0 Votes
JasonJohnson-7828 asked ·

Azure Subscription Custom User Role

Hello, I am trying to create a custom user role that would prevent the user from canceling or renaming an Azure subscription.

This is the JSON I am using; however, it seems like the user still has access to the subscription.


{
  "Name": "New Role",
  "Id": null,
  "IsCustom": true,
  "Description": "Lets you manage everything except access to resources or subscriptions.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Subscription/cancel/action",
    "Microsoft.Subscription/CreateSubscription/action",
    "Microsoft.Subscription/register/action",
    "Microsoft.Subscription/rename/action",
    "Microsoft.Subscription/SubscriptionDefinitions/write"
  ],
  "DataActions": [
  ],
  "NotDataActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/00000000000000000000000000000"
  ]
}


azure-active-directory

0 Votes
amanpreetsingh-msft answered ·

@JasonJohnson-7828 If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

E.g. if the user is assigned Contributor and New Role (the custom role that you are creating), the user will be allowed to rename the subscription because the Contributor role allows this action.

I would suggest you create a new test user, assign only the "New Role" to the user, and try to rename the subscription to make sure no other role is allowing this action.


Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

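The evaluation rule described in the answer above, as an added worked example (not code from the thread or from Azure): each role's NotActions only trims that role's own Actions, and the effective permission is the union over all assigned roles. The role definitions are constructed here; "New Role" is cut down from the question's JSON, and the Contributor entry is a simplified stand-in for the built-in role, not its real definition.

```python
import re
from typing import Iterable

# Constructed role definitions for the example (not the real Azure definitions).
NEW_ROLE = {
    "Name": "New Role",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/rename/action",
    ],
}
CONTRIBUTOR_LIKE = {
    "Name": "Contributor (simplified stand-in)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' stands for any run of characters
    (assumed here to include '/'), and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """One role grants an operation when an Actions entry matches it and no
    NotActions entry of the same role matches it."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def effective_allows(roles: Iterable[dict], operation: str) -> bool:
    """Effective permission is the union of the assigned roles: a single role
    granting the operation is enough, because NotActions is not a deny rule."""
    return any(role_allows(r, operation) for r in roles)
```

Role assignments are inherited from parent scopes, so the list passed to effective_allows has to include assignments made above the subscription (for example at a management group), not only those visible on the subscription itself.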

0 Votes
JasonJohnson-7828 answered ·

Ok.

I did create a test user and assigned it this new role and it was still able to change and cancel the subscription.

Basically, what I am trying to do is create a Contributor role without the ability to cancel or rename the subscription. The controls should be greyed out.
