How to restrict multiple users' access to a specific subscription under a multi-subscription model?

Elaborated question: How to restrict multiple users' access to a specific subscription when they are members of the management group?

Scenario:

I have a multi-subscription environment which is organised by management group for easy governance and management under a single tenant. When I say multi-subscription, I mean 500+ subscriptions under a single tenant. Now I have all 500+ subscriptions whose IAM is inherited with a Management AD group that is created in Azure Active Directory.

I want to restrict a few users from this Management AD group from getting access to a few subscriptions which have sensitive data. How to achieve this is my question.

1 Reply
The best solution for what you're looking for might be locks if this is the only resource you want to lock down: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

There are also more granular RBAC setups than just giving someone full owner/contributor access: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
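
A simplified model of how custom roles like those mentioned in the reply are evaluated, added here as an example and not part of the thread: a role grants its Actions minus its NotActions, assignments are inherited from the management group, and grants from different assignments add up. The scope names, group names and both role definitions are constructed for illustration; deny assignments and data actions are left out.

```python
from fnmatch import fnmatchcase

# Constructed scopes; the names are placeholders, not real IDs.
MG = "/providers/Microsoft.Management/managementGroups/mg-example"
SUB_GENERAL = "/subscriptions/sub-general"
SUB_SENSITIVE = "/subscriptions/sub-sensitive"
PARENT = {SUB_GENERAL: MG, SUB_SENSITIVE: MG}  # child scope -> parent scope

# Hypothetical custom roles in the Actions/NotActions shape of a role definition.
ROLES = {
    "Contributor Without Storage Keys": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/write",
            "Microsoft.Authorization/*/delete",
            "Microsoft.Storage/storageAccounts/listKeys/action",
        ],
    },
    "Storage Key Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
        "NotActions": [],
    },
}

# Constructed group memberships and role assignments: (group, role, scope).
MEMBER_OF = {"alice": {"mgmt-ad-group"}, "bob": {"mgmt-ad-group", "sensitive-ops"}}
ASSIGNMENTS = [
    ("mgmt-ad-group", "Contributor Without Storage Keys", MG),
    ("sensitive-ops", "Storage Key Reader", SUB_SENSITIVE),
]

def _matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against action patterns."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_allows(role, operation):
    """A role grants an operation if it is in Actions and not in NotActions."""
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)

def scope_chain(scope):
    """The scope itself plus every ancestor it inherits assignments from."""
    while scope:
        yield scope
        scope = PARENT.get(scope)

def is_allowed(user, operation, scope):
    """Additive evaluation: any applicable assignment that grants the operation wins."""
    chain = set(scope_chain(scope))
    return any(
        group in MEMBER_OF.get(user, ()) and at in chain and role_allows(ROLES[role], operation)
        for group, role, at in ASSIGNMENTS
    )
```

In this model alice can still read everything in the sensitive subscription, because NotActions narrows one role and does not hide a scope or override another assignment.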