How to prevent user from deploying Bicep file to Azure via CLI?

Architekt 70 Reputation points

I created a Bicep file that I intended to use only by myself or someone with say the right privileges that I explicitly granted. I login via the CLI: az login, choose my account, and deploy my script, in this case, via the command:

az deployment tenant create --name "redacted" --location eastus --template-file main.bicep --parameters main.parameters.json

Obviously, that works as I'm the global admin and gave myself Owner permission over the root tenant /.

However, I wanted to test out whether or not a "normal" user could do the same thing. The goal is to prevent say an employee or whatever person without the right permissions from being able to also deploy said file.

So, I logged out, then did an "az login" with my test user account that I created in MS365 for business (which creates a user account in Azure AD). When I chose the test account to login with, the response was "No subscriptions found for..." which makes sense. HOWEVER, to my dismay, I found I was able to actually execute the above deployment command. I verified that it deployed and succeeded via my admin account.

So how would I go about preventing certain users from being able to deploy in certain situations? Like in this case, I don't want them to be able to deploy, but maybe down the line they'll have a personal project that they should be able to deploy with? If I view the user in Azure AD, it doesn't show any assigned roles (which is good).

I currently am using Management Groups (in fact that's what the above file deploys is a base set of them) and use role access to limit what groups of users have what permissions to which MG and this test user is not part of any of them.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,854 questions
{count} votes