The worst about Azure is the overcomplicated permission system. You are owner of the whole resource group? No, that doesn’t give you permission to create a new secret in a keyvault. No day goes by searching for a missing role/permission on some service. And in the end it doesn‘t make things safer. By default any website you deploy is available worldwide immediatelly. Because for some mysterious reason, that doesn‘t need an extra role. But if you want to restrict access to your website you need special permissions to do that.