How can we improve Azure Active Directory?

← Azure Active Directory

RBAC role for Tagging only

Please create a new RBAC roles for "Tag Contributor" and "Tag Reader"

We currently have no way to restrict a service account to be able to automatically add tags to resources without granting the service account "Contributor" rights on all our subscriptions. Huge security concern.

14 votes

Sign in

(thinking…)

Sign in with:

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Ian Moroney shared this idea · November 14, 2018 · Flag idea as inappropriate… · Admin →

2 comments

Add a comment…

Sign in

(thinking…)

Sign in with:

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Rene Løhde commented · May 06, 2019 04:45 · Flag as inappropriate

Could we rephrase this as "Implement Resource Provider Operations (Actions) for Tag on each of the Azure resources" ...I am guesssing that this issue is due to the top-level implementation of the Tag-action at the subscription level:

Microsoft.Resources/subscriptions/tagNames/read
Microsoft.Resources/subscriptions/tagNames/write
Microsoft.Resources/subscriptions/tagNames/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/delete
Microsoft.Resources/subscriptions/tagNames/tagValues/read
Microsoft.Resources/subscriptions/tagNames/tagValues/write

Where-as, what is really needed to gain granular control is somthing like:

Microsoft.Compute/virtualMachines/tagNames/*
Microsoft.Compute/virtualMachines/tagNames/tagValues/*
...
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/*
Microsoft.Storage/storageAccounts/virtualMachines/tagNames/tagValues/*
...

Additional use-cases: Role that can start/stop VM and change tags (with-out having to allow for "Microsoft.Compute/virtualMachines/write" in the custom role)

Submitting...
AK commented · November 30, 2018 05:07 · Flag as inappropriate

Agreed, we cannot promote governance and cost-control properly if we have no control over tag changes.

Submitting...

Azure Active Directory: Role-based Access Control

Searching…

No results.
Clear search results

Give feedback
- (General Feedback) 3,445 ideas
- ACE Tools 45 ideas
- Additional Services 322 ideas
- Analytics Platform System 12 ideas
- API Apps 9 ideas
- API Management 454 ideas
- Automation 428 ideas
- Azure Active Directory 3,778 ideas
- Azure Active Directory Application Requests 221 ideas
- Azure Advisor 19 ideas
- Azure Analysis Services 147 ideas
- Azure API for FHIR 4 ideas
- Azure App Configuration 21 ideas
- Azure Arc 5 ideas
- Azure Backup 450 ideas
- Azure Blockchain Service 5 ideas
- Azure Bot Service 63 ideas
- Azure Cloud Shell 322 ideas
- Azure Confidential Compute 3 ideas
- Azure Container Instances 99 ideas
- Azure Container Registry 63 ideas
- Azure Cosmos DB 235 ideas
- Azure CycleCloud 1 idea
- Azure Data Explorer 67 ideas
- Azure Data Share (Public Preview) 2 ideas
- Azure Database for MariaDB 9 ideas
- Azure Database for MySQL 62 ideas
- Azure Database for PostgreSQL 93 ideas
- Azure Database Migration Service 50 ideas
- Azure Databricks 67 ideas
- Azure Dev Spaces 8 ideas
- Azure Digital Twins 26 ideas
- Azure Event Grid 59 ideas
- Azure FarmBeats 4 ideas
- Azure Functions 172 ideas
- Azure FXT Edge Filer 0 ideas
- Azure Governance 111 ideas
- Azure Government 87 ideas
- Azure HPC Cache 0 ideas
- Azure IoT 262 ideas
- Azure IoT Central 106 ideas
- Azure IoT Device Catalog 10 ideas
- Azure IoT Edge 56 ideas
- Azure IoT Solution Accelerators 32 ideas
- Azure Key Vault 130 ideas
- Azure Kinect DK 43 ideas
- Azure Kubernetes Service (AKS) 158 ideas
- Azure Lighthouse 11 ideas
- Azure Management Groups 25 ideas
- Azure Maps 38 ideas
- Azure Marketplace 396 ideas
- Azure Media Services 210 ideas
- Azure Migrate 36 ideas
- Azure mobile app 242 ideas
- Azure Monitor 111 ideas
- Azure Monitor- Alert Management 117 ideas
- Azure Monitor-Application Insights 562 ideas
- Azure Monitor-Log Analytics 906 ideas
- Azure Pack 326 ideas
- Azure portal 1,887 ideas
- Azure Red Hat OpenShift 12 ideas
- Azure Resource Manager 463 ideas
- Azure Search 243 ideas
- Azure Security Center 215 ideas
- Azure Sentinel 44 ideas
- Azure Service Health 19 ideas
- Azure SignalR Service 10 ideas
- Azure Spatial Anchors 17 ideas
- Azure Sphere 62 ideas
- Azure Spring Cloud 0 ideas
- Azure Stack 168 ideas
- Azure TCO Calculator 28 ideas
- Azure Time Series Insights 10 ideas
- Batch 45 ideas
- Batch AI 9 ideas
- Biztalk Services 23 ideas
- Blockchain 45 ideas
- Cache 53 ideas
- Change Tracking 9 ideas
- Cloud Services (Web and Worker Role) 286 ideas
- Cost Management 181 ideas
- Cross region move for Azure resources 11 ideas
- Customer Insights 13 ideas
- Customer Lockbox for Microsoft Azure 1 idea
- Data Catalog 134 ideas
- Data Factory 745 ideas
- Data Lake 340 ideas
- Data Science VM 21 ideas
- Diagnostics and Monitoring 195 ideas
- Event Hubs 28 ideas
- Global Infrastructure 45 ideas
- HDInsight 128 ideas
- Lab Services 266 ideas
- Logic Apps 1,407 ideas
- Machine Learning 107 ideas
- Mobile Engagement 19 ideas
- Networking 1,010 ideas
- Notification Hubs 34 ideas
- Scheduler 47 ideas
- Scripting and Command Line Tools 109 ideas
- SDK and Tools 139 ideas
- Security and Compliance 88 ideas
- Service Bus 196 ideas
- Service Fabric 290 ideas
- Signup and Billing 1,556 ideas
- Site Recovery 251 ideas
- SQL Data Sync 70 ideas
- SQL Data Warehouse 260 ideas
- SQL Database 698 ideas
- SQL Managed Instance 107 ideas
- SQL Server 10,059 ideas
- Storage 817 ideas
- StorSimple 46 ideas
- Stream Analytics 239 ideas
- Support Feedback 270 ideas
- System Center Data Protection Manager 114 ideas
- Update Management 121 ideas
- Virtual Machines 1,486 ideas
- Web Apps 408 ideas
Microsoft Azure