@Abhijit Mukherjee
Thank you for your post!
I understand that you have some Managed Identities with the Contributor role assigned at the Subscription level. Because of these assignments, the Managed Identities are given (inherit) Contributor access to all resources under that Subscription.
As you mentioned, you can definitely leverage Azure deny assignments to block the Managed Identities from performing specific actions on your managed disks. However, from our "Understand resource locking in Azure Blueprints" documentation, the Blueprints used to deny assignments are assigned at the management group level and scoped down to the Resource Group.
When it comes to our "Best practices for Azure RBAC" documentation, it's also best practice to grant users (managed identities in your scenario) the least privilege to get their work done. Avoid assigning broader roles at broader scopes, even if it initially seems more convenient to do so.
- Are these managed disks all in the same resource group?
- Is there a reason why the Managed Identities aren't assigned RBAC permissions at the resource or resource group scope?
Additional Links:
- How blueprint locks work
- Assignments - Create Or Update
- Best practices for Azure RBAC - Only grant the access users need
If you'd like the ability to deny assignments for specific resources, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
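The least-privilege advice above, as an added example that is not part of the answer or of Microsoft's documentation: a custom role definition in the JSON shape that `az role definition create --role-definition` accepts, placed next to an abbreviated Contributor, plus a small evaluator for Azure's Actions/NotActions wildcard rule so you can check what each role grants on disks before assigning it at subscription scope. The role name, the action list and the subscription id are assumptions and placeholders, not the DR vendor's documented requirements.

```python
"""Compare a broad built-in role with a scoped-down custom role for a DR identity.

Constructed example. Models only control-plane Actions/NotActions of a single
role; real evaluation also combines all assignments, DataActions and deny
assignments, and scope is the only way to narrow *which* resources are visible.
"""
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Built-in Contributor, abbreviated: everything except role/lock-style management.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
}

# Hypothetical least-privilege role: only what snapshot-based replication needs
# (assumed action set; verify against the vendor's requirements). It is still
# assigned at subscription scope, as the original poster requires.
DR_SNAPSHOT_ROLE = {
    "Name": "DR Snapshot Operator (example)",
    "IsCustom": True,
    "Description": "Create RGs, VMSS, storage accounts and disk snapshots only.",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action",  # SAS for block reads
        "Microsoft.Compute/disks/endGetAccess/action",
        "Microsoft.Compute/snapshots/*",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
    ],
    "NotActions": [],
    "AssignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
}


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' spans any characters (including '/'), case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(role: dict, action: str) -> bool:
    """Single-role decision: allowed if some Action matches and no NotAction does."""
    if any(_matches(p, action) for p in role.get("NotActions", [])):
        return False
    return any(_matches(p, action) for p in role["Actions"])


def removed_by_scoping_down(probes: list[str]) -> list[str]:
    """Actions Contributor would grant that the custom role withholds."""
    return [a for a in probes
            if is_allowed(CONTRIBUTOR, a) and not is_allowed(DR_SNAPSHOT_ROLE, a)]


def role_definition_json() -> str:
    """Body to save as role.json for: az role definition create --role-definition @role.json"""
    return json.dumps(DR_SNAPSHOT_ROLE, indent=2)
```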
Hello @JamesTran-MSFT
Thanks for the response.
To clarify, the managed identity is being used by a third-party solution for disaster recovery. The software is basically using this identity to create additional resources within the subscription, e.g. additional resource groups, VM scale sets, storage accounts and disk snapshots. I can create a custom RBAC role for it, but it must be assigned at the subscription level.
And yes, all managed disks are in the same resource group.
Now I have seen the documentation on deny assignments; it seems that, as of now, there is no way for end users to create one. Blueprints and resource locking seem not applicable here. I am basically trying to find a way so the identity cannot see some disks within the subscription that follow a specific naming convention, and probably RBAC is the only way to control it.
I shall definitely submit a feature request, and maybe it will be helpful to have more granular control over RBAC, especially in inheritance scenarios.
Do let me know if you have any questions or suggestions please.
Edit: Just to clarify, the solution needs access to the disks to understand block-level changes. It creates SAS-enabled snapshots to replicate the changes to the other region.