Managing different organizations on Azure - azure

Currently, we have our own Azure Active Directory and Azure subscription for our organization. Now I want to onboard different organizations and users in different organizations into our Azure infrastructure. I want to manage resources for all the organizations and want to get billing details of each organization.
There are two ways to onboard different organizations:
1. Create a separate AAD and subscription for each organization - Clear separation between organizations makes it easier to get billing details for each resource group. But this option could not be cost-effective, as we need to create the same resources for each organization.
2. Create an AAD group for each organization in our Azure Active Directory and use our main subscription for all organizations - We need to add resource tagging to each Azure resource to get the usage details and billing for each organization. This could be cost-effective, but we will not get all the features of Azure Cost Management like alerts, budgets, etc.
Please let me know which option should be used in this scenario when onboarding a large number of organizations and users.
Let me know the other pros and cons of each option.
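The second option stands or falls on a tag-based chargeback, and its usual failure mode is spend that carries no organization tag. As an added example (not from the question or any answer), the script below aggregates constructed rows shaped like an Azure cost export by an assumed `org` tag and surfaces untagged spend with the resource ids so it can be fixed rather than silently misattributed:

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample in the shape of an Azure cost export (not real data):
# one row per resource, with the Tags column holding the tags as a JSON object.
SAMPLE_EXPORT = """ResourceId,ResourceGroup,Cost,Tags
/subscriptions/sub-1/resourceGroups/rg-contoso/providers/Microsoft.Compute/virtualMachines/vm1,rg-contoso,12.50,"{""org"":""contoso"",""env"":""prod""}"
/subscriptions/sub-1/resourceGroups/rg-fabrikam/providers/Microsoft.Web/sites/app1,rg-fabrikam,3.25,"{""org"":""fabrikam""}"
/subscriptions/sub-1/resourceGroups/rg-shared/providers/Microsoft.Sql/servers/sql1,rg-shared,40.00,"{""env"":""prod""}"
/subscriptions/sub-1/resourceGroups/rg-contoso/providers/Microsoft.Storage/storageAccounts/st1,rg-contoso,0.75,""
"""

ORG_TAG = "org"  # assumed chargeback tag every resource is expected to carry


def parse_tags(raw):
    """Return the tag dict from the Tags column; empty or invalid -> {}."""
    if not raw:
        return {}
    try:
        tags = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return tags if isinstance(tags, dict) else {}


def cost_by_org(export_text, org_tag=ORG_TAG):
    """Sum cost per organization tag value.

    Untagged spend is collected under 'UNTAGGED' and the offending resource
    ids are returned separately, so the gap in the tagging strategy is visible.
    """
    totals = defaultdict(float)
    untagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        org = parse_tags(row["Tags"]).get(org_tag)
        cost = float(row["Cost"])
        if org is None:
            totals["UNTAGGED"] += cost
            untagged.append(row["ResourceId"])
        else:
            totals[org] += cost
    return dict(totals), untagged


if __name__ == "__main__":
    totals, missing = cost_by_org(SAMPLE_EXPORT)
    for org, cost in sorted(totals.items()):
        print(f"{org:10s} {cost:8.2f}")
    print("resources missing the tag:", len(missing))
```

Budgets and alerts in Azure Cost Management can be scoped by tag only once tagging is enforced, so an Azure Policy that denies untagged deployments is the natural companion to this report.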

I recommend going with separate Azure Active Directories along with separate subscriptions so that you can track the billing details for each organization.
We cannot track the billing details separately for each organization with a single subscription. You can have one billing for two subscriptions, and you cannot have more than one billing for two subscriptions. Kindly check this link to get more information and see if it helps. If you have any further queries, kindly let me know.

Related

Azure Resource Group Sharing

I was wondering if someone could help. Is it possible to share resource groups between Azure subscriptions?
A little bit of background: I have two subscriptions in Azure under one tenant. I am after setting up a VPN between each of the subscriptions; however, I am yet to find a solution that doesn't involve sharing a resource group to allow connections.
With this in mind, is it possible to share resource groups between subscriptions, or does it have to be in the same subscription?
If this is the case, how would I go about setting up a VPN between subscriptions?
Resource groups have nothing to do with using or connecting services. They're just an organizational (and security) boundary for viewing/configuring/changing resource settings, deleting resources, etc. Resource Groups are specific to a given subscription.
There's absolutely nothing stopping you from connecting services across subscriptions, as long as you know the passwords/access tokens/certificates/etc.
No, you cannot share resource groups across subscriptions (not that it makes sense in the first place). You can either create a site-to-site VPN or (better) create a peering between virtual networks across the subscriptions.
Peerings are free, easy to set up and don't require any management. Peerings work cross-subscription and cross-tenant (as of November 2019, AFAIK).

MS Azure - Can a single organization have multiple organizations under it?

I'm looking into transitioning all our company systems to MS Azure from our current on-premises setup. We have multiple affiliates operating using their own versions of the same system (i.e. a custom-built application that is fundamentally the same but is tailor-fit to specific business cases/industries).
Is it possible for our mother company to register for MS Azure, and for the affiliates to exist as separate organizations on that plan? Or is each organization required to have its own Azure subscription?
Many Thanks,
Jevb
I have seen many different implementations of Azure for companies. Mostly they are based on a per-separate-subscription model; sometimes I saw companies working with one subscription and then splitting teams into resource groups. I think it is all up to the company, budgets and goals.
I would recommend reading these first; maybe they will give you some hints on how to start and migrate :)
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/reference/azure-scaffold
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/subscriptions/
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
You can have one tenant for your whole company, and individual subscriptions for each business case. Given the way that Azure does billing, it is nice to split your industries into separate subscriptions until you have a solid tagging strategy in place.
I would highly suggest looking into management groups within Azure as you start to implement policy and RBAC for your individual subscriptions, so that you can adhere to security best practices and avoid repeating yourself.
https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

How to prevent provisioning of expensive services

I have an Azure subscription and there are a number of services available. If I configure VMs, web apps, applications, etc., there are a few high-end resources which are very expensive. In order to avoid unwanted billing, I want to create a policy that allows only a few services and lower-configuration resources. Is there an Azure policy that can do that?
"If I configure VMs, web apps, applications, etc., there are a few high-end resources whose prices are high. In order to avoid unwanted billing, I want to create a policy that allows only a few services and lower-configuration resources."
Do take a look at Azure Policy. In short, Azure Policy enables cloud governance, and by defining proper policies you can restrict creation of certain kinds of resources, disallow certain SKUs for resources, and more.
However, as a good practice, you should have only a few people in your organization who have the capability to provision resources, and there should be a formal procedure for provisioning resources. One of my friends burned $180,000 in Azure in just 3 months because every developer in his team had the capability to create resources in the company's Azure subscription. The developers in the team created resources as they pleased without thinking about the pricing implications.

Azure management groups permissions over subscription

I'm trying to configure some management groups in Azure. I have three subscriptions (prod, dev and core) and three management groups by the same name. I then have six application groups (prod1, prod2, dev1, dev2, core1 and core2). What I'm trying to work out is whether we can have the root management group going into three subscription groups, which then go into two application groups per subscription group, and then have the two application groups going into one subscription? Or does it not work like that? All the reading I've been doing shows one management group per subscription, but I can't see why we can't do this. Help!!
Image: https://pasteboard.co/IiYTk1a.jpg
Hope that makes sense.
Thanks in advance.
A subscription can exist in a single management group. You can have a hierarchy of groups for more fine-grained control, but each group can have a single parent.
If you need to control access for multiple users between different subscriptions, then you can use custom RBAC roles and give them custom permissions.

Azure - is it possible to share account with co-workers

A group of friends and I are working on a private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user or users, preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can, for example, set up billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here.
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail, Outlook, live.com, etc.), but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.
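Both the "prevent provisioning of expensive services" answer above and this one point at Azure Policy denying expensive VM SKUs. As an added example (my own, not code from any answer), the block below builds a policy definition in the same shape as the built-in "Allowed virtual machine size SKUs" policy, with an assumed allow-list of sizes, and includes a minimal evaluator for just the operators that rule uses so the deny decision can be checked offline against constructed requests; the evaluator is a teaching aid, not Azure's policy engine.

```python
import json

# Assumed allow-list of sizes the team may deploy.
ALLOWED_SKUS = ["Standard_B1s", "Standard_B2s", "Standard_D2s_v3"]

# Policy definition: deny any VM whose size is not on the allow-list.
# 'Microsoft.Compute/virtualMachines/sku.name' is the policy alias for VM size.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Deny VM sizes outside the allow-list",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                             "in": ALLOWED_SKUS}},
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}


def _matches(cond, resource):
    """Evaluate one condition against a flat {alias: value} resource dict."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported operator in {cond!r}")


def evaluate(resource, definition=POLICY_DEFINITION):
    """Return the policy effect ('deny') if the rule matches, else 'allow'."""
    rule = definition["properties"]["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"


def rules_json():
    """The rule as it would be passed to 'az policy definition create --rules'."""
    return json.dumps(POLICY_DEFINITION["properties"]["policyRule"], indent=2)


# Constructed deployment requests, keyed by the aliases the rule reads.
SMALL_VM = {"type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/virtualMachines/sku.name": "Standard_B1s"}
BIG_VM = {"type": "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachines/sku.name": "Standard_M128ms"}
WEB_APP = {"type": "Microsoft.Web/sites"}
```

Assign the definition at a management group rather than per subscription so every subscription under it inherits the deny, which is the "avoid repeating yourself" point made in the management-groups answer above.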
