@Stephen Wartel Thanks for reaching out here!
To add more to the above response:
To grant temporary access to an outside developer/engineer to access a new Azure App Service Laravel App including MySQL Flexible Database server so they can help set it up, configure it (environment variables, SSH nginx scripts, etc.), you can create a custom role with the minimum permissions required for them to perform the necessary tasks.
Here are the steps to create a custom role:
- In the Azure portal, go to the "Access control (IAM)" tab for your subscription or resource group.
- Click on the "Add" button and select "Add custom role".
- Give the role a name, such as "App Service Configurator".
- Under "Permissions", select the minimum set of permissions required for the developer/engineer to perform the necessary tasks. For example, you can select the "Microsoft.Web/sites/config/" permission to allow them to configure the App Service app, and the "Microsoft.DBforMySQL/flexibleServers/" permission to allow them to configure the MySQL Flexible Database server.
- Under "Assignments", select the scope of the role assignment. For example, you can select the resource group that contains the App Service app and MySQL Flexible Database server.
- Click on the "Review + create" button and then "Create" to create the custom role.
Once the custom role is created, you can assign it to the developer/engineer by going to the "Access control (IAM)" tab for the resource group that contains the App Service app and MySQL Flexible Database server, clicking on the "Add" button, and selecting "Add role assignment". Then, select the custom role you created and enter the email address of the developer/engineer.
With this custom role, the developer/engineer will have the minimum permissions required to access and configure the App Service app and MySQL Flexible Database server, without having access to your account billing or security profile/settings/data.
Create or update Azure custom roles using the Azure portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Hope this helps.
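As an added example that is not part of the answer above: a small Python check that can be run over a custom role definition before it is created, to confirm it stays within the App Service and MySQL Flexible Server providers and is scoped to a resource group. The role names, the `rg-laravel` resource group, the all-zero subscription ID and the wildcard forms of the action strings are constructed assumptions; `NotActions` are not evaluated, so the check errs on the strict side.

```python
from fnmatch import fnmatchcase

# Providers the task needs: the App Service app and the MySQL Flexible Server.
TASK_PROVIDERS = ("microsoft.web", "microsoft.dbformysql")
# Providers covering role assignment and billing/cost data, which the
# outside developer should not reach.
SENSITIVE_PROVIDERS = ("microsoft.authorization", "microsoft.billing",
                       "microsoft.consumption", "microsoft.costmanagement")

def lint_role(role):
    """Return a list of findings for a custom role definition (dict form)."""
    findings = []
    for action in role.get("Actions", []):
        provider, _, rest = action.partition("/")
        provider = provider.lower()
        # The granted provider segment may itself be a wildcard such as "*".
        if any(fnmatchcase(p, provider) for p in SENSITIVE_PROVIDERS):
            findings.append(f"sensitive: {action}")
        elif not any(fnmatchcase(p, provider) for p in TASK_PROVIDERS):
            findings.append(f"outside task: {action}")
        elif rest in ("", "*"):
            findings.append(f"whole provider: {action}")
    for scope in role.get("AssignableScopes", []):
        if "/resourcegroups/" not in scope.lower():
            findings.append(f"scope wider than a resource group: {scope}")
    return findings

# Constructed sample data (placeholder subscription ID and resource group).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-laravel"
TIGHT_ROLE = {
    "Name": "App Service Configurator",
    "Actions": ["Microsoft.Web/sites/config/*",
                "Microsoft.DBforMySQL/flexibleServers/*"],
    "AssignableScopes": [RG],
}
LOOSE_ROLE = {
    "Name": "Too Broad (constructed)",
    "Actions": ["*", "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Storage/storageAccounts/read", "Microsoft.Web/*"],
    "AssignableScopes": [RG.split("/resourceGroups/")[0]],
}

if __name__ == "__main__":
    for role in (TIGHT_ROLE, LOOSE_ROLE):
        print(role["Name"], "->", lint_role(role) or "no findings")
```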