0

I want to give a specific RBAC to a user so that he can create a NIC but not modify it. As a matter of fact, the aim is that he shouldn't have permission to change the dynamic IP to a static IP and change the IP address of the NIC.

I have checked the RBACs of NIC, but it seems that if he has the Microsoft.Network/networkInterfaces/write permission, he can create a network interface or update an existing network interface. So this RBAC is not as detailed as I want. I have also tried to give all permissions but not Microsoft.Network/networkInterfaces/read. In that case, the NIC can be created but I can neither see the IP of the NIC nor SSH/RDP to the VM. So it is not a solution for me.

I have checked the built-in Azure Policies, but there isn't anything good for my needs.

Any idea?

MoonHorse
  • 107

1 Answer

1

It is not possible for someone to have permissions to create a resource but not edit it, as it is all contained under the write permission.

Your best bet would be to use Azure Policy to define a policy that doesn't allow static IP addresses.

Sam Cogan
  • 39,089
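
A sketch of the kind of policy the answer suggests, as an added example that is not part of the original answer. The display name and description are made up, and the two alias names are assumptions to confirm against the provider's alias list (for example with `Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Network'`) before assigning. The `count` expression denies the request if any IP configuration on the NIC is static, where a plain `field`/`equals` on a `[*]` alias would only match when every configuration is static.

```json
{
  "properties": {
    "displayName": "Deny static private IP allocation on network interfaces (example)",
    "description": "Added example, not an Azure built-in. Alias names are assumptions to verify before use.",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
              "where": {
                "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].privateIPAllocationMethod",
                "equals": "Static"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

A `deny` effect is evaluated on both create and update requests, so the user keeps `Microsoft.Network/networkInterfaces/write` for creating NICs while a change from Dynamic to Static is rejected. Assigning it with the `audit` effect first shows which existing NICs would be affected.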