How to stop Azure users with Contributor access from adding client IP address

Sathish Manokaran 1 Reputation point

I would like to restrict Azure users with Contributor access from adding Client IP Address in Firewall and Virtual networks blade of SQL Server.

Users with Owner access should be able to add / whitelist Client IP addresses.
Wondering how to implement this in Azure. Please share your thoughts on whether it is possible. If not, any alternative suggestions would be of great help. Thanks


2 answers

  1. Martin Cairney 2,231 Reputation points

    It sounds like you may have users in incorrect roles if they are permitted to do things you don't want them to do.

    If you went into this in detail then it would mean a reworking of your Azure RBAC controls - removing users from the Contributor role and adding them to more granular roles where possible.

    I'm guessing that this approach is less feasible for you - hence the question of how to pare back on a defined Role? It may be possible to look at Azure Policies to prevent changes to the Firewall Rules except to Owners? I haven't dived deeply into the Azure Role's detailed ability, but this would be my starting point to see if it can be achieved there.

    1 person found this answer helpful.

  2. Sathish Manokaran 1 Reputation point

    Thanks Martin for your response. I shall explore the options in Azure policies. Cheers
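
The more granular role suggested in the first answer can be sketched as follows; this is an added example, not part of the original thread. It clones a simplified, constructed copy of Contributor into a custom role (the role name and the scope placeholder are hypothetical) that excludes `Microsoft.Sql/servers/firewallRules/write` and `/delete`, then checks the result with a small model of Azure RBAC's additive Actions/NotActions evaluation.

```python
import fnmatch
import json

FW_WRITE = "Microsoft.Sql/servers/firewallRules/write"
FW_DELETE = "Microsoft.Sql/servers/firewallRules/delete"

# Constructed, simplified copies of the built-in roles; take the real
# Contributor NotActions from `az role definition list --name Contributor`.
OWNER = {"Name": "Owner", "Actions": ["*"], "NotActions": []}
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

def restricted_contributor(base, scope):
    """Clone a role definition and exclude SQL firewall rule changes from it."""
    return {
        "Name": "Contributor without SQL firewall changes",  # hypothetical name
        "IsCustom": True,
        "Description": "Contributor that cannot add or delete SQL firewall rules.",
        "Actions": list(base["Actions"]),
        "NotActions": list(base["NotActions"]) + [FW_WRITE, FW_DELETE],
        "AssignableScopes": [scope],
    }

def _matches(patterns, operation):
    # Operation names are compared case-insensitively and may contain * wildcards.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, operation):
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)

def effective_allows(assigned_roles, operation):
    """Role assignments are additive: one role that allows the operation is enough."""
    return any(role_allows(r, operation) for r in assigned_roles)

if __name__ == "__main__":
    custom = restricted_contributor(CONTRIBUTOR, "/subscriptions/<subscription-id>")
    # Save this JSON and pass the file to: az role definition create --role-definition
    print(json.dumps(custom, indent=2))
    for roles in ([custom], [custom, CONTRIBUTOR], [OWNER]):
        print([r["Name"] for r in roles], effective_allows(roles, FW_WRITE))
```

Because NotActions is an exclusion and not a deny, the restriction only holds once the user's built-in Contributor assignment (direct, group-based or inherited from a parent scope) has been removed.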
