Is it possible to remove inherited permission for a storage account

Mattias Jorstedt 20 Reputation points


I have a subscription <my-subscription> in that subscription I have a few owners and some contributors. I would like to create a new storage account that only the owners of the subscription and two defined ad-groups (one read, one write) have access to.

I cannot find a way to remove the inherited accesses of the contributors. I have looked in to deny assignments but that does not seem to be right for me. Is there a way to remove access to the new storage account for the roles who are not owners.

Best regards,

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,679 questions
0 comments No comments
{count} votes

Accepted answer
  1. Harpreet Singh Matharoo 7,476 Reputation points Microsoft Employee

    Hello @Mattias Jorstedt

    Thank you for reaching out. I would like to confirm that following points:

    • in case of RBAC, any role that is assigned to the Subscription or Resource Group, that flows down and gets inherited to all the resources, that comes under that specific Subscription or Resource Group.
    • I don't think there is any way available to block this inheritance as this is by design and RBAC roles will flow down from the top to bottom level based on where the RBAC role is applied.
    • For more details on Scope and Hierarchical structure for Azure Resources you can review following document: Understand scope for Azure RBAC.
    • Only way you can block certain users is by using "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.
    • You can read more on Deny Assignments on following article: List Azure deny assignments using the Azure portal.

    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful