You have an Azure subscription that contains several resource groups. Including a resource group named RG1. RG1 contains several business-critical resources.
A user named admin1 is assigned the Owner role to the subscription.
You need to prevent admin1 from modifying the resources in RG1. The solution must ensure that admin1 can manage the resources in the other resource groups.
What should you use?
Role-based access control (RBAC) focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group.
If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.
There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.
Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.