Azure custom roles for dev team

Carolina Zamisnicu 316 Reputation points
2021-06-15T11:36:54.777+00:00

Hi,

In my subscription every user has the Owner role at subscription level. Also, a few users have the app admin role at subscription level as well. I want to make specific defined roles for my development team (two people) in the production resource group where they can do all of the following:

  • deployment of VMs;
  • deletion of VMs;
  • creation of security groups, etc.

Only those two users from our team should have access to do the actions mentioned above in our production resource group. No other user should have a role that lets them see/modify/change the deployment environment in our production resource group. This applies to the production resource group only.
For the remaining users in the team, the dev team will deploy another resource group (a testing one) where we can also have development access: we can deploy, create and modify objects.
Our scope is to protect the production resource group.
So we should have two resource groups in the end:

  • one of production (where only two people in the team can have access and deploy/modify and the rest of the team cannot have access)
  • second one for testing purposes where all colleagues in the team can deploy, create, modify objects

We need to do this while still keeping our app administrator roles active.
I understand that we need to change our roles from subscription level to resource group level. But how can I do that? Can you guide me through how I can achieve the above?

Thank you very much!

Azure Role-based access control

1 answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2021-06-15T21:09:48.043+00:00

    @Carolina Zamisnicu
    Thank you for your detailed post!

    Current Roles:

    • All users are Owners at the Subscription level
    • A few users also have the Application Admin role assigned at the Subscription level

    Production Resource Group:

    • Two users will be allowed to perform all actions (i.e. create, delete, etc.) on this Resource Group
    • No other users (besides the two) can see or modify this Resource Group.

    Development Resource Group:

    • All users will have access to deploy or modify resources within this Resource Group.

    As you stated, you'll definitely have to modify your current roles from Subscription level to Resource Group level in order to achieve this. As for the steps, I'll share my recommendation below based off of our Best practices for Azure RBAC documentation, specifically referring to the Assign roles to groups, not users section.

    Steps:

    1) Since all of your users have the Owner RBAC role assigned (I'm assuming the roles are directly assigned to each user) at the subscription level, I'd recommend creating a group specific to the Development Resource Group users and assigning them to this group. For example, "Development Group Users".
    [screenshot: creategroup.gif]

    2) Since you only want two users to be able to edit the Production Resource Group, I'd also create a "Production Team" group, and assign the necessary users.
    [screenshot: image.png]

    3) Once you have all the users assigned to their required groups, you'll have to go to the respective Resource Groups (Prod/Dev) -> Access Control (IAM) -> and assign the respective RBAC role to each group.
    [screenshot: rbacforgroups.gif]

    4) After the groups are assigned to their Resource Group(s), feel free to "clean up" your subscription-level Owner roles. Please be sure that you don't delete yourself or any other user(s) that need to be an Owner on the Subscription. Lastly, I'd recommend testing everything once you remove the Owner roles from the Subscription.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
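The four steps above, as an added Azure CLI script that is not part of the answer (which describes the portal clicks). It is a dry run by default: it prints every `az` command it would issue and only executes them when run with `APPLY=1` in a logged-in session. The subscription id, resource group names, group names and member object ids are constructed placeholders, and the choice of the built-in Contributor role is my assumption: it covers creating and deleting VMs and network security groups inside the resource group, but unlike Owner it cannot grant roles to anyone else, so neither group needs Owner. Two things the procedure does not spell out: the role assignments are made at resource-group scope only, which is what keeps the development group from even seeing the production resource group once the subscription-level Owner assignments are gone; and if "app admin" means the Azure AD Application Administrator directory role, that is not an Azure RBAC assignment and step 4 leaves it untouched.

```shell
#!/bin/sh
# Added example, not part of the answer above: Azure CLI version of steps 1-4.
# Dry run by default: every az command is printed, not executed.
# Run with APPLY=1 while logged in (az login) to execute them.
set -eu

# Constructed placeholder values (assumptions); override via the environment.
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"
PROD_RG="${PROD_RG:-rg-production}"
DEV_RG="${DEV_RG:-rg-development}"
PROD_GROUP="${PROD_GROUP:-Production Team}"
DEV_GROUP="${DEV_GROUP:-Development Group Users}"
# Members are Azure AD object ids (az ad user show --id <upn> --query id -o tsv).
PROD_MEMBERS="${PROD_MEMBERS:-11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222}"
# The two production users also work in the test resource group.
DEV_MEMBERS="${DEV_MEMBERS:-$PROD_MEMBERS 33333333-3333-3333-3333-333333333333}"
# Assumption: Contributor is enough to create/delete VMs and NSGs; unlike Owner
# it cannot hand out role assignments, so nobody needs Owner on either group.
ROLE="${ROLE:-Contributor}"

sub_scope() { printf '/subscriptions/%s' "$1"; }
rg_scope()  { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Steps 1 and 2: create a security group in Azure AD.
cmd_create_group() {   # $1 display name, $2 mail nickname
  printf "az ad group create --display-name '%s' --mail-nickname '%s'" "$1" "$2"
}

# Steps 1 and 2: add one member (object id) to a group.
cmd_add_member() {     # $1 group display name, $2 member object id
  printf "az ad group member add --group '%s' --member-id '%s'" "$1" "$2"
}

# Step 3: assign a role to a group at resource-group scope only, never at the subscription.
cmd_assign_rg_role() { # $1 subscription id, $2 resource group, $3 group object id, $4 role
  printf "az role assignment create --assignee-object-id '%s' --assignee-principal-type Group --role '%s' --scope '%s'" \
    "$3" "$4" "$(rg_scope "$1" "$2")"
}

# Step 4, audit: list Owner assignments made directly at subscription scope.
cmd_list_sub_owners() { # $1 subscription id
  printf "az role assignment list --role Owner --scope '%s' --query '[].{principal:principalName,type:principalType,id:id}' -o table" \
    "$(sub_scope "$1")"
}

# Step 4, clean-up: remove one subscription-level Owner assignment. Deliberately not
# called by main; run it per principal after reviewing the audit list, and keep at
# least one Owner (yourself) on the subscription.
cmd_remove_sub_owner() { # $1 subscription id, $2 principal object id
  printf "az role assignment delete --assignee '%s' --role Owner --scope '%s'" "$2" "$(sub_scope "$1")"
}

# Print the command in dry-run mode, execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then eval "$1"; else echo "$1"; fi; }

main() {
  run "$(cmd_create_group "$PROD_GROUP" productionteam)"
  run "$(cmd_create_group "$DEV_GROUP" developmentgroupusers)"
  for m in $PROD_MEMBERS; do run "$(cmd_add_member "$PROD_GROUP" "$m")"; done
  for m in $DEV_MEMBERS;  do run "$(cmd_add_member "$DEV_GROUP"  "$m")"; done

  # Role assignments need the groups' object ids; look them up only when applying.
  if [ "${APPLY:-0}" = 1 ]; then
    prod_gid=$(az ad group show --group "$PROD_GROUP" --query id -o tsv)
    dev_gid=$(az ad group show --group "$DEV_GROUP" --query id -o tsv)
  else
    prod_gid='<prod-group-object-id>'; dev_gid='<dev-group-object-id>'
  fi
  run "$(cmd_assign_rg_role "$SUB_ID" "$PROD_RG" "$prod_gid" "$ROLE")"
  run "$(cmd_assign_rg_role "$SUB_ID" "$DEV_RG" "$dev_gid" "$ROLE")"

  # Audit before clean-up: every principal listed here still has Owner on the whole subscription.
  run "$(cmd_list_sub_owners "$SUB_ID")"
}

main
```

The removal in step 4 is intentionally left as a separate function rather than looped over the audit output: deleting subscription-level Owner assignments is the one irreversible step, and the answer's warning about not removing yourself is easiest to honour when each `az role assignment delete` is issued by hand against a reviewed list. After clean-up, a member of the development group should get an authorization error on `az group show --name rg-production`, which is the test the answer recommends.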

