Access Control







Nov 29, 2021


Updated wording of 1.3 made it easier to understand.

Nov 27, 2021



This convention describes how to manage access control to your resources in Azure. Users, Service Principals and Managed Identities will here be shortened to Users.

1.1 Users MUST NOT be assigned direct access to resources.

1.2 Users MUST NOT be assigned direct access to resource groups.

1.3 Users MUST be assigned access to user groups.

2 Component User Group

2.1 A resource group MUST have a component user group.

2.2 Component user groups MUST follow this format.


2.3 Environment SHOULD be simplified to dev/prod.

  • dev is short for dev and test

  • prod is short for stage and prod

Assigning users to User Groups instead of directly to resources, will keep your access control in order.

3 Project User Group

3.1 A project user group MAY be created to simplify user access assignments.

3.2 Project user groups MUST follow this format.


3.3 Project User Groups MUST be added as members to corresponding component user groups, and not assigned access directly to the resource group.

With project user groups, only 2 assignments are needed to give this user access to 8 resource groups.