Forum Discussion

terruahmad's avatar
terruahmad
Icon for Microsoft rankMicrosoft
Apr 23, 2025

Custom Role to Prevent Users making any changes to Azure Web App Network Configuration

Hi, I have a customer who wants to create a custom role to prevent users from making any changes or updates to Web App network configuration under Networking tab.  This includes inbound access, out...
Kidd_Ip's avatar
Kidd_Ip
MVP
Apr 24, 2025

Some suggestions on below:

 

  1. Need based access such as read-only for Web Apps

  2. Ensured all write and delete actions related to network configurations and virtual network connections are explicitly blocked

  3. Removed Unnecessary Wildcards such as  "Microsoft.Web/sites/*" in actions to minimize unintended access
terruahmad's avatar
terruahmad
Icon for Microsoft rankMicrosoft
Apr 24, 2025

Hi Kidd_Ip,

Thanks for your reply.  The customer wants /app owner/dev to have full access to Web App but make sure they don't make sure changes to Networking.  That's why we have to use wildcards.  

How do you "ensure all write and delete actions related to network configurations and virtual network connections are explicitly blocked"?  We used the "notAction" section to make sure no change can be made to networking.  Do you have a different approach to block network changes?  

Thanks.

Resources