This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 77%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVE%3C/text%3E%3C/svg%3E)
I have created a storage account with hierarchical namespace enabled and by default it inherits the role assignments from subscription and resource group level. If User/Group is added to the subscription/resource group, they are automatically added to IAM of storage acccount. But we want to control this. Can you please let me know how we can disable this inheritance?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 70%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hello @viji.e and welcome to Microsoft Q&A.
While you cannot "turn off" inheritance, you can use "Deny Assignments" to block it. Please read more about Deny Assignments here.
@MartinJaffer-MSFT , I had already gone through the link and didn't find it useful. It doesn't say how to create Azure Blueprints for Deny Assignments. Can you share the steps on how to create deny assignments using Azure Blueprint?
I agree @viji.e . Deny Assignments are a tease. Azure Blueprint is outside my area of focus, and I'm not certain it is the best answer.
A solution I do know to work, is create a custom role to assign the user to instead of subscription or resource group contributor/owner.
It is easier to grant permissions at a lower level than deny from a higher level. This is doubly so, as someone at the subscription level could just undo the Blueprint or grant themselves access as owner role of whatever resource they want.
Your situation is one I have run into, when trying to do tests on ACL in storage. I ended up created an extra account for testing permissions.
If you do want to go with Azure Blueprint, I will hand you off to my colleagues.