Azure – Locking down RBAC permissions and access at the resource group level and other scopes

Recently I was asked to shoe horn a third part support vendor in an existing subscription which by the way had another third part vendor in the same subscription.

It took what I felt an unreasonable amount of time to find the answer I was looking for, so hence the blog article.

For anyone trying to give permissions to only a specific RESOURCE, RESOURCE GROUP, or object this article is for you.

Azure basically has three ingredients to their formula on permissions. They are:

  1. User/ Group Selection
  2. Role Access
  3. Scope

Alot of the confusion I suppose is that most articles point you to permissions at the subscription level where you can access IAM to define users and groups and the role for the subscription, but the scope was not as straight forward.

The scope if you are using the portal is simply done by clicking on the object type and then hitting the IAM permission option within the object.

Example of setting controls at a resource group level

From there you can assign the role and person you group you want on this resource.

 

More to come on this…