So I manage Azure stack and I want to put a cap on the number of Windows VMs that could be created per subscription and I also need it in template form for automation. So far I have not been able to do that. Could I please get some help?
Such restrictions on Azure Subscriptions are usually applied by implementing Azure Policies (which can also be programmatically created and managed) but looks like it is not yet supported on Azure Stack. Check this similar thread for details.
Related
I want to create a Sendgrid Subscription with Terraform from the Azure Marketplace.
Currently i have to use the UI, but it would be nice to create the Subscription and automatically retreive an access token for Sendgrid in Terraform.
As far as I tried and researched couple days ago, there's no way for us to create the Sendgrid anymore.
Since it's migrated to be SaaS in Azure, the platform does not support for automation by ARM or Terraform, even Biceps.
You possible look into this thread: https://learn.microsoft.com/en-us/answers/questions/559161/sendgrid-as-saas-resource-arm-template-deployment.html
But the platform also disabled the Deployment template generation (right after creation and resource export too).
And many others function are also disabled (change resource group, manage account on Portal, .etc).
So this problem also frustrated me.
I am using azure machine learning services. I have created an experiment and deployed as a webservice on Azure Machine Learning Workspace.
My problem Is my subscription has expired and now I want to export/move my Azure Machine Learning Workspace to different subscription so I can reuse its all content(model, experiment etc.) without losing.
How can I save my all important work and export or move Azure Machine Learning Workspace with all working functionalities in different subscription?
Thank you
Regards,
Ahmad
The following document demonstrates how to migrate Azure resources across subscriptions. You should be able to migrate your workspace as indicated here.
As highlighted in the document above, if the tenant IDs for the source and destination subscriptions aren't the same, use the following methods to reconcile the tenant IDs:
Transfer ownership of an Azure subscription to another account
How to associate or add an Azure subscription to Azure Active Directory
The source and destination subscriptions must be active. If you have trouble enabling an account that has been disabled, create an Azure support request. Select Subscription Management for the issue type.
This document says that moving an AML workspace is currently not supported:
https://learn.microsoft.com/en-us/azure/machine-learning/how-to-manage-workspace
In this doc referenced in a previous answer, .MachineLearning refers to the classic ML studio. You should be looking for .MachineLearningServices which refers to the new AML studio which clearly states that moving between resource groups or subscriptions is not supported.
I'm looking to do this myself but I haven't found a complete solution.
I'm looking to manage certain settings of Azure via Azure Powershell from C#. I need to manage subscriptions for many many customers programmatically.
I want to ensure that anytime I open a PowerShell session to deal with particular customer's subscription, nothing of that session is left over in registry, certificate store, etc.
I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.
I am also happy to call Powershell cmdlets not thru Powershell session but directly thru referencing objects in the .DLL
I would prefre to avoid the use of Management API directly in certain scenarios which is why I'd like to do so via Powershell
Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru Powershell session
You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) mode of Azure PowerShell supports AAD while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use certificates of X.509 certificates, and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.
PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD
BUT ... Why don't you take a look at the management libraries(MAML? It's the basis for all you don't need to call REST and you can avoid PowerShell (that also uses MAML.) it's downloadable as nuget package
Find it here http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/ and here http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!
Only automated way is with a AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post.
http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/
I need to assign publish permission to one of my developers so that he should be able to publish to only one cloud service & do not affect others.
Azure websites have these concepts called download publishing profile.
I could not find anything similar for cloud service. Can it be
achieved?
As you know Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2)
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC) however currently cloud services can't be added in resource groups and assigned RBAC.
One way you could achieve this is have a custom application consuming Service Management API and implement your own RBAC in that application. However it is still a "hack" and not proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.
I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No that is not possible.
The Co-Admins have complete control for the services in the account (non billing) as a whole and all the Services (Storage, Virtual Machine, Websites etc) are equally accessible to every administrator and co-administrator.