2
votes

I have a Subscription in my company that is shared for all members of the team (all employees). We use this subscription for test, dev and also production workloads. We have only one subscription because it is a sponsored subscription thanks to our MS partnership, so we don't want to create other subscriptions.

I want to restrict the access to a particular resource group that will host production resources where sensitive data will be managed. Because all members of the team are Contributors at the subscription level, they have access to all resource groups and I can't remove them from the resource group. So how can I proceed if I want to revoke their access to the resource group and allow them to use all other resource groups?


1 Answer

2
votes

So how can I proceed if I want to revoke their access to the resource group and allow them to use all other resource groups?

AFAIK, the only way to do so is to remove the users' role (Contributor) at the subscription level and assign them at each resource group (other than the production resource group). If a user has a higher role (say Contributor) at the subscription level, then you can't assign a lower role (say Reader) at the resource group level.

Essentially with Azure RBAC, when you grant access at a parent scope, those permissions are inherited to the child scopes.

You can read more about Azure RBAC here: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview#how-rbac-works.
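The re-scoping the answer describes, written out as an added Azure CLI example (this is not code from the question, the answer, or Microsoft). Azure RBAC is additive: a Reader assignment on the production resource group would sit alongside the inherited Contributor assignment and restrict nothing, so the subscription-level Contributor assignment has to go. The script builds the per-resource-group `az role assignment create` commands first and the subscription-level `az role assignment delete` last, so the users never hit a window with no access at all. The subscription id, principal id and resource group names below are constructed placeholders; in real use the group list comes from `az group list --query "[].name" -o tsv`.

```shell
#!/bin/sh
# Added example: move Contributor from subscription scope to every resource
# group except the production one. Placeholders are constructed, not real ids.
set -eu

# Read resource group names (one per line) on stdin and print every name
# that is not the production group given as $1.
non_prod_groups() {
  prod="$1"
  while IFS= read -r rg; do
    if [ -n "$rg" ] && [ "$rg" != "$prod" ]; then
      printf '%s\n' "$rg"
    fi
  done
}

# Print the az commands for one principal: grant Contributor on each
# non-production resource group, then revoke it at the subscription.
# $1 subscription id, $2 production resource group, $3 principal object id,
# $4 newline-separated resource group names.
plan() {
  sub="$1"; prod="$2"; principal="$3"; groups="$4"
  printf '%s\n' "$groups" | non_prod_groups "$prod" | while IFS= read -r rg; do
    printf 'az role assignment create --assignee %s --role Contributor --scope /subscriptions/%s/resourceGroups/%s\n' \
      "$principal" "$sub" "$rg"
  done
  # Revoke last so the user keeps access throughout the change.
  printf 'az role assignment delete --assignee %s --role Contributor --scope /subscriptions/%s\n' \
    "$principal" "$sub"
}

# Constructed sample standing in for: az group list --query "[].name" -o tsv
SAMPLE_GROUPS="$(printf 'rg-dev\nrg-test\nrg-prod')"
# Dry run: prints the commands; pipe into `sh` after replacing the placeholders.
plan "00000000-0000-0000-0000-000000000000" "rg-prod" "<principal-object-id>" "$SAMPLE_GROUPS"
```

Run it once per user (or, better, once for a security group that holds the team, so future hires are covered by a single assignment), review the printed commands, and then execute them. After the change, `az role assignment list --scope /subscriptions/<id>` should no longer show the team at subscription scope, and only the intended principals should appear when listing assignments on the production group.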