Limiting the contributor access at resource group level

Yadhu Krishnan 0 Reputation points
2025-11-28T10:49:03.8266667+00:00

Hi Team,

We have given contributor access to a developer at resource group level, and now we are planning to limit this access by denying the creation of VMs, App Service plans, database servers, Azure Databricks and Azure Data Factory for this resource-group-level contributor. From now onwards, only a subscription-level contributor should be able to do the above-mentioned operations.

For this we have created a policy to deny the creation of these resources at subscription level, created a security group, added the subscription-level contributors to this group and created an exception for this group. But since I added this exception the policy is not working as expected, and resource-group-level contributors are still able to create these resources.

Tell me how I can achieve this.

Regards

Yadhu Krishnan J


1 answer

  1. Siva shunmugam Nadessin 3,025 Reputation points Microsoft External Staff Moderator
    2025-11-28T14:08:23.03+00:00

    Hello Yadhu Krishnan,

    Here’s how you can troubleshoot and achieve the expected outcome:

    Steps to Achieve the Desired Access Control

    1. Review Policy Exemption: Ensure that your policy exemption is applied correctly. The exemption should specifically target the security group with subscription-level contributors and not inadvertently include resource group-level contributors. You can verify this in the Azure Portal under the Policy section:
      • Go to Policy → Assignments → [Your Policy] → Exemptions.
    2. Use Principal-Based Exemptions: As mentioned in the comment by Rukmini, you may need to recreate the exemption as a principal-based exemption. This approach allows you to specify the identities (users or groups) that should be exempt from the policy restrictions.
    3. Test Policy Effectiveness: After making changes to the exemption, be sure to test the policy to verify that resource group-level contributors are indeed restricted from creating the specified resources.
    4. Evaluate Role Assignment Rights: Ensure that the role assignments for the developers at the resource group level do not include permissions to override the policy you established. Check if the roles are appropriately assigned at the resource group level versus the subscription level.
    5. Use Management Groups or Higher Scope: If the policies continue to conflict, consider applying your restrictions at a higher scope, such as the management group or subscription level, which can better enforce resource creation limitations.

    If you have any further queries, please do let us know.

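As an added illustration for this thread (not code from Microsoft, the question author or the answerer), the block below writes out a custom Azure Policy definition of the kind described in the question, a `deny` rule on a parameterised list of resource types, following the same rule shape as the built-in "Not allowed resource types" policy. It also carries a deliberately small offline re-implementation of the `field`/`in`/`anyOf` rule semantics and of exemptions, so the rule can be sanity-checked against sample requests before it is assigned. The list of resource provider types is an assumption about which services the question means by "VM, App service plan, Database Servers, Azure Databricks, Azure Data factory"; the subscription id and resource ids are constructed placeholders. Exemptions in the model are matched on resource scope, which is how Azure Policy exemptions are attached (to the assignment scope or a child scope, down to a single resource); this evaluator is a teaching model, not the Azure Policy engine.

```python
"""Offline model of an Azure Policy 'deny' rule for selected resource types.

Added example for this thread; the resource type list is an assumption about
the services the question names, and the evaluator only covers the subset of
the policy rule grammar used by this definition.
"""
import json

# Assumption: the provider types behind the services listed in the question.
# Adjust the database entries to the flavours actually in use.
DENIED_TYPES = [
    "Microsoft.Compute/virtualMachines",           # VM
    "Microsoft.Web/serverfarms",                   # App Service plan
    "Microsoft.Sql/servers",                       # Azure SQL logical server
    "Microsoft.DBforPostgreSQL/flexibleServers",   # PostgreSQL flexible server
    "Microsoft.DBforMySQL/flexibleServers",        # MySQL flexible server
    "Microsoft.Databricks/workspaces",             # Azure Databricks
    "Microsoft.DataFactory/factories",             # Azure Data Factory
]

# Custom definition in the documented Azure Policy schema: one parameter, one
# 'field type in <list>' condition, effect 'deny'.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Deny creation of selected resource types",
        "policyType": "Custom",
        "mode": "All",
        "parameters": {
            "deniedTypes": {
                "type": "Array",
                "metadata": {"displayName": "Resource types to deny"},
                "defaultValue": DENIED_TYPES,
            }
        },
        "policyRule": {
            "if": {"field": "type", "in": "[parameters('deniedTypes')]"},
            "then": {"effect": "deny"},
        },
    }
}

PARAM_PREFIX, PARAM_SUFFIX = "[parameters('", "')]"


def resolve(value, parameters):
    """Expand a "[parameters('name')]" reference to that parameter's default value."""
    if isinstance(value, str) and value.startswith(PARAM_PREFIX) and value.endswith(PARAM_SUFFIX):
        name = value[len(PARAM_PREFIX):-len(PARAM_SUFFIX)]
        return parameters[name]["defaultValue"]
    return value


def condition_matches(cond, resource, parameters):
    """Evaluate anyOf/allOf/not and 'field' with equals/in.

    Azure Policy string comparisons are case-insensitive, so both sides are lower-cased.
    """
    if "anyOf" in cond:
        return any(condition_matches(c, resource, parameters) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(condition_matches(c, resource, parameters) for c in cond["allOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, parameters)
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == str(resolve(cond["equals"], parameters)).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in resolve(cond["in"], parameters)}
    raise ValueError(f"unsupported condition: {cond}")


def is_within_scope(resource_id, scope):
    """True when resource_id is the scope itself or lies beneath it (segment-aligned, case-insensitive)."""
    rid, s = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate(resource, definition=POLICY_DEFINITION, exempt_scopes=()):
    """Return 'exempt', 'deny' or 'allow' for one resource request.

    Exemptions are matched on the resource's scope, mirroring how policy
    exemptions are attached in Azure Policy.
    """
    if any(is_within_scope(resource["id"], scope) for scope in exempt_scopes):
        return "exempt"
    props = definition["properties"]
    if condition_matches(props["policyRule"]["if"], resource, props["parameters"]):
        return props["policyRule"]["then"]["effect"]
    return "allow"


# Constructed sample requests; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_REQUESTS = [
    {"id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm01",
     "type": "Microsoft.Compute/virtualMachines"},
    {"id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev01",
     "type": "Microsoft.Storage/storageAccounts"},
    {"id": f"{SUB}/resourceGroups/rg-platform/providers/Microsoft.DataFactory/factories/adf01",
     "type": "microsoft.datafactory/factories"},  # mixed case still matches
]

if __name__ == "__main__":
    print(json.dumps(POLICY_DEFINITION, indent=2))
    exempt = [f"{SUB}/resourceGroups/rg-platform"]
    for req in SAMPLE_REQUESTS:
        print(f"{req['type']:45} -> {evaluate(req, exempt_scopes=exempt)}")
```

Running the script prints the definition JSON (ready to paste into a custom policy definition) and then shows the VM request denied, the storage account allowed, and the Data Factory request exempt only because its resource group is in the exempt scope list; with an empty exemption list the same Data Factory request is denied.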
