Hello Thomas Yiu,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you would like to restrict who can use user-assigned managed identities in Azure.
There are two main ways to achieve this: built-in RBAC roles and Azure Policy.
- You can use Azure built-in role-based access control (RBAC) roles, and you can grant permissions at the subscription or resource group level. Also, you can restrict which users or groups can attach these identities to their services. https://docs.microsoft.com/azure/role-based-access-control/built-in-roles
- Using Azure Policy to prevent users from creating user-assigned managed identities is achievable when you sign in to the Azure portal, navigate to "Policy," and create a policy definition with a rule similar to the one below (see https://video2.skills-academy.com/en-us/answers/questions/1923459/how-to-limit-user-assigned-managed-identities-to-a and https://video2.skills-academy.com/en-us/azure/governance/policy/concepts/definition-structure-basics):

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.ManagedIdentity/userAssignedIdentities"
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
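As an added illustration of how the policy rule in the answer above is matched against resources (example code, not part of the answer or of Azure's own engine): a small Python model of the condition subset used in such definitions (`field`/`equals`/`in`, `allOf`/`anyOf`/`not`). It reproduces the deny-all rule from the answer and adds a constructed variant that denies user-assigned identities only outside an approved-location list; the resource records and the location list are constructed sample data, and field aliases and effects other than `deny` are not modelled.

```python
from typing import Any, Dict, List, Optional

# Rule copied from the answer: deny creation of any user-assigned identity.
DENY_ALL_UAMI = {
    "if": {"field": "type",
           "equals": "Microsoft.ManagedIdentity/userAssignedIdentities"},
    "then": {"effect": "deny"},
}

# Constructed variant: deny user-assigned identities outside approved locations.
DENY_OUTSIDE_LOCATION = {
    "if": {"allOf": [
        {"field": "type",
         "equals": "Microsoft.ManagedIdentity/userAssignedIdentities"},
        {"not": {"field": "location", "in": ["eastus", "westeurope"]}},
    ]},
    "then": {"effect": "deny"},
}

def evaluate_condition(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate a policy condition; string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "in" in cond:
        return value in [str(v).lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(rule: Dict[str, Any], resource: Dict[str, Any]) -> Optional[str]:
    """Return the effect that fires for a resource, or None if the rule does not match."""
    if evaluate_condition(rule["if"], resource):
        return str(rule["then"]["effect"]).lower()
    return None

def denied_names(rule: Dict[str, Any], resources: List[Dict[str, Any]]) -> List[str]:
    """Names of the resources whose creation the rule would deny."""
    return [r["name"] for r in resources if effect_for(rule, r) == "deny"]

UAMI = "Microsoft.ManagedIdentity/userAssignedIdentities"
SAMPLE_RESOURCES = [  # constructed sample requests, not real resources
    {"name": "uami-ops", "type": UAMI, "location": "eastus"},
    {"name": "uami-dev", "type": UAMI, "location": "centralus"},
    {"name": "vm-web", "type": "Microsoft.Compute/virtualMachines", "location": "centralus"},
]

if __name__ == "__main__":
    print("deny all:", denied_names(DENY_ALL_UAMI, SAMPLE_RESOURCES))
    print("deny outside approved locations:", denied_names(DENY_OUTSIDE_LOCATION, SAMPLE_RESOURCES))
```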