How can I grant consultants access to my Azure Portal (Dev Subscription) without giving them access to current objects?

Question

How can I grant consultants access to my Azure Portal (Dev Subscription) without giving them access to current objects?

Pat Breslin 0

Our project requires the assistance of consultants who need access to our Azure Portal to create new resources for the project. However, they should not have access to any current objects in the Dev subscription as it is not necessary for their work. How can we grant them access to the Dev subscription while restricting access to current objects?

Pat Breslin 0 Reputation points

2024-08-20T12:53:18.9766667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T12:59:37.7566667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:04:04.7133333+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:45:18.56+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:46:45.2233333+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T17:42:58.6633333+00:00

I have tried to setup a custom role but the inheritance creates an issue...

Is there a way to do this where I do not have to manually remove the custom role from each resource and any new resources made that they should not have access to?

I will also mention I made a resource group within my Dev Subscription and made a custom role at the resource group level there.... Would that work?

2 answers

Your answer

Pat Breslin 0 Reputation points

2024-08-20T12:53:18.9766667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T12:59:37.7566667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:04:04.7133333+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:45:18.56+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:46:45.2233333+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T17:42:58.6633333+00:00

I have tried to setup a custom role but the inheritance creates an issue...

Is there a way to do this where I do not have to manually remove the custom role from each resource and any new resources made that they should not have access to?

I will also mention I made a resource group within my Dev Subscription and made a custom role at the resource group level there.... Would that work?

Answer 1

Sina Salam 22,031 Volunteer Moderator

Hello Pat Breslin,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to grant access to your consultants' without giving them access to current objects.

To grant consultants access to your Azure Dev subscription while restricting access to current objects, there are a few things you might need to do to achieve the aim.

Create a custom role definition that allows the necessary permissions for creating new resources but excludes access to existing objects. For example, the permissions required for resource creation (e.g., Virtual Machine Contributor, Network Contributor, etc.). https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
Assign the custom role to the consultants at the subscription level so that they will have the necessary permissions to create new resources without access to existing ones. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Apply resource locks to existing objects to prevent accidental deletion or modification. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-locks

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam

Pat Breslin 0 Reputation points

2024-08-20T12:34:28.0266667+00:00
Sina,

Thank you so much for getting back to me!

I did create a custom role at the subscription level but the issue I ran into (and maybe you can assist with this part) is that the role inherited down which makes sense... but then that custom role now has access to all the current resources within my Dev Subscription. I do not want to manually go to each resource and remove that role for a few reasons;

thats a lot of work

and most importantly, if we ever add more resources, I don't want anyone to have to be concerned with needing to remember the step of checking IAM and removing the custom role

Am I missing some helpful feature within the Custom Role Setup that can handle blocking access to the current resources? I looked around and google searched but could not find anything
Pat Breslin 0 Reputation points

2024-08-20T12:51:25.0466667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else.
I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here.
Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T12:56:42.8333333+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T12:57:09.4666667+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Pat Breslin 0 Reputation points

2024-08-20T13:03:52.12+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?
Pat Breslin 0 Reputation points

2024-08-20T13:45:40.6+00:00

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?

Answer 2

Pat Breslin 0

Sina,

Thank you so much for getting back to me! We are working on trying to get this setup fairly quick for our Consultants.

I have looked at the custom roles and set one up at the subscription level.

The issue I found was that it inherited down which makes sense but I could not find a way to accurately remove access to the current resources without manually removing that new custom role from each resource. This would not be ideal as it would leave room for error as new resources are made, someone may forget to go into IAM and remove the custom role.

I only want them to have access to the subscription as if nothing were there but they can go make and delete whatever THEY make and see (or at least cant access) anything else. I did look through the custom role and could not find anything and google search didn't yield anything for me which is why I am here. Am I missing something?

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-08-24T12:43:10.84+00:00

Hi @Pat Breslin

This seems it require further troubleshooting could you please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:akhilesh"
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-08-27T13:44:30.5666667+00:00

Hi @Pat Breslin
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Share via

How can I grant consultants access to my Azure Portal (Dev Subscription) without giving them access to current objects?

2 answers

Your answer