in your organization. You want to ensure that one particular department cannot deploy resources with a specific tag. Which Azure feature can you use to achieve this?

A) Azure Resource Locks

B) Azure Policy with Deny Assignments

C) Azure Role-Based Access Control (RBAC)

D) Azure Blueprint

Answer: B) Azure Policy with Deny Assignments. Azure Policy allows you to define and enforce policies that can help you meet organizational or regulatory compliance goals. Deny Assignments can be used in conjunction with policies to prevent certain actions, such as deploying resources with a specific tag.

Question: You are a security analyst for a company and need to ensure that all virtual machines in your Azure environment are encrypted using Azure Disk Encryption. However, you want to make sure that the owner of a virtual machine can still access the disk if necessary. Which Azure feature can you use to achieve this?

A) Azure Resource Locks

B) Azure Policy

C) Azure Role-Based Access Control (RBAC)

D) Azure Deny Assignments

Answer: D) Azure Deny Assignments. Deny Assignments can be used to prevent unauthorized access to virtual machine disks while still allowing the owner to access them. By creating a Deny Assignment that denies the “Microsoft.Compute/virtualMachines/encrypt/action” action for everyone except the owner of the virtual machine, only the owner can encrypt or decrypt the virtual machine disk, but others are denied access.

Question: You are a cloud administrator for a company and need to ensure that certain users cannot access a particular Azure resource. Which Azure feature can you use to achieve this?

A) Azure Resource Locks

B) Azure Policy with Deny Assignments

C) Azure Role-Based Access Control (RBAC) with Deny Assignments

D) Azure Blueprint

Answer: C) Azure Role-Based Access Control (RBAC) with Deny Assignments. Deny Assignments can be used in conjunction with RBAC to prevent certain users from accessing a particular Azure resource by denying the “Microsoft.Authorization/*/read” action for the group of users.

Question: You have a critical Azure resource that should never be deleted accidentally. Which Azure feature can you use to prevent deletion of this resource?

A) Azure Resource Locks

B) Azure Policy

C) Azure Role-Based Access Control (RBAC)

D) Azure Deny Assignments

Answer: A) Azure Resource Locks. Resource Locks allow you to lock a resource to prevent accidental deletion or modification. By applying a lock to the critical Azure resource, it cannot be deleted accidentally, even by authorized users.

Reference: Microsoft Documentation
