question

0 Votes
NickT-2446 asked

Azure blueprints deny inherited roles to storage account

We have a storage account that contains sensitive info. We need to remove certain groups that have inherited access (the dev group, for example). If I select the group and try to "Remove" the group from the storage account, it tells me "Inherited role assignments cannot be removed". When I go to the Deny assignments page, it says that I need to use Azure Blueprints to add a rule. I'm struggling with building the right blueprint to remove access.

Can you give me an example blueprint that would accomplish this, or tell me if there is a better method for making this happen? I'm open to any way to deny select inherited groups. Thanks.


1 Answer

0 Votes
SumanthMarigowda-MSFT answered

@NickT-2446 Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

Blueprints is not a tool to create deny assignments. Instead, deny assignments are a feature that the Blueprints service uses to leverage its own functionality.

Blueprints can only lock resources that a blueprint creates, in a do not delete or read only fashion, so it won't cover this requirement.

Azure doesn't offer functionality for users to create their own custom deny assignments.

Please let us know if you have any further queries. I’m happy to assist you further.



Thank you for the info. That helps us know our options. We have decided to just create a new subscription for this type of sensitive data. And just for more info on this for everyone, here is the response from a support ticket I put in.


0 Votes 0 ·

@NickT-2446 Kindly let me know your support request (SR) number so that I can keep track of your case.

0 Votes 0 ·
NickT-2446 to SumanthMarigowda-MSFT ·

2201200040008711

0 Votes 0 ·
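An inherited role assignment can only be removed at the scope where it was made, so the first step in a case like this is finding that scope. The sketch below is an added example, not part of the original thread: it classifies role assignments on a storage account as direct or inherited and names the level each comes from. The records are constructed and assume the field names printed by `az role assignment list --scope <id> --include-inherited`; all IDs and group names are placeholders.

```python
# Constructed sample records; real input would be the parsed JSON output of
# `az role assignment list --scope <storage account id> --include-inherited`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-data"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/sensitivedata"
SAMPLE = [
    {"principalName": "dev-group", "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalName": "ops-group", "roleDefinitionName": "Reader",
     "scope": RG},
    {"principalName": "data-owners",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"principalName": "platform-admins", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
]

def scope_level(scope):
    """Name the level of the Azure hierarchy that a scope string points at."""
    s = scope.rstrip("/").lower()
    parts = [p for p in s.split("/") if p]
    if not parts:
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def classify(assignments, resource_id):
    """Split assignments into those made on the resource and those inherited."""
    target = resource_id.rstrip("/").lower()
    direct, inherited = [], []
    for a in assignments:
        row = (a["principalName"], a["roleDefinitionName"],
               scope_level(a["scope"]))
        same_scope = a["scope"].rstrip("/").lower() == target
        (direct if same_scope else inherited).append(row)
    return direct, inherited

if __name__ == "__main__":
    direct, inherited = classify(SAMPLE, STORAGE)
    for name, role, level in inherited:
        print(f"{name}: {role} inherited from the {level}; remove it there")
    for name, role, level in direct:
        print(f"{name}: {role} assigned on the resource; removable here")
```

Any group reported as inherited from the subscription or a management group keeps its access to every resource below that scope, which is why moving the sensitive data to its own subscription isolates it from those assignments.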