Permissions on Subscription vs Permissions on resource group.

Vijay Rana 76 Reputation points

I have requirement to provide resources to a Team where they want to work independently. My single requirement for me is that all traffic going outside to internet should be managed by me via firewall, they should not have firewall access and rest they can play, build, decom delete whatever the resources (including storage, network, AD, gateways) whatever they want.

So -

  1. Should I create a separate resource group and provide permissions to that team on specifically under this !
  2. Or create a separate subscription, assign permissions to them.

Whole Idea is about to not give them permissions to modify routes, outbound traffic direction.


Azure Cost Management
Azure Cost Management
An Azure service that provides cloud cost management capabilities.
980 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
52 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
678 questions
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,765 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
372 questions
No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 26,616 Reputation points Microsoft Employee

    @Vijay Rana
    Thank you for your post!

    Depending on the team's size that you have to provide resources to, since they have to work independently, you can see if using your current subscription would work best as an initial set-up. Going this route, you'll just need to create an Azure AD Group, add the team members, and assign the group the appropriate RBAC role at the Resource Group level.

    If this team requires a good number of resources or is part of a different organization, you can consider your second option and leverage management groups to efficiently manage access, policies, and compliance for those subscriptions.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

0 additional answers

Sort by: Most helpful