deny assignment

adm_ysmail-ext 21 Reputation points
2022-11-29T15:56:03.8+00:00

Hello,

I'm trying to create a deny assignment on a storage account in order to deny access even if the users are owner of the subscription.
All what I see in the documentation is adding a lock (265297-image.png

using the blueprint or listing the deny assignements. But this is not a deny assignment , nothing is mentioned about how to create or customize them.
Can anyone tell me how to specify the actions to add, or give a template of a working Blueprint with a real deny assignment?

Thank you !

Azure Blueprints
Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
72 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
851 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,645 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 37,046 Reputation points Microsoft Employee
    2022-12-02T23:14:32.897+00:00

    Hi @adm_ysmail-ext ,

    The only way to create a deny assignment is through Azure blueprints, and this can only be done when the resource is created. The resource locks protecting against other subscription Owners cannot be applied to existing resources, only new ones. https://zcusa.951200.xyz/en-us/azure/governance/blueprints/tutorials/protect-new-resources

    Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. But you need add this protection in the blueprint definitions of resources created by an Azure Resource Manager template artifact, and the Blueprint resource lock is set during blueprint assignment.

    Access for Owners can be set to "Read only" or "Do not delete", but not fully restricted. https://zcusa.951200.xyz/en-us/azure/governance/blueprints/concepts/resource-locking

    Additional reading:
    Deny Assignments

    Let me know if you have further questions. If you have a business justification for greater granularity, you can create a feature request in the Ideas forum: https://feedback.azure.com/

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.