Can we block or warn against all deployment attempts initiated via “Deploy to Azure” buttons or external ARM/Bicep templates

Hi Julius Holmberg,

Thanks for posting your question in Microsoft Q&A forum

Yes, you can restrict or warn against deployments initiated via the Deploy to Azure buttons or external ARM/Bicep templates using Azure Policy. It allows you to set rules to enforce compliance across Azure resources. For your specific scenario, you can use Azure Policy to restrict the deployment of resources through "Deploy to Azure" buttons or external templates while still allowing internal, portal-based deployments.

1.Utilize Azure Policy: Creating a custom Azure Policy can help you block those undesired deployment methods while permitting legitimate internal ones. Here's a high-level overview of the steps:

• Access Azure Policy: Go to the Azure portal and select Azure Policy from the services menu.
• Create a Custom Policy: Go to Definitions > Policy Definition. Input a Display Name (e.g., "Block External Deployments"). Set the Policy Type to Custom and Mode to Indexed.
• Define conditions in the Policy Rule section to specify which deployment methods to block. For instance, you may want to check the source of the deployment based on fields in the request.
• Here’s a sample policy rule

{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/deployments" },
      { "field": "source", "notEquals": "InternalPortal" } // Example condition
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Refer document: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage

• Assign the Policy: After creating your policy, assign it to the relevant scope (subscription or resource group).
• Test and Monitor: Conduct tests to ensure the policy behaves as expected and adjust based on the results.

Refer:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-azure-button

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview

I hope this helps do let me know if you have any questions on this

Thank you for your reply.

This solution doesn't work for us. It seems that the Buttons use regular deployment sources/types.

Therefor we cannot exclude any deployment method without causing negative consequences in other ways. We use all the same deployment methods as the buttons do, deploying from Code, Azure DevOps, Pipeline, PowerShell and so on. See all sources/types below.

Microsoft.Resources/deployments

• Portal – When the deployment is performed via the Azure Portal.
• InternalPortal – Internal processes within the portal (e.g., certain automated operations).
• Template – When the deployment is performed using an ARM template.
• Policy – When the deployment is triggered by an Azure Policy (remediation).
• DevOps – When the deployment is performed via an Azure DevOps pipeline.
• PowerShell – When the deployment is performed using Azure PowerShell.
• CLI – When the deployment is performed using Azure CLI.
• REST – When the deployment is performed via the REST API.
• Terraform – When the deployment is performed using Terraform (via AzAPI or ARM).
• Bicep – When the deployment is performed using Bicep (compiled to ARM but sometimes tracked separately).
• SDK – When the deployment is performed using an SDK (e.g., .NET, Python).

Hello Julius Holmberg, your observation is correct and highlights a key challenge in deployment governance with Azure. The fact that Deploy to Azure buttons, DevOps pipelines, portal deployments, PowerShell, CLI, REST API, Terraform, Bicep, SDK, and Policy-based remediations all generate deployments under the same umbrella Microsoft.Resources/deployments with only the deployment source type differing, makes it practically impossible to selectively block or warn on just certain external deployment methods like buttons without affecting many others.