Azure Migration of Resources To New Account Before Deletion of User Account - azure

I had one doubt regarding resource management via Azure Portal.
Although I am aware that migration to another subscription and tenant is possible, along with movement of resources between resource groups, I am not sure whether access to resources will still remain available after I add someone via access control but the account that granted the access itself gets deleted or removed.
I wanted to know if it is possible to migrate the resources with full permissions to another user account if the account that was used to create the resources in the first place is removed from Azure.

The account used to create a resource is no longer relevant after the resource is created. Other than the activity log entry, Azure doesn't track who created a resource, and if that original user account is deleted it will have no effect on the resource or any other user's access to it.

What is the relation between all those MS Azure Terms and Structures?

Currently I am trying to dig deeper into the organizational/entity structure of MS Azure. All I find online in discussions and official MS documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the Azure portal using an email address, which is called an account
In the Azure portal I am acting in the context of a directory
The account I use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a tenant
A subscription I create is associated with, but not created/stored within, a directory (not with a tenant)
A subscription I create is associated with the account I am currently logged in with, called the Azure Account
A management group will be created within the directory by default, called the Root Management Group
When no other management group is created, all subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure. It serves as a single billing unit for Azure resources, in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management Group >> Management Group >> Subscription >> Resource Group >> Resources. So for IAM (Identity & Access Management) purposes, a management group is at a higher level than a subscription, a subscription is higher than a resource group, and a resource group is higher than a particular resource.
Please find below the architectural structure for more understanding and a pictorial representation --

How to create an user in azure portal with read only access to all resources in all subscription?

I want to create an user in azure portal with read only access to all resources in all of my subscription.
This user should not be able to modify any thing in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions; besides that, this user should not be able to modify anything on the tenant.
So the best way is to add that user to the Global Reader role (can read everything that a global administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this would help you.
This only covers Azure Active Directory resources. If you are trying to give read-only access to Azure SUBSCRIPTION resources, add the users to the Azure role "Reader".
The best recommendation here will be to add users with the Reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App making requests to the Management API. Reference here. So in your Logic App you basically get a list of subscriptions, iterate over them, and make the RBAC add-assignment request for each of the subscriptions and for your given user(s).
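The per-subscription loop the answer above describes, written out against the Azure Resource Manager REST API, as an added example that is not code from the thread. It lists the subscriptions the caller can see, then PUTs a Reader role assignment at each subscription scope. The HTTP call is injected as a function so the logic can be exercised offline; the `arm_sender` at the bottom is an assumed real sender that reads a bearer token from the `ARM_TOKEN` environment variable (a hypothetical convention, not an Azure one), and it assumes the caller already holds a role that may create role assignments (Owner or User Access Administrator) on each subscription.

```python
"""Added example (not from the thread): grant the built-in Reader role on every
enabled subscription visible to the caller via the ARM REST API."""
import json
import os
import urllib.request
import uuid
from typing import Callable, Optional

ARM = "https://management.azure.com"
# GUID of the built-in Reader role definition (same in every tenant).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae8"

# (method, url, json_body) -> decoded JSON response
Sender = Callable[[str, str, Optional[dict]], dict]


def list_subscription_ids(send: Sender) -> list[str]:
    """GET /subscriptions, following nextLink paging; skip disabled subscriptions."""
    url = f"{ARM}/subscriptions?api-version=2022-12-01"
    found = []
    while url:
        page = send("GET", url, None)
        found += [s["subscriptionId"] for s in page.get("value", [])
                  if s.get("state") == "Enabled"]
        url = page.get("nextLink")
    return found


def reader_assignment(subscription_id: str, principal_id: str,
                      principal_type: str = "User") -> tuple[str, dict]:
    """Build the PUT URL and body for a Reader assignment at subscription scope."""
    scope = f"/subscriptions/{subscription_id}"
    # Role assignment names must be GUIDs; deriving one from (scope, principal, role)
    # means a rerun addresses the same assignment rather than minting a new name.
    name = uuid.uuid5(uuid.NAMESPACE_URL, f"{scope}:{principal_id}:{READER_ROLE_ID}")
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{name}"
           "?api-version=2022-04-01")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{READER_ROLE_ID}",
        "principalId": principal_id,
        "principalType": principal_type,   # lets ARM skip the directory lookup for new principals
    }}
    return url, body


def assign_reader_everywhere(principal_id: str, send: Sender,
                             principal_type: str = "User") -> list[str]:
    """Assign Reader on each subscription; returns the subscription IDs processed."""
    done = []
    for sub in list_subscription_ids(send):
        url, body = reader_assignment(sub, principal_id, principal_type)
        send("PUT", url, body)
        done.append(sub)
    return done


def arm_sender(method: str, url: str, body: Optional[dict]) -> dict:
    """Assumed real sender: bearer token from ARM_TOKEN (hypothetical env var)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {os.environ['ARM_TOKEN']}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Placeholder object ID of the user to grant; replace with the real principal.
    print(assign_reader_everywhere("00000000-0000-0000-0000-000000000000", arm_sender))
```

Reader is assigned rather than the directory-level Global Reader because, as the thread notes, Global Reader covers Azure AD objects, not subscription resources. Assigning at subscription scope also means a subscription created later is not covered; placing the same assignment on a management group would inherit to every subscription beneath it.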

Azure role that can't create resources

I want to find or create an Azure role that has the same capabilities as an Owner, or at the very least a Contributor, but this role should not have access to create Azure resources.
I've been going through the pre-defined roles that exist.
This makes no sense in the Azure RBAC context. You can't edit but not create resources, because both are governed by the same permission: resource/write.
You can achieve something like that by having a role that can do anything except writes, but that would mean that it cannot edit resources, which is probably not what you are after.
Technically you can grant Contributor permissions on each individual resource; that way the user won't be able to create new resources, only modify existing ones (he would be able to delete resources).
I have the same requirements, and I managed to configure it by taking the Contributor role as base and adding
"Microsoft.Resources/*/write"
in notActions section of role JSON configuration.
What it does is that it prevents deployments. Every resource creation is a deployment.
As far as I have tested every "edit" operation on resources works, even deployment slot creation for Web Apps, but you can disable that too if you need.
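The custom role from the answer above, built and evaluated offline as an added example (not code from the thread): Contributor as the base, with `Microsoft.Resources/*/write` added to NotActions. The evaluator applies the Azure RBAC control-plane rule, under which an operation is permitted when it matches an entry in Actions and no entry in NotActions (NotActions subtracts from the grant; it is not a deny). The Contributor NotActions list here is abbreviated and the role name and subscription ID are placeholders. Running it shows the effect both answers describe: template deployments (and resource-group creation, which lives under `Microsoft.Resources`) are blocked, while a provider's own write action such as `Microsoft.Web/sites/write` stays allowed, and that is the same action a direct PUT would use to create a new site.

```python
"""Added example (not from the thread): a Contributor-based custom role that
removes Microsoft.Resources/*/write, plus an evaluator that mirrors how Azure
RBAC decides control-plane operations (Actions minus NotActions, wildcards)."""
import fnmatch
import json

# Abbreviated subset of the built-in Contributor NotActions; the live definition
# is longer and changes over time, so check it before relying on this list.
CONTRIBUTOR_NOT_ACTIONS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
]
CONTRIBUTOR = {"Actions": ["*"], "NotActions": CONTRIBUTOR_NOT_ACTIONS}


def build_role(subscription_id: str) -> dict:
    """Custom role definition in the JSON shape 'az role definition create' accepts."""
    return {
        "Name": "Contributor No Deploy",        # hypothetical role name
        "Description": "Contributor without ARM deployments",
        "Actions": ["*"],
        "NotActions": CONTRIBUTOR_NOT_ACTIONS + ["Microsoft.Resources/*/write"],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def _matches(pattern: str, action: str) -> bool:
    # RBAC action matching is case-insensitive and '*' spans '/' segments,
    # which fnmatch also does because it is not path-aware.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(role: dict, action: str) -> bool:
    """Permitted only if some Actions pattern matches and no NotActions pattern does."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def compare(actions: list[str], subscription_id: str) -> dict[str, tuple[bool, bool]]:
    """For each action: (allowed by built-in Contributor, allowed by the custom role)."""
    custom = build_role(subscription_id)
    return {a: (is_allowed(CONTRIBUTOR, a), is_allowed(custom, a)) for a in actions}


SAMPLE_ACTIONS = [
    "Microsoft.Resources/deployments/write",               # portal/template deployment
    "Microsoft.Resources/subscriptions/resourceGroups/write",  # create a resource group
    "Microsoft.Web/sites/write",                            # edit (or PUT-create) a web app
    "Microsoft.Web/sites/delete",
    "Microsoft.Authorization/roleAssignments/write",        # blocked by Contributor already
]

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    print(json.dumps(build_role(sub), indent=2))
    for action, (builtin, custom) in compare(SAMPLE_ACTIONS, sub).items():
        print(f"{action:60} Contributor={builtin!s:5} custom={custom}")
```

Because the provider-level write is still granted, this role stops the deployment path rather than resource creation as such; if the goal is to prevent any new resource at all, the first answer's per-resource Contributor assignment is the closer fit.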

Move Resource Groups to different azure accounts

I have two Azure subscriptions, Enterprise and MSDN subscriptions. I want to transfer a resource group from one subscription to another. I already found this method, but it requires changing the tenant of one of the subscriptions. How to move resources from subscriptions in different directories in Azure
These accounts have different active directories (Cannot Change Directory). So essentially the tenant ID remains different.
Official docs also mention this way https://azure.microsoft.com/en-in/documentation/articles/resource-group-move-resources/
Are there any alternate methods to move the RG?
I think there is no alternate method to move the RG. What you can do as a workaround is to try to download the Automation Script (ARM template) for your resource group, delete the RG and deploy the template to your new subscription. But this only works for services that use the Resource Manager (not Service Manager).
Also, this only creates the services / infrastructure, but you probably have to redeploy content depending on which resources you are using.
Someone mentioned this can be done by contacting support.
I found that it's possible in some scenarios to do this by moving the resource group to a new/temporary subscription, and then transferring ownership of that subscription to the desired account. It doesn't matter whether the account is on a different domain or not; however, not all resource types can be transferred (e.g. Azure role-based access control assignments).
https://learn.microsoft.com/en-gb/azure/cost-management-billing/manage/billing-subscription-transfer?WT.mc_id=Portal-Microsoft_Azure_SubscriptionManagement

Error creating Azure Batch service

I can't create an Azure Batch service. I keep getting the error: "Please assign Contributor role to "MicrosoftAzureBatch" service principal through your Subscription's Access control (IAM) blade." even after adding it to my subscription's Access control (IAM):
We could get the detailed steps about how to create a Batch account with the Azure portal from the Azure official document. It is odd that you cannot create the service if you have assigned the Contributor role.
If it is still not working for you, please try to create a Batch account. As the document mentions, user subscription mode is no longer recommended for most scenarios.
When creating a Batch account, you should generally choose the default Batch service mode, in which pools are allocated behind the scenes in Azure-managed subscriptions. In the alternative user subscription mode, which is no longer recommended for most scenarios, Batch VMs and other resources are created directly in your subscription when a pool is created. To create a Batch account in user subscription mode, you must also register your subscription with Azure Batch, and associate the account with an Azure Key Vault.
I've already fixed the problem. It seems there was a permissions issue, and the error message was not clarifying at all, though. I've been able to create the Azure Batch service by logging into the Azure portal with the subscription owner account, instead of mine.
