We are looking at using Azure Jobs for out multi-tenant platform, but want to figure the best way to do security for it, without using a certificate that has access to our whole Azure account.
We have a Resource Group called "Scheduler" and for each tenant we create a Job Collection with the Tentants Id "Tenant{tenant.Id}".
Currently we do this using SchedulerManagementClient and passing in CertificateCloudCredentials. We could use the Token to do this, but I believe it still has the same problem - in that the credentials have access to the full azure account, which we don't want.
Ideally we would like to lock down creation to the resource group "Scheduler" and create a certificate/token for this.
Is there a way to do that? Is there a better way to do what we are doing anyway?
Ok I figured this out, as is always the way it seems when you finally post something on StackOverflow. Everything was complicated by the fact I was using the old management libraries (Microsoft.WindowsAzure.Management) and not the new libraries (Microsoft.Azure.Management).
Basically I needed to create an application, and then assign that application roles just like you do users. This also helped:
https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
Related
We are looking to force all Azure access assignments to go through our management groups instead of at the subscription level. Basically we don't want access to be able to be assigned per subscription and want to block that capability. This way we are forced to grant access at the Management Group level instead.
Is there any way to do this, maybe via a Policy somehow?
Thanks for the helping!
Just copy the answer from QnA for other communities reference (it seems the question in QnA is also asked by same OP).
Currently it is not possible and we can submit a feature request here
I have one AD associated with one subscription and I need to create two users and need to isolate the resources created by them. Is this really possible? since I am new to Azure I am not much aware of this. It would be great if someone render their hand.
I need to create two users and need to isolate the resources created by them. Is this really possible?
Yes. To isolate them from a management and administration point-of-view, create two resource groups, and add each user to the appropriate role on one resource group.
I want to create an Azure Function that would retrieve the Sources Groups List, I found related question
here, but I'm wondering if there could be another alternative as this function will be hosted in the same Azure subscription, without making REST requests.
It is not possible to have it without a call. Having something in the resource group does not grant access out of the box to list other resources in that resource group. That could be a security issue.
There are a couple of different ways to get the desired information. It could be done via a REST API call, Powershell, Azure CLI etc.
There is a way to use Powershell in Azure Functions, but it is currently in the preview. I have not tried this before, but maybe you can try to leverage this to call the simple PowerShell command to get the resources. That way you are not calling the rest API, at least not directly.
If you ask me, and if you really need an Azure function to do this, going with REST API call is the safest bet.
We have Azure environment with 3 different subscription and around 5 project resources are deployed in this environment.
Each project team has rights to create resources under specific Resource Group (RG) within Azure.
Now from Azure Admin perspective, i would like to know Who, When
This is basic requirements for any organization to track their cost, resource information. When i looked in Azure, this information is not available directly at resource level.
Few posts are mentioning to use Tagging for this or use logs (2 years back, really?)? Is it? I am surprised.
Can i use Application Insight for this? or only available for App Service kind of services?
Please help me to get this information in efficient way
Your only option is to implement some sort of logging (like poll Azure Subscription events) and save it somewhere. You can use Azure Monitor to achieve that rather easily. But by itself Azure doesnt offer anything like that out of the box.
you can use tagging, but with obvious challenges. logs only go 3 months back.
If you modify a resource through the Azure Portal, you may forget to update your ARM JSON before your next deployment and this would lead to an outdated deployment.
Also, if you have system admins taking care of your Azure Portal and your developers keeping track of ARM JSON in the source control, you need a good way to make sure to keep the environments consistent.
What would be the best practise to do that?
That's an easy question, don't modify anything through the portal. Or follow the change process as described by ITIL, or invent your own wheel.
But apart from that, there is no answer, there is no way your repository will magically sync with what you actually have.