Deny the creation of a new management group at root level - azure

I am trying to deny the creation of any additional management group at root level. I enabled the capability of management groups which created the "Tenant Root Group".
I created some more MGs under that one for my governance purposes but I do not want users to be able to create their own. Even without giving them any specific access, it looks that they can (even though it sounds weird to me). I double-checked in IAM panel, nothing specific is there.
Whats displayed in the Azure Portal is like this:
Root Tenant Group
|--- ManagementGroup1
|--- ManagementGroup2
|--- etc.
"Root Tenant Group" is the one that have been automatically created and that I am trying to lock now that I created my structure.
I wanted to go with an Azure Policy, but whenever I apply it to that Tenant Root Group, it does not prevent the creation of another management group. Actually it looks like in the ARM structure, they are not considered as children at all but as independent items. When I run the command az account management-group show --name MyTenantRootGroup it says "children" is null.
Still, my policy was the following:
"if": {
"source":"action",
"equals":"Microsoft.Management/managementGroups/write"
},
"then": {
"effect": "deny"
}
Is there any other way to do so ?

Policy is unable to evaluate policies at a Management group level because of outside limitations. I would recommend submitting your idea to our UserVoice for proper feedback and consideration.

Related

Azure resource group - How can I tell which ones are "related"?

Recently I was provisioning a new Azure Synapse resource, which ended up creating 2 different resource groups.
I understand a resource group is basically a container for related items, fair enough but thinking about it more I am actually confused why would Azure decide to create two separate resource groups instead of just putting it all into one?
The bigger burning question I have is after creating a number of resources - Lets say each one spawns multiple resource groups.
How can I tell which resource group is a "child" or a "parent" of another?
#rodneyc8063 Thanks for updating the concern of your question. Posting your discussion in the comments as an Answer to help other community members.
As said by Daniel Mann you are getting the additional resource group because your synapse workspace is creating the managed resource group.
A managed resource group is like a container which can hold the resources required by your resource. It is created by default when your workspace is created.
You can name it if you want, else its name will be created automatically.
When you delete the Main Resource Group of your resource, then the resources inside it also will be deleted.
The managed resource group also deleted when you delete the resource(managed application).
That’s why the second resource group is deleted when you delete the first one.
As far as I know apart from this there is no relationship between them.
References:
Overview of managed applications - Azure Managed Applications | Microsoft Docs
Blog from DataSimAntics about managed resource group.

How to create custom RBAC/ABAC role in Azure?

The requirement is to create access package with few roles so that the users can perform below activities:
Read & write access to data stored in a given blob container ('abc' blob container).
Role to access azure data factory to build pipeline, process & load the data to a staging area (to Blob container or SQL server).
DDL & DML and execute permission role to access the data/database in SQL server environment.
I was referring Azure RBAC and built-in-roles but unable to get clear idea considering the above points.
My question is, is there any build in roles there OR do I need to create the custom role? And, how to create custom role (for above requirements) considering baseline security?
Is there any ways, can I get additional actions by referring which I can write custom JSON scripts?
My question is, Is the RBAC roles possible for SQL Server in a VM? If yes, how?
Additionally, if I have both PaaS instance of SQL Server and VM instance of SQL Server (that is, SQL Server in VM) - how the RBAC roles will be managed for both?
According to your requirements, please go through below workarounds if they are helpful:
Read & write access to data stored in a given blob container (‘abc'
blob container).
You can make use of built-in role like Storage Blob Data Contributor which allows operations like read, write and delete Azure Storage containers and blobs. If you want to know more in detail, go through this reference.
Role to access azure data factory to build pipeline, process & load
the data to a staging area (to Blob container or SQL server).
You can make use of built-in role like Data Factory Contributor which allows operations like create and manage data factories, as well as child resources within them. Those child resources include pipelines, datasets, linked services… With this role, you can build pipeline, process and load the data. If you want to know more in detail, go through this reference.
DDL & DML and execute permission role to access the data/database in
SQL server environment.
You can make use of built-in role like SQL Server Contributor which allows operations like manage SQL Servers and Databases. If you want to know more in detail, go through this reference.
If you want to create a custom role for all these, make sure you have Owner or User Access Administrator role on the subscription. You can create a custom role in 3 ways:
Clone a role – You can make use of existing roles and modify the permissions by adding and deleting them according to your need.
Start from scratch – In this, you must add all permissions you need manually by picking them from their providers and excluding the permissions you don’t need.
Start from JSON – Here, you can just upload a JSON file where you can create separately by including all needed permissions in Actions variable whereas excluded permissions in notActions variable. If the permissions are related to data, then add them to DataActions and notDataActions based on your need. In Assignable scope, you can include the scope where the role should be available i.e., subscription or resource group as per need.
Considering baseline security, it is always suggested to give read permissions only. But as you need write permission for blob container and building pipeline, you can just add only those(read/write) in Actions section and remaining all(delete) in NotActions section.
If you want to add additional actions, simply include those permissions in Actions section in JSON file and make sure to give read permissions to resource groups.
A sample custom role JSON file for your reference:
{
"assignableScopes": [
"/"
],
"description": "Combining all 3 requirements",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/***************************",
"name": "**********************",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
],
"notActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write"
],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Custom Role Contributor",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reference:
Azure custom roles - Azure RBAC | Microsoft Docs

How to know the origin resource group of a App Service Plan?

