Restricting Access to what users can see in the Azure portal

Question

For users that are assigned only a resource contributor role (such as Storage File Data SMB Share Contributor) the desired outcome is for them to see only the storage resources in Azure to which they are assigned

With this role, users can still see, however, the Subscription ID, a list of devices in Azure Active Directory, can log into Microsoft Intune, etc.

We have tried enabling "Restrict access to Azure Admin Portal" but some details are still visible. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions

I am looking for guidance on how to ensure restricted access for users with a resource contributor role assigned.

score 0 · Answer 1 · answered Dec 10 '21 at 00:26

Ability to see the existence of an Azure subscription when you have any role assigned to a resource in the subscription is special behavior provided by ARM to allow users to browse to the resources they have access to...

The other items (devices in Azure AD, Intune) are not controlled by Azure RBAC roles. You should find that the users have the same permissions even if you remove their Azure RBAC role assignments.

These systems have independent authorization logic which may be granting some access to all users.

Restricting Access to what users can see in the Azure portal

1 Answers1