OCram85

Reputation: 889

How to grant access to a resource group without the subscription permission to deploy services?

In this scenario I'm hosting several resources for several projects in one Azure tenant. Additionally, I have multiple Azure subscriptions with corresponding resource groups per project.

In the Azure AD I would like to create groups like Project A, Project B, Project C and grant them role permissions to the dedicated resource groups.

But unfortunately, if I grant the role Contributor, this also includes the permission on the subscription to add new services. I just want to enable them to manage their resources (access the VM through the bastion host) without giving them permission to add new services.

Upvotes: 0

Views: 1982

Answers (1)

Sruthi J

Reputation: 1602

We can restrict the user from creating resources in the resource group in two ways:

  1. You can grant Contributor permissions to each individual resource; that way the user won't be able to create new resources, only modify existing ones (they would still be able to delete the resource).
  2. A combination of RBAC and Azure Policy. The users who have been assigned Contributor access have access to all resources in their resource groups. In Azure Policy you can use a policy like Allowed resource types, Not allowed resource types, or Allowed locations, which will enable you to specify the resource types that your organization can deploy.

There is a similar scenario that you can find here.

Upvotes: 1
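Both options from the answer above, as an added Az PowerShell example that is not part of the answer. It assumes the Az.Resources module, an existing Azure AD group named "Project A" and a resource group named "rg-project-a" (both assumed names); the subscription ID is a placeholder.

```powershell
# Added example, not from the answer: Az PowerShell implementing both options for one project.
# The names below are assumptions; replace them with your own.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-project-a'                           # assumed resource group name
$GroupName      = 'Project A'                              # assumed Azure AD group name

Set-AzContext -Subscription $SubscriptionId | Out-Null
$group = Get-AzADGroup -DisplayName $GroupName
$rgId  = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId

# Option 1: Contributor on each existing resource, never on the resource group itself.
# A create request targets a new resource ID under the resource group, which none of these
# assignments cover, so it is denied. Delete on the listed resources is still permitted.
foreach ($res in Get-AzResource -ResourceGroupName $ResourceGroup) {
    # Get-AzRoleAssignment also returns inherited assignments, so match the scope exactly.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $res.ResourceId |
        Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $res.ResourceId }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' `
            -Scope $res.ResourceId | Out-Null
    }
}

# Check: any assignment for this group at resource-group or subscription scope would
# reintroduce the ability to create resources, so flag it.
$broad = Get-AzRoleAssignment -ObjectId $group.Id |
    Where-Object { $_.Scope -in @($rgId, "/subscriptions/$SubscriptionId") }
if ($broad) { Write-Warning "Broad assignments found:`n$($broad.Scope -join "`n")" }

# Option 2: Azure Policy guardrail. The built-in "Not allowed resource types" definition
# (deny effect) assigned at the resource group blocks deployments of the listed types for
# everyone, regardless of RBAC. The GUID is the built-in definition's ID.
$policy = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
New-AzPolicyAssignment -Name 'deny-new-services-project-a' -Scope $rgId `
    -PolicyDefinition $policy `
    -PolicyParameterObject @{
        listOfResourceTypesNotAllowed = @('Microsoft.Web/sites',
                                          'Microsoft.Sql/servers',
                                          'Microsoft.Storage/storageAccounts')
    } | Out-Null
```

The deny effect is evaluated on create and update requests alike, so list only types the project does not already run, otherwise updates to existing resources of those types will be blocked too.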
