Specialized role permissions – Locking down standard Azure infrastructure

Possibly due to specific governance needs, or perhaps maintaining a specific infrastructure in your cloud environment, you might want to lock out standard build capability for a group of users.

In the following example, I had a request to remove the ability of creating new Resource Groups in Azure to most users regardless of authorization levels, here is the example of how to do so with Microsoft Graph permission sets.

I created a custom Azure role that defined what can be done, and what can’t be done, looking at a the empty role JSON file, you can see there are “Actions” and “NotActions” sections:

{
  "Name": "",
  "Id":,
  "IsCustom": true,
  "Description": "Base Role file",
  "Actions": [
    ""
  ],
  "NotActions": [
    ""
  ],
  "AssignableScopes": [
    ""
  ]
}

The fields we’re going to pay attention to are the Actions, NotActions, and AssignableScopes.

Step 1: Determine the resource providers that map to Azure services.

With this example, we are targeting Resource Groups, so we will use:

Microsoft.Resources/subscriptions/resourceGroups

Step 2: Find the available permissions. With this case, we want to restrict creating or modifying resource groups, so it makes sense to add to the deny section the “write” permission.

Microsoft.Resources/subscriptions/resourceGroups/write

Step 3: Assign it to the appropriate scope. A Resource Group is created in a subscription, therefore that’s where you’d define the scope:

/subscriptions/bf384112-966c-4eb5-xxxx-b495c90xxxx

Putting it all together, your JSON file will look something like this:

{
  "Name": "Deny RG Create",
  "Id": null,
  "IsCustom": true,
  "Description": "Disable New Resource Group creation",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.Resources/subscriptions/resourceGroups/write"
  ],
  "AssignableScopes": [
    "/subscriptions/bf384112-966c-4eb5-xxxx-b495c90xxxxx"
  ]
}

Once you’ve created the role definition, import it into your Azure subscription and assign the role to the necessary users, they’ll get the “You do not have permissions to create resource groups under subscription” message when trying to create a new group.