Question:
You have assigned a user the Contributor role at the resource group scope. Later, you decide to assign a deny assignment at the subscription scope that blocks the user from deleting resources. However, you want to allow the user to delete resources within a specific resource group. What should you do?
Answer:
Deny assignments in Azure RBAC take precedence over role assignments. Therefore, even if the user has the Contributor or Owner role at the resource group scope, the deny assignment at the subscription scope would still block them from deleting resources. The only way to allow the user to delete resources within the specific resource group would be to remove (not applicable per requirement) or change the scope of the deny assignment at the subscription scope (not listed). Allowing delete operations for the resource group would not override the deny assignment at the subscription scope.