Is there a way to limit what users can see in Azure?

Vinster 1 Reputation point
2022-03-17T12:20:35.37+00:00

Hello,

This is my first post so apologies in advance if I have not submitted correctly.

Currently picking up an Azure deployment for a customer with literally no handover or documentation from the previous company. Users are currently using Wyse Thin Clients to RDP into Azure VMs with a public IP over RDP or use AzureVPN for RDP access if working remotely. This has proved difficult to manage with constant issues so I have deployed Bastion with MFA which works great.

The issue I have is I do not want users to see resources in the Azure portal, only the VM they have access to. Is there a way or any suggestions we could overcome this? I want to avoid extra costs as the VMs are very GPU intensive on the N series plan plus the Bastion cost. Also need to ensure very tight security is adhered to and ultimately remove the public IPs for each VM.

Any advice or help would be greatly appreciated.

Azure Role-based access control

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-03-17T22:52:34.92+00:00

    Hi @Vinster ,

    Question summary
    Is there a way to block users from viewing resources in the Azure portal and only give them access to a particular VM?

    Answer
    There are two ways that I know of to achieve this.

    1) You can use the setting "Restrict access to Azure AD administration portal" to prevent standard users from viewing any Azure AD data in the administrative portal. That said, this setting does not restrict access to Azure AD data by using PowerShell or other clients such as Visual Studio.

    2) You can use conditional access policies to restrict access to the Azure portal by blocking users, groups, or locations from the Microsoft Azure Management cloud app. This would also block access to the following services:

    Azure portal
    Azure Resource Manager provider
    Classic deployment model APIs
    Azure PowerShell
    Azure CLI
    Azure DevOps
    Azure Data Factory portal
    Azure Event Hubs
    Azure Service Bus
    Azure SQL Database
    SQL Managed Instance
    Azure Synapse
    Visual Studio subscriptions administrator portal

    Additional reading:
    Conditional Access: Microsoft Azure Management
    Default user permissions

    Let me know if this helps.

    -
    If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily locate the solution.

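As an added example (not part of the answer above and not Microsoft's own code), this creates the conditional access policy from option 2 with the Microsoft Graph PowerShell SDK. The group names and policy name are assumptions; the application ID is the well-known ID of the Microsoft Azure Management cloud app. The policy starts in report-only mode so the effect on the users' own sign-ins can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the answer): block the "Microsoft Azure Management"
# cloud app for a standard-user group, excluding an admin group, starting in
# report-only mode so sign-in logs can be reviewed before enforcement.
# Requires the Microsoft.Graph PowerShell SDK; group and policy names are assumed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Well-known application ID of the Microsoft Azure Management cloud app
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Assumed group names: resolve them to object IDs
$standardUsers = Get-MgGroup -Filter "displayName eq 'VM Users'"
$admins        = Get-MgGroup -Filter "displayName eq 'Azure Admins'"
if (-not $standardUsers -or -not $admins) {
    throw "Group lookup failed; check the assumed group names."
}

$policy = @{
    displayName = "Block Azure management for VM users"
    # Report-only first: the block also covers the portal, which is where the
    # users' Bastion sessions are launched from, so review sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($standardUsers.Id)
            excludeGroups = @($admins.Id)   # keep admin / break-glass accounts out of scope
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Once the report-only results look right, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```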
