Azure management groups permissions over subscription - azure

I'm trying to configure some management groups in Azure. I have three subscriptions (prod, dev and core), I have three management groups by the same name, I then have six application groups (prod1, prod2, dev1, dev2, core1 and core2). What I'm trying to work out is whether we can have the root management group going into three subscription groups, which then go into 2 application groups per subscription group, and then have the two application groups going into one subscription? Or does it not work like that? All the reading I've been doing shows one management group per subscription, but I can't see why we can't do this. Help!!
Image: https://pasteboard.co/IiYTk1a.jpg
Hope that makes sense
Thanks in advance

A subscription can exist in a single management group. You can have a hierarchy of groups for more fine-grained control, but each group can have a single parent.
If you need to control access for multiple users between different subscriptions, then you can use custom RBAC roles and give them custom permissions.

Related

Managing different organizations on Azure

Currently, we have our own Azure Active Directory and Azure subscription for our organization. Now I want to on-board different organizations and users in different organizations into our Azure infrastructure. I want to manage resources for all the organizations and want to get billing details of each organization.
There are two ways to On-Board different organizations
Create a separate AAD and subscription for each organization - Clear separation between organizations makes it easier to get billing details for each resource group. But this option may not be cost-effective, as we need to create the same resources for each organization.
Create an AAD group for each organization in our Azure Active Directory and use our main subscription for all organizations - We need to add resource tagging to each Azure resource to get the usage details and billing for each organization. This could be cost-effective but will not get all the features of Azure Cost Management like alerts, budgets, etc.
Please let me know which option should be used in this scenario while On-Boarding a large number of organizations and users?
Let me know other Pros and Cons of each option.
I recommend going with a separate Azure Active Directory along with separate subscriptions so that you can track the billing details for each organization.
We cannot track the billing details for each organization separately with a single subscription. You can have one billing for 2 subscriptions and you cannot have more than billing for 2 subscriptions. Kindly check this link to get more information and see if it helps. If you have any further queries, kindly let me know.

Regarding isolating resources created by two users in a subscription in Azure

I have one AD associated with one subscription and I need to create two users and need to isolate the resources created by them. Is this really possible? Since I am new to Azure I am not much aware of this. It would be great if someone could lend a hand.
I need to create two users and need to isolate the resources created by them. Is this really possible?
Yes. To isolate them from a management and administration point-of-view, create two resource groups, and add each user to the appropriate role on one resource group.

isolating resources creating by two different users in Azure

I need to create two users in the same subscription. Let the users be A and B. The resources created by user A should not be visible to user B and vice versa. It would be great if someone could help me on this.
Assign RBAC to the user at the resource group level; the user is not able to access the resource until the user has permission on that resource group.
For more details, please refer to this document.
It would depend on the type of resources being created. It works in a hierarchical fashion, so if a user had access to read and write resources under the subscription, then they could see all the resources under that. But you could, for example, create a resource group and only give users access to that, so they won't see other resource groups that they don't have access to.
Other than that, you could create more subscriptions, then use management groups for a level of management above that.
There may be other options, like creating custom roles that only allow very specific creation and not reading resources and such, which may or may not work. But that would need to be tested.
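To make two points from this thread concrete, the single-parent rule from the first answer (a subscription or group sits under exactly one parent) and the resource-group scoping from the answer above (assignments inherit down the scope chain), here is a small model of the Azure scope hierarchy written for this page; it is not code from the thread or from any Azure SDK, and all scope and principal names are constructed.

```python
class ScopeTree:
    """Azure scope hierarchy: root -> management groups -> subscriptions -> resource
    groups -> resources. Each scope has one parent; role assignments inherit downwards."""

    def __init__(self):
        self.parent = {"/": None}          # tenant root has no parent
        self.assignments = []              # (principal, role, scope)

    def add(self, scope, parent):
        """Attach a new scope under exactly one parent."""
        if parent not in self.parent:
            raise ValueError(f"unknown parent scope {parent!r}")
        if scope in self.parent:
            raise ValueError(f"{scope!r} already sits under {self.parent[scope]!r}")
        self.parent[scope] = parent

    def ancestors(self, scope):
        """Yield the scope itself, then each parent up to the root."""
        while scope is not None:
            yield scope
            scope = self.parent[scope]

    def assign(self, principal, role, scope):
        self.assignments.append((principal, role, scope))

    def effective_roles(self, principal, scope):
        """Roles in force at `scope`: assigned there or at any ancestor."""
        chain = set(self.ancestors(scope))
        return {r for p, r, s in self.assignments if p == principal and s in chain}

    def visible_scopes(self, principal):
        """Every scope at which the principal holds at least one role."""
        return {s for s in self.parent if self.effective_roles(principal, s)}


def demo():
    t = ScopeTree()
    for scope, parent in [("mg-prod", "/"), ("mg-prod1", "mg-prod"), ("mg-prod2", "mg-prod"),
                          ("sub-prod", "mg-prod1"), ("rg-a", "sub-prod"), ("rg-b", "sub-prod"),
                          ("rg-a/vm1", "rg-a"), ("rg-b/vm2", "rg-b")]:
        t.add(scope, parent)
    try:                                   # the asker's diagram: one subscription under two groups
        t.add("sub-prod", "mg-prod2")
        second_parent_ok = True
    except ValueError:
        second_parent_ok = False
    t.assign("userA", "Contributor", "rg-a")   # resource-group-level RBAC, as the answer suggests
    t.assign("userB", "Contributor", "rg-b")
    t.assign("admin", "Owner", "mg-prod")      # inherited by every scope below the group
    return second_parent_ok, t.visible_scopes("userA"), t.effective_roles("admin", "rg-b/vm2")
```

`demo()` returns `False` for the second parent, shows userA only `rg-a` and `rg-a/vm1`, and shows the management-group Owner reaching `rg-b/vm2`.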

Azure - is it possible to share account with co-workers

A group of friends and I are working on a private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user(s), preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can, for example, set up billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here
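As an added illustration of the policy approach in the answer above (example code written for this page, not from the thread): a constructed policy definition in the shape of the built-in "allowed VM SKUs" rule, plus a deliberately simplified evaluator that shows which deployment requests it would deny. The alias map and evaluator are a reduced model of Azure's policy engine, and the SKU list and resources are constructed.

```python
# Constructed policy definition following the built-in "allowed VM SKUs" pattern:
# deny any virtualMachines resource whose size is not in the assignment's allow-list.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name",
         "notIn": "[parameters('allowedSKUs')]"},
    ]},
    "then": {"effect": "deny"},
}
ASSIGNMENT_PARAMS = {"allowedSKUs": ["Standard_B1s", "Standard_B2s", "Standard_D2s_v3"]}

# Simplified alias map (assumption): how a policy field name reaches the resource JSON.
ALIASES = {
    "type": lambda r: r["type"],
    "Microsoft.Compute/virtualMachines/sku.name": lambda r: r.get("properties", {}).get("hardwareProfile", {}).get("vmSize"),
}

def resolve(value, params):
    """Expand a "[parameters('name')]" reference; literals pass through unchanged."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    """Evaluate one condition (allOf / anyOf / equals / in / notIn) against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = ALIASES[cond["field"]](resource)
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource, params):
    """Policy effect for a deployment request: 'deny' when the rule matches, else 'allow'."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "allow"

# Constructed deployment requests
CHEAP_VM = {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"hardwareProfile": {"vmSize": "Standard_B1s"}}}
GPU_VM = {"type": "Microsoft.Compute/virtualMachines",
          "properties": {"hardwareProfile": {"vmSize": "Standard_NC24"}}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts"}
```

`evaluate` returns `allow` for `CHEAP_VM` and `STORAGE` and `deny` for `GPU_VM`; in Azure the same decision is made service-side at deployment time, so a user with Contributor rights still cannot create the denied SKU.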
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail,outlook,live.com etc) but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.

Azure AD - Specific roles for sub-projects

I'm looking to develop an application using Azure Active Directory, primarily because of the built-in support for easy authentication in Web API and across various Azure tools.
My application will consist of a number of projects that each contain a number of sub-projects. With authentication covered, I'm trying to work out how I can handle authorization with Azure AD now. I envision that there would be different roles associated with each of the sub-projects (5-10), with people getting assigned to them on a per-sub-project basis.
Now, I know that AD supports roles and groups. Roles are sets of permissions and groups are sets of users. While I could create a group for each of the sub-projects, I expect that some of the roles could vary based on each of the larger projects, so I can't just check to see if a given user is assigned to X group and Y role. Not to mention, because a user could be assigned to more than one group and role, I don't see a way to specify that the role is applicable to just a single group (since the user may not be intended to have that role in all groups).
So, the only way I see right now to move forward would be to create new roles each time I create a new project and sub-project that are specific to each. However, as these projects and sub-projects are created and deleted over time, I expect we'll start hitting the upper caps of how many roles AD supports altogether (especially on a per-user basis).
In traditional Active Directory, I expect this would be handled via Organizational Units that could represent each of the projects and each of the sub-projects, each with assigned roles and groups. However, according to https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-create-ou there isn't support for Organizational Units in Azure AD and that it can't be assigned via the AD Graph API.
Using Azure AD, is there a better approach to take here apart from unique roles for each sub-project at this point?
Thanks!
Edit for more information:
Right now Azure AD supports groups and roles. Let's say I have two projects, A and B and each of those has two inner sub-projects, A1 and A2, and B1 and B2. Additionally, I have a user that I want assigned to an Admin role on A1, a Power User role on B2, and no access to B2 or A1.
It seems that I could make a group for A1, A2, B1 and B2 and simply assign the user to group A1 and B2. On the backend, I can just specify that the user should be in those groups and deny access for anyone that's not.
Ok, so that handles group access, but then I want to assign the roles. I can grant them Admin and Power User, but then they'll have both of those roles on both of the groups they're in because I can't assign the roles in the context of a group.
The only other approach I can see is to create distinct roles for each of the groups, so now I have "Admin-A1", "Power User-A1", "Admin-A2", "Power User-A2", "Admin-B1", "Power User-B1", "Admin-B2", and "Power User-B2", but this is going to greatly inflate my object count over time (50 projects with 10 sub-projects apiece with 8 roles will start working up there, though 500k is quite the high threshold).
I foresee a maintainability problem with having so many roles. Since I can't correlate a role with a group and can only specify the display name and description for it (both would be useful for a project owner to see when assigning them), how might you suggest that I identify on the backend which roles are associated with which project (without having to keep my own list of GUIDs to store the extra attributes)? Is there a way to submit custom attributes with the roles/groups?
What kind of roles are you developing with? Did you mean the application role?
Based on my understanding, we can register a separate app for every sub-project on the Azure portal, customize the roles for every app we register, and assign the roles to the users/groups we want. That role should then only work for the project corresponding to the app.
For more detail about managing an application based on roles, you can refer to the code sample here.
"...I expect we'll start hitting the upper caps of how many roles AD supports altogether (especially on a per-user basis)."
There is no such limitation on the roles for one single user. But if you are using the free edition of Azure AD, it supports 500,000 objects. An object is an entry in the directory service, represented by its unique distinguished name. Here are two helpful links for your reference:
Azure AD service limits and restrictions
Azure Active Directory editions
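To show why the per-app registration approach in the answer above scopes a role to one sub-project, here is an added authorization check written for this page (not code from the thread or from any Microsoft library). The app IDs, role names and claim sets are constructed, and the claims are assumed to come from a token whose signature, issuer and expiry have already been validated.

```python
# Constructed app registrations: one per sub-project, each declaring its own appRoles.
APP_REGISTRATIONS = {
    "A1": {"app_id": "api://subproject-a1", "appRoles": {"Admin", "PowerUser"}},
    "B2": {"app_id": "api://subproject-b2", "appRoles": {"Admin", "PowerUser"}},
}

def authorize(claims, subproject, required_role):
    """True if an already-validated token grants `required_role` on `subproject`.

    The `aud` claim ties the token to exactly one app registration, so a role
    issued by the A1 app carries no authority on B2, which is the scoping the
    asker could not get from roles assigned in a single app."""
    app = APP_REGISTRATIONS.get(subproject)
    if app is None or claims.get("aud") != app["app_id"]:
        return False                      # token minted for another app (sub-project)
    if required_role not in app["appRoles"]:
        return False                      # role not declared by this app at all
    return required_role in set(claims.get("roles", []))

# Constructed claim sets for one user, as issued when signing in to each app.
TOKEN_A1 = {"aud": "api://subproject-a1", "oid": "user-1", "roles": ["Admin"]}
TOKEN_B2 = {"aud": "api://subproject-b2", "oid": "user-1", "roles": ["PowerUser"]}
```

Presenting `TOKEN_A1` to the B2 backend is refused even though it carries `Admin`, which is what separating the registrations buys you.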
