Access Control (IAM) - Subscription

Ricardo Rinaldi 20 Reputation points

Hello! When I assign a role in a subscription, it is inherited by all resources in the subscription. But what if I want a particular resource to not have said permission, which appears as inherited in the "Scope"? Is it possible to do this?

Or is every role I assign in a subscription inherited by all resources in that subscription?

Thank you so much.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Accepted answer
  1. Michael Durkan 11,521 Reputation points MVP


    Any role that is assigned to the subscription flows down and gets inherited by all the resources that come under that subscription. Similarly, any role on a Resource Group gets inherited by all the resources within that Resource Group. There is no way to block this inheritance, as this is by design, and RBAC roles will flow down from the top to the bottom level based on where the RBAC role is applied.

    One thing that can be done is to use "Deny Assignments", where you can specify that certain users are not to perform certain tasks on a particular resource.

    Hope this helps,


    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
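
The inheritance described in the answer above, as an added example that is not part of the original answer and is not Microsoft's code: a simplified Python model that reports which role assignments reach a resource (direct or inherited) and which deny assignments apply at or above it. The subscription ID, principal, resource names and assignment names are constructed; real deny assignments block specific actions, which this model reduces to listing the deny assignments in scope.

```python
# Simplified model of Azure RBAC scope inheritance (added example).
# All IDs, principals, roles and assignment names are constructed sample data.

def scope_applies(assigned_scope: str, resource_id: str) -> bool:
    """True if resource_id is at or below assigned_scope in the hierarchy."""
    a = assigned_scope.rstrip("/").lower()  # resource IDs compare case-insensitively
    r = resource_id.rstrip("/").lower()
    # Match on a path-segment boundary so ".../rg-app" never covers ".../rg-app2".
    return r == a or r.startswith(a + "/")

def effective_access(principal, resource_id, role_assignments, deny_assignments):
    """Return ([(role, 'direct'|'inherited')], [deny assignment names in scope])."""
    target = resource_id.rstrip("/").lower()
    roles = []
    for ra in role_assignments:
        if ra["principal"] == principal and scope_applies(ra["scope"], resource_id):
            direct = ra["scope"].rstrip("/").lower() == target
            roles.append((ra["role"], "direct" if direct else "inherited"))
    denies = [d["name"] for d in deny_assignments
              if d["principal"] == principal and scope_applies(d["scope"], resource_id)]
    return roles, denies

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-secrets"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stapp"

ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},   # flows down everywhere
    {"principal": "alice", "role": "Reader", "scope": STORAGE},    # set on the resource
]
DENY_ASSIGNMENTS = [
    {"principal": "alice", "name": "deny-kv-write", "scope": VAULT},
]

if __name__ == "__main__":
    for res in (VAULT, STORAGE):
        roles, denies = effective_access("alice", res, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS)
        print(res.rsplit("/", 1)[-1], "roles:", roles, "denies:", denies)
```
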