Azure Policy not denying Custom Role creation

再見小時候 2021-01-25 03:40

I am currently helping investigate adopting Azure for my organization's public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being

1 answer
  •  有刺的猬
    2021-01-25 04:03

    It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Authorization/roleDefinitions/type",
                "equals": "CustomRole"
              },
              {
                "field": "Microsoft.Authorization/roleDefinitions/type",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
    

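The gap the answer describes, as an added example that is not part of the original answer: a simplified Python model of the policy `if` evaluation (not Azure's policy engine) run over constructed request payloads. The equals-only baseline rule, the payload shapes, and the mapping of the alias to `properties.type` are assumptions made for illustration.

```python
# Simplified model of Azure Policy condition evaluation (illustrative, not Azure's engine).
ROLE_DEF = "Microsoft.Authorization/roleDefinitions"
ALIAS = ROLE_DEF + "/type"

def resolve(resource, field):
    """Return (exists, value). Assumption: the alias maps to properties.<last segment>."""
    if field == "type":
        return "type" in resource, resource.get("type")
    props = resource.get("properties", {})
    prop = field.rsplit("/", 1)[-1]
    return prop in props, props.get(prop)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    exists, value = resolve(resource, cond["field"])
    if "exists" in cond:
        return exists == (str(cond["exists"]).lower() == "true")
    # "equals": a missing field never matches; compared case-insensitively in this model
    return exists and str(value).lower() == str(cond["equals"]).lower()

def denies(rule, resource):
    return rule["then"]["effect"].lower() == "deny" and matches(rule["if"], resource)

is_role_def = {"field": "type", "equals": ROLE_DEF}
is_custom = {"field": ALIAS, "equals": "CustomRole"}
type_missing = {"field": ALIAS, "exists": "false"}

# Assumed baseline: a rule that only tests for "CustomRole".
EQUALS_ONLY = {"if": {"allOf": [is_role_def, is_custom]}, "then": {"effect": "Deny"}}
# The rule from the answer: also deny when the role "type" field is absent.
ANSWER_RULE = {"if": {"allOf": [is_role_def, {"anyOf": [is_custom, type_missing]}]},
               "then": {"effect": "Deny"}}

# Constructed request payloads (not captured from Azure).
WITH_TYPE = {"type": ROLE_DEF, "properties": {"roleName": "example-custom", "type": "CustomRole"}}
WITHOUT_TYPE = {"type": ROLE_DEF, "properties": {"roleName": "example-custom"}}
BUILTIN = {"type": ROLE_DEF, "properties": {"roleName": "Reader", "type": "BuiltInRole"}}
OTHER = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}

def compare():
    """Map each payload name to (denied by EQUALS_ONLY, denied by ANSWER_RULE)."""
    payloads = {"with_type": WITH_TYPE, "without_type": WITHOUT_TYPE,
                "builtin": BUILTIN, "other": OTHER}
    return {n: (denies(EQUALS_ONLY, p), denies(ANSWER_RULE, p)) for n, p in payloads.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13} equals_only={result[0]!s:5} answer_rule={result[1]}")
```

In this model the payload without a role `type` passes the equals-only rule and is denied only once the `exists` branch is added, while built-in roles and other resource types remain unaffected.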