I have an Azure App Service Plan and a Web App. I want to move them to another subscription. There is a limitation that app service plan and app service must be moved together from the origin resource group of the app service plan. Someone had moved the resources from their origin resource group and deleted the resource group. Now, how can I find the name of the origin resource group ?
In some cases it can be found in the WebSpace property of app service plan. For example [ "webSpace": "RG-SK-MarkIII-CentralUSwebspace" ], RG-SK-MarkIII is the origin resource group of the app plan. But in my case the webSpace is like this ["webSpace": "AustraliaEastwebspace" ]. Is there any other way to find it through CloudShell ?
You can look up the actions taken by a particular user, even for a resource group that no longer exists.
az monitor activity-log list -g ExampleGroup --caller someone#contoso.com --offset 5d
Kindly try these steps:
If you don't remember the original resource group, you can find it through diagnostics.
For your web app, select Diagnose and solve problems.
Then, select Configuration and Management.
Select Migration Options.
Select the option for recommended steps to move the web app.
You see the recommended actions to take before moving the resources. The information includes the original resource group for the web app.
- I understand you're referring to RG deletion scenario, kindly try this and let me know how it goes.
Reference document move across subscription.
Furthermore, you can only change to a plan that was created in the same "webspace" as your original app. Webspace is an internal concept that's not exposed, but you can verify whether your source and destination plans are in the same webspace or not.
To verify, do the following:
https://resources.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/serverfarms/{serverFarmName}
Confirm whether the webSpace property of your source plan matches the webSpace property of your new plan

AKS template creates new resource groups

When I create an AKS cluster using Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with with "MC_" prefix. I also don't see an option to change its name when using ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
Secondary resource group name can be inferred, I think, its something like:
MC_original-resource-group-name_aks-resource-name_location
it also creates OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but its a provider setting). you have no control over that as well.
there is a not implemented yet nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group and using this property is not possible with the portal (so ARM Templates\pulumi\terraform)

How do I change the name of an Azure Resource Group?

After the new model was implemented, all of my websites now belong to individual Resource Groups called "Default-Web-East" and all of my SQL databases belong to individual Resource Groups called "Default-SQL-East".
This is confusing to say the least.
I would like to rename the groups to have some semantic meaning. I would also like to group the associated SQL database and Web Site in the same Resource Group.
However, I do not see anyway to do either. Is this possible?
1) Rename the Resource Group?
2) Combine an existing SQL DB and Website together into one Resource Group?
Edit: You can't rename an Azure Resource Group.
What you can do is move your resources to a new Resource Group instead. Moving all resources in Resource Group A to Resource Group B is the poor man's rename.
Unfortunately not all resource providers let you move resources between resource groups, and some that do might have strings attached that only let you move resources under certain conditions.
For Azure Web Apps (previously called Azure Websites) you can currently only move all the websites related resources in a single invocation. That "all websites related resources" means all resource under the provider "Microsoft.Web". This includes all websites, app hosting platforms, and certificates that are in the source resource group.
Via the portal
When viewing a group's resources, you can use the "Move" tab
Clicking the "Move" tab will show something this, allowing you to choose or create a new group:
Via Azure Powershell
The easiest way to do this is to use the Move-AzureRmResource powershell cmdlet.
The command would look like this:
Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>
source: https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
Via Rest API
The other way to do this is to use the MoveResource Rest API or with the ArmClient.
Here's the API call you'll want to make:
POST https://<endpoint>/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/moveResources?api-version={api-version}
Where {resourceGroupName} is the source resource group.
I'm pretty sure the endpoint should be "https://management.azure.com", but if you use the ArmClient the tool will just take care of the endpoint for you.
Request Body:
{
"targetResourceGroup": "/subscriptions/{subscriptionId}/resourceGroups/{targetResourceGroupNameName}",
"resources":
[
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}",
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}"
]
}
In addition to the main answer, Azure Portal has a feature of moving the Resources that is allowed to be moved to a new Resource group.
Go to your Resource Group that has Resources you want to move to an existing or a new created Resource Group.
Select the one, multiple or all (1) Resources you want to move and click on the Move (2) bottom as shown in image. (you can select moving to Resources with in the same subscription or to another subscription) A third option if you need just to change the Region) see the the figure at the end.
It will ask you to chose which Resource Group to move to.
Note: This process might take some time, be patient. When done, you
will see that the resource disappear from the old one and will be
found in the new one. That said some resources might be restricted
from been moved to other resources.
Move (Fixing) only region

Resources