I have subscription , in the subscription there are so many users with contributor access , i want to give access to see the state file to only one spn user how can we do that?

Tamil Selvan M 5 Reputation points

i have azure subsciption , i have contributor role for multiple users in the subscription leval , i have one storage account , in the storage account one state file is there, it only visisble for one particular spn user other then all the contributor users can't able to view how can we do that in azure?

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,530 questions
Azure VMware Solution
Azure VMware Solution
An Azure service that runs native VMware workloads on Azure.
337 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
715 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,338 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,497 questions
{count} votes

1 answer

Sort by: Most helpful
  1. kobulloc-MSFT 26,131 Reputation points Microsoft Employee

    Hello, @Tamil Selvan M !

    How do I block access to only a single resource group?

    You can grant access to users using Role Based Access Control (RBAC) at 4 different scopes:

    • Management group
    • Subscription
    • Resource Group
    • Resource

    Diagram that shows scope levels for Azure RBAC.

    The issue with this is that if access is granted at a higher scope (like the subscription), then access is inherited at lower scopes (like a resource group).

    One way to do this is to grant access at the resource group level (granting access to resource group A but not resource group B) but this becomes difficult to manage if you are trying to deny access to a single resource group out of possibly dozens or more resource groups.

    Other options:

    • Remove role assignments: Would have to be done at a lower scope (every resource group) or else you would run into an inherited role assignments cannot be removed error.
    • Deny assignments can remove an ability but has drawbacks as well.
    • Locking resources can work for some scenarios like delete, but would still allow read only.
    • Azure Blueprints offers additional options but doesn't directly address this issue.

    Here I agree with the blog by Jussi Roine who recommends creating a separate subscription and moving the single resource group there so that you have isolation at equal scopes:


    Additional reading:

    I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

    If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    User's image