Hi @adm_ysmail-ext ,
The only way to create a deny assignment is through Azure blueprints, and this can only be done when the resource is created. The resource locks protecting against other subscription Owners cannot be applied to existing resources, only new ones. https://zcusa.951200.xyz/en-us/azure/governance/blueprints/tutorials/protect-new-resources
Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access. But you need add this protection in the blueprint definitions of resources created by an Azure Resource Manager template artifact, and the Blueprint resource lock is set during blueprint assignment.
Access for Owners can be set to "Read only" or "Do not delete", but not fully restricted. https://zcusa.951200.xyz/en-us/azure/governance/blueprints/concepts/resource-locking
Additional reading:
Deny Assignments
Let me know if you have further questions. If you have a business justification for greater granularity, you can create a feature request in the Ideas forum: https://feedback.azure.com/
-
If the information helped you, please Accept the answer. This will help us and other community members as well.