Azure Account Access Best Practices

Dean Everhart 1,541 Reputation points
2023-05-24T16:11:36.58+00:00

What is the best way to give a vendor access to work on an Azure website account?
I.e., is there a way of granting a vendor access apart from the account owner access?


Accepted answer
  1. VenkateshDodda-MSFT 24,951 Reputation points Microsoft Employee Moderator
    2023-05-25T06:37:40.85+00:00

    @Dean Everhart Thanks for reaching out to Microsoft Q&A, and apologies for any inconvenience caused.

    "What is the best way to give access to a vendor to work on Azure website account?" Does that mean giving external customers access to the App Service that is hosted on your subscription? If yes, you need to follow the steps below:

    1. Sign in to the Azure portal with your account owner credentials.
    2. Then add those vendors as guest users in your Azure Active Directory by inviting them, as mentioned here.
    3. Once those external vendors have accepted the invitation, navigate to the resource group or resources that the vendor needs access to.
    4. Click on the "Access control (IAM)" tab.
    5. Click on the "+ Add" button and select "Add role assignment" (if you want to add a built-in RBAC role) or select "Add Custom role" (if you want to add a custom role).
    6. In the "Add role assignment" pane, select the role that you want to assign to the vendor.
    • For App Service, we have the built-in RBAC role Website Contributor, which will allow the specific users to perform any of the below operations.

    • Instead of giving contributor access, if you want to limit the user's access to read/write/start/stop of the web app, then you need to create custom roles by selecting the appropriate resource provider operations listed here.

    7. In the "Assign access to" section, select "User, group, or service principal".
    8. Enter the email address of the vendor's Microsoft account or the service principal's application ID.
    9. Click on the "Save" button to assign the role to the vendor.

    Feel free to reach back to me if you have any further questions on this.


1 additional answer

  1. Sreeju Nair 12,666 Reputation points
    2023-05-25T11:49:08.7766667+00:00

    It is recommended to provide access to the Vendor to your Azure tenant as a guest user. See the below link to learn how to assign guest users in your account.

    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal

    Once you add the guest users, you can give fine-grained access control to that user. The following is a good read in this regard.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

    I recommend that you follow the principle of giving least privileges while granting the permissions.

    Hope this helps
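
A check on the outcome of the steps in the two answers above, added here as an example and not written by either answerer: it takes role assignments in the shape that `az role assignment list --all -o json` returns and flags guest (vendor) accounts that hold a broad built-in role or a scope wider than a resource group. The sample assignments, vendor addresses and all-zero subscription ID are constructed, and the list of roles treated as too broad is an assumption to adjust.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID

# Constructed sample: the fields of `az role assignment list --all -o json`
# that the check uses. Guest (B2B) accounts carry "#EXT#" in principalName.
SAMPLE = [
    {"principalName": "dev_vendor.example#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Website Contributor", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "ops_vendor.example#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "qa_vendor.example#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "admin@contoso.onmicrosoft.com",
     "roleDefinitionName": "Owner", "scope": SUB},
]

# Built-in roles that grant far more than App Service management (assumed list).
BROAD_ROLES = {"owner", "contributor", "user access administrator"}
# A scope with nothing after the subscription ID covers every resource group in it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)

def is_guest(assignment):
    return "#EXT#" in assignment.get("principalName", "").upper()

def audit(assignments):
    """Return (principal, role, scope, reasons) for each over-privileged guest."""
    findings = []
    for a in assignments:
        if not is_guest(a):
            continue  # member accounts are outside this vendor check
        role, scope = a["roleDefinitionName"], a["scope"]
        reasons = []
        if role.lower() in BROAD_ROLES:
            reasons.append("broad built-in role")
        if (scope == "/" or SUBSCRIPTION_SCOPE.match(scope)
                or scope.lower().startswith("/providers/microsoft.management/")):
            reasons.append("scope above resource group")
        if reasons:
            findings.append((a["principalName"], role, scope, reasons))
    return findings

if __name__ == "__main__":
    for name, role, scope, reasons in audit(SAMPLE):
        print(f"{name}: {role} at {scope} -> {', '.join(reasons)}")
```

The guest with Website Contributor on a single resource group passes; the other two guests are reported, and the member Owner is ignored because the check only covers vendor accounts.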

