I am having a hard time finding a way to list instances and, more importantly, the user that created them respectively.
Going through the hundreds of options inside the activity logs has yet to turn up anything concrete for me as it seems sometimes this data is recorded and other times it is not.
The end goal is to be able to find any resource that is created and who created it (be it a user or a group) so that tags can be issued to each resource, allowing for easy separation of resources by the groups that are responsible for them.
Is anyone aware of a way to display this data or if it is even possible?
Thanks!
Instance? Do you mean an Azure VM? If yes, you can find who created it in the Activity log. Note: you can only search logs within the last 90 days unless you save the logs to a storage account.
You could search it as below:
I have the following requirements, where I consider using Azure LogicApp:
Files placed in Azure Blob Storage must be migrated into a custom place (it can be different from case to case)
Amount of files is something about 1 000 000
When the process is over, we should have a report saying how many records (files) failed
If the process stopped somewhere in the middle, the next run must take only files that have not been migrated
The process must be fast as it can be and files must be migrated within N hours
But what makes me worried is the fact that I cannot find any examples or articles (including official Azure Documentation) where the same thing is achieved by Azure LogicApp.
I have some ideas about my requirements and Azure Logic App:
I think that I must use pagination for dealing with this amount of files because Azure Logic App will not be able to read millions of file names - https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-exceed-default-page-size-with-pagination
I can add a record into Azure Table Storage to track failed migrations (something like creating a record to say that the process started and updating it when the file is moved to the destination)
I have no idea how I can restart the Azure Logic App without using a custom tracking mechanism (for instance, it can be the same Azure Table Storage instance)
And the question about splitting the work across several units is still open
Do you think that Azure Logic App is the right choice for my needs or I should consider something else? If Azure LogicApp can work for me, could you please share your thoughts and ideas on how I can achieve the given requirements?
I don't think Logic App is a good solution for you to implement the requirement, because the amount of files is about 1,000,000, which is too much. For this requirement, I suggest you use Azure Data Factory.
To migrate data in Azure Blob Storage using Data Factory, you can refer to this document.
I want to have a control in Azure regarding new and deleted items
I need a query to know "who" and "when" a resource is created or deleted in Azure
Is this possible? How can I do this query?
Whenever a resource is created or deleted, information about that operation is stored in Azure Activity Logs. You should be able to find the information by querying that.
Another alternative would be to make use of Azure Event Grid and subscribe to Subscription Events. You can subscribe to Microsoft.Resources.ResourceWriteSuccess (for creation/update of resources) and Microsoft.Resources.ResourceDeleteSuccess (for resource deletion) events and take action on these events in near real time.
Within the Azure Portal, you can view these types of events from the past 90 days in the Activity Log blade.
For access to events occurring more than 90 days in the past, you need to pre-emptively set up log archival as detailed in the Export the Azure Activity Log article.
If you are planning to use the export Activity Log feature, please make sure you use the new diagnostic setting feature on Azure subscription to export Activity Logs. This feature offers multiple improvements over the old features such as Logprofiles or the Activity Log solution (Log Analytics).
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings-template
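As an added illustration of both the "which user created this VM" question above and the "who and when" question here (this is example code, not part of any answer on the page): once Activity Log records are exported, a small script can reduce the write/delete operations to a creator, last modifier and deleter per resource, and derive the "createdBy" tags the first asker wanted. The sample records are constructed, and the field names (`caller`, `identity.claims.name`, `resultType`) are a simplified subset of the Activity Log schema, assumed here for the example.

```python
import json
from typing import Dict, Iterable

# Constructed sample of exported Activity Log records as JSON lines. Field names
# are a simplified subset of the real schema (assumption for this example).
SAMPLE_LOG = """
{"time":"2023-05-01T09:00:00Z","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1","operationName":"Microsoft.Compute/virtualMachines/write","resultType":"Start","caller":"alice@example.com"}
{"time":"2023-05-01T09:00:30Z","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1","operationName":"Microsoft.Compute/virtualMachines/write","resultType":"Success","caller":"alice@example.com"}
{"time":"2023-05-02T11:00:00Z","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1","operationName":"Microsoft.Compute/virtualMachines/write","resultType":"Success","caller":"bob@example.com"}
{"time":"2023-05-03T08:00:00Z","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stg1","operationName":"Microsoft.Storage/storageAccounts/write","resultType":"Success","identity":{"claims":{"name":"deploy-sp"}}}
{"time":"2023-05-04T17:00:00Z","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1","operationName":"Microsoft.Compute/virtualMachines/delete","resultType":"Success","caller":"carol@example.com"}
"""

NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def caller_of(rec: dict) -> str:
    """Best-effort principal name: top-level 'caller', else a name claim."""
    if rec.get("caller"):
        return rec["caller"]
    claims = rec.get("identity", {}).get("claims", {})
    return claims.get("name") or claims.get(NAME_CLAIM) or "unknown"


def resource_lifecycle(lines: Iterable[str]) -> Dict[str, dict]:
    """Map each resourceId to who created, last wrote and deleted it.

    Only 'Success' records count ('Start' and failures are skipped). Because a
    write operation fires for updates as well, the FIRST successful write is
    treated as the creation (an assumption; keep that caveat in mind).
    """
    records = [json.loads(l) for l in lines if l.strip()]
    records.sort(key=lambda r: r["time"])  # first/last only make sense in time order
    out: Dict[str, dict] = {}
    for rec in records:
        if rec.get("resultType") != "Success":
            continue
        op = rec["operationName"].lower()
        entry = out.setdefault(rec["resourceId"].lower(), {})  # resource IDs are case-insensitive
        who, when = caller_of(rec), rec["time"]
        if op.endswith("/write"):
            entry.setdefault("createdBy", who)
            entry.setdefault("createdAt", when)
            entry["lastWriteBy"], entry["lastWriteAt"] = who, when
        elif op.endswith("/delete"):
            entry["deletedBy"], entry["deletedAt"] = who, when
    return out


def creator_tags(lifecycle: Dict[str, dict]) -> Dict[str, dict]:
    """Tag values to apply to resources that still exist (skips deleted ones)."""
    return {rid: {"createdBy": e["createdBy"], "createdAt": e["createdAt"]}
            for rid, e in lifecycle.items() if "createdBy" in e and "deletedBy" not in e}
```

Run it over a real export only after confirming the field names against the schema of your sink; records written by the legacy log profile and by a diagnostic setting are not identical.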
We are a software company, so we set up solutions for other companies. I guess we are not unique in this regard :) so I would like to know if we should create a new subscription each time or just a resource group.
Requirements:
We should be able to bill each customer/project separately
They should be able to take control of their resources easily and move to another company
Managing them should not be a headache
What we have tried
We've tried adding a subscription for each customer. This way, we could just change the admin profile and they could completely move away from us.
The billing is also OK, since we receive a different email for each subscription, but managing them is becoming a real headache.
What I guess could work
From what I read, I guess we could work with resource groups instead of subscriptions and handle the billing part with tags (haven't tried it yet; can we?), but then I'm afraid of not being able to move it to another subscription when they ask us.
Is it even possible? How easy is that? Does it involve contacting support?
Has anyone tried it?
I would advise against billing using resource groups and tags. The reports are a real mess and 100% unusable. Also, it's a lot of extra work for nothing (seriously, do you care if you have 1 subscription or 10?) and adds no real benefit.
Also, you can move resources across subscriptions of different tenants. The best way of handling this is doing a subscription move. That way you don't have to do anything else. They just link your subscription to another tenant and you are good.
I'm talking from the perspective of administering dozens of subscriptions, and believe me, if you move away from subscriptions to resource groups (as a billing/security boundary) you will get completely devastated by the increased complexity of what you are doing.
In my experience working with organisations that provide similar hosting services to customers, I'd say resource groups are the way to go to avoid too much segregation. It's easier for you to keep control of the resources as well as keeping the cost low if you decide to use shared compute resources such as Application Gateway, DDoS protection, etc.
Bear in mind that depending on what level of permission you're giving to your clients, they might have access to information from other clients, so it's important to come up with a good security and governance plan for the Azure environment and strictly limit what they can access.
Moving things from one subscription to another is easy as long as you're using resources within the supported move list. Check the list below:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources
You don't have to open a ticket with Microsoft to move these resources, and the move can be easily done through the portal interface as long as you select all the resources and their dependencies and you have access to both subscriptions. If your client decides to move their stuff to their own Azure subscription, they will have to give you permission on that. If the resource you're trying to move is not in the supported list, not even Microsoft can move it.
From a billing perspective, I'd say separating by RG and using tags is the way to go as that can be easily filtered in your exported Azure consumption usage report.
We are looking at using Azure Jobs for our multi-tenant platform, but want to figure out the best way to do security for it, without using a certificate that has access to our whole Azure account.
We have a Resource Group called "Scheduler" and for each tenant we create a Job Collection with the tenant's Id "Tenant{tenant.Id}".
Currently we do this using SchedulerManagementClient and passing in CertificateCloudCredentials. We could use the Token to do this, but I believe it still has the same problem, in that the credentials have access to the full Azure account, which we don't want.
Ideally we would like to lock down creation to the resource group "Scheduler" and create a certificate/token for this.
Is there a way to do that? Is there a better way to do what we are doing anyway?
Ok I figured this out, as is always the way it seems when you finally post something on StackOverflow. Everything was complicated by the fact I was using the old management libraries (Microsoft.WindowsAzure.Management) and not the new libraries (Microsoft.Azure.Management).
Basically I needed to create an application, and then assign that application roles just like you do users. This also helped:
https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
One query about Windows Azure: is there any way to get a programmatic list of the Regions which we choose from while hosting our app?
CLI:
az account list-locations
PowerShell:
Get-AzLocation
The only way that I can think of is to use the REST Management API.
You have to query the Management API and call the List Locations method. You will however need a management certificate and a subscription id to do so. You can have the result cached for some time if you are doing it very often. I think that 1 hour is a fair enough time to keep the locations cached. I don't expect that a change would happen that often, but it's good to refresh your list of locations from time to time.
Here is one example you can use. And here is a NuGet package that wraps everything around, so you don't need to construct your REST calls manually.