Forum Discussion

terruahmad
Microsoft
Apr 23, 2025

Custom Role to Prevent Users making any changes to Azure Web App Network Configuration

Hi,

I have a customer who wants to create a custom role to prevent users from making any changes or updates to the Web App network configuration under the Networking tab.  This includes inbound access, outbound traffic, VNet Integration, site access and rules.  We created a custom role, but it is not working.  Does anyone have a working custom role that you can share?  Thanks.

{
    "properties": {
        "roleName": "WebAppCustomRBAC",
        "description": "Web App Custom Role",
        "assignableScopes": [
            "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/sites/*",
                    "Microsoft.Web/serverfarms/Read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Insights/components/*",
                    "Microsoft.Insights/alertrules/*"
                ],
                "notActions": [
                    "Microsoft.Web/sites/config/write",
                    "Microsoft.Web/sites/networkConfig/write",
                    "microsoft.web/sites/networkConfig/delete",
                    "microsoft.web/sites/slots/networkConfig/write",
                    "microsoft.web/sites/slots/networkConfig/delete",
                    "microsoft.web/sites/slots/virtualnetworkconnections/delete",
                    "microsoft.web/sites/slots/virtualnetworkconnections/write",
                    "microsoft.web/sites/virtualnetworkconnections/delete",
                    "microsoft.web/sites/virtualnetworkconnections/write"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

3 Replies

  • Surendra_Aderu
    Copper Contributor

    Hello terruahmad,

    We have two options:

    1. Give the user Owner access on the Azure App Service and create Deny permissions to block the network-related actions. [Not recommended]
    2. Create a custom role for the Azure App Service, remove the network-related actions, and assign it to the user. This will allow the user to perform all actions except those in the network section. Please find below the reference JSON, where the highlighted permissions can be removed to create the custom role. [Recommended]

    Please check and let me know if it works.



  • Kidd_Ip

    Some suggestions on the below:

    1. Need-based access, such as read-only for Web Apps
    2. Ensured all write and delete actions related to network configurations and virtual network connections are explicitly blocked
    3. Removed unnecessary wildcards such as "Microsoft.Web/sites/*" in actions to minimize unintended access
    • terruahmad
      Microsoft

      Hi Kidd_Ip,

      Thanks for your reply.  The customer wants the app owner/dev to have full access to the Web App but make sure they don't make changes to Networking.  That's why we have to use wildcards.

      How do you "ensure all write and delete actions related to network configurations and virtual network connections are explicitly blocked"?  We used the "notActions" section to make sure no change can be made to networking.  Do you have a different approach to block network changes?

      Thanks.
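The following is an added example, my own code and not code from the thread or from Microsoft. It re-implements the Azure RBAC rule that decides the question above: a management-plane operation is permitted by a role when some `actions` entry matches it and no `notActions` entry matches it (`*` matches any characters, matching is case-insensitive; `notActions` subtracts from `actions`, it is not a deny). It then evaluates the role definition posted above and a hypothetical explicit allow-list role of the kind Kidd_Ip suggests against two constructed tables: operations the Networking blade writes through, and everyday developer operations the role is meant to keep. The feature-to-operation tables, the allow-list role and its name `WebAppDevNoNetworking` are assumptions I constructed for the example, not content from the thread.

```python
import re

# Role definition as posted in the thread (outer brace restored, content unchanged).
ROLE_FROM_POST = {"properties": {
    "roleName": "WebAppCustomRBAC", "description": "Web App Custom Role",
    "assignableScopes": ["/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],
    "permissions": [{
        "actions": ["Microsoft.Web/sites/*", "Microsoft.Web/serverfarms/Read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Insights/components/*", "Microsoft.Insights/alertrules/*"],
        "notActions": ["Microsoft.Web/sites/config/write",
                       "Microsoft.Web/sites/networkConfig/write",
                       "microsoft.web/sites/networkConfig/delete",
                       "microsoft.web/sites/slots/networkConfig/write",
                       "microsoft.web/sites/slots/networkConfig/delete",
                       "microsoft.web/sites/slots/virtualnetworkconnections/delete",
                       "microsoft.web/sites/slots/virtualnetworkconnections/write",
                       "microsoft.web/sites/virtualnetworkconnections/delete",
                       "microsoft.web/sites/virtualnetworkconnections/write"],
        "dataActions": [], "notDataActions": []}]}}

# Hypothetical explicit allow-list role (assumed, not from the thread): no wildcard
# under Microsoft.Web/sites, so there is nothing to subtract with notActions.
EXPLICIT_ROLE = {"properties": {
    "roleName": "WebAppDevNoNetworking", "description": "assumed allow-list role",
    "assignableScopes": ["/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],
    "permissions": [{
        "actions": ["Microsoft.Web/sites/read", "Microsoft.Web/sites/config/read",
                    "Microsoft.Web/sites/config/list/action",
                    "Microsoft.Web/sites/restart/action", "Microsoft.Web/sites/publish/action",
                    "Microsoft.Web/sites/slotsswap/action", "Microsoft.Web/serverfarms/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}}

# Assumed table, constructed for this example: the ARM operation each Networking-blade
# feature is written through (the portal, CLI and ARM templates all hit the same ones).
NETWORKING_OPERATIONS = {
    "Microsoft.Web/sites/write": "site properties: virtualNetworkSubnetId, publicNetworkAccess",
    "Microsoft.Web/sites/slots/write": "the same site properties on a deployment slot",
    "Microsoft.Web/sites/config/write": "site config 'web': ipSecurityRestrictions (inbound rules)",
    "Microsoft.Web/sites/networkConfig/write": "VNet integration (networkConfig/virtualNetwork)",
    "Microsoft.Web/sites/virtualNetworkConnections/write": "gateway-required VNet integration",
    "Microsoft.Web/sites/privateEndpointConnectionsApproval/action": "private endpoint approval",
}

# Assumed table, constructed for this example: day-to-day developer operations.
DEV_OPERATIONS = {
    "Microsoft.Web/sites/config/write": "app settings / connection strings (config 'appsettings')",
    "Microsoft.Web/sites/restart/action": "restart the app",
    "Microsoft.Web/sites/publish/action": "deploy code / fetch publishing credentials",
    "Microsoft.Web/sites/slotsswap/action": "swap deployment slots",
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: '*' matches any run of characters (including '/'),
    everything else must match literally, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """True if some permissions block lists a matching action and no matching notAction."""
    for block in role["properties"]["permissions"]:
        hit = any(_matches(p, operation) for p in block.get("actions", []))
        excluded = any(_matches(p, operation) for p in block.get("notActions", []))
        if hit and not excluded:
            return True
    return False


def audit(role: dict, operations) -> dict:
    """Map each operation to whether the role permits it."""
    return {op: is_allowed(role, op) for op in operations}


def leaked_networking_operations(role: dict) -> list:
    """Networking-blade write operations the role still permits (sorted)."""
    return sorted(op for op, ok in audit(role, NETWORKING_OPERATIONS).items() if ok)


def blocked_dev_operations(role: dict) -> list:
    """Everyday developer operations the role denies as collateral (sorted)."""
    return sorted(op for op, ok in audit(role, DEV_OPERATIONS).items() if not ok)


def report(role: dict) -> str:
    name = role["properties"]["roleName"]
    return (f"{name}: networking ops still allowed = {leaked_networking_operations(role)}; "
            f"dev ops blocked = {blocked_dev_operations(role)}")


if __name__ == "__main__":
    for r in (ROLE_FROM_POST, EXPLICIT_ROLE):
        print(report(r))
```

Two things fall out of running it. First, the posted role still permits `Microsoft.Web/sites/write` and `Microsoft.Web/sites/slots/write`, because `Microsoft.Web/sites/*` covers them and nothing in `notActions` subtracts them; regional VNet integration and public network access are properties of the site resource itself, so a PUT or PATCH on the site can still change them. Second, both roles end up blocking `Microsoft.Web/sites/config/write`, and that is not a bug in the allow-list: inbound access-restriction rules and app settings are both child `config` resources written through that one operation, so RBAC actions alone cannot grant one and refuse the other. Before trusting the assumed tables, list the provider's real operations with `az provider operation show --namespace Microsoft.Web` and adjust them.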
