Permissions on Subscription vs Permissions on resource group.

Vijay Kumar 161 Reputation points

I have requirement to provide resources to a Team where they want to work independently. My single requirement for me is that all traffic going outside to internet should be managed by me via firewall, they should not have firewall access and rest they can play, build, decom delete whatever the resources (including storage, network, AD, gateways) whatever they want.

So -

  1. Should I create a separate resource group and provide permissions to that team on specifically under this !
  2. Or create a separate subscription, assign permissions to them.

Whole Idea is about to not give them permissions to modify routes, outbound traffic direction.


Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
2,027 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
663 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
83 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,192 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,444 questions
0 comments No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee

    Thank you for your post!

    Depending on the team's size that you have to provide resources to, since they have to work independently, you can see if using your current subscription would work best as an initial set-up. Going this route, you'll just need to create an Azure AD Group, add the team members, and assign the group the appropriate RBAC role at the Resource Group level.

    If this team requires a good number of resources or is part of a different organization, you can consider your second option and leverage management groups to efficiently manage access, policies, and compliance for those subscriptions.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful