Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you have a multi-subscription model and would like to know the best practice for fine-grained access management to Azure resources.
You must consider using Azure RBAC.
Refer: How Azure RBAC works
Some resources in Azure do not support cross-subscription association.
Route table/NSGs are such resources.
- You must create individual resources in each subscription if you would like to use the resource.
- You can use an ARM template to create resources with the same properties across subscriptions.
- What are ARM templates?
With regard to permissions,
- You can assign permissions to individual users or groups.
- Azure includes several built-in roles that you can use, or you can also create your own Azure custom roles.
- For example:
  - "IT" team can be given "Network Contributor" Role at the subscription or Resource Group level or the VNET Level
  - "DevOps" can be given "Owner" or "Contributor" Role at the Resource Group level or the VNET Level
Hope this helps.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
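
The role assignments described in the answer above, applied identically in every subscription with the Azure CLI. This is an added example, not part of the original answer; the subscription IDs, group object IDs and resource group name are constructed placeholders, and the "DevOps" group is given the narrower "Contributor" option at resource group scope. With `DRY_RUN=1` (the default) the commands are only printed.

```shell
# Added example: all IDs and names below are constructed placeholders.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"
SUBSCRIPTIONS="00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002"
IT_GROUP_ID="11111111-1111-1111-1111-111111111111"      # object ID of the "IT" group
DEVOPS_GROUP_ID="22222222-2222-2222-2222-222222222222"  # object ID of the "DevOps" group
APP_RG="rg-app"                                         # hypothetical resource group

# Build a scope string at subscription, resource group or VNet level.
scope_for() {
  local sub="$1" rg="${2:-}" vnet="${3:-}"
  if [ -n "$vnet" ] && [ -z "$rg" ]; then
    echo "a VNet scope needs a resource group" >&2
    return 1
  fi
  local scope="/subscriptions/${sub}"
  if [ -n "$rg" ]; then scope="${scope}/resourceGroups/${rg}"; fi
  if [ -n "$vnet" ]; then
    scope="${scope}/providers/Microsoft.Network/virtualNetworks/${vnet}"
  fi
  printf '%s\n' "$scope"
}

# Assign a built-in role to a group at one scope (or print the command).
assign() {
  local group_id="$1" role="$2" scope="$3"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type Group --role "%s" --scope "%s"\n' \
      "$group_id" "$role" "$scope"
  else
    az role assignment create --assignee-object-id "$group_id" \
      --assignee-principal-type Group --role "$role" --scope "$scope"
  fi
}

# Same plan in every subscription, each group at the narrowest scope it needs.
apply_plan() {
  local sub
  for sub in $SUBSCRIPTIONS; do
    # "IT" team: Network Contributor at subscription level.
    assign "$IT_GROUP_ID" "Network Contributor" "$(scope_for "$sub")"
    # "DevOps": Contributor limited to one resource group.
    assign "$DEVOPS_GROUP_ID" "Contributor" "$(scope_for "$sub" "$APP_RG")"
  done
}

apply_plan
```

Assigning to groups by object ID keeps the plan stable when team membership changes, and a VNet-level scope can be passed as the third argument to `scope_for`.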