Azure Subscription Custom User Role

Jason Johnson 1 Reputation point
2020-01-07T19:22:35.043+00:00

Hello, I am trying to create a custom user role that would restrict the user from the ability of canceling or renaming an Azure subscription.

This is the JSON I am using; however, it seems like the user still has access to the subscription.


{
    "Name": "New Role",
    "Id": null,
    "IsCustom": true,
    "Description": "Lets you manage everything except access to resources or subscriptions.",
    "Actions": [
        "*"
    ],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/CreateSubscription/action",
        "Microsoft.Subscription/register/action",
        "Microsoft.Subscription/rename/action",
        "Microsoft.Subscription/SubscriptionDefinitions/write"
    ],
    "DataActions": [
    ],
    "NotDataActions": [
    ],
    "AssignableScopes": [
        "/subscriptions/00000000000000000000000000000"
    ]
}

2 answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-01-08T05:08:26.097+00:00

    @Jason Johnson If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

    E.g., if the user is assigned Contributor and New Role (the custom role that you are creating), the user will be allowed to rename the subscription because the Contributor role allows this action.

    I would suggest that you create a new test user, assign only the "New Role" to that user, and try to rename the subscription to make sure no other role is allowing this action.

    -----------------------------------------------------------------------------------------------------------

    Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
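
The rule the answer above describes (each role grants Actions minus NotActions; the grants of all assigned roles are then unioned, so NotActions in one role never deny what another role allows) can be checked offline with the following added example. It is not code from the answer or from Microsoft, and it models only the Actions/NotActions part of Azure RBAC: no deny assignments, no DataActions, no scope inheritance. NEW_ROLE copies the JSON from the question; CONTRIBUTOR_LIKE and READER_LIKE are constructed, simplified stand-ins for the built-in roles, not their exact definitions.

```python
import fnmatch

# Constructed role definitions for illustration only.
# NEW_ROLE mirrors the custom role JSON posted in the question.
NEW_ROLE = {
    "Name": "New Role",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/CreateSubscription/action",
        "Microsoft.Subscription/register/action",
        "Microsoft.Subscription/rename/action",
        "Microsoft.Subscription/SubscriptionDefinitions/write",
    ],
}

# Simplified stand-in for the built-in Contributor role (assumption: the real
# definition has more NotActions, but none of them cover subscription cancel/rename).
CONTRIBUTOR_LIKE = {
    "Name": "Contributor (simplified stand-in)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Simplified stand-in for the built-in Reader role.
READER_LIKE = {"Name": "Reader (simplified stand-in)", "Actions": ["*/read"], "NotActions": []}


def _matches(pattern, operation):
    # Azure operation strings are compared case-insensitively; '*' matches any
    # substring, including '/' separators, which fnmatch's '*' also does.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """One role grants an operation if some Actions entry matches it
    and no NotActions entry matches it (NotActions only subtract from
    this role's own Actions)."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not excluded


def effective_allow(roles, operation):
    """Across several assignments the grants are unioned: a single role
    that allows the operation is enough, whatever the others exclude."""
    return any(role_allows(r, operation) for r in roles)


def explain(roles, operation):
    """Per-role verdicts, useful for seeing which assignment is the leak."""
    return {r["Name"]: role_allows(r, operation) for r in roles}


if __name__ == "__main__":
    for op in ("Microsoft.Subscription/cancel/action", "Microsoft.Subscription/rename/action"):
        print(op)
        print("  New Role only       ->", effective_allow([NEW_ROLE], op))
        print("  New Role + Reader   ->", effective_allow([NEW_ROLE, READER_LIKE], op))
        print("  New Role + Contrib. ->", effective_allow([NEW_ROLE, CONTRIBUTOR_LIKE], op),
              explain([NEW_ROLE, CONTRIBUTOR_LIKE], op))
```

With only New Role (or New Role plus a read-only role) the cancel and rename operations come out as not allowed; adding the Contributor stand-in flips them to allowed, and `explain` shows that it is the Contributor assignment, not the custom role, that grants them. In a real subscription the equivalent check is to enumerate every assignment the test user receives, including ones inherited through groups or from a parent scope, for example with `az role assignment list --assignee <user> --all --include-groups --include-inherited`, and confirm that the custom role is the only one present.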


  2. Jason Johnson 1 Reputation point
    2020-01-08T17:06:05.767+00:00

    Ok.

    I did create a test user and assigned it this new role and it was still able to change and cancel the subscription.

    Basically what I am trying to do, is to create a Contributor role without the ability to cancel or rename the subscription. The controls should be greyed out.
