How to Limit Contributor Role But Allow Creation of New Resources

Christopher Davis 1 Reputation point
2022-12-05T15:43:41.15+00:00

I have a situation with contractors. As it stands right now, we give them the Contributor role over an entire subscription. This works for now so that they can create all the resources they need dynamically. However, long-term this seems like a fairly big security weakness.

My question is, how can I give these developers all of the Contributor actions but limit them to say a resource group?

Here's the problem though, these contractors will need the action to create a VM, disks, blobs etc. on the fly, such that any new resources they create will be auto added to the resource group they have contributor access over. Here's the other predicament: if they create a VM, perhaps they may need to create a managed identity for that VM that has certain permissions.

Does anyone have any idea how I could accomplish this?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-12-07T02:01:38.783+00:00

    Hi @Christopher Davis ,

    As a best practice, users should have the least-privileged access to Azure resources. This implies giving the least privileged role at the narrowest scope possible. If you still want to keep the contributor role assigned to your users, your solution of assigning the role at the resource group scope is a good one.

    One option would be to assign Read permission at the Subscription level, so that all Resources/Resource Groups in that subscription are visible to the members of the group. Then you could grant Contributor permissions to the group at Resource/Resource Group level so that the group members can only update/change specific Resources/Resource Groups. You could apply these permissions to multiple groups.

    Another option would be to create a custom RBAC role to provide read-only access to specific resources so that they would by default be able to update everything except the resources you want to restrict. https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-example

    Alternatively, we have the Azure Deny Assignments, which can be used to deny specific actions over specific Azure resources (Understand Azure deny assignments - Azure RBAC | Microsoft Learn). However, these need to be created through Azure Blueprints for resources deployed as part of the blueprint.

    Additional resources:

    Grant user access to resources
    Azure Resource Group Access
    Assign Contributor Role only to certain resource groups / resources


    If the information helped you please Accept the answer. This will help us and other community members as well.

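To make the Reader-at-subscription plus Contributor-at-resource-group layout from this answer concrete, here is a small Python model (added example code, not Microsoft's and not from the thread) that resolves a request the way Azure RBAC does: assignments inherit down the scope hierarchy, `*` wildcards in action strings, NotActions subtract from Actions, and a deny assignment overrides every role assignment. The role definitions are abbreviated subsets of the built-in Reader and Contributor roles, and the subscription and resource group IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)

@dataclass
class Assignment:          # a role assignment or, with deny=True, a deny assignment
    principal: str
    scope: str             # resource ID; applies to this scope and everything beneath it
    role: Role
    deny: bool = False

def action_matches(pattern: str, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' matches any run of characters
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def in_scope(assigned: str, target: str) -> bool:
    # An assignment at /subscriptions/x covers /subscriptions/x/resourceGroups/y and below
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def role_grants(role: Role, action: str) -> bool:
    # A role grants an action if some Actions entry matches and no NotActions entry does
    return (any(action_matches(p, action) for p in role.actions)
            and not any(action_matches(p, action) for p in role.not_actions))

def is_allowed(principal: str, action: str, scope: str, assignments) -> bool:
    relevant = [a for a in assignments if a.principal == principal and in_scope(a.scope, scope)]
    if any(a.deny and role_grants(a.role, action) for a in relevant):
        return False                      # deny assignments win over any role assignment
    return any(not a.deny and role_grants(a.role, action) for a in relevant)

# Abbreviated built-in role definitions: only the entries this example needs
READER = Role("Reader", ["*/read"])
CONTRIBUTOR = Role("Contributor", ["*"], ["Microsoft.Authorization/*/Write",
                                          "Microsoft.Authorization/*/Delete",
                                          "Microsoft.Authorization/elevateAccess/Action"])
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed placeholder
RG = SUB + "/resourceGroups/contractors-rg"                    # constructed placeholder

CONTRACTOR_ASSIGNMENTS = [
    Assignment("contractor", SUB, READER),       # can see the whole subscription
    Assignment("contractor", RG, CONTRIBUTOR),   # can create/change resources only in this RG
]
```

Because Contributor's NotActions exclude `Microsoft.Authorization/*/Write`, this layout lets a contractor create a managed identity inside the resource group but not grant it any role; that step needs a separate, resource-group-scoped assignment (for example User Access Administrator or a custom role).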

  2. Rafal Kostrzynski 1 Reputation point
    2023-07-11T12:49:45.25+00:00

    Hi,
    I'm in need of creating a custom role with permissions allowing only the following operations within the subscription:

    • Create a new Resource Group
    • Create a new Key Vault
    • Create a new Application Insights

    Is it possible to limit the scope of the role to the above tasks?

