I'm coming from Google Cloud Platform, and have been used to creating service agents, essentially user accounts to grant permissions/access that I specify to non human actors, so they can view/modify resources/attributes. I have been exploring Azure all evening and can't quite find something similar to that. Can anyone suggest Azure services or keywords I should do some reading on so I figure out how to implement similar identity and access in Azure?
You'll want to start off by looking at Azure Active Directory Service Principals and Application Registrations. These are the rough equivalent to Service Accounts. You'll also want to research Managed Service Identities, which are a way to simplify the use of Applications and Service Principals. You can start with this page and keep linking from there.
This medium article can give you a good comparison circa 2020.
Related
One of my customers would like to know what are all the implications and what all precautions one needs to take before migrating all their identities to Azure and use Azure AD as the main AD. Any kind of documentation on this would be really helpful.
I would also need to show the various workflows how the authentication for a user accessing a particular resource would work using Azure AD and use of various technologies like PIM, CA,Intune etc. Thanks
Cloud IAP works by verifying a user’s identity and determining if that user should be allowed to access the application.
Is there anything like this on Microsoft Azure?
This medium article that talks about how to "drop the bastion in the clouds" may be a good starting point.
I have a business requirement where Azure Subscription owner will Provision User Groups like Infrastructure Admin, Billing Admin, Enterprise Users. Ifra Admin people should login to this Portal & can only see options related to Infra provisioning. Billing Admin people should have access to Azure usage Enterprise wide - And they should be able to generate bills for respective teams(which are part of the organization). Enterprise Users are those who want to procure azure storage, VMs etc. and they want estimate cost for required infra.
I am looking out for a solution/approach for this requirement. If Azure Portal is already providing this feature then please provide me reference material. If i should build new custom Web application which internally use Azure APIs then let me know about that option as well.
If there are any products which already doing this even am open for that.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) Systems that has support for Azure. Off the top of my head, two tools come to my mind - Cloudyn & Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out Billing Samples on GitHub.
I am trying to make my way through a lot of Azure documentation on multitenant identity management, for a bespoke ASP.NET MVC SaaS site. It is difficult as it seems that a lot of the online examples and articles are now outdated and not applicable to latest VS templates, and other vague aspects, such as determining what is Preview and what is not. Also, MS tend to use the word "multitenant" when specifically dealing with partner companies who have their own Azure AD, which is not our case.
Our proposed system will offer a web application to different customers. The backend will have a separate db per customer (tenant). The front end will select which db connection (and probably use impersonation) depending on the logged in user. The identity management would preferably be offloaded to Azure ACS, so that in future if we want to integrate with corporations with their own Federation identity provider we can, but for those smaller companies that don't have their own domain, we want to create accounts on their behalf.
I am thinking that a good way to do this is by using Azure ACS (for federating with corporate customers) and a general Azure AD directory (for everyone else), where in the second case I create a group per tenant (customer). Then, in Azure ACS, I translate all claims, either the group from my own AD, or the company name from the federated identity provider, and use that in the MVC app to establish the tenant.
Is this an OK way to do it? Am I overlooking some standard, simple way that Azure already offers? Is this future proof wrt to the Azure roadmap?
for the latest multi tenant samples please see https://github.com/Azure-samples?utf8=%E2%9C%93&query=multiten. We are about to release more documentation on how to handle multi tenancy in Azure AD. I would strongly advise against using ACS in any new project, given that we are no longer adding any features and we are actively working on migrating functionality from ACS to Azure AD. See http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx for more details.
We have a complex Azure setup...cloud services, websites, storage accounts, VM's...the whole shebang.
We have custom domains to all of these things and they work great, but I can't find any documentation on setting up an A record or a CNAME to work with their Service Bus functionality.
Anyone know if this is possible?
David,
Thank you for sharing your requirement. Using custom domains with Windows Azure Service Bus is not currently supported. However, it is among the features that the Service Bus team is considering enabling in the near future. We'll have further information on this when the feature is available for use.
-santosh