I have requirement to provide resources to a Team where they want to work independently. My single requirement for me is that all traffic going outside to internet should be managed by me via firewall, they should not have firewall access and rest they can play, build, decom delete whatever the resources (including storage, network, AD, gateways) whatever they want. So - Should I create a separate resource group and provide permissions to that team on specifically under this ! Or create a separate subscription, assign permissions to them. Whole Idea is about to not give them permissions to modify routes, outbound traffic direction. Thanks Vijay

@Anonymous Thank you for your post! Depending on the team's size that you have to provide resources to, since they have to work independently, you can see if using your current subscription would work best as an initial set-up. Going this route, you'll just need to create an Azure AD Group , add the team members, and assign the group the appropriate RBAC role at the Resource Group level. If this team requires a good number of resources or is part of a different organization, you can consider your second option and leverage management groups to efficiently manage access, policies, and compliance for those subscriptions. I hope this helps! If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Permissions on Subscription vs Permissions on resource group.

Accepted answer

JamesTran-MSFT 36,361 Reputation points Microsoft Employee

2022-06-23T22:33:10.523+00:00

@Anonymous
Thank you for your post!

Depending on the team's size that you have to provide resources to, since they have to work independently, you can see if using your current subscription would work best as an initial set-up. Going this route, you'll just need to create an Azure AD Group, add the team members, and assign the group the appropriate RBAC role at the Resource Group level.

If this team requires a good number of resources or is part of a different organization, you can consider your second option and leverage management groups to efficiently manage access, policies, and compliance for those subscriptions.

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please sign in to rate this answer.

1 person found this answer helpful.
Vijay Kumar 161 Reputation points

2022-06-24T08:14:27.607+00:00

Hi James

Thanks for detailed explanation. I am going to check management group options. The overall goal is -

To make engineering team to use all Azure resources lifecyclemanagement llike build, delete, test anything either its infra, devops work.

But I want to manage firewall and theirs's incoming outgoing traffic should be allowed by firewall which I should only handle. They shouldn't modify routes.

Limited permissions to AD so they can't create, delete users and groups and that must be managed by me.

As per my understanding, giving permissions to them on a resource group will restric them to use all resources use so was checking to give them new subscription so where they can test/build. at same time want to hold above permissions to me only. I am not sure if this is possible via management groups.

Thanks
Vijay

JamesTran-MSFT 36,361 Reputation points Microsoft Employee

2022-06-30T21:11:36.34+00:00

@Anonymous
Thank you for following up on this and I apologize for the delayed response!

For limited permissions within Azure AD, these will be different RBAC roles (Azure AD RBAC vs Azure RBAC) so you can definitely maintain management of Azure AD. When it comes to restricting network traffic through a Firewall, you can leverage our Azure Policy service to enforce All Internet traffic to be routed via your deployed Azure Firewall. Additionally, you can enable the Not allowed resource types policy and scope it to a specific Resource Group/Management Group.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Vijay Kumar 161 Reputation points

2022-07-01T08:19:53.303+00:00

Thank you for help on this James, i think this will work perfect on this requirement - https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c
Sign in to comment

Permissions on Subscription vs Permissions on resource group.

0 additional answers