Hello @Mattias Jorstedt
Thank you for reaching out. I would like to confirm the following points:
- In the case of RBAC, any role that is assigned to the Subscription or Resource Group flows down and is inherited by all the resources that come under that specific Subscription or Resource Group.
- I don't think there is any way available to block this inheritance, as this is by design: RBAC roles will flow down from the top level to the bottom level based on where the RBAC role is applied.
- For more details on scope and the hierarchical structure of Azure resources, you can review the following document: Understand scope for Azure RBAC.
- The only way you can block certain users is by using "Deny Assignments", where you can specify that certain users may not perform certain tasks on a particular resource.
- You can read more on Deny Assignments in the following article: List Azure deny assignments using the Azure portal.
I hope this answer helps to resolve your issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
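As an added example (not from this thread or from Microsoft's documentation), the following Az PowerShell check lists what actually applies to one resource: every role assignment, flagged as inherited when its scope is the parent resource group or subscription, plus any deny assignments in effect there, so you can see whether a deny assignment covers the inherited access. It assumes the Az.Resources module is installed, `Connect-AzAccount` has been run, and the resource ID placeholder is replaced with a real one.

```powershell
# Placeholder resource ID (replace with the real resource you are checking).
$resourceId = '/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/<account-name>'

function Get-EffectiveAccessReport {
    param([Parameter(Mandatory)][string]$Scope)

    # Get-AzRoleAssignment at a scope returns the assignments made directly at
    # that scope plus every assignment inherited from the parent scopes.
    $assignments = Get-AzRoleAssignment -Scope $Scope

    $roleRows = foreach ($a in $assignments) {
        [pscustomobject]@{
            Principal = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
            Type      = $a.ObjectType
            Role      = $a.RoleDefinitionName
            Scope     = $a.Scope
            # An assignment whose scope is not the resource itself reached it by inheritance.
            Inherited = ($a.Scope -ne $Scope)
        }
    }

    # Deny assignments that apply at this scope, directly or from a parent scope.
    $denies = Get-AzDenyAssignment -Scope $Scope

    $denyRows = foreach ($d in $denies) {
        [pscustomobject]@{
            Name                  = $d.DenyAssignmentName
            Scope                 = $d.Scope
            Principals            = (@($d.Principals | ForEach-Object { $_.DisplayName }) -join ', ')
            Actions               = (@($d.Actions) -join ', ')
            NotActions            = (@($d.NotActions) -join ', ')
            # A deny assignment can be created so that it does not flow to child scopes.
            DoNotApplyToChildren  = $d.DoNotApplyToChildScopes
            Inherited             = ($d.Scope -ne $Scope)
        }
    }

    [pscustomobject]@{ RoleAssignments = $roleRows; DenyAssignments = $denyRows }
}

$report = Get-EffectiveAccessReport -Scope $resourceId
'Role assignments in effect (Inherited = True means it came from the resource group or subscription):'
$report.RoleAssignments | Format-Table Principal, Type, Role, Inherited, Scope -AutoSize
'Deny assignments in effect at this resource:'
$report.DenyAssignments | Format-Table Name, Principals, Actions, DoNotApplyToChildren, Inherited -AutoSize
```

If the deny-assignment table is empty while inherited role assignments are present, nothing at this resource is blocking the access that flows down from the parent scope.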
I guess it is possible as per the screenshot in the following documentation: List deny assignments; however, the question is whether it would block inherited access?
I assume the answer is no, since the inherited access would flow from the parent resource to all child resources, as that's the design; however, you can try to create a deny assignment for a specific user first to check if it works.
From all the reading I have done, I have found that it is not possible to use deny assignments in any configurable way. You can deploy resources with an Azure Blueprint and set do-not-delete or read-only locking, locking out other permissions, but there is no way to construct a JSON or something else to block certain roles totally. You might be able to create a storage account using managed apps, but that seems to be such a complicated workaround to stop inherited accesses.