Can we assign Azure Blueprint to a resource or a resource group - azure

We may assign Roles, Policies, ARM templates and Resource groups to users via Azure Blueprints during deployments at an organization's scope or to one or more subscriptions. But can we do the vice versa? I mean, can a VNET or VM be assigned to interact with some other user via Azure Blueprints?
This is a deployment question raised by my management. We currently are searching for an answer.

Each Published Version of an Azure Blueprint can be assigned only to an existing management group or subscription.
For more information, read here.

Related

Azure Landing Zone: What are all the BuiltInRoles to be assigned? Especially for Management Groups, Subscriptions, Vnets, Gateways, VMs, SA, SQL

Currently, I am working on establishing enterprise-scale landing zones for Cloud Adoption Framework in Azure.
Azure has a list of BuiltInRoles defined as mentioned in this article - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.
It is unclear to me which role should be assigned to which resource, especially for the resources below:
Management Groups
Subscriptions
VNets
Gateways
VMs
Storage Accounts
SQL databases
Can you suggest which roles should be assigned while provisioning any of the above-listed resources?
The Cloud Adoption framework is not about putting some roles on some arbitrary resources. You have to look at the framework in terms of hierarchical levels. Each hierarchical level has its own purpose and therefore uses its own set of permissions to deploy the resources needed for that particular step. I referenced some role mapping templates from aztfmod (Terraform + CAF) so that you get an idea about the role/permission structure.
Level 0: Core platform automation
    Billing subscription role delegation (source)
    Credential role mappings (source)
    Launchpad role mappings (source)
Level 1: Core platform governance
Level 2: Core platform connectivity
    ASVM role mappings (source)
Level 3: Application landing zones vending machine
Level 4: Applications landing zone
If you understand the levels correctly, you are able to infer what permissions are needed at what stage of the deployment of the CAF framework. For example:
Level 0 is initiated by a user that is a tenant administrator and Enterprise Agreement (EA) user; besides that, it needs to be the owner of the initial "launchpad" subscription.
From there this user will create service principals for each of the other stages of the deployment, and delegate permissions according to the principle of least privilege.
Key vaults and key vault policies are used to exchange sensitive information like credentials between steps.
Each platform step (automation, governance, connectivity) is then run by its own service principal with its own specific set of permissions set on a specific scope (management group, subscription, resource group).
When all the platform components are in place you'll be able to provision custom landing zones, where you'll again create service principals that are scoped to a single subscription. These service principals are able to deploy resources only within that landing zone.
Etc.
I would not recommend setting up CAF or the permissions by hand, because it will become a pain in the ass to maintain. You could for example use aztfmod, a Terraform implementation of CAF. If you follow the steps as described here, you'll create Terraform configuration to deploy a CAF setup.
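The landing-zone step described in the answer above (one service principal per stage, credential handed over through the platform key vault, permissions scoped to a single subscription), as an added example that is neither aztfmod's code nor part of the original answer; it assumes the Az PowerShell module, an account that is Owner of the target subscription, and placeholder names for the subscription, key vault and principal.

```powershell
# Added example (not aztfmod's code): create the service principal for one
# landing-zone stage, grant it a role on that subscription only, and keep its
# credential in the platform key vault for the next stage to read.
# <landing-zone-subscription-id> and <platform-key-vault> are placeholders.
$subscriptionId = "<landing-zone-subscription-id>"
$vaultName      = "<platform-key-vault>"
$spName         = "sp-landingzone-app1"     # assumed name

# 1. Identity for this stage. Current Az versions grant nothing on creation,
#    so the scope assigned below is the only permission it ends up with.
$sp = New-AzADServicePrincipal -DisplayName $spName

# 2. Hand the secret to the next stage through the key vault, not a pipeline variable
$secret = ConvertTo-SecureString -String $sp.PasswordCredentials.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name "$spName-secret" -SecretValue $secret | Out-Null

# 3. Least-privilege scope: the landing-zone subscription, nothing above it.
#    New principals take a moment to replicate, so retry the assignment briefly.
$scope = "/subscriptions/$subscriptionId"
for ($i = 0; $i -lt 5; $i++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Contributor" `
            -Scope $scope -ErrorAction Stop | Out-Null
        break
    } catch { Start-Sleep -Seconds 10 }
}

# 4. Check: every assignment held by this principal must sit at or below the landing zone
Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -notlike "$scope*" } |
    ForEach-Object { Write-Warning "Assignment outside landing zone: $($_.RoleDefinitionName) at $($_.Scope)" }
```

The final check is the part worth keeping in a pipeline: it flags any assignment that was added at management-group or tenant scope later, which is how a "single subscription" principal silently becomes a platform-wide one.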

Azure Subscription Policies

I would need to create a policy at subscription level so that a contributor is not able to create virtual machines or virtual networks (any VNets). Only owners should be able to create VNets. How do I do this?
It looks like you might need to create a custom role.
You can add various roles using RBAC for Access management of cloud resources.
The following document has the information on all the built-in roles in Azure RBAC:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
If built-in roles do not fulfill your requirements, you can also create your own custom roles using PowerShell:
https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
Here is the Azure doc on understanding the various roles and creating them in the Azure portal:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
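A custom role of the kind the answer above suggests, as an added example that is not part of the original answer: it clones the built-in Contributor role, removes the VM and VNet write operations via NotActions, limits it to one subscription, and then checks the result. It assumes the Az module, a signed-in Owner, and placeholders for the subscription id, role name and the group being assigned.

```powershell
# Added example (not from the original answer): clone the built-in Contributor role
# into a custom role that excludes the write actions for VMs and VNets, then
# assign it at subscription scope. <subscription-id> and <group-object-id> are placeholders.
$subscriptionId = "<subscription-id>"
$roleName       = "Contributor - No VM/VNet"   # assumed name

# Start from the built-in Contributor definition so Actions/NotActions stay in sync
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = "Contributor without the ability to create or modify VMs and VNets"

# Resource-provider operations that create or change the resources in question
$excluded = @(
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/subnets/write"
)
foreach ($op in $excluded) { $role.NotActions.Add($op) }

# Limit where the role can be assigned
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Give the group that previously held Contributor the restricted role instead
New-AzRoleAssignment -ObjectId "<group-object-id>" -RoleDefinitionName $roleName `
    -Scope "/subscriptions/$subscriptionId"

# Check: every excluded operation must appear in the stored definition's NotActions
$stored  = (Get-AzRoleDefinition -Name $roleName).NotActions
$missing = $excluded | Where-Object { $stored -notcontains $_ }
if ($missing) { Write-Warning "Not excluded: $($missing -join ', ')" } else { "Role OK" }
```

NotActions only subtract from this role's own grant; a principal that also holds another role granting those operations can still create VMs and VNets. If the requirement is a hard deny regardless of role, an Azure Policy with the deny effect on those resource types is the appropriate control.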

Not able to see the Azure Microsoft.classiccompute provider to register

Team,
I am using the CSP subscription. I need to create a cloud service within the Azure portal. But it gave me a red line saying that the "subscription not allowed to register Microsoft.classiccompute".
Is this because it's using the CSP subscription? Is there any workaround?
I tried to find the "provider to register" for my subscription but it cannot be found in the list to register it.
How do we possibly include the provider in my subscription, or is it that the CSP subscription is not allowed to register it?
Do I have to use a non-CSP subscription? Please help.
Azure CSP supports only the Azure Resource Manager model; the cloud service (Microsoft.classiccompute) is the classic deployment model, so you need to use another subscription. Refer to this link:
For example, because Azure CSP supports only the Azure Resource Manager model, non-Azure Resource Manager services are not available in the program.

Why are Azure subscriptions at resource group level and also at app service plan level?

I noticed subscriptions can be set at resource group level (which seems very logical) and inside that, you can create an app service plan with another subscription.
Why do we have to set the subscription in the ASP since it already resides in a RG with a subscription?
There can be multiple Azure subscriptions within an Enterprise Agreement. The same resource group name could exist in multiple subscriptions. The relationship between subscriptions and resource groups is like below:
So, when you create a web app, you need to use a specified subscription and an existing or new resource group.
This blog may be helpful.

Managing Azure Cloud Services as part of a Resource Group

I have several App Services, and storage accounts set up in Azure. We have a Resource Group, which is a handy way to bundle together all the services and storage - for example, for tracking billing (other teams use the same subscription).
Now, I want to add a new Cloud Service, and have it included in the Resource Group. But then I see the Cloud Service listed at the same level as Resource Groups, which makes no sense.
Is it possible to include Cloud Services inside a Resource Groups, along with our App Services - and if not, what's the rationale?
Currently Azure cloud services (web roles and worker roles) are not part of the Azure Resource Manager feature. Hence you cannot add a cloud service to a resource group. This is a requested feature in the Azure feedback portal. You can go add your comments and cast your vote.
https://feedback.azure.com/forums/169386-cloud-services-web-and-worker-role/suggestions/7899432-add-cloud-services-as-an-available-resource-when-w