Use Role-Based Access Control to Hide Access to Configurations, Connection Strings, Account Keys and Certificates
Access to Azure services can be defined at a more granular level. This is useful when you want to grant access to certain services without revealing sensitive information, such as account keys, connection strings or certificates.
RBAC Custom Roles
This can be achieved by defining Custom Roles in RBAC. Built-in roles are not going to be sufficient.
For example, we could restrict access to Azure Cloud Service's configurations and certificates as below:
"Name": "Dev Ops",
"Description": "Dev Ops role.",
What restricts users' access to the configurations and certificates are the resource provider operations in
What Resource Provider Is Needed for an Azure Service?
In the example above, I use Azure Cloud Service as an example and the resource provider for Azure Cloud Service is
You can find out which resource provider an Azure service uses from its URL. For example, this is the URL for Azure Cloud Service.
The part where it says Microsoft.ClassicCompute is what tells you which resource provider to use.
The challenge is to find resource provider operations to suit your needs.
For more information on how to create custom roles, the available built-in roles and the list of resource provider operations, see the links in References.
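An added example, not from the original post: a Python check that pulls the resource provider out of a resource URL and evaluates a custom role's Actions against its NotActions, the two fields Azure custom roles use to grant and subtract operations. The role body, operation names, subscription ID and resource ID are constructed for illustration.

```python
import json
import re

# Constructed role definition. Operation names are illustrative; verify them
# against the provider's published operations list before use.
ROLE = json.loads("""
{
  "Name": "Dev Ops",
  "Description": "Dev Ops role.",
  "Actions": ["Microsoft.ClassicCompute/domainNames/*"],
  "NotActions": [
    "Microsoft.ClassicCompute/domainNames/serviceCertificates/*",
    "Microsoft.ClassicCompute/domainNames/slots/write"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
""")

# Constructed resource ID, as it appears in a portal URL for the resource.
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-demo/providers/Microsoft.ClassicCompute/domainNames/demo-svc")

def provider_of(resource_id):
    """Return the resource provider namespace found after '/providers/'."""
    m = re.search(r"/providers/([^/?#]+)", resource_id, re.IGNORECASE)
    return m.group(1) if m else None

def matches(operation, patterns):
    """Case-insensitive match where '*' in a pattern matches any characters."""
    for pattern in patterns:
        rx = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(rx, operation, re.IGNORECASE):
            return True
    return False

def is_allowed(role, operation):
    """Effective permission of one role: in Actions and not in NotActions."""
    return (matches(operation, role.get("Actions", []))
            and not matches(operation, role.get("NotActions", [])))

def still_granted(role, sensitive_ops):
    """Return the sensitive operations the role would still grant."""
    return [op for op in sensitive_ops if is_allowed(role, op)]

if __name__ == "__main__":
    print(provider_of(SAMPLE_ID))
    print(still_granted(ROLE, ["Microsoft.ClassicCompute/domainNames/serviceCertificates/read"]))
```

NotActions only subtracts from this role's own Actions; it is not a deny rule, so another role assignment that grants the same operation still applies.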