Block user from being able to create Azure resources

Question

Block user from being able to create Azure resources

Peter Calvache 0

Through my administrator account I have created a new user via Azure Entra ID, intended for a new employee of our company. The problem is that this new user, when logging into Azure portal, is able to add resources to our Azure subscription (Azure Virtual Machines, etc.), and view the configuration of our Azure resources.

I have previously set up access control for the Azure subscription such that only my administrator account has Owner access to it -- no other account should have access. The new employee account should only be able to access their Azure virtual desktop (via Bastion), but should not be able to view or change anything through the Azure portal.

How can we set up the user in this manner, e.g. maximally restrictive access with only access to their Azure Virtual Desktop via Bastion? Thank you in advance for your help!

Mounika Reddy Anumandla 6,925 Reputation points Microsoft External Staff Moderator

2024-09-16T04:37:32.41+00:00

Hi Peter Calvache,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Just checking in to see if the below answer provided by Luis Arias helped.

If this answers your query, do click **Answer** and **Upvote** for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Mounika Reddy Anumandla 6,925 Reputation points Microsoft External Staff Moderator

2024-09-16T04:37:32.41+00:00

Hi Peter Calvache,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Just checking in to see if the below answer provided by Luis Arias helped.

If this answers your query, do click **Answer** and **Upvote** for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Hi Peter,

To restrict the new user’s access to only their Azure Virtual Desktop via Bastion, I can suggest you first to check current access role of this new user by using check permission on the subscription level. In Azure portal > go to subscription > click on your subscription > click on check access and write the user name.

User's image

Once you get the role assgiment of the user you can click on each role assigment and remove the user, except the reader role to keep the permission to only read the subscription.

Here more information if you want to dig into (https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal )

Now you can add the role Virtual Machine User Login to enable access remotly to the virtual machine:

Navigate to the specific Azure Virtual Desktop (the virtual machine).
Select Access control (IAM) > Add role assignment.
Choose the Virtual Machine User Login role and assign it to the new user. This role allows the user to log in to the virtual machine.

Additional references:

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Regards,

Luis

Share via

Block user from being able to create Azure resources

1 answer

Your answer