Skip to content

Limit Management Group delegation#

Security · Subscription · Rule · 2020_06 · Important

Limit Role-Base Access Control (RBAC) inheritance from Management Groups.


RBAC in Azure inherits from management group to subscription to resource group to resource. Management group RBAC assignments have broad impact.


Consider limiting the number of assignment inherited from Management Groups by scoping permission to individual Resource Group.

Azure Blueprints can be used to rollout standard RBAC assignments to common resources. Additionally RBAC assignments can be deployed using Azure Resource Manager templates.