Restricting Access in Customer Owned Subscription

Charlie O'Riordan 1 Reputation point
2022-10-12T17:05:41.137+00:00

Without using Azure Blueprints, how can I restrict a customer from altering a specific NVA/Subnet/PIP where the customer has Owner access to the subscription?
Are there any other tenant-level policies I can leverage to lock down a specific resource or set of resources? In my case, I cannot deploy the NVA with Blueprints, so that's not an option.

Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. Manu Philip 16,991 Reputation points MVP
    2022-10-13T11:55:35.847+00:00

    If you are a Global Administrator in Azure AD, you can change the access levels of subscription administrators who have owner-level permissions in the subscription.
    You need to elevate access to perform the changes. The Global Administrator will be assigned the User Access Administrator role in Azure at root scope (/).

    Check the link below to learn how to elevate access:
    elevate-access-global-admin

    Visit the subscription and select 'Deny Assignments' as below to refine the roles of the subscription owners


    Add a custom role where you can deny the access to the resources in the subscription

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--
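
The elevation and Deny Assignments steps from the answer above, scripted with the Az PowerShell module as an added example (not part of the original answer). The subscription ID and admin UPN are placeholder assumptions; the script only reads deny assignments and removes the root-scope role again when it finishes.

```powershell
# Added example. Requires the Az PowerShell module and a Global Administrator sign-in.
# $subscriptionId and $adminUpn are placeholders (assumptions), not values from the thread.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$adminUpn       = 'admin@contoso.example'

Connect-AzAccount | Out-Null

# 1. Elevate access: assigns the caller User Access Administrator at root scope (/).
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed with HTTP $($resp.StatusCode)"
}

try {
    # 2. Confirm the root-scope assignment exists before relying on it.
    #    A fresh sign-in may be needed before the new role is reflected in the token.
    $rootUaa = Get-AzRoleAssignment -SignInName $adminUpn |
        Where-Object {
            $_.RoleDefinitionName -eq 'User Access Administrator' -and $_.Scope -eq '/'
        }
    if (-not $rootUaa) {
        throw 'No User Access Administrator assignment found at root scope.'
    }

    # 3. Review who holds Owner on the subscription.
    Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
        Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
        Select-Object DisplayName, SignInName, ObjectType, Scope

    # 4. List the deny assignments currently in effect on the subscription (read-only).
    Get-AzDenyAssignment -Scope "/subscriptions/$subscriptionId" |
        Select-Object DenyAssignmentName, Scope, Actions, NotActions, IsSystemProtected
}
finally {
    # 5. Drop the elevated role so root-scope access does not linger after the review.
    Remove-AzRoleAssignment -SignInName $adminUpn `
        -RoleDefinitionName 'User Access Administrator' -Scope '/'
}
```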