Problem - What are you trying to solve?
Today, as we go through and install NME within our Azure tenant, we are finding that the product requires it to be an owner of the Resource Group that it has been associated with. The security posture at our company would like to avoid this as a required permission piece in order for the product to function. To create a static host in a host pool, the application currently needs Owner, but there are other roles with least privilege that can be used by combining more than one role for the application.
Description - A short summary of the feature.
Would like to see if it is possible to have NME only be listed as an App Group owner instead of Resource Group Owner, while maintaining the functionality it needs.
Vision - How your proposed solution functions. Please also include reference to the current console if needed.
Instead of using an owner role to allow the application to give out specific roles, either scope the role to the application groups created, or use a more scoped role in conjunction with contributor, such as role-based access control admin with a condition to only allow it to assign the roles needed.
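The second option in the request, sketched with the Azure CLI as an added example (not part of the original post and not the vendor's own tooling): Contributor plus Role Based Access Control Administrator, with a condition that only permits writing or deleting assignments of an allow-listed set of roles. The function names, the principal and scope arguments, and the placeholder role definition GUID are assumptions; which roles the product actually needs to hand out is not stated on the page.

```shell
#!/usr/bin/env bash
# Added example: constrained delegation instead of Owner. Every ID here is a placeholder.

# Emit an ABAC condition that allows roleAssignments write/delete only for the
# role definition GUIDs passed as arguments. Input is validated so a malformed
# value cannot alter the condition expression.
build_condition() {
  [ "$#" -gt 0 ] || { echo "need at least one role definition GUID" >&2; return 1; }
  for g in "$@"; do
    printf '%s\n' "$g" \
      | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
      || { echo "not a GUID: $g" >&2; return 1; }
  done
  guids=$(IFS=,; printf '%s' "$*")   # join the arguments with commas
  cat <<EOF
(
 (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
 OR
 (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${guids}})
)
AND
(
 (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
 OR
 (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${guids}})
)
EOF
}

# Grant Contributor plus the constrained RBAC Administrator role at one scope.
# Args: <service principal object id> <scope resource id> <allowed role GUID>...
assign_least_privilege() {
  principal="$1"; scope="$2"; shift 2
  condition=$(build_condition "$@") || return 1
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Contributor" --scope "$scope" || return 1
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Role Based Access Control Administrator" --scope "$scope" \
    --condition "$condition" --condition-version "2.0"
}

# Dry run: print the condition for one placeholder role GUID (nothing is changed in Azure).
build_condition 00000000-0000-0000-0000-000000000001
```

Calling `assign_least_privilege` requires a signed-in `az` session with permission to create role assignments at the chosen scope.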