Is it possible to limit root user to access certain resource group or subscription

Yugesh KC 21 Reputation points
2022-11-25T01:47:59.523+00:00
  • An organization has a tenant account with a single subscription
  • They deploy a service separately to each of their clients
  • After the handover of the project:
    • The org. could only access the deployed service after the approval of the client
    • The org. wants to bill their clients separately based on their usage (e.g. storage usage)

My question is

  1. Is it possible to limit the root user's access to a certain subscription or RG?
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

1 answer

  1. Alistair Ross 7,101 Reputation points Microsoft Employee
    2022-11-25T11:06:14.833+00:00

    Hi @Yugesh KC

    If a user is provided with access at a management group / subscription or resource group level, their permissions are inherited for all child objects underneath it. Therefore if a user is granted owner rights at the root management group, they have owner rights across everything.
    https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

    Using this model assumes that you have granted people explicit permissions. One way around this is to build your access model using privileged identity management. Using this method you can build a granular permissions model that only allows a user or group of users permissions to perform actions over Azure AD or Azure Resources for a limited time and scope. Also you can extend this out, so people have to approve the permissions first, such as making the client a member of the approvers group.

    Depending on your business model, however you are being billed, costs can be aggregated by management group, subscriptions, resources, etc., and you can work out the chargeback internally. There is also the Microsoft Partner Agreement billing for multiple billing accounts, which may suit your requirements. https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/mpa-overview

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards

    Alistair
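To make the inheritance rule in the answer concrete, the following is an added Python model (not Azure's API and not code from the answer) of how a role assignment at a management group, subscription, or resource group scope flows down to every child scope, plus a check that lists assignments sitting at the tenant root. The management group name, subscription id, resource group names and principal names are constructed placeholders.

```python
"""Illustrative model of Azure RBAC scope inheritance (constructed sample data)."""
from dataclasses import dataclass

# Constructed hierarchy: tenant root management group -> subscription -> resource groups.
# Scope strings follow the real Azure scope format; the ids and names are placeholders.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/tenant-root-placeholder"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_CLIENT_A = f"{SUB}/resourceGroups/client-a"
RG_CLIENT_B = f"{SUB}/resourceGroups/client-b"

# child scope -> parent scope; the root management group has no parent
PARENT = {SUB: ROOT_MG, RG_CLIENT_A: SUB, RG_CLIENT_B: SUB}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user or group
    role: str       # e.g. Owner, Contributor, Reader
    scope: str      # scope the role was assigned at


def ancestors(scope):
    """Yield the scope itself and each parent scope up to the tenant root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def effective_roles(assignments, principal, scope):
    """Roles a principal holds at `scope`, including roles inherited from any ancestor scope.

    This is the inheritance the answer describes: an assignment at a parent applies
    to every child, and nothing assigned lower down can remove it.
    """
    chain = set(ancestors(scope))
    return {a.role for a in assignments if a.principal == principal and a.scope in chain}


def root_level_assignments(assignments):
    """Assignments made at the tenant root management group.

    These reach every subscription and resource group in the tenant, so they are the
    ones to review when the goal is to keep an administrator out of a client's scope.
    """
    return [a for a in assignments if a.scope == ROOT_MG]


# Constructed sample: one Owner at the root, one Contributor scoped to a single client RG.
SAMPLE = [
    Assignment("org-admin", "Owner", ROOT_MG),
    Assignment("org-deployer", "Contributor", RG_CLIENT_A),
]
```

Running `effective_roles(SAMPLE, "org-admin", RG_CLIENT_B)` returns Owner even though nothing was assigned on that resource group, while the deployer scoped to client-a gets nothing on client-b.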