@Abhijit Mukherjee
Thank you for your post!
I understand that you have some Managed Identities with the Contributor role assigned at the Subscription level. Because of these assignments, the Managed Identities inherit Contributor access to all resources under that Subscription.
As you mentioned, you can definitely leverage Azure deny assignments to block the Managed Identities from performing specific actions on your managed disks. However, per our Understand resource locking in Azure Blueprints documentation, the Blueprints used for deny assignments are assigned at the management group level and scoped down to the Resource Group.
When it comes to our Best practices for Azure RBAC documentation, it's also best practice to grant users (managed identities in your scenario) the least privilege to get their work done. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so.
- Are these managed disks all in the same resource group?
- Is there a reason why the Managed Identities aren't assigned RBAC permissions at the resource or resource group scope?
Additional Links:
How blueprint locks work
Assignments - Create Or Update
Best practices for Azure RBAC - Only grant the access users need
If you'd like the ability to deny assignments for specific resources, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
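To put the least-privilege advice in the answer above into a check you can run, here is an added example (not part of the Q&A post and not Microsoft code) that audits role assignments for broad roles granted to managed identities above resource-group scope. It assumes the input has the shape of `az role assignment list --all -o json` output (the `principalId`, `principalType`, `roleDefinitionName` and `scope` fields), and that managed identities show up there with `principalType` of `ServicePrincipal`; the records and GUIDs below are constructed placeholders.

```python
"""Least-privilege audit over Azure role assignments.

Added example, not code from the Q&A post. Assumes records shaped like
`az role assignment list --all -o json` output; sample data is constructed."""

import re

# Roles broad enough that a subscription- or management-group-scoped
# assignment to a managed identity deserves a review.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample records (GUIDs are placeholders), trimmed to the
# fields the audit needs.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app"},
    {"principalId": "00000000-0000-0000-0000-000000000003",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalId": "00000000-0000-0000-0000-000000000004",
     "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalId": "00000000-0000-0000-0000-000000000005",
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"
              "/resourceGroups/rg-app/providers/Microsoft.Compute/disks/disk01"},
]

# ARM scope patterns, matched case-insensitively because scope strings
# come back with mixed casing.
_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)


def scope_level(scope):
    """Classify an ARM scope as managementGroup, subscription, resourceGroup or resource."""
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def find_broad_assignments(assignments, principal_types=("ServicePrincipal",)):
    """Return assignments granting a broad role at subscription or management-group scope.

    Managed identities are listed as ServicePrincipal (assumption), so that
    is the default principal filter; pass more types to widen the audit."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if (a["principalType"] in principal_types
                and a["roleDefinitionName"] in BROAD_ROLES
                and level in ("managementGroup", "subscription")):
            findings.append({"principalId": a["principalId"],
                             "role": a["roleDefinitionName"],
                             "scope": a["scope"],
                             "level": level})
    return findings


if __name__ == "__main__":
    for f in find_broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: {f['principalId']} has {f['role']} at {f['level']} scope ({f['scope']})")
```

On the sample data only the first identity is flagged: it holds Contributor at subscription scope, while the second holds the same role at resource-group scope and the fifth holds a narrower built-in role on a single disk, which is the pattern the answer recommends. Against real output, redirect `az role assignment list --all -o json` to a file and feed the parsed list to `find_broad_assignments`.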