We're using Azure to maintain our development and QA servers.
One of the needs we have now, is to provide our QA members access to update web.config file on the server, which can be achieved via Visual Studio Server's Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft will come up with something better :)
Thanks Brendan!
Related
I am a Solution Architect responsible for setting up a project's infrastructure on Azure. The project should be running in multiple environments (dev, staging, prod). As far as I learned the best practice regarding environment separation in Azure is to use Resource Groups. That's what I did.
However, this is where things start getting tricky. Our application will use Azure AD as OAuth Authorization Server. I want to have my AD isolated, like everything else in my infrastructure. I don't want to accidentally modify a production user from the dev environment and for the dev environment, I want to be able to create a ton of test users which I don't want to see in production. So, isolation.
The problem is I don't see any option on how to do this. My first instinct was to create multiple ADs. But when I do that, they actually need to create a completely new tenant for each of these environments. This seems really messy to me. Have to support as many (almost empty) tenants as I want to have environments.
Please, what is the right way how to do this?
Does Azure AD have some kind of support for isolation I require?
Am I missing something?
Note: this question was also asked in MS Q&A.
You're correct that a tenant is equivalent to a directory and a user is either in the directory or it's not. However, using RBAC, you can restrict the permissions on users so that they can't access particular services. It would be good if you separated permissions by subscription which is what a lot of major companies do and that's how they know which workload a subscription handles.
I want to provide/restrict access to resources based on IP from my google cloud vm to prevent my dev team downloading/uploading the code to public drives.
Everything is working fine up to now.But I want to provide access to Visual studio online TFS with my outlook account.
I created visual studio online account for Version control.
URL: https://eschooltest.visualstudio.com
Region: Canada Central
I came to know vs online IPs are published every wednesday and downloaded from the below url and added these canada central Ips to Google Firewall system with allow access.
https://www.visualstudio.com/team-services/support/ip-addresses-used-hosted-build/
But still I am not able to access vs url.I pinged this url from command prompt and found the ip is 13.107.6.175 which is not present in the canada central IP list and also not present in the whole ip list of all regions.
Can someone help to achieve the requirement? OR please let me know if there is an elegant way of doing this.
if this is not possible with VS online, I am planning to set up TFS express in another VM to prevent leaking of my code to outside world though this is cumbersome.
EDIT:
1. Why this ip is not present in the Published xml?
VSTS does not offer any type of IP-based filter — so you can't do like in SQL Azure, in which you add and/or remove IPs that can access the service on Azure. About this area take a look at thie blog: Prevent users from accessing the VSTS out of the workplace
You should take a look at the official tutorial how to Manage conditional access to VSTS
Conditional access offers simple ways to help secure resources for
VSTS accounts backed by an Azure Active Directory (AAD) tenant.
Conditional access policies like multi-factor authentication can help
protect against the risk of compromised credentials and help keep your
organization's data safe. For example, in addition to requiring
credentials, you can have a policy that only devices connected to a
corporate network can gain access.
We're completely upgrading our production and development environment from co-located boxes to an Azure implementation and we'll be developing using Visual Studio Online. Up until this point our dev has occurred on a Remote Desktop environment where developers were logging into Windows server and developing on that RDP box.
We want to set this up and we have some confusion about the Account types/set up types.
It appears there are two ways to set up our Azure and two ways to set up our developers. We are a MS partner w/ some MSDN licenses and Azure credits.
So for Azure we can use our existing MS accounts and just set up an Azure Pay As You Go (PAYG) subscription. This was suggested to us initially but it seems weird to have the entire companies Azure environment going through an individuals live ID. Then we saw we can sign up as an Organization now and it uses Azure AD. We have not been using Active Directory and we're not sure how much complexity this is going to add to our administration. Is there a discernible difference/benefit to going one way or the other?
Then, when we sign up our developers we can either have everyone sign up with their live ID's (we have MSDN w/ VS Premium credits for all developers) or we can set them up using Active Directory with Work Accounts. Having our credits allotted in work accounts sounds like a good way to control things at first reading, but it also seems a bit more complex. I'm wondering if there is much difference between MSDN accounts signed up w/ live IDs or AD Work Accounts. I can't find a real comparison article or pro/con type of discussion anywhere.
It sounds like you have already figured out the main differences. As an organization, I would suggest signing up for Azure as an organization. You can do that here. This is going to give you the management capabilities for resources typically needed by an organization.
Your developers can continue to use the MSDN subscriptions. As Dylan commented, these are not to be used for production environments. You should consider using these for Dev/Test environments and activating your MSDN benefits. This will save you some money. More on that here.
Visual Studio Online will work with your Work Accounts and again give you more control over managing your online resources. This link describes the sign-up process for both Microsoft Accounts and Work Accounts. And if you scroll down a bit you will find your original question specifically addressed.
Finally, you can also add your Work Account(s) to your existing MSDN subscriptions if you like. This way you (and your developers) can use the same account credentials when accessing Azure Subscriptions. Information on how to do that is available in this link.
Your Work Account subscription should be limited to personnel responsible for managing your "production" environment.
After signing up for Azure as an Organization, you can add users to the directory as described here. You can also add "external" users using their existing Microsoft Accounts. It's just a few dialogs to add a user.
I'm trying to use Set up deployment from source control to allow publishing from my TFS project to Azure, but for some reason after I authorize, it says I have no projects. The accounts are correct, I was just wondering, is there some kind of criteria for it to allow the integration or something?
I get this window
Yet I have two projects on my TFS Account.
Ended up closing my azure account and getting off of team foundation service, that solved the problem.
In our company we use TFS for issues tracking. For now we are thinking to create a new project and made it accessible outside from company network for one customer (we will create a separate user for that).
The biggest concern here is that we will create external access and it became potentially hackable.
Could you please share own experience for this case?
Do you know any useful information to read about TFS security that is related to access from outside network.
Thanks a lot. Any thoughts are welcome!
While you can technically put SSL on the TFS Web Services, the general best practice is to:
1) Require use of Team Explorer over a VPN connection
or
2) Implement Team System Web Access
Other thoughts would be to setup a tfs instance with a hosted tfs provider and then do some automation to provide work item replication. Do you intend the customer to be read only or will they update and submit?