Adding a User to your Azure Subscription with Resource Group Access


So, you’ve got your Azure subscription in place, and you’re the global administrator. Now you want to let someone else access your subscription, but only a specific resource group within your subscription. In this blog post, I’ll show you how to add a new user to your Azure subscription’s directory, and how to then grant permission for that user to a specific resource group within your Azure subscription that they can manage. The new user won’t be able to see or manage any resources in your subscription outside the resource group that you grant them access for.

Step-by-step procedure

Let’s get started. First, log in to the Azure portal and open your subscription’s directory. To do this, search for directory and choose Azure Active Directory, as follows:

Next, take note of the directory name; this is the domain name for the email address of the users you can create in this directory. It will be based on your username, followed by In my case, with username, the directory name is

Now click on Users:

You will see your username listed. Now click New user:

In the User blade, supply information for the new user. This includes the display name and the username. The username must be in the form of an email address, where the domain name matches the directory name.

Also check Show Password to view the auto-generated password so that you can send it to the new user (the portal will require that they change it the first time they log in).

Here I’m creating a new user for my buddy Andrew Brust:

At this point, I have created a new user for Andrew:

When Andrew logs in for the first time, he will be required to change his password. The login will succeed, but he won’t be able to see anything in the subscription until we grant him access to a specific resource group. Let’s do that next.

Click Resource groups, then select the resource group you want to give the user access to. Here I’m giving Andrew access to the sql-demo-rg resource group:

Next, click Access control (IAM):

We need to add the new user to this resource group. So click Add:

From the Role dropdown, select Owner. Then click on the new user and click Save:

This will make the new user an Owner over the entire resource group so that they can fully manage all the resources inside that group (and they can also create new resources inside the resource group). They will still have no access to any other resources in any other resource groups across your subscription.

You’re done! The new user now has full access to the resource group (and can’t see anything else) on the subscription.

To confirm, go back to the Active Directory blade for the new user and click Azure resources:

Here you can see that Andrew has Owner access to the sql-demo-rg resource group, but no access to anything else in the subscription.


In this blog post, I showed you how to create a new user to your Azure subscription directory, and how to grant Owner permissions for that user to a specific resource group in the subscription. Hope you all find this useful!


Introducing Azure DocumentDB

On April 8, 2015, Microsoft officially launched Azure DocumentDB, and it certainly can be characterized as a typical NoSQL document database. It is a massively scalable NoSQL document database that works with schema-free JSON documents. Beyond this, however, DocumentDB stands out with some very unique capabilities.

SQL Queries Over Schema-Free JSON

Of course, DocumentDB works with schema-free JSON. But unlike some platforms that require you to define index paths in advance of being able to query on specific properties, DocumentDB automatically indexes every property in a document as soon as the document is added to the database. Simply put, every document is instantly queryable the moment it’s created, and you can search on any property anywhere within the document hierarchy. Furthermore, documents are queryable using SQL, or I should say, using a special flavor of SQL that anyone with SQL experience should immediately find intuitive.

ACID Transactions Updating Multiple Documents

DocumentDB provides a server-side environment inside which you can write JavaScript code to update multiple documents with full transactional processing. This is an easy and powerful way to ensure data consistency across multiple documents, because DocumentDB ensures that all updates made on the server are committed together, or will roll everything back together in the event of an error.

Tunable Performance

There are many ways to tune DocumentDB for the performance needed by your application. For example, throughput can be scaled up or down instantly across three different performance tiers. And although DocumentDB indexes every property on every document, you can take control and fine-tune an indexing policy that reduces storage and processing overhead for specific documents and/or properties that never need to be indexed. And while DocumentDB supports both strong and eventual consistency, it also has two additional options to give you even greater control over the tradeoffs between performance and consistency.

Runs on Azure

Finally, DocumentDB is available as a fully managed, cloud-based, Platform As A Service, running on Azure. There’s just nothing for you to install or manage. No servers, cables, operating systems, or updates to deal with, no replicas to setup – Microsoft does all that work, and keeps the service running. Azure guarantees availability as well as predictable performance based on the service tier that you sign up for. Within literally minutes, you get started working with DocumentDB using just a browser and an Azure subscription.

Stay tuned for upcoming posts, where I’ll dig into all of these exciting capabilities in greater detail.