Starting in System Center Configuration Manager current branch version 1810, the classic service deployment in Azure is deprecated. When you create a cloud management gateway (CMG) by using the Azure Resource Manager (ARM) deployment type, the Contributor role assignment is limited to resource groups when the service is deployed. The Contributor role at the subscription level is no longer assigned for the web application. The web application will have only Read permission at the subscription level.
For existing CMG cloud services, Contributor role assignment remains at the subscription level. If you want to restrict web application permissions at the subscription level, remove the Contributor role assignment at this level only. To do this, follow these steps:
- Open the Access control (IAM) blade for the resource group, and verify that the application has the CONTRIBUTOR role assigned.
- Open the IAM blade for the subscription, and then remove the CONTRIBUTOR role assignment for the application.
Note: Don't delete the web app completely from the subscription. If you do that, Configuration Manager loses some dependencies on Azure objects.
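The same two steps can be scripted with the Az PowerShell module. This is an added example, not part of the original article; the subscription ID, resource group name, and application display name are placeholders you must replace, and it assumes you are already signed in with `Connect-AzAccount`.

```powershell
# Added example: placeholder values are assumptions, replace them with your own.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<cmg-resource-group>'
$appDisplayName = '<cmg-web-app-display-name>'

Set-AzContext -Subscription $subscriptionId | Out-Null

# Resolve the web application's service principal; stop if the name is ambiguous.
$sp = @(Get-AzADServicePrincipal -DisplayName $appDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appDisplayName', found $($sp.Count)."
}
$objectId = $sp[0].Id

$subScope = "/subscriptions/$subscriptionId"
$rgScope  = "$subScope/resourceGroups/$resourceGroup"

# Step 1: verify Contributor is assigned directly on the resource group.
# Get-AzRoleAssignment -Scope also returns assignments inherited from parent
# scopes, so the subscription-level assignment would match here too. Compare
# the Scope property to be sure the assignment lives on the resource group.
$rgContributor = Get-AzRoleAssignment -ObjectId $objectId -Scope $rgScope `
        -RoleDefinitionName 'Contributor' |
    Where-Object { $_.Scope -eq $rgScope }

if (-not $rgContributor) {
    throw "No Contributor assignment on $rgScope. Subscription-level role left unchanged."
}

# Step 2: remove only the Contributor assignment made at the subscription scope.
$subContributor = Get-AzRoleAssignment -ObjectId $objectId -Scope $subScope `
        -RoleDefinitionName 'Contributor' |
    Where-Object { $_.Scope -eq $subScope }

if ($subContributor) {
    Remove-AzRoleAssignment -ObjectId $objectId -Scope $subScope `
        -RoleDefinitionName 'Contributor'
} else {
    Write-Output 'No Contributor assignment at the subscription scope; nothing to remove.'
}

# Review what the application still holds. The service principal itself is
# left in place, as the note above requires.
Get-AzRoleAssignment -ObjectId $objectId |
    Select-Object RoleDefinitionName, Scope
```

The script stops before removing anything if the resource group assignment is missing, so the application is never left without the Contributor role it needs on the CMG resource group.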