Anshul Mishra

Reputation: 23

Divide Owner RBAC Role of Azure

I am trying to divide the Azure Owner RBAC role between IAM actions and other actions. Is it possible? If yes, then please help.

I have tried to list out all the actions of all the Azure RBAC roles and tried to distinguish between IAM and other actions, but this is not a good practice, I know. I have even tried to list out the actions of the Owner role, which is "*". I have tried 100s of websites as well for solutions, but that didn't work for me.

Upvotes: 1

Views: 201

Answers (2)

Joy Wang

Reputation: 42123

As mentioned in the comment, I think you can use Contributor. Compared to Owner, it can do anything the Owner can, but it cannot manage access to resources (the AD-related thing you mentioned).

For the AD related thing of Owner, you could just check the NotActions of Contributor.

And if you want to divide the Owner's permissions in two, I think it does not make sense, because once your custom role has the permission to manage access to resources, he can assign other roles (e.g. Owner) to anyone, like himself.

So in your case, you could just assign Owner to the user who needs the most permissions, and assign Contributor to the user that you don't want to give the AD-related permissions.

Upvotes: 0
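The reasoning in the answer above, as an added example that is not part of the original answer: a small evaluator for `Actions` / `NotActions` that shows why an "IAM half" of Owner is equivalent to Owner. The `IAM_ONLY` role is hypothetical, and the Contributor `NotActions` shown are assumed to be a subset of the built-in role's list; check the real definition with `az role definition list --name Contributor`.

```python
import re

# Owner's "*" is from the question. The Contributor NotActions below are a
# subset of the built-in role's list (assumption: verify against your tenant).
OWNER = {"Actions": ["*"], "NotActions": []}
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
# Hypothetical custom role: the "IAM half" of Owner the question asks about.
IAM_ONLY = {"Actions": ["Microsoft.Authorization/*"], "NotActions": []}

ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

def _matches(pattern, operation):
    """Action strings are case-insensitive; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation):
    """One role grants an operation if it is in Actions and not in NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

def principal_allows(roles, operation):
    """Assignments are additive: NotActions subtracts within one role only,
    it is not a deny across the principal's other roles."""
    return any(role_allows(r, operation) for r in roles)

def can_self_escalate(roles):
    """True when the roles allow creating role assignments, which is enough
    for the principal to assign Owner to itself."""
    return principal_allows(roles, ROLE_ASSIGN_WRITE)

if __name__ == "__main__":
    for name, roles in [("Owner", [OWNER]), ("Contributor", [CONTRIBUTOR]),
                        ("IAM-only custom", [IAM_ONLY]),
                        ("Contributor + IAM-only", [CONTRIBUTOR, IAM_ONLY])]:
        print(f"{name:24} can_self_escalate={can_self_escalate(roles)}")
```

Running the same check over exported custom role definitions is a quick way to find roles that are Owner-equivalent in practice.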

user10182254

Reputation:

As far as I know, the Azure RBAC role is used to manage Azure resources. Regarding how to manage actions in Azure AD, Azure provides other roles to control it. For more details, please refer to

Upvotes: 0
