Tags: azure, azure-security, azure-resource-lock

Selective Resource/Infra isolation on Azure. Possible?


Good day, folks! I have an Azure subscription, and it has multiple resources created, like App Services, Databases, Key Vault, Storage account, etc. I want only a few people to see the full set of resources; for the rest of the team, I don't want all the resources to be seen. For example:

  1. Matt sees 5 App Services out of 10
  2. Kevin sees 10 App Services out of 10

Is it possible to create selective isolation? If yes, then how?

I tried this link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json but did not get it. Am I looking in the right direction?


Solution

  • I was in a similar situation. I had a team in Atlanta, Georgia and one team in Bangalore, India. Team B had to see all the resources, but Team A had to see only the new or selected resources.

    Now there could be multiple ways to do this, but this is what I did. You can try the same. (Make sure you're an owner and have the appropriate access.)

    1. Go to Subscriptions -> Select your Subscription

    2. Go to IAM

    3. Go to Roles

    4. Click on Add -> Add a Custom role

    5. Give it a name and fill in the Description

    6. You can start from a JSON file or start from scratch

    7. In the JSON file, add these properties (a role with empty actions, notActions, dataActions and notDataActions grants nothing; replace your_subscription with your subscription ID):

      {
        "properties": {
          "roleName": "NoAccess_SubscriptionLevel",
          "description": "",
          "assignableScopes": [
            "/subscriptions/your_subscription"
          ],
          "permissions": [
            {
              "actions": [],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ]
        }
      }

    8. Save it

    9. Now, whenever you add a new person/teammate, first assign them this role. No Moderator, no Owner, no Contributor, nothing!

    10. Go to Resource groups -> create a new RG -> IAM -> assign the access here to the new user.

    11. Now, whatever you create in this Resource Group, only that will be visible to the new user.

    Disclaimer: This is how I controlled the access. There could be multiple ways to do this, but this is what I did, and it will save you some time unless there is a better solution.
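The mechanism the answer relies on is Azure RBAC scope inheritance: an assignment at subscription scope applies to every resource group beneath it, while an assignment at resource-group scope applies only to that group. The following added example (not from the original post, and not Azure's real evaluation engine) models that rule for the Matt/Kevin scenario; the subscription ID, resource-group names, App Service names and role assignments are all constructed placeholders.

```python
"""Toy model of Azure RBAC scope inheritance for the Matt/Kevin scenario.
Constructed/assumed: the subscription id, resource group names, App Service
names and the role assignments. This is not Azure's evaluation engine."""
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Role definitions: the answer's empty custom role beside built-in Reader.
ROLES = {
    "NoAccess_SubscriptionLevel": {"actions": [], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
}

def action_matches(pattern, action):
    """Azure action strings use '*' as a wildcard, e.g. '*/read'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(assignments, principal, action, resource_id):
    """An assignment applies if its scope is the resource itself or a parent
    scope (subscription or resource group). The role grants the action when an
    'actions' pattern matches and no 'notActions' pattern matches; any single
    assignment that grants it is enough."""
    for who, role, scope in assignments:
        if who != principal:
            continue
        if not (resource_id == scope or resource_id.startswith(scope + "/")):
            continue
        perms = ROLES[role]
        if any(action_matches(p, action) for p in perms["actions"]) and \
           not any(action_matches(p, action) for p in perms["notActions"]):
            return True
    return False

def visible_app_services(assignments, principal, app_services):
    """App Services the principal can list: those where the read action is allowed."""
    return [r for r in app_services
            if is_allowed(assignments, principal, "Microsoft.Web/sites/read", r)]

# Constructed inventory: 5 App Services in RG team-a, 5 in RG shared.
APP_SERVICES = [f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Web/sites/app{i}"
                for rg in ("team-a", "shared") for i in range(5)]

ASSIGNMENTS = [
    ("matt", "NoAccess_SubscriptionLevel", SUB),          # grants nothing
    ("matt", "Reader", f"{SUB}/resourceGroups/team-a"),   # only this RG
    ("kevin", "Reader", SUB),                              # inherited by every RG
]

if __name__ == "__main__":
    for who in ("matt", "kevin"):
        print(who, len(visible_app_services(ASSIGNMENTS, who, APP_SERVICES)))
```

Note that the empty custom role itself grants nothing either way; what keeps Matt's view to 5 of 10 is that his only permission-bearing assignment sits at resource-group scope, so auditing subscription-scope assignments is the check that matters.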