Azure blueprints deny inherited roles to storage account

Nick T 1 Reputation point

We have a storage account that contains sensitive info. We need to remove certain groups that have inherited access (the dev group, for example). If I select the group and try to "Remove" the group from the storage account, it tells me "Inherited role assignments cannot be removed". When I go to the Deny assignments page, it says that I need to use Azure Blueprints to add a rule. I'm struggling with building the right blueprint to remove access.

Can you give me an example blueprint that would accomplish this, or is there a better method for making this happen? I'm open to any way to deny select inherited groups. Thanks.




1 answer

  1. Sumarigo-MSFT 43,911 Reputation points Microsoft Employee

    @Nick T Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    Blueprints is not a tool to create deny assignments. Instead, Deny assignments are a feature that the Blueprints service uses to leverage its own functionality.

    Blueprints can only lock resources that a blueprint creates, in a do not delete or read only fashion, so it won't cover this requirement.

    Azure doesn't offer functionality for users to create their own custom deny assignments.

    Please let us know if you have any further queries. I’m happy to assist you further.



    1 person found this answer helpful.
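
The portal message in the question reflects how Azure RBAC scopes work: an inherited role assignment can only be removed at the scope where it was made. The following is an added example, not part of the original question or answer, that sorts the output of `az role assignment list --scope <storage-account-id> --include-inherited -o json` into direct and inherited assignments and names the level each inherited one comes from. The subscription ID, resource names and groups in the sample are constructed.

```python
import json

# Constructed sample shaped like `az role assignment list --include-inherited -o json`.
# All IDs, names and groups below are made up for illustration.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE_ID = (SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage"
              "/storageAccounts/sensitivestore")
SAMPLE = json.dumps([
    {"principalName": "dev-group", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "data-owners", "roleDefinitionName": "Storage Blob Data Owner",
     "scope": STORAGE_ID},
    # Scope strings are case-insensitive; this one differs in case on purpose.
    {"principalName": "ops-group", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourcegroups/RG-Data"},
    {"principalName": "platform-admins", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
])

def scope_level(scope):
    """Name the RBAC level (root, management group, subscription, ...) of a scope."""
    s = scope.rstrip("/").lower()
    if s == "":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    parts = s.strip("/").split("/")
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def classify(assignments, resource_id):
    """Split assignments into those made on the resource and those inherited."""
    target = resource_id.rstrip("/").lower()
    direct, inherited = [], []
    for a in assignments:
        row = (a["principalName"], a["roleDefinitionName"], scope_level(a["scope"]))
        is_direct = a["scope"].rstrip("/").lower() == target
        (direct if is_direct else inherited).append(row)
    return direct, inherited

if __name__ == "__main__":
    direct, inherited = classify(json.loads(SAMPLE), STORAGE_ID)
    for name, role, level in inherited:
        print(f"inherited: {name} has {role} from the {level} scope")
    for name, role, level in direct:
        print(f"direct:    {name} has {role} on the storage account")
```
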