Adding RBAC constrained delegation parameters and guidance in the roleAssignment modules (#816)

* add rbac constrained delegation guidance * Refactor role assignment condition code generation * Generate Parameter Markdowns [sebassem/cfa6355d] * update parameters files * Refactor role assignment condition code generation * Generate Parameter Markdowns [sebassem/cfa6355d] * Refactor role assignment condition code generation * reduce condition parameter description * Generate Parameter Markdowns [sebassem/cfa6355d] * Refactor role assignment condition code generation * Generate Parameter Markdowns [sebassem/cfa6355d] --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
2024-08-01 18:55:51 +03:00 · 2024-08-01 18:55:51 +03:00 · 2a32d0b051
--- a/infra-as-code/bicep/modules/roleAssignments/README.md
+++ b/infra-as-code/bicep/modules/roleAssignments/README.md
@ -183,3 +183,38 @@ New-AzManagementGroupDeployment @inputObject
 ### Many Resource Group Role Assignments

 ![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments")
+
+## Role assignment delegation
+
+For each module, you can add a role assignment condition to securely delegate role assignments to others. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: (Owner, User Access Administrator and Role Based Access Control Administrator). To generate the condition code:
+
+- Create a role assignemnt with a condition from the portal for the privileged role that will be assigned.
+- Select the code view from the advanced editor and copy the condition's code.
+- Remove all newlines from the condition code.
+- Escape any single quote using a backslash (only in Bicep, no need in JSON parameters file).
+
+Example:
+
+```json
+"parRoleAssignmentNameGuid": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleDefinitionId": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parAssigneePrincipalType": {
+    "value": "ServicePrincipal"
+},
+"parAssigneeObjectId": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleAssignmentCondition": {
+    "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+},
+"parRoleAssignmentConditionVersion": {
+    "value": "2.0"
+},
+"parTelemetryOptOut": {
+    "value": false
+}
+```
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parRoleAssignmentNameGuid

@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parManagementGroupIds

@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parRoleAssignmentNameGuid

@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parResourceGroupIds

@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parRoleAssignmentNameGuid

@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
+++ b/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'

 ### parSubscriptionIds

@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry

 - Default value: `False`

+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets

 ### Parameter file
@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
        },
        "parTelemetryOptOut": {
            "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
        }
    }
 }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
@ -14,6 +14,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
@ -14,6 +14,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
@ -14,6 +14,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
@ -17,6 +17,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
@ -17,6 +17,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
@ -17,6 +17,12 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
@ -14,8 +14,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
@ -17,8 +17,14 @@
    "parAssigneeObjectId": {
      "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
    "parTelemetryOptOut": {
      "value": false
    }
  }
-}
+}
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep
@ -22,6 +22,12 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
 // Customer Usage Attribution Id
 var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'

@ -31,6 +37,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01'
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
    principalId: parAssigneeObjectId
    principalType: parAssigneePrincipalType
+    condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }

--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
@ -22,6 +22,12 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
 module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: {
  name: 'rbac-assign-${uniqueString(parManagementGroupId, parAssigneeObjectId, parRoleDefinitionId)}'
  scope: managementGroup(parManagementGroupId)
@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagem
    parAssigneePrincipalType: parAssigneePrincipalType
    parRoleDefinitionId: parRoleDefinitionId
    parTelemetryOptOut: parTelemetryOptOut
+    parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }]
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep
@ -20,6 +20,13 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
+
 // Customer Usage Attribution Id
 var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'

@ -29,6 +36,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
    principalId: parAssigneeObjectId
    principalType: parAssigneePrincipalType
+    condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }

--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep
@ -22,6 +22,12 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
 module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGroupId in parResourceGroupIds: {
  name: 'rbac-assign-${uniqueString(resourceGroupId, parAssigneeObjectId, parRoleDefinitionId)}'
  scope: resourceGroup(split(resourceGroupId, '/')[0], split(resourceGroupId, '/')[1])
@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGrou
    parAssigneePrincipalType: parAssigneePrincipalType
    parRoleDefinitionId: parRoleDefinitionId
    parTelemetryOptOut: parTelemetryOptOut
+    parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }]
--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
@ -22,6 +22,12 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
 // Customer Usage Attribution Id
 var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'

@ -31,6 +37,8 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
    principalId: parAssigneeObjectId
    principalType: parAssigneePrincipalType
+    condition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    conditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }

--- a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
@ -22,6 +22,12 @@ param parAssigneeObjectId string
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false

+@sys.description('The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.')
+param parRoleAssignmentCondition string = ''
+
+@sys.description('Role assignment condition version. Currently the only accepted value is \'2.0\'')
+param parRoleAssignmentConditionVersion string = '2.0'
+
 module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: {
  name: 'rbac-assign-${uniqueString(subscriptionId, parAssigneeObjectId, parRoleDefinitionId)}'
  scope: subscription(subscriptionId)
@ -31,5 +37,7 @@ module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionI
    parAssigneePrincipalType: parAssigneePrincipalType
    parRoleDefinitionId: parRoleDefinitionId
    parTelemetryOptOut: parTelemetryOptOut
+    parRoleAssignmentCondition: !empty(parRoleAssignmentCondition) ? parRoleAssignmentCondition : null
+    parRoleAssignmentConditionVersion: !empty(parRoleAssignmentCondition) ? parRoleAssignmentConditionVersion : null
  }
 }]