Hello, I am trying to create a custom user role that would prevent the user from canceling or renaming an Azure subscription.
This is the JSON I am using; however, it seems like the user still has access to the subscription.
"Name": "New Role",
"Id": null,
"IsCustom": true,
"Description": "Lets you manage everything except access to resources or subscriptions.",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Subscription/cancel/action",
"Microsoft.Subscription/CreateSubscription/action",
"Microsoft.Subscription/register/action",
"Microsoft.Subscription/rename/action",
"Microsoft.Subscription/SubscriptionDefinitions/write"
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/00000000000000000000000000000"
]
}