Looking to see if it's possible to prevent/block guest accounts from IAM roles on a subscription.
@MolloyFrank-7818
Thanks for your time and patience throughout this issue!
Deny meaning, it denies to everyone except the ones we want to have access to it?
- Yes, you can create a Deny Assignment for all principals (all users, groups, service principals, and managed identities in an Azure AD directory). However, you can exclude some principals (e.g., certain users or groups) from this Deny assignment.
It seems like a good idea for something which has limited access to begin with, but it sounds difficult to implement when there are a lot of users and groups which have access?
- When it comes to our RBAC best practices, to make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments.
It sounds like you're suggesting RBAC in that owners or administrators should know what type of access they are granting (or not granting) which could include not adding "guest" accounts to an IAM role?
- Yes. Users in an Owner/Admin role should follow our RBAC best practices documentation and only grant the access users need, rather than granting unneeded IAM roles to guest users.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
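To make the "deny everyone except the excluded principals" semantics from the reply above concrete, here is a small model of how such a deny assignment is evaluated on top of ordinary role assignments. This is an added example, not code from the thread or from Microsoft: the subscription, principals, group membership and role definitions are constructed, the property names (`principals`, `excludePrincipals`, `permissions`, `doNotApplyToChildScopes`) and the all-zeros "All Principals" id mirror the documented deny-assignment shape, and the evaluation is deliberately simplified (no data actions, ABAC conditions, management-group inheritance or classic administrators).

```python
"""Simplified model of Azure deny-assignment evaluation: a deny assignment that
targets "All Principals" (with an exclusion list) layered over role assignments.
All scopes, identifiers and directory objects below are constructed."""
from fnmatch import fnmatchcase

# Documented sentinel id meaning "All Principals" inside a deny assignment.
ALL_PRINCIPALS_ID = "00000000-0000-0000-0000-000000000000"

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # constructed
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm01"
VM_DEV = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm02"

GUEST, ADMIN, ADMIN_GROUP = "guest-1", "admin-1", "grp-admins"  # constructed principals
GROUP_MEMBERSHIP = {ADMIN: {ADMIN_GROUP}, GUEST: set()}          # principal -> groups it belongs to

# Subset of the built-in role definitions; Contributor's notActions stop it from editing RBAC.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
}
ROLE_ASSIGNMENTS = [
    {"principalId": GUEST, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": ADMIN_GROUP, "roleDefinitionName": "Contributor", "scope": SUB},
]
# One deny assignment on rg-prod: every principal loses all non-read actions,
# except members of grp-admins, which are excluded from the deny.
DENY_ASSIGNMENTS = [
    {"scope": RG_PROD, "doNotApplyToChildScopes": False,
     "principals": [{"id": ALL_PRINCIPALS_ID, "type": "SystemDefined"}],
     "excludePrincipals": [{"id": ADMIN_GROUP, "type": "Group"}],
     "permissions": [{"actions": ["*"], "notActions": ["*/read"]}]},
]


def identities(principal):
    """The principal itself plus the groups it is a member of (assumed flat membership)."""
    return {principal} | GROUP_MEMBERSHIP.get(principal, set())


def covers(assignment_scope, resource, include_children=True):
    """An assignment at a scope applies to that scope and, normally, everything below it."""
    return resource == assignment_scope or (
        include_children and resource.startswith(assignment_scope + "/"))


def matches(patterns, action):
    """Azure action strings are case-insensitive and use '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def granted(principal, action, resource):
    """True if some role assignment (direct or via a group) grants the action."""
    ids = identities(principal)
    for ra in ROLE_ASSIGNMENTS:
        if ra["principalId"] in ids and covers(ra["scope"], resource):
            role = ROLES[ra["roleDefinitionName"]]
            if matches(role["actions"], action) and not matches(role["notActions"], action):
                return True
    return False


def denied(principal, action, resource):
    """True if a deny assignment in scope targets the principal (or All Principals),
    does not exclude it, and lists the action in actions minus notActions."""
    ids = identities(principal)
    for da in DENY_ASSIGNMENTS:
        if not covers(da["scope"], resource, not da["doNotApplyToChildScopes"]):
            continue
        targeted = any(p["id"] == ALL_PRINCIPALS_ID or p["id"] in ids for p in da["principals"])
        excluded = any(p["id"] in ids for p in da["excludePrincipals"])
        if not targeted or excluded:
            continue
        for perm in da["permissions"]:
            if matches(perm["actions"], action) and not matches(perm["notActions"], action):
                return True
    return False


def effective(principal, action, resource):
    """A deny always wins over a grant."""
    return granted(principal, action, resource) and not denied(principal, action, resource)


if __name__ == "__main__":
    write_vm = "Microsoft.Compute/virtualMachines/write"
    for who, res in [(GUEST, VM_PROD), (GUEST, VM_DEV), (ADMIN, VM_PROD)]:
        print(f"{who} may {write_vm} on {res.rsplit('/', 1)[-1]}: {effective(who, write_vm, res)}")
```

The guest keeps its Contributor grant at subscription scope, so it can still write in rg-dev; only the scope the deny assignment covers is protected, and only read actions survive there. Excluding `grp-admins` rather than individual users follows the "assign to groups" advice in the reply.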
@MolloyFrank-7818
Thank you for your post!
Similar to a role assignment within IAM, you can leverage the Deny assignment feature. This feature attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.

As of right now, Azure Blueprints and Azure managed apps are the only way that deny assignments can be created. You can't directly create your own deny assignments. For more information see Understand resource locking in Azure Blueprints.
If this feature doesn't meet your requirements, I'd recommend providing feedback/creating a feature request within our User Voice forum so our engineering team can take a closer look into implementing this.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@MolloyFrank-7818
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
Hi James,
So technically there's no way to block guest accounts from being added to an IAM role in a subscription beyond using the Deny Assignment?
Reading about the Deny Assignment, it is applied using Blueprints, but in order to use that method, would it only apply to new resources?
Is there a way to alert when a guest account is added to an IAM role in a subscription?
Thanks, Frank
@MolloyFrank-7818
For Azure Blueprints it should apply to current resources as well.
I did some more research and you can try implementing a Deny Assignment for All Principals, and then exclude some principals from this deny assignment. I'd also recommend following our Best practices for Azure RBAC to only grant the access users need. For example, to assign RBAC roles, the prerequisite is for users to have the Microsoft.Authorization/roleAssignments/write permission, such as through the User Access Administrator or Owner role.
If you have any other questions, please let me know.
Thank you for your time and patience!
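The alerting question raised earlier in the thread (how to notice when a guest account ends up in an IAM role) is not answered above, so here is one way to do the detection side. This is an added example, not code from the thread or from Microsoft. It runs on constructed records shaped like the output of `az role assignment list --all` (principalId, principalType, roleDefinitionName, scope) and of the directory (`userType`, `userPrincipalName`, group members); all identifiers are made up. Because the thread recommends assigning roles to groups, the check also follows nested group membership, so a guest added to a group that holds a role is caught too, and it protects itself against group-membership cycles.

```python
"""Flag Azure RBAC role assignments that give a guest (B2B) user access to a
subscription, either directly or through (possibly nested) group membership."""

# Constructed sample data (made-up ids) in the shape of `az role assignment list --all`.
ROLE_ASSIGNMENTS = [
    {"principalId": "u-guest-1", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-1"},
    {"principalId": "g-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principalId": "u-member-1", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1"},
    {"principalId": "sp-build", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1/resourceGroups/rg-ci"},
]
# Constructed directory users: B2B guests carry userType "Guest" and a "#EXT#@" UPN.
USERS = {
    "u-guest-1": {"userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
                  "userType": "Guest"},
    "u-guest-2": {"userPrincipalName": "bob_partner.org#EXT#@fabrikam.onmicrosoft.com",
                  "userType": "Guest"},
    "u-member-1": {"userPrincipalName": "carol@fabrikam.com", "userType": "Member"},
}
# Constructed group membership: group id -> [(member id, member type)].
# g-ops contains g-vendors, which contains g-ops again, so there is a cycle to survive.
GROUP_MEMBERS = {
    "g-ops": [("u-member-1", "User"), ("g-vendors", "Group")],
    "g-vendors": [("u-guest-2", "User"), ("g-ops", "Group")],
}


def is_guest(user):
    """Treat a user as a guest if the directory says so or the UPN carries the B2B marker."""
    return user.get("userType") == "Guest" or "#EXT#@" in user.get("userPrincipalName", "")


def expand_group(group_id, group_members, path=()):
    """Yield (user_id, group_path) for every user reachable from group_id.
    A group already on the current path is not re-entered, which breaks cycles."""
    if group_id in path:
        return
    path = path + (group_id,)
    for member_id, member_type in group_members.get(group_id, []):
        if member_type == "Group":
            yield from expand_group(member_id, group_members, path)
        elif member_type == "User":
            yield member_id, path


def find_guest_exposures(role_assignments, users, group_members):
    """Return one finding per (guest, role, scope, path) that puts a guest in a role."""
    findings = []
    for ra in role_assignments:
        if ra["principalType"] == "User":
            candidates = [(ra["principalId"], ())]
        elif ra["principalType"] == "Group":
            candidates = list(expand_group(ra["principalId"], group_members))
        else:
            continue  # service principals and managed identities are never guests
        for user_id, path in candidates:
            user = users.get(user_id)
            if user and is_guest(user):
                findings.append({
                    "guest": user["userPrincipalName"],
                    "role": ra["roleDefinitionName"],
                    "scope": ra["scope"],
                    "via": " > ".join(path) if path else "direct",
                })
    return sorted(findings, key=lambda f: (f["guest"], f["role"], f["scope"]))


if __name__ == "__main__":
    for f in find_guest_exposures(ROLE_ASSIGNMENTS, USERS, GROUP_MEMBERS):
        print(f"ALERT guest {f['guest']} holds {f['role']} at {f['scope']} via {f['via']}")
```

Run it on a schedule, or trigger it from an Activity Log alert on the `Microsoft.Authorization/roleAssignments/write` operation named above, and forward any non-empty result to your alerting channel. Feeding it live data means replacing the constructed dictionaries with the CLI or Graph output of the same shape.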
Thanks James, it's good that it can apply to current resources.
Deny meaning, it denies to everyone except the ones we want to have access to it?
It seems like a good idea for something which has limited access to begin with, but it sounds difficult to implement when there are a lot of users and groups which have access?
It sounds like you're suggesting RBAC in that owners or administrators should know what type of access they are granting (or not granting) which could include not adding "guest" accounts to an IAM role?