We're looking at moving an Azure subscription under a new management group, I just wanted see if there any implications to the workloads running on the subsciption? The subscription is already under a management group, however we are moving it ot a new management group, this will not be under the same branch as the current management group, there will be some policies which I need to replicate to new management group, but thos policies restrict permissions.
Fairly sure this doesn't affect any workloads running in the subscription, but just wanted to confirm and make sure there's nothing I'm missing.
Thanks in advance :)
Related
A company that we hired to develop or software created an azure account where they have our database, API, etc. Recently we decided to have our own azure account and our plan is to move all the resources that are on the vendor azure account to our own.
It is possible to move all the services from the vendor account to ours? if so can you guys point me in the right direction?
The boundary for resources in Azure is the "Subscription". All you need to do is change the subscription for the resources.
In the Azure Portal, select the Resource Group with the resources that you want to move to your control. Then change the Subscription ID to yours.
You cannot move all types of resources. Some you will need to recreate. This link provides more details:
https://learn.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources#services-that-enable-move
We currently have a lot of subscriptions in Azure which we managed, these range from the different execution environments(dev,test,etc) and are all grouped inside a management group structure to make RBAC and policies easier. The problem we are facing at the moment is that out root of the management group structure has a bunch of Visual Studio Professional(/MSDN) subscriptions. We are looking to automate a script to check for the offerId of the subscription and move all these into a specific management group.
So far we have had no joy or functions using the Powershell or Azure CLI to actually filter the subscriptions by OfferId. Even if I could get a subscription export with OfferId I could use that list to automate move all these subscriptions into a specific management group. Has anybody experienced the same, or should I rather just leave those subscriptions lying there. The idea behind having it separate is to have it isolated and more control over it, reporting on costs etc for the management group will also be an advantage.
If you want to move subscriptions to the Azure management group with PowerShell, please refer to the following script :
#create management group
New-AzManagementGroup -GroupName 'Contoso'
#move Subscription
New-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId ''
Besides, please note that if you want to do that, you need to have enough RBAC permissions
For more details, please refer to https://learn.microsoft.com/en-us/azure/governance/management-groups/manage#move-subscriptions-in-the-hierarchy.
I want to use a service principal to deploy a single ARM template to our Azure account.
I cannot find documentation for how to grant the least possible privilege, but it appears the only way to make this work is to grant contributor on the subscription.
Is there a way to limit the role on my service principal to only deploy ARM Templates or at the very least limit it to a single resource group?
actually, for each template you can figure out the minimum possible permissions by looking at the template, they would be resourcetype + /write. and the permissions to create deployments Microsoft.Resources/deployments/write.
but its really easier to just give a person contributor over the resource group. if you are concerned about security you can use Privileged Identity Management in Azure AD
In the access control (IAM) section under a Resource group you can make the service principle you created 'Contributer'. this will make sure that that user can only deploy resources within that resource group. This way the account doesn't need any permissions on the subscription level.
When you go to the Access Control section click Add, and select "Add role Assignment"
In the panel that shows you can select the role "Contributer" and lookup the Service principle you created.
Then click 'Save' to finish and you should be good to go
I tend to make service connections (with separate Service Principles) in DevOps per environment this makes it clear what resources you can touch and prevents people from accidentally deploying to incorrect locations from a pipeline because the typed in the wrong resource group name.
I want to find or create an azure role that has the same capabilities as an Owner, or at the very least a contributer. But this role should not have access to create azure resources.
I've been going through the pre-defined roles that exist.
this makes no sense in Azure RBAC context. you cant edit but not create resources, because this is being governed by the same permission: resource/write.
you can achieve something like that by having a role that can do anything except writes, but that would mean that it cannot edit resources, which is not what you are after, probably.
technically you can grant contributor permissions to each individual resource, that way user wont be able to create new resources, only modify existing ones (he would be able to delete resource).
I have the same requirements, and I managed to configure it by taking the Contributor role as base and adding
"Microsoft.Resources/*/write"
in notActions section of role JSON configuration.
What it does is that it prevents deployments. Every resource creation is a deployment.
As far as I have tested every "edit" operation on resources works, even deployment slot creation for Web Apps, but you can disable that too if you need.
I'm using "MSDN Platforms" and "Developer Program Benefit" subscriptions.
I'm unable to access to create resource groups and services in certain locations on a selected subscription either through azure portal or Azure Powershell. Sometimes getting exceptions on quota limits.
How do I check applied policies and/or the user limits on a subscription?
Asking because of the subscription limitations I got error message in the following scenario
Created availability set in southindia location
Trying to deploy a VM in the same location.
How do I check applied policies and/or the user limits on a
subscription?
You could check it on Azure Portal. <your subscription>-->Usage + quotas.
If you reach your subscription limit, you could create a ticket to raise the limit, please refer to this link.
Also, you need check your user's role, if you want to create resources in Azure, I suggest you select Owner or Contributor role. Please refer to this link.
Note: In this link I provide, the application name is your user name.