Azure RBAC

Girish 61 Reputation points
2020-07-20T00:37:01.863+00:00

Hello

I have given, say, user A OWNER access at the management group level. It means user A will have access to anything below it, such as subscriptions, resource groups, etc., because of the parent-child relationship. My question: is it possible to restrict the access of user A even though I have given Owner access at the management group level?

Azure Role-based access control

Accepted answer
  1. olufemia-MSFT 2,861 Reputation points
    2020-07-22T04:20:20.167+00:00

    To achieve your scenario, try setting an explicit "deny assignment" targeting the resource or set of resources (scope) you would like to deny user A.

    It's worth noting that since user A is already OWNER with Administrator-level permission on the management group, there's nothing stopping user A from reversing/removing the deny assignment and gaining access to the previously denied resource.

    For more information, check out the content: Understanding Azure deny Assignments

1 additional answer

  1. Ming 6 Reputation points
    2021-03-08T02:37:52.957+00:00

    Hi, thanks for your reply.

    Instead of denying certain access, we want to know what a user won't be able to do if they have Contributor access.
    The organization cannot grant Owner access to users, so we would like to find out what other access needs to be given "on top" of Contributor access to complete a deployment from beginning to end.
    Hence a list of what "Contributor" CANNOT do will help. Thank you.

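A simplified model of how Azure RBAC evaluates the two cases raised in this thread: an Owner assignment inherited from a management group overridden by a deny assignment, and the operations that Contributor's NotActions exclude. This is an added example, not code from the posters or from Microsoft; the scopes, principals and assignments are constructed, and the Contributor NotActions shown are a subset of the built-in definition.

```python
from fnmatch import fnmatchcase

# Reduced role definitions. Contributor's NotActions here are a subset of the
# built-in role; list the current set with:
#   az role definition list --name Contributor
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
}

# Constructed scope hierarchy (child -> parent); all IDs are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/mg-example"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP, RG_LOCKED = SUB + "/resourceGroups/rg-app", SUB + "/resourceGroups/rg-locked"
PARENTS = {RG_APP: SUB, RG_LOCKED: SUB, SUB: MG}

# Constructed assignments mirroring the thread.
ROLE_ASSIGNMENTS = [
    {"principal": "userA", "role": "Owner", "scope": MG},
    {"principal": "userB", "role": "Contributor", "scope": SUB}]
DENY_ASSIGNMENTS = [{"principal": "userA", "scope": RG_LOCKED, "actions": ["*"]}]

def matches(patterns, action):
    # Action strings are case-insensitive; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def applies(assigned_scope, target):
    # An assignment covers its own scope and everything beneath it.
    while target is not None:
        if target == assigned_scope:
            return True
        target = PARENTS.get(target)
    return False

def is_allowed(principal, action, scope, roles=ROLE_ASSIGNMENTS, denies=DENY_ASSIGNMENTS):
    # Deny assignments are checked first and override role assignments.
    for d in denies:
        if d["principal"] == principal and applies(d["scope"], scope) and matches(d["actions"], action):
            return False
    for r in roles:
        role = ROLES[r["role"]]
        if (r["principal"] == principal and applies(r["scope"], scope)
                and matches(role["actions"], action)
                and not matches(role["not_actions"], action)):
            return True
    return False
```

The model leaves out data actions, conditions, group membership and the exclusion fields that real deny assignments carry.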