We would like to request a new feature/possible workaround for the following scenario:
If we have multiple subscriptions under a single tenant: all 2000+ subscriptions whose IAM is inherited from the Management AD group that is created in Azure Active Directory. How do we restrict all and allow only one group from this Management AD group to get access to one subscription that has sensitive data? How do we deny users from seeing specific resources using a deny assignment?
However, from the discussions that we had with the Azure Blueprint and RBAC teams over a support ticket, we confirmed that this is an unsupported scenario for the following reasons:
++ From the Blueprint perspective, there is no place to modify/customize "DataActions". The only way is to add delete/read-only locks as recommended here: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
++ Although https://docs.microsoft.com/en-us/azure/role-based-access-control/deny-assignments mentions deny assignments, the assignment can only be deployed via Azure Blueprints or Azure Managed Apps. As Blueprints only supports built-in roles, we are not able to create a custom role and leverage Blueprints to do the assignment. Unfortunately.
++ From the RBAC role perspective, it cannot meet our requirement. Although an RBAC role has "NotActions" or "NotDataActions", these "Not" entries specify the control-plane actions that are subtracted or excluded from the allowed Actions that have a wildcard (*). It means you need to put the relevant permissions (such as *) in the custom role itself first. It doesn't subtract or exclude permissions across roles. Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. This is why an RBAC role cannot meet the customer's requirement.
Any help please? Rebuilding/redoing the design architecture is not an option at all...
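Added example (not from the post above and not Microsoft's code): a small Python model of the two evaluation steps the post describes, to make the NotActions and deny-assignment behaviour concrete. It follows the documented order, role assignments are unioned first and deny assignments are then checked against the result, but it is a simplification: the scope tree, group ids, action strings and role contents are constructed sample values, ALL_PRINCIPALS is a stand-in for the system-defined "All principals" entry, and DataActions, ABAC conditions and the mechanics of how a deny assignment gets created are not modelled.

```python
import re
from dataclasses import dataclass

ALL_PRINCIPALS = "ALL"  # stands in for the system-defined "All principals" entry

# Constructed scope tree: tenant-root MG -> subscriptions -> resource groups.
TENANT_ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root"
SENSITIVE_SUB = "/subscriptions/sub-sensitive"
VAULT_RG = SENSITIVE_SUB + "/resourceGroups/rg-secrets"
SCOPE_PARENT = {"/subscriptions/sub-0001": TENANT_ROOT,
                SENSITIVE_SUB: TENANT_ROOT, VAULT_RG: SENSITIVE_SUB}

def scope_chain(resource):
    """The resource plus every ancestor scope an assignment could sit on."""
    chain = [resource]
    while chain[-1] in SCOPE_PARENT:
        chain.append(SCOPE_PARENT[chain[-1]])
    return chain

def matches(pattern, action):
    """Azure action matching: case-insensitive; '*' spans any characters, '/' included."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def permits(actions, not_actions, action):
    """A definition grants `action` only if its Actions match it and its OWN
    NotActions do not; NotActions never subtracts from another assignment."""
    return (any(matches(p, action) for p in actions)
            and not any(matches(p, action) for p in not_actions))

@dataclass
class RoleAssignment:
    actions: list
    not_actions: list
    principal: str  # user or group object id the role is assigned to
    scope: str

@dataclass
class DenyAssignment:
    actions: list
    not_actions: list
    principals: list
    exclude_principals: list
    scope: str

def effective_allow(principal_ids, assignments, action, resource):
    """Step 1, additive: the union over every applicable role assignment."""
    chain = scope_chain(resource)
    return any(a.principal in principal_ids and a.scope in chain
               and permits(a.actions, a.not_actions, action) for a in assignments)

def is_denied(principal_ids, denies, action, resource):
    """Step 2: a deny assignment at or above the resource overrides the allow,
    unless one of the principal's ids is in ExcludePrincipals."""
    chain = scope_chain(resource)
    for d in denies:
        targeted = ALL_PRINCIPALS in d.principals or any(p in d.principals for p in principal_ids)
        excluded = any(p in d.exclude_principals for p in principal_ids)
        if d.scope in chain and targeted and not excluded and permits(d.actions, d.not_actions, action):
            return True
    return False

def check_access(principal_ids, assignments, denies, action, resource):
    """principal_ids: the caller's own object id plus every group it belongs to."""
    return (effective_allow(principal_ids, assignments, action, resource)
            and not is_denied(principal_ids, denies, action, resource))

MGMT_GROUP = "grp-management"              # inherited by all 2000+ subscriptions
SENSITIVE_OWNERS = "grp-sensitive-owners"  # the one group that should keep access
KV_READ = "Microsoft.KeyVault/vaults/read"
STORAGE_READ = "Microsoft.Storage/storageAccounts/read"
# Custom role in the style of the post: wildcard allow with Key Vault carved out.
NO_KEYVAULT = RoleAssignment(["*"], ["Microsoft.KeyVault/vaults/*"], MGMT_GROUP, TENANT_ROOT)
# Second role on the same group, Reader-like, with no NotActions of its own.
READER = RoleAssignment(["*/read"], [], MGMT_GROUP, TENANT_ROOT)
# Deny everyone on the sensitive subscription except the owners group.
DENY_ALL_BUT_OWNERS = DenyAssignment(["*"], [], [ALL_PRINCIPALS], [SENSITIVE_OWNERS], SENSITIVE_SUB)

def demo_not_actions_is_per_role():
    """NotActions narrows its own role only; a second role re-grants the action."""
    alone = check_access({MGMT_GROUP}, [NO_KEYVAULT], [], KV_READ, VAULT_RG)
    with_reader = check_access({MGMT_GROUP}, [NO_KEYVAULT, READER], [], KV_READ, VAULT_RG)
    return alone, with_reader

def demo_deny_assignment():
    """The deny blocks the inherited group on one subscription only, spares the
    excluded group, and grants nothing by itself."""
    roles, denies = [NO_KEYVAULT, READER], [DENY_ALL_BUT_OWNERS]
    mgmt_only = check_access({MGMT_GROUP}, roles, denies, STORAGE_READ, VAULT_RG)
    mgmt_and_owner = check_access({MGMT_GROUP, SENSITIVE_OWNERS}, roles, denies, STORAGE_READ, VAULT_RG)
    owner_only = check_access({SENSITIVE_OWNERS}, roles, denies, STORAGE_READ, VAULT_RG)
    other_sub = check_access({MGMT_GROUP}, roles, denies, STORAGE_READ, "/subscriptions/sub-0001")
    return mgmt_only, mgmt_and_owner, owner_only, other_sub
```

demo_not_actions_is_per_role() returns (False, True): the NotActions carve-out holds while the custom role is the only assignment on the group, and disappears the moment a Reader-style role is added on the same group, which is the additive behaviour the support ticket described. demo_deny_assignment() returns (False, True, False, True): the deny blocks the inherited management group on the sensitive subscription, spares a member of the excluded group, grants nothing to someone who is only in the excluded group (an exclusion is not an allow), and leaves the other subscription untouched.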
As Blueprints only supports built-in roles, we are not able to create a custom role and leverage Blueprints to do the assignment.
Are you referring to built-in roles for the role assignment artifact? You should be able to use either built-in or custom roles. My understanding is that custom roles are only partially supported at MG scope, but that is not a Blueprints limitation. Blueprints will query for any available roles at the relevant scope.
If there are limitations in how Blueprints handles the application of deny assignments, then this will need to be addressed with deployment stacks, which is going to be a superset of blueprint assignment functionality. It is going to expose the full fidelity of settings for a deny assignment, including data actions. Deployment stacks is in private preview now, and we are hoping to have a public preview out in the next 6 months.