Azure Subscription Policies - azure

I would need to create a policy at the subscription level so that a Contributor is not able to create virtual machines, virtual networks or any VNets. Only Owners are able to create VNets. How do I do this?

It looks like you might need to create a custom role.
You can add various roles using RBAC for Access management of cloud resources.
The following document has the information on all the built-in roles in Azure RBAC:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
If built-in roles do not fulfill your requirements, you can also create your own custom roles using PowerShell:
https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
Here is the Azure doc on understanding the various roles and creating them in the Azure portal:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
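As an added example (not part of the original answer), this is how the custom role the answer suggests can be built with the Az PowerShell module: a copy of the built-in Contributor role with the VM and VNet create/update operations subtracted. It assumes Connect-AzAccount has been run and uses a placeholder subscription id.

```powershell
# Added example, not from the original post. Assumes the Az module is installed
# and Connect-AzAccount has been run by someone allowed to create role definitions.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your own

# Start from a copy of the built-in Contributor role
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id = $null                 # a new definition must not reuse the built-in id
$role.IsCustom = $true
$role.Name = "Contributor - No VM or VNet Create"
$role.Description = "Contributor rights minus creating or updating virtual machines and virtual networks"

# NotActions subtracts from the "*" Action that Contributor grants.
# Only the write (create/update) operations are removed here; read stays as before.
$role.NotActions.Add("Microsoft.Compute/virtualMachines/write")
$role.NotActions.Add("Microsoft.Network/virtualNetworks/write")
$role.NotActions.Add("Microsoft.Network/virtualNetworks/subnets/write")

# The role may only be assigned within the subscription from the question
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Check the stored definition before assigning it to anyone
Get-AzRoleDefinition -Name $role.Name | Select-Object Name, Actions, NotActions, AssignableScopes
```

NotActions only narrows this one role: a user who also holds Contributor or Owner through another assignment at any scope still keeps those operations, so review existing assignments before relying on it.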

Related

Azure RBAC Custom Roles

I am currently trying to work out a concept for a roles and rights concept. Azure RBAC already has a few built-in roles, but I am trying to create a few more custom roles. Are custom roles directly linked to the RBAC? And does anyone have any suggestions for which roles I should definitely add? I'm not familiar with all applications in Azure at the moment since I have only been working with Azure for a few weeks, so I would appreciate some suggestions. I am also trying to understand the hierarchy and structure behind Azure RBAC.
If anyone has worked out such a concept themselves or works a lot with Azure RBAC, feel free to share your experiences or results!
Azure role-based access control (Azure RBAC) helps manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Create your own custom roles. Just like built-in roles, assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Azure Policy to limit number of global administrator users

We need to create an Azure policy to restrict the user count with the Global Administrator role to 5 at a time. But there is no reference on how we can get the role and count its members in Azure Policy. Please let me know how I can approach this.
Note: We need Azure Policy and not PowerShell or portal steps to enforce the restriction.
It is not possible to manage Azure AD roles using Azure Policy; Global Administrator is an Azure AD role. Please refer to this document.
Azure Policy doesn't restrict actions (also called operations), and Azure policies are different; they are for Azure resources, not for Azure AD.

Azure Automation Privileges

I have two subscriptions.
On one subscription I run logic apps and on the logic apps I have azure functions.
The other subscription contains the target resources for the automation via Logic Apps and Azure Functions.
In order to run the Logic Apps and the Azure Functions associated with them, what privileges do I need on the target subscriptions? I want to be able to do things like stop VMs, change NSG settings, run malware scans, etc.
Do I need to run the Logic App using an account that has Owner permissions on both subscriptions?
Regards,
Kelly
It's best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either set up Managed Identity or use the Client Credentials Flow using the Service Principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.

Automation RBAC requirements for Security Center/Sentinel Playbooks

I am currently in the process of setting up a Sentinel POC. Within Sentinel you have playbooks, which are basically Logic Apps; it is the same as the playbooks in Security Center.
I need to know what permissions I need on target subscriptions in order to automate remediation of alerts, for example isolate a VM, stop a VM, etc.
Our Sentinel will have its own subscription in a tenant where there are hundreds of subscriptions.
It's best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
As for the exact permissions for this service principal / managed identity, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
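The two answers above (the Logic Apps automation question and the Sentinel playbooks question) recommend one service principal holding a narrow built-in role on each target subscription. As an added example, not code from either answer, this creates that principal and grants it only Virtual Machine Contributor per target subscription; the subscription ids are placeholders and the account running it is assumed to hold Owner or User Access Administrator on those subscriptions.

```powershell
# Added example, not from the original posts. Assumes the Az module is installed
# and Connect-AzAccount has been run with rights to assign roles on the targets.
$targetSubscriptions = @(
    "11111111-1111-1111-1111-111111111111",   # placeholder target subscription
    "22222222-2222-2222-2222-222222222222"    # placeholder target subscription
)
# For a tenant with many subscriptions, enumerate them with Get-AzSubscription instead.

# One identity for all playbooks. The credential this returns belongs in Key Vault,
# referenced from the Logic App, never pasted into the workflow definition.
$sp = New-AzADServicePrincipal -DisplayName "sentinel-playbook-automation"

foreach ($subId in $targetSubscriptions) {
    $scope = "/subscriptions/$subId"
    # Least privilege: Virtual Machine Contributor covers start/stop/restart/deallocate
    # but does not include writing NSG rules or assigning roles. Add Network Contributor
    # separately, and only where a playbook really has to edit NSGs.
    New-AzRoleAssignment -ApplicationId $sp.AppId `
                         -RoleDefinitionName "Virtual Machine Contributor" `
                         -Scope $scope
}

# Verify: every assignment the service principal holds, with its scope
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope

# Inspect what the role actually permits before trusting it for remediation
(Get-AzRoleDefinition -Name "Virtual Machine Contributor").Actions
```

Role assignments and the principal's sign-ins show up in the Activity Log and Azure AD sign-in logs, which is where to alert if the automation identity is used from an unexpected source.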

Only give PS access to a specific VM?

I have a VM running in Azure which I would like the client to be able to turn on/off easily. I thought this would be simple; just a PS script that performs a startup/shutdown/dealloc. But it seems I can't generate an "Azure Publish Settings" file that only gives access to that VM? At the moment it seems I can only control this at the subscription level?
The Azure Publish Settings file basically contains the access information for an entire Azure subscription. It does not specify access to a specific resource (e.g. VM) but to all resources inside of a subscription.
To limit access to a subset of resources in Azure, you should be looking at the new role-based access (RBAC) functionality, which is available in the Azure preview portal and the latest Azure PowerShell cmdlets.
How it works is that you create an Azure resource group, to which you can assign roles with specific rights, and to this role you can then assign individual users.
Check the following Azure documentation link for details on how to do this.
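As an added example of the RBAC approach the answer describes (not code from the answer, and using the current Az module rather than the preview-era cmdlets it refers to), this grants one user Virtual Machine Contributor scoped to a single VM resource, so their PowerShell can start, stop and deallocate that VM and nothing else in the subscription. The resource group, VM name and user sign-in name are placeholders.

```powershell
# Added example, not from the original post. Assumes the Az module is installed
# and Connect-AzAccount has been run by an Owner / User Access Administrator.
$resourceGroup = "rg-client-vm"               # placeholder
$vmName        = "vm-client-01"               # placeholder
$clientUser    = "client@example.com"         # placeholder sign-in name

# The assignment scope is the VM's own resource id, not the resource group or subscription
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

New-AzRoleAssignment -SignInName $clientUser `
                     -RoleDefinitionName "Virtual Machine Contributor" `
                     -Scope $vm.Id

# Verify the scope: the client should have exactly one assignment, on this VM only
Get-AzRoleAssignment -SignInName $clientUser |
    Select-Object RoleDefinitionName, Scope

# What the client can now run after Connect-AzAccount with their own credentials:
#   Stop-AzVM  -ResourceGroupName $resourceGroup -Name $vmName   # deallocates by default
#   Start-AzVM -ResourceGroupName $resourceGroup -Name $vmName
```

Resource-scoped assignments let the client see only that VM in the portal and in Get-AzVM, which is the intended least-privilege outcome; remove the assignment with Remove-AzRoleAssignment when the engagement ends.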
