Preventing administrative users to change critical network settings in an Azure hub-spoke topology

Marcel Meurer's picture

An Azure hub-spoke topology enables a company to use infrastructure as a service without losing control of the network flow. This is particularly important if you have business users with their own subscription (which I support) and the services in this spoke needs access to on-premises resources via a vpn gateway (e.g. site-2-site vpn).

 To prevent the business users from changing the network settings in the prepared spoke subscriptions, it’s necessary to give them the right role in Azure. I tried some of the built-in role but I didn’t find one which allows nearly everything except deleting routing rules, edit subnets, etc. For example: If you deny access to the spoke vnet itself, the user can no longer create a vm, because the nic of a vm needs to join a vnet/subnet (which the user needs access to).

So, I built a custom role which allows this. You can import this custom role with powershell:

Get-AzureRmSubscription # login to Azure
New-AzureRmRoleDefinition -InputFile .\ExceptNetworking.json


Now you can add this role for your business user  to the root to your subscription. The user can do nearly everything without changing your network setting.

The definition for ExceptNetworking.json:

  "Name": "Everything except critical network changes (per subscription)",
  "Id": "6ffa1df5-20ef-4926-8bf9-6e44a5315b9d",
  "IsCustom": true,
  "Description": "Role for spoke administrative users without the ability to change critical network settings",
  "Actions": [
  "NotActions": [
  "AssignableScopes": [
     "/subscriptions/<Subscription 1>",
     "/subscriptions/<Subscription 2>",
     "/subscriptions/<Subscription 3>"

The “id” is a random guid. Add the subscription id’s you want to use with this role to “AssignableScopes”.

Add new comment
By submitting this form, you accept the Mollom privacy policy.