Azure Permissions

New Contributor

We would like to give 5-8 people in our environment full access to Azure, but we don't want to give them Global Admin rights, as we don't want them to have access to M365. What is the easiest way to accomplish this? We're not looking forward to assigning each person 25-30 roles.

Thank You,

Gerry.

2 Replies

Create a Custom Role, assign the role to a Group, add the users into that Group.

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://luke.geek.nz/azure/create-custom-roles-for-microsoft-azure/

In addition to what Luke wrote, you can use built-in roles like Owner and assign it on a certain scope (a single Resource Group, a single subscription, or several subscriptions grouped under a Management Group). Please note that Global Admin is an Azure AD role (not something you are using in Azure RBAC). There is no need to assign your users (devs and similar) any Azure AD privileged role.

Microsoft recommends following the "least privilege access" principle (or even just-in-time access using Privileged Identity Management), so defining the "blast radius" (what part of your Azure environment that group of people will have access to, and at what level) is a good approach.
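
An added example, not part of the thread or of Microsoft's tooling: a Python check over role assignments exported with `az role assignment list --all -o json` that flags direct user assignments and privileged roles at broad scopes, the two points the replies make. The sample data, the principal names and the choice of which roles count as privileged are assumptions made for this example.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --all -o json` output
# (IDs, names and scopes are made up for this example).
SAMPLE = json.loads("""[
 {"principalName": "azure-platform-admins", "principalType": "Group",
  "roleDefinitionName": "Owner",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-workloads"},
 {"principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "dev-team", "principalType": "Group",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
 {"principalName": "build-sp", "principalType": "ServicePrincipal",
  "roleDefinitionName": "User Access Administrator", "scope": "/"}
]""")

# Assumption: built-in roles that can grant access to others are treated as privileged.
PRIVILEGED = {"Owner", "User Access Administrator"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much of the estate it covers."""
    s = scope.rstrip("/").lower()
    if s == "":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management_group"
    if re.fullmatch(r"/subscriptions/[^/]+", s):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourcegroups/[^/]+", s):
        return "resource_group"
    return "resource"

def audit(assignments):
    """Return (principal, finding) pairs for assignments worth reviewing."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        who, role = a["principalName"], a["roleDefinitionName"]
        if a["principalType"] == "User":
            findings.append((who, f"direct user assignment of {role}; assign via a group"))
        if role in PRIVILEGED and level in ("root", "management_group"):
            findings.append((who, f"{role} at {level} scope; confirm intended blast radius"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```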