Azure AD custom roles

vasudeva reddy 41 Reputation points
2020-07-30T08:22:23.503+00:00

Hi Team,

I want to create a custom contributor role which can access/modify all resources but cannot assign roles to others and cannot modify policies.

There is also another restriction on this role: assume we have 100 storage accounts; this role should have reader access to 1 storage account and contributor access to all the other storage accounts.

Can you please help me with the possibilities?

Thanks
Vasudev

Microsoft Entra ID

2 answers

  1. 2020-07-30T18:59:00.183+00:00

    You will have to create 2 custom roles, one that grants read permissions and the other that grants contributor permissions, and:

    • Add a role assignment at the subscription level (the one that will contain all aforementioned storage accounts) for the one that grants read permissions, so that it applies to all storage accounts below it.
    • Add a role assignment at the resource group level (the one where the "all other storage accounts" will be placed) for the one that grants contributor permissions.

    Or

    Create 2 resource groups:

    • One that will contain "all other storage accounts". Add a role assignment to this one for the role that grants contributor permissions.
    • One that will only contain the lone storage account. Add a role assignment to this one for the role that grants reader permissions.

  2. vasudeva reddy 41 Reputation points
    2020-07-31T09:44:01.407+00:00

    Currently we are managing access via Azure groups; below is what I have tried.

    1) We have a group named ---Azure-xxxx-contributors
    2) The contributor role is already assigned to that group
    3) Assigned a new role to that group at the storage account resource level, having reader access
    4) The user is still able to edit/delete in that storage account because the contributor access at the subscription level is inherited

    What we want: we have 10 storage accounts in one RG; we need reader access to only 1 storage account, and all other 9 storage accounts should have contributor access.
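The scope inheritance both posts describe, as an added example that is not part of either post: a small Python model of Azure RBAC evaluation (scope ids, account names and the custom role name are constructed). It shows that assignments are additive, so the Reader assignment from the follow-up cannot narrow contributor access inherited from the subscription, while the two-scope layout from the answer does give the intended result.

```python
# Added example (not from either post): a simplified model of Azure RBAC evaluation,
# showing why Reader on one account cannot override Contributor inherited from the
# subscription. Simplifications: no DataActions, deny assignments or conditions.
from fnmatch import fnmatchcase

# Constructed scope ids; an assignment applies at its scope and at every scope below it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_RW = f"{SUB}/resourceGroups/rg-storage-rw"   # holds the nine writable accounts
RG_RO = f"{SUB}/resourceGroups/rg-storage-ro"   # holds the lone read-only account
ST_RW = f"{RG_RW}/providers/Microsoft.Storage/storageAccounts/strw1"
ST_RO = f"{RG_RO}/providers/Microsoft.Storage/storageAccounts/stro"

# The custom role is contributor-like but excludes role-assignment and policy writes,
# which both live under Microsoft.Authorization (built-in Contributor excludes them too).
ROLES = {
    "CustomContributor": {"Actions": ["*"],
                          "NotActions": ["Microsoft.Authorization/*/Write",
                                         "Microsoft.Authorization/*/Delete",
                                         "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

def _matches(patterns, action):
    # Action names are case-insensitive and '*' spans '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    r = ROLES[role]
    return _matches(r["Actions"], action) and not _matches(r["NotActions"], action)

def is_allowed(assignments, resource_scope, action):
    """assignments: list of (role, scope). RBAC is additive: a single applicable
    role that permits the action is enough, and no role can take access away."""
    return any((resource_scope == scope or resource_scope.startswith(scope + "/"))
               and role_allows(role, action) for role, scope in assignments)

WRITE = "Microsoft.Storage/storageAccounts/write"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"

# What the follow-up post tried: Contributor at the subscription plus Reader on one account.
tried = [("CustomContributor", SUB), ("Reader", ST_RO)]
# What the answer proposes: Reader at the subscription, Contributor only on the resource
# group holding the other accounts, with the lone account kept in a separate group.
proposed = [("Reader", SUB), ("CustomContributor", RG_RW)]

if __name__ == "__main__":
    print("tried, write on read-only account:   ", is_allowed(tried, ST_RO, WRITE))     # True
    print("proposed, write on read-only account:", is_allowed(proposed, ST_RO, WRITE))  # False
    print("proposed, write on other account:    ", is_allowed(proposed, ST_RW, WRITE))  # True
    print("proposed, role assignment on RG:     ", is_allowed(proposed, RG_RW, ROLE_ASSIGN))  # False
```

In the real service the same additive rule applies, so the lone account must sit at a scope where only the reader role reaches it; a deny assignment would be the only way to subtract access from an inherited role.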