How to disable RBAC inheritance over resources on Azure?

Abhijit Mukherjee 1 Reputation point

Hello, I am looking for an option to disable RBAC inheritance coming from the subscription level to a specific resource type, "Managed Disks". There are managed identities having Contributor RBAC over the subscription and I do not want that to be inherited by the managed disks that contain a specific string in their name; inheritance is acceptable for other disks. I tried with Azure Policy but it cannot block inheritance, it seems. Is a deny assignment an option here? I am not sure how flexible it is.


1 answer

  1. JamesTran-MSFT 36,351 Reputation points Microsoft Employee

    @Abhijit Mukherjee
    Thank you for your post!

    I understand that you have some Managed Identities with the Contributor role assigned at the Subscription level. Because of these assignments, the Managed Identities are given (inherit) Contributor access to all resources under that Subscription.

    As you mentioned, you can definitely leverage Azure deny assignments to block the Managed Identities from performing specific actions on your managed disks. However, according to our Understand resource locking in Azure Blueprints documentation, the Blueprints used for deny assignments are assigned at the management group level and scoped down to the Resource Group.

    When it comes to our Best practices for Azure RBAC documentation, it's also best practice to grant users (managed identities in your scenario) the least privilege to get their work done. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so.

    • Are these managed disks all in the same resource group?
    • Is there a reason why the Managed Identities aren't assigned RBAC permissions at the resource or resource group scope?

    Additional Links:
    How blueprint locks work
    Assignments - Create Or Update
    Best practices for Azure RBAC - Only grant the access users need

    If you'd like the ability to deny assignments for specific resources, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
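To see exactly which disks the subscription-level inheritance described in the question reaches, here is an added audit script; it is not code from the question, the answer, or Microsoft. It runs over constructed JSON shaped like `az role assignment list --all` and `az disk list` output, so the subscription ID, identity names and disk names are placeholders.

```python
"""Audit which managed disks inherit a Contributor assignment granted at a
broader scope (here the subscription), filtered by a string in the disk name.
All data below is constructed; field names follow the Azure CLI JSON output."""

CONTRIBUTOR = "Contributor"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed: one subscription-scope Contributor for a managed identity,
# plus a resource-group-scoped Reader that should never be reported.
ASSIGNMENTS = [
    {"principalName": "mi-deploy", "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalName": "mi-ops", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-b"},
]

# Constructed disks; two carry the protected string "secure" in their name.
def _disk(rg, name):
    return {"name": name,
            "id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/disks/{name}"}

DISKS = [_disk("rg-a", "vm1-os"),
         _disk("rg-a", "secure-data-01"),
         _disk("rg-b", "app-secure-02")]


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment applies to every resource
    whose ID lies under the assignment scope. Resource IDs are case-insensitive,
    and the trailing '/' check stops '/rg-a' from matching '/rg-ab'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def inherited_contributor(assignments, disks, name_fragment):
    """Return (principal, disk name) pairs where a Contributor assignment made
    above the disk itself reaches a disk whose name contains name_fragment."""
    findings = []
    for disk in disks:
        if name_fragment.lower() not in disk["name"].lower():
            continue
        for ra in assignments:
            if (ra["roleDefinitionName"] == CONTRIBUTOR
                    and ra["scope"].lower() != disk["id"].lower()
                    and scope_covers(ra["scope"], disk["id"])):
                findings.append((ra["principalName"], disk["name"]))
    return findings


if __name__ == "__main__":
    for principal, disk in inherited_contributor(ASSIGNMENTS, DISKS, "secure"):
        print(f"{principal} inherits Contributor on {disk}")
```

Each reported pair is an assignment to move down to the resource group or disk scope, which is the least-privilege fix the answer recommends while a per-resource deny assignment is not available.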