diff --git a/modules/iam/README.md b/modules/iam/README.md
index 850794d5..4d499679 100644
--- a/modules/iam/README.md
+++ b/modules/iam/README.md
@@ -23,6 +23,7 @@ No modules.
| [azurerm_role_assignment.function_app_key_vault_secrets_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.function_app_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.function_app_scale_set_machine_owner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.join_sg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.join_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.key_vault_set_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.logic_app_standard_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -37,6 +38,7 @@ No modules.
| [azurerm_role_assignment.storage_account_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.storage_blob_data_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.weka_tar_data_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.join_sg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
| [azurerm_role_definition.join_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
| [azurerm_role_definition.key_vault_set_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
| [azurerm_user_assigned_identity.function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
@@ -66,6 +68,7 @@ No modules.
| [obs\_container\_name](#input\_obs\_container\_name) | The name of the container for the OBS. | `string` | n/a | yes |
| [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes |
| [rg\_name](#input\_rg\_name) | A predefined resource group in the Azure subscription. | `string` | n/a | yes |
+| [sg\_id](#input\_sg\_id) | Security group id | `string` | `""` | no |
| [subnet\_name](#input\_subnet\_name) | The name of the subnet. | `string` | n/a | yes |
| [support\_logic\_app](#input\_support\_logic\_app) | Enable support for logic app. | `bool` | `true` | no |
| [tiering\_enable\_obs\_integration](#input\_tiering\_enable\_obs\_integration) | Enable OBS integration for tiering. | `bool` | n/a | yes |
diff --git a/modules/iam/function_app.tf b/modules/iam/function_app.tf
index e5d11571..4e229bae 100644
--- a/modules/iam/function_app.tf
+++ b/modules/iam/function_app.tf
@@ -121,3 +121,26 @@ resource "azurerm_role_assignment" "join_subnet" {
role_definition_id = azurerm_role_definition.join_subnet[0].role_definition_resource_id
principal_id = azurerm_user_assigned_identity.function_app[0].principal_id
}
+
+resource "azurerm_role_definition" "join_sg" {
+ count = var.function_app_identity_name == "" && var.rg_name != var.vnet_rg_name && var.sg_id != "" ? 1 : 0
+ name = "${var.prefix}-${var.cluster_name}-join-sg"
+ scope = var.sg_id
+ description = "Can join security group"
+
+ permissions {
+ actions = [
+ "Microsoft.Network/networkSecurityGroups/join/action",
+ ]
+ not_actions = []
+ }
+
+ assignable_scopes = [var.sg_id]
+}
+
+resource "azurerm_role_assignment" "join_sg" {
+ count = var.function_app_identity_name == "" && var.rg_name != var.vnet_rg_name && var.sg_id != "" ? 1 : 0
+ scope = var.sg_id
+ role_definition_id = azurerm_role_definition.join_sg[0].role_definition_resource_id
+ principal_id = azurerm_user_assigned_identity.function_app[0].principal_id
+}
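Review bot: The three-term gate `var.function_app_identity_name == "" && var.rg_name != var.vnet_rg_name && var.sg_id != ""` is pasted verbatim into both the `azurerm_role_definition.join_sg` count and the `azurerm_role_assignment.join_sg` count; if one copy is later edited the assignment's `azurerm_role_definition.join_sg[0]` reference breaks at plan time, so the condition should live in one `local` that both resources consume. The resource is correctly scoped to the single NSG (scope and `assignable_scopes` are both `var.sg_id`, and the only action is `networkSecurityGroups/join/action`), which is the least-privilege shape worth a comment so nobody widens it to the resource group later. The reason the role is only created when `rg_name` differs from `vnet_rg_name` is not stated; presumably the identity already has enough rights in its own resource group, which is worth a one-line comment above the local. `join_subnet` in the hunk header starts outside the hunk, so the same refactor could apply to it but is not shown here.
```terraform
locals {
  # Custom join role is only needed when the NSG lives in a different
  # resource group than the cluster and we manage the function app identity.
  create_join_sg_role = var.function_app_identity_name == "" && var.rg_name != var.vnet_rg_name && var.sg_id != ""
}

resource "azurerm_role_definition" "join_sg" {
  count = local.create_join_sg_role ? 1 : 0
  # … unchanged: name, scope, description, permissions, assignable_scopes …
}

resource "azurerm_role_assignment" "join_sg" {
  count = local.create_join_sg_role ? 1 : 0
  # … unchanged: scope, role_definition_id, principal_id …
}
```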
diff --git a/modules/iam/variables.tf b/modules/iam/variables.tf
index b35652f6..bfb3cd0f 100644
--- a/modules/iam/variables.tf
+++ b/modules/iam/variables.tf
@@ -18,6 +18,12 @@ variable "subnet_name" {
description = "The name of the subnet."
}
+variable "sg_id" {
+ type = string
+ description = "Security group id"
+ default = ""
+}
+
variable "prefix" {
type = string
description = "Prefix for all resources"
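Review bot: `sg_id` is used directly as the `scope` and `assignable_scopes` of a role definition, yet the variable accepts any string; a short name or a subnet/VNet ID instead of a full NSG resource ID would only fail at apply time, after the role definition call reaches Azure. A `validation` block that accepts either the empty default or an ID ending in `/providers/Microsoft.Network/networkSecurityGroups/<name>` catches that at plan time (Azure resource IDs are case-insensitive, hence the `(?i)` flag). The description "Security group id" should also say what the ID is for and that empty disables the role, e.g. `Resource ID of the network security group the function app identity must be allowed to join; leave empty to skip creating the join role.`
```terraform
variable "sg_id" {
  type        = string
  description = "Resource ID of the network security group the function app identity must be allowed to join; leave empty to skip creating the join role."
  default     = ""

  validation {
    condition     = var.sg_id == "" || can(regex("(?i)/providers/Microsoft\\.Network/networkSecurityGroups/[^/]+$", var.sg_id))
    error_message = "sg_id must be empty or a full network security group resource ID."
  }
}
```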
diff --git a/prerequisites.tf b/prerequisites.tf
index d96e69d3..6dbe874d 100644
--- a/prerequisites.tf
+++ b/prerequisites.tf
@@ -28,6 +28,7 @@ module "iam" {
vnet_rg_name = local.vnet_rg_name
vnet_name = local.vnet_name
subnet_name = local.subnet_name
+ sg_id = var.sg_id
vmss_identity_name = var.vmss_identity_name
function_app_identity_name = var.function_app_identity_name
support_logic_app = local.create_logic_app
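Review bot: `sg_id = var.sg_id` references a root-module variable, but this diff only declares `sg_id` inside `modules/iam/variables.tf`; unless a root-level `variable "sg_id"` already exists outside the shown files, `terraform plan` will fail with an undeclared-variable error. If it does exist, it should carry the same default and validation as the module variable so an empty or malformed value is rejected once at the root rather than deep in the iam module. The `module "iam"` block starts outside the hunk.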