Hi
Any role that is assigned to the subscription, that flows down and gets inherited to all the resources, that comes under that subscription. Similarly, any role on a Resource Group, gets inherited to all the resources, within that Resource Groups. There is no way to block this inheritance as this is by design and RBAC roles will flow down from the top to bottom level based on where the RBAC role is applied.
One thing that can be done is to use "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.
Hope this helps,
Thanks
Michael Durkan
- If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!