How do I give a user access to a single App Server, SQL Database, & Azure Storage

David Thielen 3,121 Reputation points
2024-05-31T22:32:34.61+00:00

Hi;

I want to have my QA team do some load testing of the dev slot of our web app. I want to give them full administrative access to the dev slot app service and its associated SQL Database and BLOB Storage. I do not want them to have any administrative access to anything else. (I trust them, but people sometimes click the wrong button.)

Is there a way to do this? And if so, how?

Also, if the answer is to put it in a distinct subscription, can I swap the app service instance between subscriptions?

thanks - dave


Accepted answer
  1. SnehaAgrawal-MSFT 21,691 Reputation points
    2024-06-03T07:51:19.09+00:00

    @David Thielen Thanks for asking the question!

    Yes, there is a way to give a user access to a single App Server, SQL Database, and Azure Storage.

    You can create a new Azure Active Directory group and add the QA team members to that group. Then, you can assign the group the Contributor role for the App Service, SQL Database, and Azure Storage account that you want to give them access to. This will give them full administrative access to the resources, but only for the specific resources that you have assigned them to.

    To create a new Azure AD group and assign it the Contributor role for the resources, follow these steps:

    1. In the Azure portal, go to the resource group that contains the resources you want to give access to.
    2. Click on the Access control (IAM) tab.
    3. Click on the Add button and select Add role assignment.
    4. In the Add role assignment pane, select Contributor as the role.
    5. In the Assign access to pane, select Azure AD user, group, or service principal.
    6. In the Select pane, search for the Azure AD group you want to add and select it.
    7. Click on the Save button to add the group and assign the role.

    Second method:

    To grant the QA team the necessary permissions, use Azure RBAC. You can create a custom role that includes the required permissions and assign it to the QA team at the subscription level. This approach ensures they have access to specific resources without having access to anything else.

    In the Azure portal, go to the subscription that contains the resources you want to give access to.

    1. Click on the Access control (IAM) tab.
    2. Click on the Add button and select Add role assignment.
    3. In the Add role assignment pane, click on the Role drop-down list and select Create custom role.
    4. In the Create custom role pane, give the role a name and description.
    5. Click on the Add permissions button and select the necessary permissions for the role. For example, you can select the Microsoft.Storage/storageAccounts/* and Microsoft.Web/sites/* actions to give the QA team access to the App Service and Azure Storage account.
    6. Click on the Add button to add the permissions to the role.
    7. Click on the Review + create button to review the role settings.
    8. Click on the Create button to create the custom role.
    9. In the Add role assignment pane, select the custom role you just created.
    10. In the Assign access to pane, select Azure AD user, group, or service principal.
    11. In the Select pane, search for the Azure AD group you want to add and select it.
    12. Click on the Save button to add the group and assign the custom role.

    Once you have completed these steps, the QA team will have access to the specific resources they need without giving them access to anything else in the subscription.

    Links to refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices

    Please let us know if any further query or issue remains.
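
Added example (not part of the answer above and not Microsoft's own code): Azure RBAC role assignments are inherited by every child of the scope they are made at, so this Azure CLI script assigns Contributor to the QA group on the dev slot, the database and the storage account themselves rather than on a resource group or subscription. The subscription id, resource group, resource names and group object id are placeholders; by default the script only prints the commands, and `APPLY=1` runs them.

```shell
#!/usr/bin/env bash
# Added example: one Contributor assignment per resource, nothing broader.
# Every value below is a placeholder, not taken from the question.
SUB="00000000-0000-0000-0000-000000000000"              # subscription id
RG="rg-example"                                         # resource group
GROUP_OBJECT_ID="11111111-1111-1111-1111-111111111111"  # QA group object id

# Build the ARM resource ID for a provider path inside the resource group.
# $1 example: Microsoft.Web/sites/example-app/slots/dev
resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/%s' "$SUB" "$RG" "$1"
}

# The three scopes the QA group should hold Contributor on, one per line.
qa_scopes() {
  resource_id "Microsoft.Web/sites/example-app/slots/dev"; echo
  resource_id "Microsoft.Sql/servers/example-sql/databases/example-db-dev"; echo
  resource_id "Microsoft.Storage/storageAccounts/exampledevstorage"; echo
}

# True only for a scope that names a resource. Subscription and resource
# group scopes are rejected because every resource below them inherits
# the assignment.
is_single_resource_scope() {
  case "$1" in
    */providers/*/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print (default) or run (APPLY=1) one role assignment per scope.
assign_qa_access() {
  for scope in $(qa_scopes); do
    is_single_resource_scope "$scope" || {
      echo "refusing broad scope: $scope" >&2
      return 1
    }
    set -- az role assignment create \
      --assignee-object-id "$GROUP_OBJECT_ID" \
      --assignee-principal-type Group \
      --role Contributor --scope "$scope"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
  done
}

assign_qa_access
```

Contributor covers management-plane operations on each resource. Reading or writing blob data with Entra ID credentials needs a data role such as Storage Blob Data Contributor, which can be assigned at the same storage account scope.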
