Limit User managed identity to be used within a Subscription

Gaurav Verma 1 Reputation point
2020-01-31T01:33:32.197+00:00

We have multiple teams within our organisation. Each team have their own Azure subscription under the same AAD tenancy.

Our requirement is to

  1. Create User managed Identity and permissions assigned.
  2. Limit the usage of the User managed identity to be allowed only in a specific subscription.

The above are once of activity done by the infra team who have rights write access to AAD.

Once user managed identity is created we want to use it to assign to the worker nodes spun up by Jenkins to perform automation tasks. This action will be done by application teams who don't have write access to AAD.

We do not want to use system identity as its created every time and application teams don't have rights to assign permissions to identity.

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,093 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Somnath Shukla 411 Reputation points
    2020-02-07T11:20:05.527+00:00

    I think you can use root management groups. and you can assign identities to particular subscription
    https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

    0 comments No comments