Customizing Role Based Access Control in Azure
One of the things I often find in Azure deployments is the lack of RBAC usage, which is quite easy to set up now in the new portal and integrates easily with Azure AD. By default, the user who creates an Azure subscription has the Owner role, which has full rights to view and manage the subscription and can create resources within it. The same user also becomes part of a group called Subscription admins, which gets full access to all resource groups by default, because the rights are inherited from the subscription itself.
But we can also define direct access to a resource. Let's say we want a specific individual to be able to manage only certain virtual machines or services within Azure, for instance DNS or an App Service. In that case we need to define direct access to that resource.
So, for instance, we can grant access with a predefined role on a virtual network.
So when I now log in with my account, which is assigned access to some resources, I will only get the resources that I'm assigned to.
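The inheritance and direct-assignment behaviour described above can be checked offline against an export of role assignments. The following is an added example, not code from the original article: it assumes records with the `principalName`, `roleDefinitionName` and `scope` fields that `az role assignment list --all -o json` returns, uses constructed sample data, and does not expand group membership or evaluate deny assignments.

```python
# Constructed sample, already parsed from JSON; the subscription id,
# principals and resource names are made up for this example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet1"
APP = SUB + "/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1"
APP2 = SUB + "/resourceGroups/rg-app2/providers/Microsoft.Web/sites/web2"
RESOURCES = [VNET, APP, APP2]
ASSIGNMENTS = [
    {"principalName": "admin@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "netops@contoso.example", "roleDefinitionName": "Network Contributor", "scope": VNET},
    {"principalName": "dev@contoso.example", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
]

def scope_level(scope):
    """Classify the level at which an assignment was made."""
    parts = scope.strip("/").lower().split("/")
    if parts[0] != "subscriptions":
        return "above-subscription"  # root "/" or a management group
    if "providers" in parts:
        return "resource"
    return "resourceGroup" if "resourcegroups" in parts else "subscription"

def applies(scope, resource_id):
    """An assignment reaches a resource when its scope is the resource or a parent.
    The "/" boundary stops rg-app from matching rg-app2; ARM ids are case-insensitive.
    Management-group inheritance cannot be derived from the string and is not modelled."""
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def effective_access(assignments, resource_id):
    """(principal, role, level granted at) for every assignment reaching resource_id."""
    return sorted((a["principalName"], a["roleDefinitionName"], scope_level(a["scope"]))
                  for a in assignments if applies(a["scope"], resource_id))

def visible_resources(assignments, principal, resources):
    """Resources a principal can reach, directly or through inheritance."""
    return [r for r in resources
            if any(a["principalName"] == principal and applies(a["scope"], r) for a in assignments)]

def broad_owners(assignments):
    """Owner granted at subscription scope or above, inherited by every resource group."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "Owner"
                  and scope_level(a["scope"]) in ("subscription", "above-subscription"))

if __name__ == "__main__":
    for who, role, level in effective_access(ASSIGNMENTS, VNET):
        print(f"{who}: {role} (granted at {level} scope)")
    print("Review broad Owner grants:", broad_owners(ASSIGNMENTS))
```
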
Read the entire article here, Customizing Role Based Access Control in Azure
via Marius Sandbu.