Hide some resources in Resource group except one AD group
I have a scenario where I need to restrict access to a specific Azure resource to only one Azure Active Directory (AD) group. Here's the setup:
Environment Details:
The resources are deployed in a shared Resource Group (RG). Role assignments are applied at the subscription level, so they are inherited by all resources in the RG.
Current Setup:
The subscription has role assignments for Group1, Group2, and Group3, granting them access to all resources in the RG. The RG is shared between two projects: One of the projects has sensitive data and includes a specific storage account named "testhrweuo1".
Goal:
I want to restrict access to the "testhrweuo1" storage account so that only Group1 can see or access it (i.e., members of Group2 and Group3 should not have any visibility or access to this resource).
Issue:
Because the role assignments are inherited from the subscription level, all three groups currently have access to the storage account. I am looking for a way to override this inheritance and restrict the visibility or access to only Group1.
Note that: At the subscription level, you cannot restrict access to a specific resource.
- Role assignments at the subscription level are inherited by all resources within that subscription, including all Resource Groups and their resources.
- This means if you assign a role at the subscription level, it applies to all resources within that subscription and cannot restrict it to a specific resource.
The subscription-level role assignments do not have the ability to be scoped further to a single resource, in your scenario only the "testhrweuo1" storage account or even to a specific Resource Group. They apply to everything in the subscription unless overridden at a lower level (Resource Group or resource).
I want to restrict access to the "testhrweuo1" storage account so that only Group1 can see or access it (i.e., members of Group2 and Group3 should not have any visibility or access to this resource).
To restrict access to the "testhrweuo1" storage account:
- Remove access for Group2 and Group3 at the subscription level and assign roles separately for Group2 and Group3 at either the Resource Group level or Resource level (depending on where you want them to have access).
- Assign a role for Group1 to ensure they have access to the "testhrweuo1" storage account. You can assign the role at the Resource Group level, Resource level, or Subscription level (if you want Group1 to access all resources).
Resource Group level role assignment:
Go to the Resource Group in the Azure portal, select Access control (IAM), click + Add → Add role assignment, choose the appropriate role, select the user/group (e.g., Group1), and click Save.
Resource level role assignment:
On the storage account page, go to Access control (IAM), click + Add → Add role assignment, choose the appropriate role (e.g., Storage Blob Data Contributor), search and select Group1, then click Save.
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages