If a user is granted reader role on subscription level, but I want to remove his reader role for a particular resource group under this subscription

Neha 101 Reputation points
2022-05-25T09:05:16.68+00:00

If a user is granted owner role on subscription level, but I want to remove his owner role for a particular resource group under this subscription. I understand this can be achieved by deny assignment. Therefore I want to know how to create a blueprint for deny permission.


Accepted answer
  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2022-05-30T21:22:32.223+00:00

    Hi @Neha ,

    A deny assignment gets created when you select a blueprint lock type. This is described in the article here: https://learn.microsoft.com/en-us/azure/governance/blueprints/tutorials/protect-new-resources

    You can't apply the deny assignments to existing resources, but you can add it during the creation of new ones.

    If you apply the resource locks, you can block subscription owners from editing or deleting the resource group. However, based on the existing locks you cannot block Read access or apply the same granular level of control that you can apply using regular RBAC. The table of existing Locking Modes is defined here:

    [image: table of blueprint locking modes]

    If you are looking for a way to add this type of granularity you can make a feature request in the Ideas forum, though. In most cases it makes sense for subscription-level roles to have the ability to control the resources within that subscription. The resource locks are an exception as a way to prevent accidental or programmatic deletion or alteration.


2 additional answers

  1. Neha 101 Reputation points
    2022-05-31T09:16:51.383+00:00

    @Marilee Turscak-MSFT - Thank you for the response. Even I used the same option, but we need to implement the deny on an existing resource. Will post the idea on the forum.


  2. Lucas Edson 21 Reputation points
    2022-08-08T17:15:11.32+00:00

    Have you tried creating a role using the NotActions ability? I've described it in my blog at: https://level400.org/2022/04/11/specialized-role-permissions-locking-down-standard-azure-infrastructure/

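The two mechanisms mentioned in the answers above behave differently: a deny assignment (such as the one a blueprint lock creates) overrides a role at a narrower scope, while NotActions only subtracts from a custom role everywhere that role is assigned. The evaluator below is an added example to make that difference concrete; it is not code from this thread or from Azure, the subscription id, principal name and role definitions are constructed, and the matching logic is a simplified model of Azure's evaluation order.

```python
import fnmatch

# Constructed sample scopes (placeholder subscription id, not a real one)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_LOCKED = SUB + "/resourceGroups/rg-locked"
RG_OTHER = SUB + "/resourceGroups/rg-other"

# Constructed role definitions: Owner, and a custom role using NotActions to subtract deletes
OWNER = {"Actions": ["*"], "NotActions": []}
NO_DELETE_ROLE = {"Actions": ["*"], "NotActions": ["*/delete"]}

def matches(pattern, operation):
    # Azure operation strings use '*' as a wildcard; comparison is case-insensitive
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def in_scope(assignment_scope, resource_scope):
    # An assignment at a scope covers that scope and everything beneath it
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def covers(entry, operation):
    # Role definitions and deny assignments both mean: Actions minus NotActions
    return any(matches(p, operation) for p in entry["Actions"]) and \
        not any(matches(p, operation) for p in entry.get("NotActions", []))

def is_permitted(principal, operation, resource_scope, role_assignments, deny_assignments):
    """Simplified model: a matching deny assignment wins; otherwise any role
    assignment covering the scope whose role covers the operation grants access."""
    for d in deny_assignments:
        if ("*" in d["Principals"] or principal in d["Principals"]) \
                and in_scope(d["Scope"], resource_scope) and covers(d, operation):
            return False
    return any(ra["Principal"] == principal and in_scope(ra["Scope"], resource_scope)
               and covers(ra["Role"], operation) for ra in role_assignments)

# Scenario from the question: Owner at subscription scope for a constructed principal
owner_at_sub = [{"Principal": "alice", "Scope": SUB, "Role": OWNER}]
# Deny assignment like the one a blueprint 'Do Not Delete' lock creates on rg-locked
do_not_delete = [{"Principals": ["*"], "Scope": RG_LOCKED, "Actions": ["*/delete"], "NotActions": []}]
# The NotActions alternative: a custom role at subscription scope instead of Owner
no_delete_at_sub = [{"Principal": "alice", "Scope": SUB, "Role": NO_DELETE_ROLE}]

def demo():
    op = "Microsoft.Compute/virtualMachines/delete"
    return {
        "owner_deletes_in_locked_rg": is_permitted("alice", op, RG_LOCKED, owner_at_sub, []),
        "deny_blocks_locked_rg": is_permitted("alice", op, RG_LOCKED, owner_at_sub, do_not_delete),
        "deny_leaves_other_rg": is_permitted("alice", op, RG_OTHER, owner_at_sub, do_not_delete),
        # NotActions removes delete wherever the role applies, not for one resource group only
        "notactions_blocks_other_rg_too": is_permitted("alice", op, RG_OTHER, no_delete_at_sub, []),
    }
```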
