Microsoft Azure: How to setup Contributor-role User Groups for separate Resource Groups?

0
votes

I am trying to setup 2 separate Contributor-role user group for 2 separate Resource Groups in Microsoft Azure. In the new portal, I added 2 groups in the Contributor role. So after I created a new Azure website and its resource group, the 2 contributor user groups are automatically accessible to the new resource group, however, I want to only allow one group to be able to access that resource. I went in to the Resource Group blade and select the User group I don't want it to access, however, the 'Remove' button is disabled. So how can I remove the User group?

And also I realized that a member of the User Group is not able to see the resource assigned but if that member is added explicitly as a user(without a group), the user is then able to access the resource group. So my question is, is the Resource Group not supported for user group (yet)? In my case, should I create 2 separate active directory for the 2 different user groups?

2
azureuser-managementazure-active-directory

2 Answers

2
votes

It sounds like you've assigned your 2 groups to the Contributor role at the subscription level. If you want to remove access for one of those groups (or otherwise manage access at a more granular level than the subscription) you should go to your subscription, remove the group there (where it was assigned), and then individually add that same group to the Resource Groups that you want it to have access. Make sense?

0
votes

Role assignments are supported for user groups.

My hypothesis for the user/group issue is that you may have recently added the user to the group. If you sign the user out and in again they might be able to get access.

Feel free to email me specifically on this issue as well.