I have tried writing custom RBAC roles to deny access to particular resource group for a user who is contributor role on subscription level but could not succeed, i want to deny user only for particular resource group in a subscription but user should have rest all other access.
1
votes
1 Answers
1
votes
If you create a custom role this will work, however, custom roles do not work additively to existing permissions, so DENY permissions in custom role will only work for the permissions you've granted in the same custom role.
So there is no way of doing this if a user is subscription contributor with RBAC. You might come up with some Azure Policy, though.
