How to assign Azure Policy to a role or restrict user access to resource groups they did not create?

2024-04-16T07:56:13.25+00:00

In our Azure subscription, each member has the "Contributor" role at the subscription level. However, some people are creating high-cost resources, which we want to restrict. I found Azure Policy and denied the creation of those resources, but could only assign the policy at the subscription level. Unfortunately, Owner roles were also affected by this policy. Is there a way to assign a policy to a specific role instead of at the subscription level? If not, how can I handle this issue?

Another thing is that inside our subscription, we want each user to have the ability to create a resource group but have read/write/modify/delete access ONLY within the scope of the resource group they have created. So, users would not even be able to see other resource groups. It would also be okay if users can read but not modify them. Is this possible? If so, can you tell me how to do it?

For the second question, I do not want to assign each user manually when they need access to a resource group (assigning the Contributor role on a specific resource group by hand). I would like the access to be given to them automatically when they create it.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
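On the first part of the question, an added example (not code from the question or the answer): Azure Policy evaluates the resource request, not the caller's role, so a deny assignment cannot be limited to "everyone except Owners". What can be controlled is scope. The Az PowerShell script below assigns a deny policy at subscription scope while excluding one resource group through notScopes, and waives another with a time-limited policy exemption. The policy definition name 'deny-expensive-skus', the subscription ID and the resource group names are placeholders.

```powershell
# Added example, not code from the question or the answer. Assumes Az.Resources
# is installed, you are signed in, and a policy definition that denies the
# high-cost SKUs already exists under the hypothetical name 'deny-expensive-skus'.
# The subscription ID and resource group names are placeholders.
Connect-AzAccount | Out-Null

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$sub = "/subscriptions/$subscriptionId"

# Policy cannot be targeted at a role: it evaluates the resource request, and an
# Owner's PUT looks the same as a Contributor's. What you control is scope.
$policy = Get-AzPolicyDefinition -Name 'deny-expensive-skus'   # hypothetical definition

# Assign at subscription scope, but carve out the resource group(s) the owner or
# platform team uses. Resources under a notScope are excluded from evaluation.
# (placeholder RG name: rg-platform)
$assignment = New-AzPolicyAssignment `
    -Name 'deny-expensive-skus-sub' `
    -DisplayName 'Deny high-cost SKUs outside platform resource groups' `
    -PolicyDefinition $policy `
    -Scope $sub `
    -NotScope "$sub/resourceGroups/rg-platform"

# Alternatively keep the assignment whole and waive a single scope with an
# exemption. Give it an expiry so the exception is reviewed, not forgotten.
# (placeholder RG name: rg-owner-sandbox)
New-AzPolicyExemption `
    -Name 'owner-sandbox-waiver' `
    -PolicyAssignment $assignment `
    -Scope "$sub/resourceGroups/rg-owner-sandbox" `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).AddDays(30).ToUniversalTime() `
    -Description 'Owner team may deploy high-cost SKUs here; review monthly'

# Check what is actually in force before relying on it.
Get-AzPolicyAssignment -Name 'deny-expensive-skus-sub' -Scope $sub
Get-AzPolicyExemption -Scope $sub
```

If the Owner team's work does not fit in a handful of resource groups, the cleaner structure is a management group hierarchy: assign the deny policy on the management group that holds the members' subscriptions and keep privileged workloads in a subscription outside it. Either way, audit the exemptions and notScopes regularly; each one is a place where the cost control does not apply.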

1 answer

  1. Sandeep G-MSFT 14,566 Reputation points Microsoft Employee
    2024-04-22T10:06:50.4966667+00:00

    @Bueyuekgebiz, Rahmiye Buesra (T CST SEL-DE)

    Thank you for posting this in Microsoft Q&A.

    For the first part of your query, it is handled by the Azure Policy team. You can create another thread with the "Azure Policy" tag.

    About the other part of your query, we can only assign the permissions "write/modify/delete" after creating a resource group. After creating the resource group, you can assign whichever specific permission is required.

    As you do not want to assign permissions to users manually, you can make use of the PIM feature in Azure. With this feature, you can have users activate the permission. Once a permission is activated, a request gets generated for application, and you just have to approve the request.

    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

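An added example for the second part of the question, not code from the answer above and distinct from the PIM approval flow it recommends: a self-service pattern in which members hold only a custom role that can create resource groups, and an Event Grid subscription on the subscription's ARM write events triggers a PowerShell Azure Function that grants Contributor on the new group to whoever created it. Az.Accounts, Az.Resources and Az.EventGrid (1.x parameter names) are assumed; the subscription ID, resource names, function name 'OnResourceGroupCreated' and object IDs are placeholders; the handler is wrapped in a function so it can be dry-run locally against a constructed event.

```powershell
# Added example, not code from the question or the answer. Assumes Az.Accounts,
# Az.Resources and Az.EventGrid (1.x parameter names); subscription ID, names
# and object IDs are placeholders; the Function App 'func-rbac-autogrant' runs
# with a system-assigned managed identity that holds User Access Administrator
# on the subscription (needed for Microsoft.Authorization/roleAssignments/write).
Connect-AzAccount | Out-Null

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$sub = "/subscriptions/$subscriptionId"

# 1. Custom role: members may create resource groups and nothing else at
#    subscription scope. Without a subscription-level Reader they cannot list
#    other people's groups; they see only scopes where an assignment names them.
$roleJson = @"
{
  "Name": "Resource Group Creator (example)",
  "IsCustom": true,
  "Description": "Create resource groups; access inside them is granted on creation",
  "Actions": [ "Microsoft.Resources/subscriptions/resourceGroups/write" ],
  "NotActions": [],
  "AssignableScopes": [ "$sub" ]
}
"@
$rolePath = Join-Path ([IO.Path]::GetTempPath()) 'rg-creator.json'
Set-Content -Path $rolePath -Value $roleJson
New-AzRoleDefinition -InputFile $rolePath
# Then assign it (ideally to a group) in place of Contributor at subscription scope:
# New-AzRoleAssignment -ObjectId <group-oid> -RoleDefinitionName 'Resource Group Creator (example)' -Scope $sub

# 2. Route every successful ARM write in the subscription to the function.
$functionAppId = "$sub/resourceGroups/rg-platform/providers/Microsoft.Web/sites/func-rbac-autogrant"
New-AzEventGridSubscription `
    -EventSubscriptionName 'rg-write-success' `
    -EndpointType azurefunction `
    -Endpoint "$functionAppId/functions/OnResourceGroupCreated" `
    -IncludedEventType 'Microsoft.Resources.ResourceWriteSuccess'

# 3. Handler. In the Function App this body is run.ps1 behind
#    param($eventGridEvent, $TriggerMetadata); here it is a function so it can
#    be exercised locally against a constructed event with -DryRun.
function Invoke-ResourceGroupCreatedHandler {
    param(
        [Parameter(Mandatory)] $EventGridEvent,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [switch] $DryRun
    )
    $data = $EventGridEvent.data
    # The subscription delivers all resource writes; keep only resource group PUTs.
    if ($data.operationName -ne 'Microsoft.Resources/subscriptions/resourceGroups/write' -or
        $data.status -ne 'Succeeded') { return $null }

    $scope = $data.resourceUri     # /subscriptions/<id>/resourceGroups/<name>
    # Caller's object ID (user or service principal) from the token claims in the event.
    $creatorOid = $data.claims.'http://schemas.microsoft.com/identity/claims/objectidentifier'
    if (-not $creatorOid) { Write-Warning "No objectidentifier claim for $scope"; return $null }

    # Never grant outside the expected subscription or on a deeper/shallower scope.
    $pattern = "^/subscriptions/$([regex]::Escape($SubscriptionId))/resourceGroups/[^/]+$"
    if ($scope -notmatch $pattern) { Write-Warning "Unexpected scope $scope"; return $null }

    $result = [pscustomobject]@{ Scope = $scope; ObjectId = $creatorOid }
    if ($DryRun) { return $result }

    # Idempotent: a PUT that only changes tags on an existing group raises the same event.
    $existing = Get-AzRoleAssignment -ObjectId $creatorOid -Scope $scope -RoleDefinitionName Contributor
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $creatorOid -RoleDefinitionName Contributor -Scope $scope | Out-Null
    }
    return $result
}

# Constructed sample event in the shape of Microsoft.Resources.ResourceWriteSuccess.
$sampleEvent = @{
    eventType = 'Microsoft.Resources.ResourceWriteSuccess'
    subject   = "$sub/resourceGroups/rg-alice-demo"
    data      = @{
        operationName = 'Microsoft.Resources/subscriptions/resourceGroups/write'
        status        = 'Succeeded'
        resourceUri   = "$sub/resourceGroups/rg-alice-demo"
        claims        = @{ 'http://schemas.microsoft.com/identity/claims/objectidentifier' = '11111111-1111-1111-1111-111111111111' }
    }
}
Invoke-ResourceGroupCreatedHandler -EventGridEvent $sampleEvent -SubscriptionId $subscriptionId -DryRun
```

Two caveats before running this for real. The function's identity needs roleAssignments/write at subscription scope, which is strictly more powerful than the Contributor grants it hands out, so treat the Function App as a privileged system: nothing else deployed in it, its code and settings locked down, and an alert on every role assignment written by that identity. And verify in a test tenant that the custom role alone is enough for the way your users create groups (portal versus CLI), and that the Azure Policy deny from the first part still applies inside the newly created groups; the pattern grants access, it does not bypass policy.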