Share an Azure Shared Image Gallery with a management group - azure

Thanks in advance. I am new to Azure cloud and I have the below setup in my Azure cloud:
Subscription 1:
Created a VM image with Packer called image 1.
Created a new Shared Image Gallery.
Uploaded the Packer VM image (image 1) to the new Shared Image Gallery.
I also have more subscriptions like subscription 2 to subscription 10 and all these subscriptions are under a management group called "dev" and under the same tenant called "company".
Question: How can I automatically share the Shared image gallery images with all subscriptions? Also can I share the shared image gallery with the management group?
How-to steps will be more useful here, as I don't see a valid document from MS on this scenario.

Using a Shared Image Gallery you can share your images to different users, service principals, or AD groups within and outside your organization.
Shared Image Galleries let you share images using Azure RBAC. You can use Azure RBAC to share images within your tenant, and even to individuals outside of your tenant.
We can give share access at the image gallery level:
On the page for your new image gallery, in the menu on the left, select Access control (IAM).
Under Add a role assignment, select Add. The Add a role assignment pane will open.
Under Role, select Reader.
Under Assign access to, leave the default of Azure AD user, group, or service principal.
Under Select, type in the email address of the person that you would like to invite.
If the user is outside of your organization, you will see the message This user will be sent an email that enables them to collaborate with Microsoft. Select the user with the email address and then click Save.
Reference: Shared Image Galleries overview
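The same gallery-level Reader assignment can be scripted with the Azure CLI instead of the portal. The script below is an added example, not part of the original answer; it assumes the assignee is a security group (one of the principal types the answer lists) and every ID and name in it is a constructed placeholder. By default it only prints the command; set APPLY=1 to run it.

```shell
#!/usr/bin/env bash
# Added example: grant a directory security group the Reader role on one
# Shared Image Gallery, i.e. the CLI form of the portal steps above.
# All IDs and names below are constructed placeholders, not values from the page.

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000001"   # subscription that owns the gallery
RESOURCE_GROUP="rg-images"                               # hypothetical resource group
GALLERY_NAME="sig_dev"                                   # hypothetical gallery name
GROUP_OBJECT_ID="00000000-0000-0000-0000-0000000000aa"   # object ID of the consumer group

# Return 0 if $1 looks like a GUID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the ARM resource ID of the gallery. Scoping the assignment here, rather
# than at the resource group or subscription, exposes only the gallery's images.
gallery_scope() {
  is_guid "$1" || { echo "invalid subscription id: $1" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s' "$1" "$2" "$3"
}

# Print the role assignment command (default), or execute it when APPLY=1.
share_gallery() {
  _scope="$(gallery_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$GALLERY_NAME")" || return 1
  is_guid "$GROUP_OBJECT_ID" || { echo "invalid group object id" >&2; return 1; }
  set -- az role assignment create \
    --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group \
    --role Reader \
    --scope "$_scope"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# To review who can already read the gallery, before and after the change:
#   az role assignment list --scope "<gallery resource ID>" --output table
share_gallery
```

Assigning the role to a group keeps the gallery's access list to a single entry, and access for new consumers is then granted or revoked through group membership.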

Related

Azure Lighthouse onboarding customers not in customers list

Days ago I onboarded a customer using Service Principal with an ARM template in our blob storage, then the client went to this URL:
https://portal.azure.com/#create/Microsoft.Template/uri/{Blob Url}, accepted us as their resource manager, and we could make connections and go to resources, but via PowerShell. Why doesn't it show to us in our Azure Lighthouse Customers page?
I can work with the resources, make deployments, and such, but it doesn't show in the list. I want to know if it is because we need to be gold competency or an expert MSP, because we don't want to make a public offer in the market, we just want to manage certain customers.
It should be displayed there. No special conditions are required such as the ones you've mentioned. Are you definitely signed in to your own partner/MSP tenant with an account that has delegated access to the customers? Does anything show up under delegations within the Azure Lighthouse section?
If you have access to the customer tenant, does your company show up under Service Providers within Azure Lighthouse on the Azure portal?
Case closed, the Service Principal itself doesn't have the privileges on the service provider's tenant to make your user a reader. So the solution for this was:
Remove the offer in the customer tenant.
Add a new authorization in the ARM template for a user/group with the "Reader" built-in role id. (In our case, we decided to use an AD group because people in the organization are temporary.)
Upload the new ARM template and re-onboard the client.
After a couple of hours, the client's subscription showed in the subscription list in the section: Directories + subscriptions, checked it, and saw all the resources from the service provider's tenant.
I found a solution for this issue.
The Azure Lighthouse->My customers list on the Azure portal only shows subscriptions activated in the global directories and subscription filter.
Please go to the global directories and subscriptions filter (in the portal top navigation), open the drop-downs for directories and for subscriptions, and check if your customer subscription appears here.
If yes, select all entries in both drop-downs.
After that, go back to Azure Lighthouse->My customers and check if the customer subscription appears now.

What is the relation between all those MS Azure Terms and Structures?

Currently I am trying to dig deeper into the organizational/entity structure of MS Azure. All I find online in discussions and official MS documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the Azure portal using an email address which is called an account
In the Azure portal I am acting in the context of a directory
The account I use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is associated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure. It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management >> Management Group >> Subscription >> Resource Group >> Resources. So for IAM (Identity & Access Management) purposes, a Management Group is a higher level than a Subscription. A Subscription is higher than a Resource Group, and a Resource Group is higher than a particular resource level.
Please find below Architectural structure for more understanding and pictorial representation --

Moving resources from one Azure account to another

A company that we hired to develop our software created an Azure account where they have our database, API, etc. Recently we decided to have our own Azure account, and our plan is to move all the resources that are on the vendor's Azure account to our own.
Is it possible to move all the services from the vendor account to ours? If so, can you guys point me in the right direction?
The boundary for resources in Azure is the "Subscription". All you need to do is change the subscription for the resources.
In the Azure Portal, select the Resource Group with the resources that you want to move to your control. Then change the Subscription ID to yours.
You cannot move all types of resources. Some you will need to recreate. This link provides more details:
https://learn.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources#services-that-enable-move

How can I enable a subscription to create websites?

I have two subscription plans in Windows Azure and I'd like to configure a website to use a different subscription plan of my account.
How do I do this?
When creating a new website, there are 3 options: Quick create, Create with database and From Gallery. In each option there is a combo box labeled "Subscription". Use this field to select the subscription under which the new website will be created.
For example, when creating a new website with database:
Notes:
If there is an affinity group selected in the "Region/affinity group" combo box, you'll have to change it to a region (e.g. "East US") to be able to see the other subscriptions, because otherwise you'll only see the subscription that contains the selected affinity group.
While the website feature is in preview, only subscriptions that have this preview feature activated will be shown.
After a website has been created, it's not possible to change the subscription it belongs to via the administrative portal. If you want to migrate one website, create a new website under another subscription, transfer the contents to this new website and then change the domain name to point to the new website, if there is one.
If you want to have ALL the services under a subscription migrated to another, you can submit a request to the Windows Azure Billing Team as explained in this answer.
Note: If the 'Subscription' drop-down is not there, the service you want to enable might be in preview, and you have to explicitly enable the subscription for it, view this answer for details.

Co-Administrator can't see subscription in new Azure portal

Simply, I have an Azure corporate subscription. I have a co-administrator who has his own personal 90-day trial subscription. When the co-administrator uses the new preview portal (manage.windowsazure.com) he can see their personal subscription (where he is admin) but cannot select or view the corporate subscription (where he is co-administrator).
Any ideas? We want to have multiple people within our company assigned as co-administrators so they can play with the preview features (Virtual Machines, Azure Web Sites, Media Services).
I had this problem as well, in fact trying to see data via the resources.azure.com site was proving unfruitful.
As it turns out the new portal has its own user management features that are more granular than the admin/co-admin of the old portal.
Allow a subscription owner to make you a contributor or owner in the new portal and you should be able to see more data on the subscription via the new portal.
To do that:
As the service administrator, go to the new portal
Browse to Subscriptions
Locate & select the subscription you need to add users into
In the subscription details blade, select settings
Under resource management, select users
You'll notice that even though you are a co-admin, you're not listed among the users.
Add the user and make them a contributor/owner
There's more information on Azure's role-based access control here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
The Azure Admin has changed so the 2 current answers are outdated. Follow the following steps:
Open the subscription, click on 'my permissions' then 'click here to view complete access details for this subscription'
In Access Control (IAM), Click on Role assignments, then click Add
Choose 'Add role assignment', then choose the role to be 'Contributor' and choose which user you want to add from the right-hand pane, then click Save.
Make sure the user is listed as a contributor under 'Role Assignments'
The main problem with the Windows Azure preview portal is that if you are account administrator for any specific Windows Azure Subscription, it will only show configuration specific to that particular subscription when you use the live ID which is account administrator for other Windows Azure Accounts. If the same live ID is service administrator of two different Subscriptions, then in the preview portal both subscription details will show up. This issue is related to the Windows Azure Preview Portal and is still in progress.
So if you want to solve this problem, you should use an OrgID/liveID which is service administrator in multiple subscriptions (if applicable); this way that LiveID will show details for both subscriptions.
