Hi @박은수
Thank you for posting your question on Microsoft Q&A.
I understand that the issue you are facing is that other team members using another subscription in the same tenant can attach the managed identity.
This is because managed identities are service principals registered to the tenant, not to a specific subscription. Therefore, any user or application with sufficient permissions can attach the managed identity to a resource in any subscription within the same tenant.
To restrict the managed identity to be attached only in your subscription, you can define a separate management group with policy assignments or Azure role assignments that are more suited to your subscription. By default, a subscription that you add in a tenant becomes a member of the root management group. If you assign policy assignments, Azure RBAC, and other governance constructs to the root management group, they immediately affect these new subscriptions.
Configuring hierarchy settings requires Microsoft.Management/managementgroups/settings/write and Microsoft.Management/managementgroups/settings/read on the root management group.
To configure this setting in the Azure portal, follow these steps:
1. Use the search bar to search for and select 'Management groups'.
2. On the root management group, select details next to the name of the management group.
3. Under Settings, select Hierarchy settings.
4. Select the Change default management group button.
5. Create a new management group and add your subscription to it.
6. Assign the managed identity to the new management group.
For more information, you can refer to the following documentation: https://learn.microsoft.com/en-us/azure/governance/management-groups/how-to/protect-resource-hierarchy
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
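The portal steps in the answer above, as an Azure CLI script added here for reference; it is not part of Navya's answer or of Microsoft's documentation. The tenant ID (which is also the root management group's name), the new management group name, the subscription ID and the identity's principal are placeholder values you must replace. The REST body for the hierarchy setting follows the `settings/default` resource from the linked protect-resource-hierarchy page, and the final role assignment (Managed Identity Operator, which carries the `.../userAssignedIdentities/*/assign/action` permission that attaching requires) is an addition beyond the answer's step 6 to show where the attach permission is actually granted. The `az` calls run only when `RUN_AZ=1` is set, so the helper functions can be checked offline.

```shell
#!/usr/bin/env bash
# Added example, not the original answer's code. All IDs below are placeholders.
set -euo pipefail

ROOT_MG="${ROOT_MG:-00000000-0000-0000-0000-000000000000}"  # tenant ID = root management group name
NEW_MG="${NEW_MG:-mg-team-a}"                                # assumed name for the new child MG
SUB_ID="${SUB_ID:-11111111-1111-1111-1111-111111111111}"    # assumed subscription to move
IDENTITY_ID="${IDENTITY_ID:-/subscriptions/${SUB_ID}/resourceGroups/rg-a/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-a}"
OPERATOR_OID="${OPERATOR_OID:-22222222-2222-2222-2222-222222222222}"  # assumed object ID allowed to attach
API_VERSION="2021-04-01"

# ARM scope string for a management group.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# URL of the root MG's hierarchy settings resource (settings/default).
hierarchy_settings_url() {
  printf 'https://management.azure.com%s/settings/default?api-version=%s' \
    "$(mg_scope "$1")" "$API_VERSION"
}

# Body for the PUT: make $1 the default MG for new subscriptions and require
# authorization for management group creation, as the linked doc describes.
hierarchy_settings_body() {
  printf '{"properties":{"defaultManagementGroup":"%s","requireAuthorizationForGroupCreation":true}}' \
    "$(mg_scope "$1")"
}

# The actual changes. Needs an identity holding settings/write on the root MG.
apply() {
  # Steps 4-5: create the child MG and move the subscription into it.
  az account management-group create --name "$NEW_MG" --display-name "$NEW_MG"
  az account management-group subscription add --name "$NEW_MG" --subscription "$SUB_ID"

  # Steps 2-4: change the default management group via the hierarchy settings resource.
  az rest --method put \
    --url "$(hierarchy_settings_url "$ROOT_MG")" \
    --body "$(hierarchy_settings_body "$NEW_MG")"

  # Read the setting back to confirm it took effect.
  az rest --method get --url "$(hierarchy_settings_url "$ROOT_MG")" \
    --query properties.defaultManagementGroup -o tsv

  # Addition to step 6: grant the attach permission only on the identity itself,
  # rather than at management group or subscription scope.
  az role assignment create \
    --assignee-object-id "$OPERATOR_OID" --assignee-principal-type User \
    --role "Managed Identity Operator" \
    --scope "$IDENTITY_ID"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  apply
fi
```

Run with `RUN_AZ=1 ./script.sh` after `az login` as a principal that has the two settings permissions on the root management group; without `RUN_AZ` the script only defines the helpers and exits cleanly.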