Raw_Wish

Reputation: 188

Selective Resource/Infra isolation on Azure. Possible?

Good day, folks! I have an Azure subscription and it has multiple resources created, like App Services, Databases, Key Vault, Storage account, etc. I want only a few people to see the full resources; for the rest of the team, I don't want all the resources to be seen. For example:

  1. Matt sees 5 App services out of 10
  2. Kevin sees 10 App services out of 10

Is it possible to create selective isolation? If yes, then how?

I tried this link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json but did not get it. Am I looking in the right direction?

Upvotes: 2

Views: 105

Answers (3)

Anjali B

Reputation: 81

I was in a similar situation. I had a team in Atlanta, Georgia and one team in Bangalore, India. So, Team B had to see all the resources but Team A had to see only the new or selective resources.

Now there could be multiple ways to do this, but this is what I did. You can try the same. (Make sure you're an owner and have the appropriate access.)

  1. Go to Subscriptions -> Select your Subscription

  2. Go to IAM

  3. Go to Roles

  4. Click on Add -> Add a Custom role

  5. Give it a name and fill the Description

  6. You can create a JSON or Start from Scratch

  7. In the JSON file, add these properties

    {
      "properties": {
        "roleName": "NoAccess_SubscriptionLevel",
        "description": "",
        "assignableScopes": [
          "/subscriptions/your_subscription"
        ],
        "permissions": [
          {
            "actions": [],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

  8. Save it

  9. Now, whenever you add a new person/teammate, at first assign them this role. No moderator, no owner, no contributor, nothing!

  10. Go to resource group -> create a new RG -> IAM -> Assign the access here to the new user.

  11. Now, whatever you create in this Resource Group, only that would be visible to the new user.

Disclaimer: This is how I controlled the access. Now, there could be multiple ways to do this, but this is what I did and it will save you some time unless there is a better solution.

Upvotes: 1

Ravish Rawat

Reputation: 478

Yes, it is possible. Here's a more detailed step-by-step guide:

Create Custom Roles:

  • Sign in to the Azure portal (https://portal.azure.com) with your Azure account.

  • Go to "Azure Active Directory" from the left-hand menu.

  • Click on "Roles and administrators" under "Security."

  • Click "+ New custom role."

  • Name the role, add a description, and specify the desired permissions (e.g., read, write) for Matt and Kevin.

  • Click "Create" to save the custom roles.

Assign Custom Roles:

  • Navigate to the resource group containing the 10 App Services.

  • Click on "Access control (IAM)" from the left-hand menu.

  • Click "+ Add" to add a role assignment.

  • Select the custom role for Matt from the "Role" dropdown.

  • Search for and select Matt's user account or group.

  • Click "Save" to assign the custom role to Matt.

  • Repeat the same process for Kevin, assigning him the custom role that grants access to all 10 App Services.

Verify Access:

  • Make sure Matt can only see 5 App Services, and Kevin can see all 10 when they access the Azure portal or use Azure CLI/PowerShell.

By following these steps, you can control the visibility and access level of resources within your Azure subscription based on the needs of your team members.

Upvotes: 1

Gaurav Mantri

Reputation: 136366

Yes, it is certainly possible to do so. Resource locking however is not the answer. Azure Role-based access control (RBAC) is the answer.

Essentially what you would need to do is assign roles to users on specific resources. For example, let's say you want Kevin to manage all 10 app services; then you would assign the Website Contributor role to Kevin on those 10 app services. Similarly, you would assign the same role to Matt on the 5 app services that you want Matt to manage.

Upvotes: 2
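All three answers rest on the same Azure RBAC mechanics: a role assignment made at a scope (subscription, resource group, or a single resource) is inherited by everything beneath that scope, a role's effective permissions are its Actions minus its NotActions, and a user only sees a resource when some assignment grants a read action on it. The Python below is a small model of those rules, added here as an illustration; it is not Azure's code and not from any of the answerers. It wires up the question's scenario the way the first and third answers suggest (the empty "NoAccess" custom role at subscription level, Website Contributor at resource-group scope for Kevin and on five individual app services for Matt). The subscription id, resource names, the "intern"/"auditor"/"newhire" principals, the abbreviated role definitions (the real Website Contributor role lists more actions) and the custom role SitesNoDelete are all constructed for the example; deny assignments are not modelled.

```python
"""Toy model of Azure RBAC visibility (added example, not Azure's own code).

Rules reproduced here:
  * assignments inherit down the scope tree (subscription -> RG -> resource),
  * a role grants an action if it is in Actions and not in NotActions,
  * '*' in an action string spans '/' boundaries; matching is case-insensitive.
Deny assignments are not modelled. Ids, names and role lists are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = f"{SUB}/resourceGroups/rg-apps"
SITES = [f"{RG}/providers/Microsoft.Web/sites/app{i:02d}" for i in range(1, 11)]

# Role definitions in the shape of the portal's role JSON ("actions"/"notActions").
# Built-in action lists are abbreviated; SitesNoDelete is a constructed custom role.
ROLES = {
    "NoAccess_SubscriptionLevel": {"actions": [], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Website Contributor": {"actions": ["Microsoft.Web/sites/*"], "notActions": []},
    "SitesNoDelete": {"actions": ["Microsoft.Web/sites/*"],
                      "notActions": ["Microsoft.Web/sites/delete"]},
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # subscription, resource-group or resource id


def matches_any(patterns, action):
    """Case-insensitive glob match; fnmatch's '*' spans '/' just as Azure's does."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def role_grants(role, action):
    """Effective permissions of one role are Actions minus NotActions."""
    return matches_any(role["actions"], action) and not matches_any(role["notActions"], action)


def scope_covers(scope, resource_id):
    """An assignment at a scope applies to that scope and everything beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def is_allowed(principal, action, resource_id, assignments):
    """RBAC is additive: one applicable assignment that grants the action suffices."""
    return any(
        a.principal == principal
        and scope_covers(a.scope, resource_id)
        and role_grants(ROLES[a.role], action)
        for a in assignments
    )


def visible_sites(principal, assignments, site_ids=SITES):
    """Names of the app services the principal can read, i.e. would see listed."""
    return [s.rsplit("/", 1)[1] for s in site_ids
            if is_allowed(principal, "Microsoft.Web/sites/read", s, assignments)]


# The question's scenario, wired the way the answers suggest (constructed data).
ASSIGNMENTS = [
    Assignment("newhire", "NoAccess_SubscriptionLevel", SUB),          # empty role only
    Assignment("kevin", "Website Contributor", RG),                    # all 10 via RG scope
    *[Assignment("matt", "Website Contributor", s) for s in SITES[:5]],  # 5 per-resource
    Assignment("auditor", "Reader", SUB),                              # read all, change none
    Assignment("intern", "SitesNoDelete", SITES[9]),                   # NotActions carve-out
]

if __name__ == "__main__":
    for who in ("newhire", "kevin", "matt", "auditor", "intern"):
        print(f"{who:8} sees {visible_sites(who, ASSIGNMENTS)}")
    print("kevin can delete app01:",
          is_allowed("kevin", "Microsoft.Web/sites/delete", SITES[0], ASSIGNMENTS))
    print("intern can delete app10:",
          is_allowed("intern", "Microsoft.Web/sites/delete", SITES[9], ASSIGNMENTS))
```

Two points the model makes visible: the empty custom role from the first answer grants nothing, but it also denies nothing, so what actually hides the other resources is the absence of any other assignment; a Reader assignment at the subscription or a parent management group would make everything visible again. When verifying the result for a real user, list every assignment that applies to them across all scopes (for example `az role assignment list --assignee <user> --all`) rather than checking only the resource group you edited.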
