Hello Pat Breslin,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you would like to grant access to your consultants without giving them access to current objects.
To grant consultants access to your Azure Dev subscription while restricting access to current objects, there are a few things you might need to do to achieve the aim.
- Create a custom role definition that allows the necessary permissions for creating new resources but excludes access to existing objects. For example, the permissions required for resource creation (e.g., Virtual Machine Contributor, Network Contributor, etc.). https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
- Assign the custom role to the consultants at the subscription level so that they will have the necessary permissions to create new resources without access to existing ones. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
- Apply resource locks to existing objects to prevent accidental deletion or modification. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-locks
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
**Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
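
The combined effect of the three steps above (custom role, subscription-level assignment, resource locks) can be checked before rollout. This is an added example, not part of the original answer or Microsoft's code: a simplified model of Azure's Actions/NotActions wildcard matching, scope inheritance and lock levels. The role name, action list, subscription ID and resource names are constructed assumptions.

```python
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder ID
# Constructed custom role in the Azure role-definition shape; name and action list are assumptions.
ROLE = {
    "Name": "Consultant Resource Creator (example)",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/virtualNetworks/*",
    ],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
}
# Constructed locks on existing objects: scope -> lock level.
LOCKS = {SUB + "/resourceGroups/rg-existing": "ReadOnly"}
OLD_VM = SUB + "/resourceGroups/rg-existing/providers/Microsoft.Compute/virtualMachines/vm-prod"
NEW_VM = SUB + "/resourceGroups/rg-consultants/providers/Microsoft.Compute/virtualMachines/vm-new"

def under(scope, resource_id):
    """True if resource_id is the scope itself or a child of it (scopes are inherited)."""
    return (resource_id.lower() + "/").startswith(scope.lower().rstrip("/") + "/")

def rbac_allows(role, assignment_scope, resource_id, operation):
    """Simplified control-plane check: in scope, matches Actions, not in NotActions."""
    op = operation.lower()
    hit = any(fnmatchcase(op, a.lower()) for a in role["Actions"])
    cut = any(fnmatchcase(op, n.lower()) for n in role.get("NotActions", []))
    return under(assignment_scope, resource_id) and hit and not cut

def lock_blocks(locks, resource_id, operation):
    """Simplified lock model: ReadOnly stops non-read operations, CanNotDelete stops deletes."""
    op = operation.lower()
    for scope, level in locks.items():
        if not under(scope, resource_id):
            continue
        if level == "ReadOnly" and not op.endswith("/read"):
            return True
        if level == "CanNotDelete" and op.endswith("/delete"):
            return True
    return False

def effective(assignment_scope, resource_id, operation, role=ROLE, locks=LOCKS):
    """Combine the RBAC decision with any inherited lock."""
    if not rbac_allows(role, assignment_scope, resource_id, operation):
        return "denied-by-rbac"
    return "blocked-by-lock" if lock_blocks(locks, resource_id, operation) else "allowed"

if __name__ == "__main__":
    for vm in (OLD_VM, NEW_VM):
        for verb in ("read", "write", "delete"):
            op = "Microsoft.Compute/virtualMachines/" + verb
            print(vm.rsplit("/", 1)[-1], verb, effective(SUB, vm, op))
```

In this model a subscription-scope assignment can still read the existing VM and only the lock stops writes to it; the same role assigned at the `rg-consultants` resource group scope does not reach the existing VM at all.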