Samuma

Reputation: 1

Restricting Access to what users can see in the Azure portal

For users that are assigned only a resource contributor role (such as Storage File Data SMB Share Contributor), the desired outcome is for them to see only the storage resources in Azure to which they are assigned.

With this role, however, users can still see the Subscription ID and a list of devices in Azure Active Directory, can log into Microsoft Intune, etc.

We have tried enabling "Restrict access to Azure Admin Portal" but some details are still visible. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions

I am looking for guidance on how to ensure restricted access for users with a resource contributor role assigned.

Upvotes: 0

Views: 812

Answers (1)

Chris Brooks - MSFT

Reputation: 35

Ability to see the existence of an Azure subscription when you have any role assigned to a resource in the subscription is special behavior provided by ARM to allow users to browse to the resources they have access to...

The other items (devices in Azure AD, Intune) are not controlled by Azure RBAC roles. You should find that the users have the same permissions even if you remove their Azure RBAC role assignments.

These systems have independent authorization logic which may be granting some access to all users.

Upvotes: 0
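A way to confirm the two separate authorization layers the answer describes, as an added example that is not part of the question or the answer: it lists a user's Azure RBAC assignments (the resource-plane scopes that make the containing subscription browsable) next to the tenant's Azure AD default member permissions (the directory-plane rules that do not change when RBAC assignments are removed). It assumes the Az and Microsoft.Graph PowerShell modules are installed and that you replace the placeholder UPN; the "Restrict access to Azure AD administration portal" toggle and Intune's own role model are not read by this script.

```powershell
# Added example (not from the post). Placeholder UPN: replace before running.
$Upn = 'user@contoso.example'   # placeholder account, not a real user

# Layer 1: Azure RBAC (Azure Resource Manager).
# These scopes are the only Azure resources the user is entitled to, and the
# reason the containing subscription appears in the portal at all.
Connect-AzAccount | Out-Null
$assignments = Get-AzRoleAssignment -SignInName $Upn
"Azure RBAC assignments for $Upn (resource-plane visibility):"
$assignments |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Layer 2: Azure AD (Entra ID) default member permissions.
# These apply to every member user in the tenant and are evaluated by the
# directory, not by Azure RBAC, so they stay the same with zero RBAC roles.
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
$policy = Get-MgPolicyAuthorizationPolicy
"Tenant default user role permissions (directory-plane visibility):"
$policy.DefaultUserRolePermissions |
    Select-Object AllowedToReadOtherUsers,
                  AllowedToCreateApps,
                  AllowedToCreateSecurityGroups |
    Format-List
```

If the first table is empty while the directory-plane values are still true, what the user sees outside their storage scopes is coming from the directory layer, which is where it has to be tightened.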
