Commit

docs: Add explanation on User-Assigned Managed Identities in ALZ policies to FAQ (#1874)
jtracey93 authored Dec 20, 2024
1 parent 27cc654 commit 1ef2893
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions docs/wiki/ALZ-Policies-FAQ.md
@@ -12,6 +12,14 @@ We've had a number of issues and pull requests submitted specifically around the
The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates.

### Why does ALZ not promote the usage of User-Assigned Managed Identities for Policy Assignments?

Whilst User-Assigned Managed Identities for Policy Assignments are now supported, there are a number of reasons why ALZ does not promote the usage of them.

The primary risk is that the User-Assigned Managed Identity created and used for one or more policy assignments is an over-permissioned identity; both in terms of RBAC roles it has assigned to it and also the scope/s that it has been assigned to. With the focus on least privilege and zero trust security principles, we believe in ALZ that the use of a User-Assigned Managed Identity for policy assignments is not the best practice and instead you should continue to use the system-assigned managed identity for your Azure policy assignments.

Not only does using a system-assigned managed identity for policy assignments reduce the risk of over-permissioning, but it also reduces the complexity of managing the identity and its RBAC permissions and assignments as the lifecycle of the system-assigned managed identity is managed by Azure policy automatically with the lifecycle of the policy assignment it is associated with.

### Diagnostic Settings v2 (December 2023)

There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.
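Review bot: the second added paragraph names the over-permissioning risk but leaves the reasoning implicit; say directly why a User-Assigned Managed Identity that is "created and used for one or more policy assignments" tends to become over-permissioned (a shared identity has to carry every RBAC role and every scope that any of those assignments needs, whereas a system-assigned identity belongs to a single assignment and, as the third paragraph notes, follows that assignment's lifecycle), and link the Azure Policy documentation behind "are now supported" so readers can check the feature's current constraints for themselves. Minor: "scope/s" reads better as "scopes", and since the following FAQ heading carries a date (`### Diagnostic Settings v2 (December 2023)`), consider adding one to this new heading for consistency.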