How can we improve Azure Active Directory?

← Azure Active Directory

RBAC role for Tagging only

Please create a new RBAC roles for "Tag Contributor" and "Tag Reader"

We currently have no way to restrict a service account to be able to automatically add tags to resources without granting the service account "Contributor" rights on all our subscriptions. Huge security concern.

7 votes

Sign in

(thinking…)

Sign in with:

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Ian Moroney shared this idea · November 14, 2018 · Flag idea as inappropriate… · Admin →

2 comments

Add a comment…

Sign in

(thinking…)

Sign in with:

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Rene Løhde commented · May 06, 2019 04:45 · Flag as inappropriate

Could we rephrase this as "Implement Resource Provider Operations (Actions) for Tag on each of the Azure resources" ...I am guesssing that this issue is due to the top-level implementation of the Tag-action at the subscription level:

Microsoft.Resources/subscriptions/tagNames/read
Microsoft.Resources/subscriptions/tagNames/write
Microsoft.Resources/subscriptions/tagNames/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/read
Microsoft.Resources/subscriptions/tagNames/tagValues/write

Where-as, what is really needed to gain granular control is somthing like:

Microsoft.Compute/virtualMachines/tagNames/*
Microsoft.Compute/virtualMachines/tagNames/tagValues/*
...
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/*
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/tagValues/*
...

Additional use-cases: Role that can start/stop VM and change tags (with-out having to allow for "Microsoft.Compute/virtualMachines/write" in the custom role)

Submitting...
AK commented · November 30, 2018 05:07 · Flag as inappropriate

Agreed, we cannot promote governance and cost-control properly if we have no control over tag changes.

Submitting...

Azure Active Directory: Role-based Access Control

Searching…

No results.
Clear search results

Give feedback
- (General Feedback) 3,463 ideas
- Additional Services 314 ideas
- Analytics Platform System 12 ideas
- API Apps 8 ideas
- API Management 447 ideas
- Automation 398 ideas
- Azure Active Directory 3,317 ideas
- Azure Active Directory Application Requests 216 ideas
- Azure Advisor 16 ideas
- Azure Analysis Services 142 ideas
- Azure API for FHIR 2 ideas
- Azure App Configuration 13 ideas
- Azure Backup 412 ideas
- Azure Blockchain Service 2 ideas
- Azure Bot Service 59 ideas
- Azure Cloud Shell 307 ideas
- Azure Confidential Compute 3 ideas
- Azure Container Instances 93 ideas
- Azure Container Registry 61 ideas
- Azure Cosmos DB 225 ideas
- Azure CycleCloud 1 idea
- Azure Data Explorer 52 ideas
- Azure Data Share (Public Preview) 2 ideas
- Azure Database for MariaDB 7 ideas
- Azure Database for MySQL 55 ideas
- Azure Database for PostgreSQL 86 ideas
- Azure Database Migration Service 43 ideas
- Azure Databricks 55 ideas
- Azure Dev Spaces 0 ideas
- Azure Digital Twins 22 ideas
- Azure Event Grid 52 ideas
- Azure Functions 139 ideas
- Azure FXT Edge Filer 0 ideas
- Azure Governance 89 ideas
- Azure Government 78 ideas
- Azure IoT 242 ideas
- Azure IoT Central 84 ideas
- Azure IoT Device Catalog 14 ideas
- Azure IoT Edge 61 ideas
- Azure IoT Solution Accelerators 27 ideas
- Azure Key Vault 112 ideas
- Azure Kinect DK 36 ideas
- Azure Kubernetes Service (AKS) 137 ideas
- Azure Lighthouse 9 ideas
- Azure Management Groups 22 ideas
- Azure Maps 41 ideas
- Azure Marketplace 384 ideas
- Azure Media Services 205 ideas
- Azure Migrate 32 ideas
- Azure mobile app 220 ideas
- Azure Monitor 89 ideas
- Azure Monitor- Alert Management 76 ideas
- Azure Monitor-Application Insights 553 ideas
- Azure Monitor-Log Analytics 883 ideas
- Azure Pack 324 ideas
- Azure portal 1,804 ideas
- Azure Red Hat OpenShift 12 ideas
- Azure Resource Manager 426 ideas
- Azure Search 230 ideas
- Azure Security Center 187 ideas
- Azure Sentinel 22 ideas
- Azure Service Health 19 ideas
- Azure SignalR Service 8 ideas
- Azure Spatial Anchors 16 ideas
- Azure Sphere 63 ideas
- Azure Stack 153 ideas
- Azure TCO Calculator 28 ideas
- Azure Time Series Insights 8 ideas
- Batch 44 ideas
- Batch AI 9 ideas
- Biztalk Services 23 ideas
- Blockchain 43 ideas
- Cache 51 ideas
- Change Tracking 7 ideas
- Cloud Services (Web and Worker Role) 284 ideas
- Cost Management 171 ideas
- Customer Insights 13 ideas
- Customer Lockbox for Microsoft Azure 1 idea
- Data Catalog 127 ideas
- Data Factory 702 ideas
- Data Lake 335 ideas
- Data Science VM 19 ideas
- Diagnostics and Monitoring 187 ideas
- Event Hubs 22 ideas
- Global Infrastructure 43 ideas
- HDInsight 124 ideas
- Lab Services 245 ideas
- Logic Apps 1,302 ideas
- Machine Learning 70 ideas
- Mobile Engagement 19 ideas
- Networking 884 ideas
- Notification Hubs 27 ideas
- Scheduler 47 ideas
- Scripting and Command Line Tools 108 ideas
- SDK and Tools 138 ideas
- Security and Compliance 85 ideas
- Service Bus 183 ideas
- Service Fabric 278 ideas
- Signup and Billing 1,421 ideas
- Site Recovery 242 ideas
- SQL Data Sync 68 ideas
- SQL Data Warehouse 250 ideas
- SQL Database 640 ideas
- SQL Managed Instance 94 ideas
- SQL Server 9,694 ideas
- Storage 742 ideas
- StorSimple 46 ideas
- Stream Analytics 229 ideas
- Support Feedback 267 ideas
- System Center Data Protection Manager 110 ideas
- Update Management 109 ideas
- Virtual Machines 1,418 ideas
- Web Apps 365 ideas
Microsoft Azure