Create the policy at the root level to lock or unlock an Azure account. As an Azure administrator, lock an Azure subscription, resource group, or resource to avoid accidental deletions and modifications.
Procedure

- Sign in to the Azure organization.
- Search for and select Users.
- Under the user name list, select a user.
- From the navigation pane, select Assigned roles.
- Under the Administrative roles, add the Global Administrator role by selecting Add Assignments.
- Enter Microsoft Entra ID in the search box and select .
- Under Access Management for Azure resources, set the toggle to Yes.
  Using this option, you can manage access to all Azure subscriptions and management groups in this tenant.
- Search for and select Policy.
- Select + Policy definition.
- Enter the following:
  - Select the tenant root group using the ellipsis on Definition location.
    You can select either a management group or a subscription. If you select the tenant root group, all child subscriptions can also be managed.
  - Enter the name of the policy definition. For example, LockAccount_policy.
  - The description of what the policy definition is intended to do.
  - Under POLICY RULE, copy the following JSON code:
```json
{
  "properties": {
    "displayName": "CAM_LockAccount_Policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "Blocks the creation of resources and configurations that fall under Azure Policy enforcement.",
    "parameters": {
      "allowedResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed Resource Types",
          "description": "List of resource types that are allowed for creation. Any resource type not listed here will be blocked.",
          "strongType": "resourceTypes"
        },
        "defaultValue": []
      },
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed Locations",
          "description": "List of allowed Azure regions for resource creation."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "not": {
              "field": "type",
              "in": "[parameters('allowedResourceTypes')]"
            }
          },
          {
            "not": {
              "field": "location",
              "in": "[parameters('allowedLocations')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```
- Select Save.
Note: To verify that the policy was created, go to Policy Definitions. Change the Scope and Policy type filters to find the policy.
- Select the policy name and copy the Definition ID.
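The rule above denies any request whose resource type or region is missing from the allow lists, so with the empty default values the scope is locked, and the account is unlocked by assigning the definition with populated parameters. The following added example (not part of the original page or of Azure Policy itself) is a small evaluator for exactly this rule's `anyOf`/`not`/`in` conditions, using a constructed copy of the definition's parameters and rule, so you can check what a given request would get before assigning the policy.

```python
# Constructed, trimmed copy of the policy definition above: only the parts
# the evaluator needs (parameter defaults and the policyRule).
POLICY = {
    "parameters": {
        "allowedResourceTypes": {"defaultValue": []},
        "allowedLocations": {"defaultValue": []},
        "effect": {"defaultValue": "Deny"},
    },
    "policyRule": {
        "if": {"anyOf": [
            {"not": {"field": "type", "in": "[parameters('allowedResourceTypes')]"}},
            {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

def resolve(value, params):
    """Resolve a "[parameters('name')]" reference; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """Evaluate the subset of Azure Policy conditions this rule uses.
    Field comparisons are case-insensitive, as in Azure Policy."""
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "in" in cond:
        allowed = [v.lower() for v in resolve(cond["in"], params)]
        return resource.get(cond["field"], "").lower() in allowed
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, assignment_params=None):
    """Return 'Deny' or 'Audit' when the rule matches, else 'Allow'.
    assignment_params mimics the values set on the policy assignment;
    an effect of 'Disabled' means the rule is not enforced."""
    params = {k: v["defaultValue"] for k, v in POLICY["parameters"].items()}
    params.update(assignment_params or {})
    rule = POLICY["policyRule"]
    effect = resolve(rule["then"]["effect"], params)
    if effect == "Disabled" or not matches(rule["if"], resource, params):
        return "Allow"
    return effect

if __name__ == "__main__":
    req = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"}
    print(evaluate(req))  # Deny: default allow lists are empty (locked)
    unlock = {"allowedResourceTypes": [req["type"]], "allowedLocations": ["eastus"]}
    print(evaluate(req, unlock))  # Allow: both type and region are listed
```

The request dict is a constructed stand-in for the `type` and `location` fields Azure Policy reads from a resource request; the real evaluation runs in Azure Resource Manager at the scope where the definition is assigned.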