Tag management on Azure

Sven Jauffred 6 Reputation points
2021-05-26T07:43:46.407+00:00

For a client I am attempting to build a tag manager role that allows only changing of tags on resources (add/remove/change from existing subscription tags), without being able to create new tags on the subscription. However, with the permissions set as below, the user is able to create/delete tags on the subscription level, even though the description of the notActions permissions explicitly describes roles that create tags on the subscription level.

Is the issue here that the permissions are hierarchical, with "Microsoft.Resources/tags/write" superseding "Microsoft.Resources/subscriptions/tagNames/write"?

Is it even possible to do what I want to do?

(screenshot of the role definition: 99791-image.png)

Thanks in advance,
Sven
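Added illustration, not part of Sven's post or of any answer on this page: a small simulation of the documented Azure RBAC evaluation rule, under which an operation is permitted by a role definition when it matches at least one pattern in Actions and no pattern in NotActions, with `*` as the only wildcard. NotActions is a subtraction from Actions, not a deny. The two role definitions below are constructed for the example (the screenshot's actual role is not visible here), and case-insensitive matching is an assumption. The simulation covers operation-string matching only; it does not model which REST calls map to which operation string, nor the scope of the role assignment.

```python
"""Simulate Azure RBAC Actions/NotActions evaluation for a custom role.

Rule (documented Azure behaviour): an operation is allowed by a role if it
matches any Actions pattern and does not match any NotActions pattern.
`*` matches any run of characters, including `/`.

The role definitions here are constructed for illustration; they are not the
role from the original question's screenshot.
"""
import re


def _matches(pattern: str, operation: str) -> bool:
    """Return True if an Azure operation pattern matches an operation name.

    `*` is the only wildcard. Case-insensitive comparison is an assumption
    made for this example.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def effective_allowed(role: dict, operation: str) -> bool:
    """Apply the Actions-minus-NotActions rule to one operation."""
    in_actions = any(_matches(p, operation) for p in role.get("Actions", []))
    in_not_actions = any(_matches(p, operation) for p in role.get("NotActions", []))
    return in_actions and not in_not_actions


def evaluate(role: dict, operations: list) -> dict:
    """Map each operation name to its allow/deny outcome under `role`."""
    return {op: effective_allowed(role, op) for op in operations}


# Constructed role: read everything, write tags, and list the subscription
# tag-name operation under NotActions.
TAG_MANAGER_ROLE = {
    "Name": "Tag Manager (constructed example)",
    "Actions": ["*/read", "Microsoft.Resources/tags/write"],
    "NotActions": ["Microsoft.Resources/subscriptions/tagNames/write"],
}

# Constructed role with a wildcard in Actions, so the NotActions entry
# actually subtracts something that Actions would otherwise have granted.
BROAD_ROLE = {
    "Name": "Resources writer minus tag names (constructed example)",
    "Actions": ["Microsoft.Resources/*"],
    "NotActions": ["Microsoft.Resources/subscriptions/tagNames/write"],
}

# Operation names under test; the first two appear in the question.
OPERATIONS = [
    "Microsoft.Resources/tags/write",
    "Microsoft.Resources/subscriptions/tagNames/write",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Compute/virtualMachines/write",
]


if __name__ == "__main__":
    for role in (TAG_MANAGER_ROLE, BROAD_ROLE):
        print(role["Name"])
        for op, ok in evaluate(role, OPERATIONS).items():
            print(f"  {'ALLOW' if ok else 'deny ':5} {op}")
    # The two operation strings from the question never match each other:
    # neither is a wildcard pattern, so neither can "supersede" the other.
    print(_matches("Microsoft.Resources/tags/write",
                   "Microsoft.Resources/subscriptions/tagNames/write"))
```

Under this rule, "Microsoft.Resources/tags/write" and "Microsoft.Resources/subscriptions/tagNames/write" are simply two different operation names; one only stands in for the other if a wildcard pattern covers both. A NotActions entry has no effect on an operation that Actions never granted, and an Actions entry is granted everywhere within the assignment's scope, because the operation string itself carries no scope.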

Azure Role-based access control