Share via

Subscription level access change on individual azure resource

MyAzQuery 171 Reputation points
2022-09-14T09:41:49.33+00:00

in Azure, if a user has say contributor access over the subscription , then he will automatically have contributor access on all the resources in the subscription... but is it possible for us to remove contributor access only on 1 azure resource like for example on resource guard ?

How to achieve this ?

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
979 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alistair Ross 7,466 Reputation points Microsoft Employee
    2022-09-14T11:07:26.513+00:00

    Hello

    Azure RBAC permissions are inherited and the combination of all permissions a user is assigned at a particular scope. You cannot exclude a specific permission at a lower scope (for example a resource).

    If you want to exclude access to particular resources, then create them in a different container which the user doesn't have that level of access to. (For example if the user has contributor permissions on the subscription, put the other resources in a different subscription). Further information can be found in our best practices.

    A better approach would be using the zero trust principals and not grant that user explicit write permissions to the subscription, instead add it as an eligible permission in Azure Privileged Identity Manager and enforce approvals for the requested scope. (For example they may be eligible for contributor at the subscription level, but request access at a resource group)

    kind regards

    Alistair Ross

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.