
How to modify Access control (IAM) in Azure

March 8, 2018 | September 18th, 2020 | Azure, Blog, Microsoft

I’ve been getting this same question with every client we enroll in Azure. It typically comes in as, “I can log in and see everything in Azure; however, my co-workers can’t. They’re Global Administrators in Office 365 just like I am.” Access control (IAM) on your Azure subscriptions is not inherently delegated: being a Global Administrator in Office 365 does not by itself grant access to a subscription. This is by design and for good reason.

To grant others access to a subscription, follow the steps below.

  1. Select Subscriptions in the navigation bar on the left.
  2. Select the name of the subscription from the Subscriptions blade.
  3. Select Access control (IAM) from the left menu.
  4. The Access control blade lists all users, groups, and applications that have been granted access to the subscription.
  5. Select Add on the Access control blade.
  6. Select the role that you wish to assign from the Select a role blade.
  7. Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.

These steps can also be followed to assign access on many resources in Azure.

A very common practice is to assign access control to a resource group.

  1. Select Resource groups in the navigation bar on the left.
  2. Select the name of the resource group from the Resource groups blade.
  3. Select Access control (IAM) from the left menu.
  4. The Access control blade lists all users, groups, and applications that have been granted access to the resource group.
  5. Select Add on the Access control blade.
  6. Select the role that you wish to assign from the Select a role blade.
  7. Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.

Notice that some roles are scoped to This resource while others are Inherited from another scope. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.
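To review that same This resource / Inherited distinction outside the portal, here is an added example (not part of the original post) that classifies role assignments by scope for a given resource group. The sample data is constructed, and the subscription ID, resource group names and users are placeholders; the field names follow the JSON that `az role assignment list --all -o json` returns.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/rg-app"                          # hypothetical group

# Constructed sample; every principal and scope below is made up.
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "carol@example.com", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-app2"},           # sibling group, similar name
    {"principalName": "dave@example.com", "roleDefinitionName": "Reader",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/stapp"},  # child only
    {"principalName": "erin@example.com", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourcegroups/RG-APP/"},           # same group, different casing
]

# Built-in roles that can change resources or access; worth reviewing when inherited.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def _norm(scope):
    # Azure resource IDs are case-insensitive; drop any trailing slash.
    return scope.rstrip("/").lower()

def effective_at(assignments, target_scope):
    """Return (principal, role, origin) for each assignment that applies at target_scope."""
    target = _norm(target_scope)
    rows = []
    for a in assignments:
        scope = _norm(a["scope"])
        if scope == target:
            origin = "This resource"
        elif target.startswith(scope + "/"):  # "/" stops rg-app matching rg-app2
            origin = "Inherited"
        else:
            continue  # sibling or child scope: grants nothing at target_scope
        rows.append((a["principalName"], a["roleDefinitionName"], origin))
    return rows
    # Limitation: management-group scopes are not path prefixes of a
    # subscription, so inheritance from them is not resolved here.

def inherited_privileged(assignments, target_scope):
    """Inherited assignments holding a privileged role at target_scope."""
    return [r for r in effective_at(assignments, target_scope)
            if r[2] == "Inherited" and r[1] in PRIVILEGED_ROLES]

if __name__ == "__main__":
    for row in effective_at(SAMPLE, RG):
        print("%-20s %-12s %s" % row)
```
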

Brandon Stuart, PEI
