Do I have the client setup an account using their payment, contact info etc? or do I use my own account then somehow transfer everything to the client? Also, How do I give access to devs?
Thanks.
There are different strategies you can employ to decide how you want to design and organize your Subscriptions. The Subscription decision guide within the Microsoft Cloud Adoption Framework for Azure can help you establish that structure.
As for granting access to others, Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope. You can further refer to the best practices for Azure RBAC doc to know more.
Related
This is more of an 'Is this possible' question. A developer on the team suggested using Azure AD for user management, but one of the requirements is that the app admin be able to add/manage user access through the application without having to go to the Azure Portal.
So the question is, is the Graph API (or some other mechanism) full featured enough to replace the portal (at least for basic user set up and management) and allow all actions to be done from the application UI?
Thanks.
Simple answer to your question is Yes. Graph API can be used to manage users and their access to applications instead of using Azure Portal. In fact, Azure Portal itself makes use of Graph API to perform these operations.
You may also need to use Azure REST API if you're planning on managing Azure resources as well through this custom application especially Authorization APIs if you want to manage access to Azure resources (Azure Role-based access control) through your application.
One of my customers would like to know what are all the implications and what all precautions one needs to take before migrating all their identities to Azure and use Azure AD as the main AD. Any kind of documentation on this would be really helpful.
I would also need to show the various workflows how the authentication for a user accessing a particular resource would work using Azure AD and use of various technologies like PIM, CA,Intune etc. Thanks
I need to build a solution that utilizes Azure B2B Collaboration to on-board customers from different organizations to use my system.
Each customer may have 100's or 1000's of users, where some may have Azure AD and other don't.
The application will have different user roles/groups structure that controls access to my API's.
What is the best way to design this and can you provide references?
Option 1: Create a separate Azure AD for each customer
Each customer will have their own Azure AD and I can use Azure Groups to control access.
What is the limit of Azure AD's per subscription? (can't find a
definitive answer in MS docs) https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-service-limits-restrictions
Is this a good "Azure" practice? can you provide references?
Any info about structuring/organizing this for easy maintinance.
Any complications that I need to be aware of?
Option 2: Create a single Azure AD for all customers/users
All users for all customers will be added to a single Azure AD and for users segregation, each customer's users belong to a separate Azure Security Group.
In this scenario, I will probably need to maintain each customer groups in a local database since they may have different groups.
Any concerns from having all customer's users in the same directory?
Options 3:???
In my opinion single tenant is better. Creating a tenant for each customer makes management much harder (also login becomes harder to implement). Limit of Azure AD per subscription probably does not exist since directories are above subscriptions in the hierarchy. Yes, you can setup a group for each customer and keep the id of the group in your database.
The users will be added as Guests to your directory, make sure that the setting Guest user permissions are limited is enabled in the external collaboration settings.
That will make it so that they cannot access the user or group list at all in your tenant.
We have an azure subscription and keep some important resources (VMs, network interfaces, ...) there. A new engineer from an outsource company is joining us, he'll need to manage resources as part of his job (create/update/remove new VMs,...).
We'd like to organize access in such a way that we have full access to resources that he creates, he has full access to resources that he creates, but he has no access to resources that we create
Is it possible?
It is possible.
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. This article helps you get up and running with RBAC in the Azure portal.
If you want more details about how RBAC helps you manage access, see what is Role-Based-Access Control.
You can config RABC roles to manager it, also you can set permission to resource group, If you have not grant permission to new user, he can't find that resource.
More information about use RBAC to manage access to your Azure subscription resources, please refer to this article.
Hope this helps.
I was speaking with a Azure employee and they said this: You are able to assign roles on the account and some roles have access to specific things and some don't. https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator I hope that helps!
I have a business requirement where Azure Subscription owner will Provision User Groups like Infrastructure Admin, Billing Admin, Enterprise Users. Ifra Admin people should login to this Portal & can only see options related to Infra provisioning. Billing Admin people should have access to Azure usage Enterprise wide - And they should be able to generate bills for respective teams(which are part of the organization). Enterprise Users are those who want to procure azure storage, VMs etc. and they want estimate cost for required infra.
I am looking out for a solution/approach for this requirement. If Azure Portal is already providing this feature then please provide me reference material. If i should build new custom Web application which internally use Azure APIs then let me know about that option as well.
If there are any products which already doing this even am open for that.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) Systems that has support for Azure. Off the top of my head, two tools come to my mind - Cloudyn & Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out Billing Samples on GitHub.