Channel: Azure Management Portal forum

Applying RBAC and Policy with a Department Scope?

We have an Azure EA model in place which consists of several different Departments managed by different teams. We need to delegate permissions to those teams to manage all the resources created under their Department.

The people acting as Department admins need to set up RBAC and Azure Policy that are automatically inherited by every subscription created by any Account Owner in their Department. The problem is that:

  • Department Admins get zero permissions automatically on any new subscription to apply this themselves
  • Permissions at the Root level are inherited to new subscriptions but this applies to all subs in all departments
  • There doesn't seem to be any way to use a Department or even Account Owners as a scope (at least not that I've found)

We want to enable Account Owners who can create their own Subscriptions, Management Group structure etc., but we also need to be able to enforce RBAC/Policy settings on every subscription they add.

If the Account Owner, and anyone else that is given the Owner role, has to be instructed to manually move all their subscriptions to a Management Group where we've applied a Policy (and never move them out) for those restrictions to actually apply, it kind of defeats the purpose.

How can we enable Department Admins to define RBAC and Policies which can be applied to their scope?

Thanks

Regards,

Chris

