We are looking to force all Azure access assignments to go through our management groups instead of at the subscription level. Basically we don't want access to be able to be assigned per subscription and want to block that capability. This way we are forced to grant access at the Management Group level instead.
Is there any way to do this, maybe via a Policy somehow?
Thanks for the helping!
Just copy the answer from QnA for other communities reference (it seems the question in QnA is also asked by same OP).
Currently it is not possible and we can submit a feature request here
Related
I have one AD associated with one subscription and I need to create two users and need to isolate the resources created by them. Is this really possible? since I am new to Azure I am not much aware of this. It would be great if someone render their hand.
I need to create two users and need to isolate the resources created by them. Is this really possible?
Yes. To isolate them from a management and administration point-of-view, create two resource groups, and add each user to the appropriate role on one resource group.
So for Pay-as-you-Go Azure subscriptions you can use the ConsumptionManagementClient. However, this does not work on Azure Sponsorship or CSP subscriptions. It even states this at https://learn.microsoft.com/en-us/rest/api/consumption/. However, if you do have one of those unsupported subscription types, how do you get usage details?
Basically I want to be able to query the usageDetails of any subscription I am authorized to view in C#. What is the right approach to this?
Seems odd that Microsoft has completely different interfaces like this for usage details. What API/SDK (C#) should I be using when ConsumptionManagementClient doesn't work?
OK, so I was exploring the ARM subscription REST endpoint in more detail and I stumbled upon how to get this directly without the need for the ConsumptionManagementClient. For anyone else that needs this info, you can find it in '/providers/Microsoft.Commerce/UsageAggregates'. I can confirm this is working for both PAYG and sponsored subscriptions.
I've looked through all the permissions a user can have in regards to logic apps but I still have not be able to answer my question. Is it possible to restrict a user from using a certain connector in azure logic apps? For example, lets say I wanted users to use only the Outlook/Office 365 connector. Is this possible?
No, it is not possible to restrict Connectors or Actions at design time, though you can certainly restrict actual endpoints by simply not providing credentials.
Note, this is not really any limitation of LogicApps or such. Limiting the designer experience is not something readily available on any other platform.
We are looking at using Azure Jobs for out multi-tenant platform, but want to figure the best way to do security for it, without using a certificate that has access to our whole Azure account.
We have a Resource Group called "Scheduler" and for each tenant we create a Job Collection with the Tentants Id "Tenant{tenant.Id}".
Currently we do this using SchedulerManagementClient and passing in CertificateCloudCredentials. We could use the Token to do this, but I believe it still has the same problem - in that the credentials have access to the full azure account, which we don't want.
Ideally we would like to lock down creation to the resource group "Scheduler" and create a certificate/token for this.
Is there a way to do that? Is there a better way to do what we are doing anyway?
Ok I figured this out, as is always the way it seems when you finally post something on StackOverflow. Everything was complicated by the fact I was using the old management libraries (Microsoft.WindowsAzure.Management) and not the new libraries (Microsoft.Azure.Management).
Basically I needed to create an application, and then assign that application roles just like you do users. This also helped:
https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
Is it possible to get programmatic access to Azure billing information?
I am aware that you can download a .csv file but that doesn't meet my requirements. I'd really like an API to access the current live billing data.
I can't find anything but I've seen a couple of applications that suggest its possible to do this - http://www.youtube.com/watch?v=ETs-NgnZV_U.
Thanks.
Azure now does provide ways to programmatically retrieve your resource usage and pricing data: https://weblogs.asp.net/scottgu/new-azure-billing-apis-available
At this tmie it is not. Quest tools scrap data from HTML of the web-pages afaik
The APIs Moinak refers to seem to be old APIs (we used them before switching to Azure Cost Management exports).
It seems like there are some new billing apis: https://learn.microsoft.com/en-us/rest/api/billing/