2,480 questions
I think you can use root management groups. and you can assign identities to particular subscription
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
Limit User managed identity to be used within a Subscription
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 2%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Gaurav Verma
6
Reputation points
We have multiple teams within our organisation. Each team have their own Azure subscription under the same AAD tenancy.
Our requirement is to
- Create User managed Identity and permissions assigned.
- Limit the usage of the User managed identity to be allowed only in a specific subscription.
The above are once of activity done by the infra team who have rights write access to AAD.
Once user managed identity is created we want to use it to assign to the worker nodes spun up by Jenkins to perform automation tasks. This action will be done by application teams who don't have write access to AAD.
We do not want to use system identity as its created every time and application teams don't have rights to assign permissions to identity.
1 answer
Sort by: Most helpful
-
Somnath Shukla 411 Reputation points2020-02-07T11:20:05.527+00:00