How can I grant consultants access to my Azure Portal (Dev Subscription) without giving them access to current objects?

Pat Breslin 0 Reputation points
2024-08-19T12:45:47.4566667+00:00

Our project requires the assistance of consultants who need access to our Azure Portal to create new resources for the project. However, they should not have access to any current objects in the Dev subscription as it is not necessary for their work. How can we grant them access to the Dev subscription while restricting access to current objects?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2024-08-19T22:17:26.3133333+00:00

    Hello Pat Breslin,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to grant access to your consultants without giving them access to current objects.

    To grant consultants access to your Azure Dev subscription while restricting access to current objects, there are a few things you might need to do to achieve the aim.

    1. Create a custom role definition that allows the necessary permissions for creating new resources but excludes access to existing objects. For example, the permissions required for resource creation (e.g., Virtual Machine Contributor, Network Contributor, etc.). https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
    2. Assign the custom role to the consultants at the subscription level so that they will have the necessary permissions to create new resources without access to existing ones. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
    3. Apply resource locks to existing objects to prevent accidental deletion or modification. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-locks

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    **Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam


  2. Pat Breslin 0 Reputation points
    2024-08-20T13:47:02.3833333+00:00

    Sina,

    Thank you so much for getting back to me! We are working on trying to get this set up fairly quickly for our Consultants.

    I have looked at the custom roles and set one up at the subscription level.

    The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

    I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least can't access) anything else. I did look through the custom role and could not find anything and a Google search didn't yield anything for me which is why I am here. Am I missing something?
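
The inheritance described in the reply above, as an added example that is not part of the original thread and is not Azure code: a simplified Python model of how a role assignment made at one scope applies to every child scope beneath it. The subscription ID, resource group names and role contents are constructed placeholders, and the resource-group-scoped assignment is included only for contrast.

```python
# Simplified model of Azure RBAC scope inheritance (illustration only, no Azure SDK calls).
from fnmatch import fnmatchcase

# Constructed sample IDs: the subscription GUID and all names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
EXISTING_VM = SUB + "/resourceGroups/rg-existing/providers/Microsoft.Compute/virtualMachines/vm-old"
CONSULTANT_VM = SUB + "/resourceGroups/rg-consultants/providers/Microsoft.Compute/virtualMachines/vm-new"

# Hypothetical custom role; Actions/NotActions mirror the role-definition JSON fields.
CUSTOM_ROLE = {
    "Actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/*"],
    "NotActions": ["Microsoft.Network/virtualNetworks/delete"],
}

def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its own scope and at every child scope below it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def role_allows(role, action):
    """Allowed when an Actions pattern matches and no NotActions pattern does."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role["NotActions"])

def is_allowed(assignments, resource_id, action):
    """RBAC is additive: one covering assignment that allows the action is enough."""
    return any(scope_covers(scope, resource_id) and role_allows(role, action)
               for scope, role in assignments)

def report(assignments):
    """Can the assignee delete the pre-existing VM and the consultant-created VM?"""
    action = "Microsoft.Compute/virtualMachines/delete"
    return {"existing": is_allowed(assignments, EXISTING_VM, action),
            "consultant": is_allowed(assignments, CONSULTANT_VM, action)}

if __name__ == "__main__":
    # Assigned at the subscription: inherited by every resource group and resource.
    print("subscription scope:  ", report([(SUB, CUSTOM_ROLE)]))
    # Assigned at one resource group: resources in other groups are not covered.
    rg_scope = SUB + "/resourceGroups/rg-consultants"
    print("resource group scope:", report([(rg_scope, CUSTOM_ROLE)]))
```
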

