How to restrict multiple users' access to a specific subscription under a multi-subscription model?


Elaborated question: How to restrict multiple users' access to a specific subscription when they are members of the management group?


Scenario :

I have a multi-subscription setup that is organised by management group for easy governance and management under a single tenant. When I say multi-subscription, I mean 500+ subscriptions under a single tenant. Now all 500+ subscriptions have their IAM inherited from a Management AD group that is created in Azure Active Directory.

I want to restrict a few users from this Management AD group from getting access to a few subscriptions which have sensitive data. How to achieve this is my question?


1 Reply
The best solution for what you're looking for might be locks if this is the only resource you want to lock down: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

There are also more granular RBAC setups than just giving someone full owner/contributor access: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
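The scenario in the question, modelled as an added example (not code from the original post or from Microsoft): a small simulation of how Azure RBAC evaluates role assignments across the management-group hierarchy. Role assignments are additive and inherited by every child scope, so a group assigned at the management group holds that role on every subscription beneath it and no subscription can opt out of it. The model shows the two ways the effect in the question can be achieved: restructuring the hierarchy so the sensitive subscriptions sit under a sibling scope that does not carry the broad assignment, or a deny assignment on the sensitive subscription with the permitted users excluded (in Azure, deny assignments cannot be created directly through the portal or CLI; they are created by services such as Azure Blueprints and deployment stacks). The tenant layout, group membership, subscription IDs and the abbreviated role definitions are all constructed for the example; the scope string formats are the real Azure ones.

```python
"""Model of Azure RBAC scope inheritance for the multi-subscription scenario.

Everything below (tenant layout, groups, users, role definitions) is constructed
for illustration; only the scope string formats match Azure's real format.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Optional, Set


def mg_scope(name: str) -> str:
    return f"/providers/Microsoft.Management/managementGroups/{name}"


def sub_scope(sub_id: str) -> str:
    return f"/subscriptions/{sub_id}"


# Abbreviated built-in roles (the real definitions carry NotActions and more).
ROLES: Dict[str, Set[str]] = {"Reader": {"*/read"}, "Contributor": {"*"}}

EVERYONE = "<everyone>"  # stands in for the "All principals" deny target


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group name
    role: str
    scope: str


@dataclass(frozen=True)
class DenyAssignment:
    actions: FrozenSet[str]
    scope: str
    principals: FrozenSet[str] = frozenset({EVERYONE})
    exclude_principals: FrozenSet[str] = frozenset()


class Tenant:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}  # scope -> parent scope
        self.groups: Dict[str, Set[str]] = {}        # group -> member users
        self.assignments: List[RoleAssignment] = []
        self.denies: List[DenyAssignment] = []

    def add_management_group(self, name: str, parent: Optional[str] = None) -> None:
        self.parent[mg_scope(name)] = mg_scope(parent) if parent else None

    def add_subscription(self, sub_id: str, parent_mg: str) -> None:
        self.parent[sub_scope(sub_id)] = mg_scope(parent_mg)

    def scope_chain(self, scope: str) -> List[str]:
        """The scope itself followed by every ancestor up to the root."""
        chain: List[str] = []
        cur: Optional[str] = scope
        while cur is not None:
            chain.append(cur)
            cur = self.parent[cur]
        return chain

    def principals_of(self, user: str) -> Set[str]:
        """The user plus every group they are a direct member of."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def is_allowed(self, user: str, action: str, scope: str) -> bool:
        ids = self.principals_of(user)
        chain = self.scope_chain(scope)
        # Deny assignments are evaluated first and win over any role assignment.
        for d in self.denies:
            targeted = EVERYONE in d.principals or bool(ids & d.principals)
            if d.scope in chain and targeted and not (ids & d.exclude_principals):
                if any(fnmatch(action, p) for p in d.actions):
                    return False
        # Role assignments are additive and inherited from every ancestor scope.
        allowed: Set[str] = set()
        for a in self.assignments:
            if a.principal in ids and a.scope in chain:
                allowed |= ROLES[a.role]
        return any(fnmatch(action, p) for p in allowed)


def build_scenario() -> Tenant:
    """Constructed tenant: one 'platform' management group holding every
    subscription, with an AD group assigned Contributor at that management group."""
    t = Tenant()
    t.add_management_group("root")
    t.add_management_group("platform", parent="root")
    for sub in ("sub-001", "sub-002", "sub-sensitive"):
        t.add_subscription(sub, "platform")
    t.groups["mgmt-ad-group"] = {"alice", "bob"}
    t.assignments.append(RoleAssignment("mgmt-ad-group", "Contributor", mg_scope("platform")))
    return t


def fix_by_restructuring(t: Tenant) -> Tenant:
    """Option 1: move the sensitive subscription under a sibling management group
    and re-scope the broad assignment to the non-sensitive sibling."""
    t.add_management_group("standard", parent="platform")
    t.add_management_group("sensitive", parent="platform")
    for sub in ("sub-001", "sub-002"):
        t.parent[sub_scope(sub)] = mg_scope("standard")
    t.parent[sub_scope("sub-sensitive")] = mg_scope("sensitive")
    t.assignments = [RoleAssignment("mgmt-ad-group", "Contributor", mg_scope("standard"))]
    t.groups["sensitive-admins"] = {"alice"}  # smaller, separately managed group
    t.assignments.append(RoleAssignment("sensitive-admins", "Contributor", mg_scope("sensitive")))
    return t


def fix_by_deny_assignment(t: Tenant) -> Tenant:
    """Option 2: keep the hierarchy and deny all actions on the sensitive
    subscription for everyone except the users who must keep access."""
    t.denies.append(DenyAssignment(actions=frozenset({"*"}), scope=sub_scope("sub-sensitive"),
                                   exclude_principals=frozenset({"alice"})))
    return t
```

Running `build_scenario().is_allowed("bob", "Microsoft.Storage/storageAccounts/listKeys/action", sub_scope("sub-sensitive"))` returns `True`, which is the situation in the question: nothing set on the subscription itself can subtract an assignment inherited from the management group. After either fix the same call returns `False` for bob while alice and the non-sensitive subscriptions are unaffected. Resource locks, by contrast, are not principal-specific and only block delete or write operations, so they do not stop a user from reading the data in a subscription.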