We currently have a lot of subscriptions in Azure which we manage; these range across the different execution environments (dev, test, etc.) and are all grouped inside a management group structure to make RBAC and policies easier. The problem we are facing at the moment is that our root of the management group structure has a bunch of Visual Studio Professional (/MSDN) subscriptions. We are looking to automate a script to check for the offerId of the subscription and move all these into a specific management group.
So far we have had no joy using functions in PowerShell or the Azure CLI to actually filter the subscriptions by OfferId. Even if I could get a subscription export with OfferId, I could use that list to automate moving all these subscriptions into a specific management group. Has anybody experienced the same, or should I rather just leave those subscriptions lying there? The idea behind having it separate is to have it isolated and more control over it; reporting on costs etc. for the management group will also be an advantage.
If you want to move subscriptions to the Azure management group with PowerShell, please refer to the following script:
#create management group
New-AzManagementGroup -GroupName 'Contoso'
#move Subscription
New-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId ''
Besides, please note that if you want to do that, you need to have enough RBAC permissions.
For more details, please refer to https://learn.microsoft.com/en-us/azure/governance/management-groups/manage#move-subscriptions-in-the-hierarchy.
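An added example, not from the thread, of the export-then-move approach the question asks for, using the Az PowerShell module. Get-AzSubscription exposes the offer under SubscriptionPolicies.QuotaId, which the Azure CLI account listing does not show; the quota ID 'MSDN_2014-09-01' for Visual Studio Professional and the management group name are assumptions, so check the exported CSV before running without -DryRun.

```powershell
# Added example: requires the Az module and an account that can read all
# subscriptions and add subscriptions to the target management group.
param(
    [string]$TargetGroup = 'VisualStudioSubscriptions',   # placeholder group name
    [string[]]$VsQuotaIds = @('MSDN_2014-09-01'),          # assumed quota ID for Visual Studio Professional
    [switch]$DryRun
)

Connect-AzAccount | Out-Null

# Step 1: export every subscription with its quota ID. This CSV is the
# "subscription export with OfferId" the question asks for; review it to
# confirm which quota IDs your Visual Studio subscriptions actually carry.
$all = Get-AzSubscription | Select-Object Name, Id, State, @{ Name = 'QuotaId'; Expression = { $_.SubscriptionPolicies.QuotaId } }
$all | Export-Csv -Path .\subscriptions-with-quota.csv -NoTypeInformation

# Step 2: pick the enabled subscriptions whose quota ID matches and move them.
$toMove = $all | Where-Object { $_.State -eq 'Enabled' -and $_.QuotaId -in $VsQuotaIds }

foreach ($sub in $toMove) {
    if ($DryRun) {
        Write-Host "Would move $($sub.Name) ($($sub.Id)) to $TargetGroup"
        continue
    }
    # The subscription inherits policy and RBAC from its new parent, so review
    # the target group's assignments before this step.
    New-AzManagementGroupSubscription -GroupName $TargetGroup -SubscriptionId $sub.Id
    Write-Host "Moved $($sub.Name) to $TargetGroup"
}
```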
Related
We're looking at moving an Azure subscription under a new management group. I just wanted to see if there are any implications for the workloads running on the subscription. The subscription is already under a management group; however, we are moving it to a new management group, which will not be under the same branch as the current management group. There will be some policies which I need to replicate to the new management group, but those policies restrict permissions.
Fairly sure this doesn't affect any workloads running in the subscription, but just wanted to confirm and make sure there's nothing I'm missing.
Thanks in advance :)
I want to use a service principal to deploy a single ARM template to our Azure account.
I cannot find documentation for how to grant the least possible privilege, but it appears the only way to make this work is to grant contributor on the subscription.
Is there a way to limit the role on my service principal to only deploy ARM Templates or at the very least limit it to a single resource group?
Actually, for each template you can figure out the minimum possible permissions by looking at the template; they would be resourcetype + /write, plus the permission to create deployments, Microsoft.Resources/deployments/write.
But it's really easier to just give a person Contributor over the resource group. If you are concerned about security you can use Privileged Identity Management in Azure AD.
In the Access control (IAM) section under a resource group you can make the service principal you created 'Contributor'. This will make sure that that user can only deploy resources within that resource group. This way the account doesn't need any permissions on the subscription level.
When you go to the Access Control section click Add, and select "Add role assignment".
In the panel that shows you can select the role "Contributor" and look up the service principal you created.
Then click 'Save' to finish and you should be good to go.
I tend to make service connections (with separate service principals) in DevOps per environment; this makes it clear what resources you can touch and prevents people from accidentally deploying to incorrect locations from a pipeline because they typed in the wrong resource group name.
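An added example, not from the answers above, of the custom-role approach the first answer describes: it derives the resourcetype/write actions from the resources in the template, adds the deployment permission, and assigns the role to the service principal at resource-group scope only. The template path, role name, subscription, resource group and application ID are placeholders.

```powershell
# Added example: Az module, signed in with rights to create role definitions
# and role assignments in the target subscription.
$subId  = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$rgName = 'rg-demo'                                # placeholder resource group
$appId  = '11111111-1111-1111-1111-111111111111'   # placeholder application (client) ID of the service principal
$scope  = "/subscriptions/$subId/resourceGroups/$rgName"

# 1. Derive the write actions from the resource types the template declares.
#    Only top-level resources are walked; child resources nested inside a
#    parent's "resources" array use a short type and must be added by hand.
$template = Get-Content -Path .\azuredeploy.json -Raw | ConvertFrom-Json
$actions  = @($template.resources | ForEach-Object { "$($_.type)/write" }) +
            @(
                'Microsoft.Resources/deployments/*',                    # create, validate and read deployments
                'Microsoft.Resources/subscriptions/resourceGroups/read'
            ) | Sort-Object -Unique

# 2. Build the custom role from a built-in one so every field is populated,
#    then replace its permissions and restrict where it can be assigned.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null
$role.IsCustom = $true
$role.Name = "ARM Deployer ($rgName)"             # custom role names must be unique in the tenant
$role.Description = 'Deploys azuredeploy.json into a single resource group'
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role | Out-Null

# 3. Assign it at resource-group scope, never at the subscription. A new role
#    definition can take a few minutes to propagate; retry if the assignment
#    reports the role as not found.
New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName $role.Name -Scope $scope
```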
I'm creating subscriptions in Azure with a number of RBAC roles assigned: hosting team and project team. The hosting team should have full access to everything, and the project team should have full access to everything barring a few exceptions, e.g. no access to the 'Networking' resource group (although they are allowed to create their own resource group(s) containing networking). We have set the RBAC owner for the project team at the subscription level, but in doing so, this also allows them to fully manage the restricted areas.
In principle the 'deny' assignments in Azure Portal would fit our needs; however, they are currently only available for Azure Blueprints. Any ideas?
Block inheritance doesn't exist yet. Your only option is to carefully craft and assign custom RBAC roles, or carefully assign built-in roles (so, never at sub level, only at resource group level).
Or use Azure Blueprints, it appears they added support for that there.
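An added example, not from the answer, of assigning only at resource-group level as the answer suggests, while still letting the project team create its own resource groups: a custom role with just the resourceGroups/write action at subscription scope, and Owner on every existing resource group except the restricted ones. The subscription ID, group name and restricted list are placeholders.

```powershell
# Added example: Az module, signed in as someone who can manage role
# definitions and assignments on the subscription.
$subId       = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$projectTeam = 'sg-project-team'                        # placeholder Azure AD group display name
$restricted  = @('Networking')                          # resource groups the team must not manage

Set-AzContext -Subscription $subId | Out-Null
$group = Get-AzADGroup -DisplayName $projectTeam

# 1. At subscription scope the team gets only what it needs to create its own
#    resource groups; nothing here grants rights inside existing groups.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Resource Group Creator ($subId)"
$role.Description = 'Create and list resource groups; no rights inside them'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/write')
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")
New-AzRoleDefinition -Role $role | Out-Null
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope "/subscriptions/$subId"

# 2. Owner on every existing resource group except the restricted ones. Since
#    nothing is assigned at subscription scope, 'Networking' stays out of reach.
Get-AzResourceGroup | Where-Object { $_.ResourceGroupName -notin $restricted } | ForEach-Object {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Owner' -Scope $_.ResourceId
}

# Caveat: creating a resource group does not make the creator its Owner, so a
# group the team creates later needs step 2 run again (or automated on creation).
```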
I have two Azure subscriptions, Enterprise and MSDN subscriptions. I want to transfer a resource group from one subscription to another. Already found this method but it requires changing the tenant of one of the subscriptions. How to move resources from subscriptions in different directories in Azure
These accounts have different active directories (Cannot Change Directory). So essentially the tenantid remains different.
Official docs also mention this way: https://azure.microsoft.com/en-in/documentation/articles/resource-group-move-resources/
Are there any alternate methods to move the RG?
I think there is no alternate method to move the RG. What you can do as a workaround is to try to download the Automation Script (ARM template) for your resource group, delete the RG and deploy the template to your new subscription. But this only works for services that use the Resource Manager (not Service Manager).
Also, this only creates the services / infrastructure, but you probably have to redeploy content depending on which resources you are using.
Someone mentioned this can be done by contacting the support.
I found that it's possible in some scenarios to do this by moving the resource group to a new/temporary subscription, and then transferring ownership of that subscription to the desired account. It doesn't matter if the account is on a different domain or not; however, not all resource types can be transferred (e.g. Azure role-based access control assignments).
https://learn.microsoft.com/en-gb/azure/cost-management-billing/manage/billing-subscription-transfer?WT.mc_id=Portal-Microsoft_Azure_SubscriptionManagement
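An added example, not from the answers, of the export-and-redeploy workaround described above carried out with the Az module: export the resource group as an ARM template in the source tenant, then preview and run the deployment in the target tenant. Tenant and subscription IDs, the resource group name and the location are placeholders.

```powershell
# Added example: Az module; the signed-in user needs to be able to read the
# source resource group and deploy into the target subscription.
$sourceTenant = 'aaaaaaaa-0000-0000-0000-000000000000'   # placeholder tenant ID
$sourceSub    = '00000000-0000-0000-0000-000000000001'   # placeholder subscription ID
$targetTenant = 'bbbbbbbb-0000-0000-0000-000000000000'   # placeholder tenant ID
$targetSub    = '00000000-0000-0000-0000-000000000002'   # placeholder subscription ID
$rgName       = 'rg-app'                                 # placeholder resource group
$location     = 'westeurope'                             # placeholder region
$templatePath = '.\rg-app.json'

# 1. In the source tenant, export the resource group as an ARM template.
Connect-AzAccount -Tenant $sourceTenant -Subscription $sourceSub | Out-Null
Export-AzResourceGroup -ResourceGroupName $rgName -Path $templatePath -Force | Out-Null

# 2. In the target tenant, create the group and preview the deployment with
#    -WhatIf before running it for real. Review the exported template first:
#    exported names are parameterised, and some resource types do not export.
Connect-AzAccount -Tenant $targetTenant -Subscription $targetSub | Out-Null
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templatePath -WhatIf
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templatePath

# The template reproduces infrastructure only: data, secrets and RBAC
# assignments are not carried over. Delete the source group only after the
# new deployment has been verified.
```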
I am trying to figure out how to create a windows azure active directory group and/or role from the web portal. Am I missing something obvious here or? I can create users, and assign them to the 2 built in roles, but how do I create a new role? or group?
Admittedly I haven't tried this yet, but the PowerShell extensions should be able to do this:
http://technet.microsoft.com/en-us/library/jj151815.aspx
Look under "Manage group and role membership" for details on the relevant commands.
I would also assume that the Graph API could handle it. I too was hoping that the Azure Management Portal would let us do it in their GUI.
Seems the way to add groups, etc. is via the Graph API or, as suggested above, by PS scripts. The Graph API is amazingly powerful, albeit not as convenient as if this functionality lived within the Azure portal.
Basically you have 2 options:
1. create app roles and assign security groups to them (AAD Premium is required)
2. enable security groups as claims (AAD Free is enough)
Follow this official manual: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps