Microsoft Azure Notes - Part 3

Continuation of part 1 and part 2 and here the part 3 notes on Azure.

Build a cloud governance strategy on Azure

Control access to cloud resources by using Azure role-based access control

Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created, Azure enables you to control access through Azure role-based access control (Azure RBAC).

Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all of the associated access permissions.

How is role-based access control applied to resources?

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

Scopes include:

·         A management group (a collection of multiple subscriptions).

·         A single subscription.

·         A resource group.

·         A single resource.

ObserversUsers managing resourcesAdmins, and Automated processes illustrate the kinds of users or accounts that would typically be assigned each of the various roles.

When you grant access at a parent scope, those permissions are inherited by all child scopes. For example:

·         When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.

·         When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.

·         When you assign the Contributor role to an application at the resource group scope, the application can manage resources of all types within that resource group, but not other resource groups within the subscription.

Use Azure RBAC when you need to:

·         Allow one user to manage VMs in a subscription and another user to manage virtual networks.

·         Allow a database administrator group to manage SQL databases in a subscription.

·         Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.

·         Allow an application to access all resources in a resource group.


How is Azure RBAC enforced?

Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn't enforce access permissions at the application or data level. Application security must be handled by your application.

RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

Who does Azure RBAC apply to?

You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities. These identity types are used by applications and services to automate access to Azure resources.

Tailwind Traders has the following teams with an interest in some part of their overall IT environment:

·         IT Administrators This team has ultimate ownership of technology assets, both on-premises and in the cloud. The team requires full control of all resources.

·         Backup and Disaster Recovery This team is responsible for managing the health of regular backups and invoking any data or system recoveries.

·         Cost and Billing People in this team track and report on technology-related spend. They also manage the organization's internal budgets.

·         Security Operations This team monitors and responds to any technology-related security incidents. The team requires ongoing access to log files and security alerts.



How do I manage Azure RBAC permissions?

You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.

The following screenshot shows an example of the Access control (IAM) pane for a resource group. In this example, Alain Charon has been assigned the Backup Operator role for this resource group. 

Comments

Post a Comment

Popular posts from this blog

How to fix Azure DevOps error MSB4126

Image
Setting up build and release pipeline always tedious and we face many build related issues. Here is one common error I face couple of times while setting app Web or windows apps in Azure DevOps After placing the code in repos, and creating the build pipeline and run it, you can face the following error ##[error]D:\a\8\s\<your solution file>.sln.metaproj(0,0): Error MSB4126: The specified solution configuration "release|$(BuildPlatform)" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration. To understand what is target platform defined in your project you need to visit or open the solution(.sln) file and review the following sections. In my case, this has been defined as x86 as target platform.                   GlobalSecti
Read more

SharePoint Admin Center

Image
 SharePoint Admin Center allows you to view your organization's SharePoint site including communication sites, channel sites, and sites that belong to Microsoft 365 group. This is same like Site Admin in earlier days of SharePoint versions. You can search organizational site, sort them or filter sites the way you want. Easy way to find and apply/change site settings. Under Policies, click on Sharing - This will allow you to create rules/ set control sharing at the organization level in SharePoint and OneDrive Here, in this page, you can apply settings to restrict how users are allowed to access content in SharePoint and OneDrive. Term store, the word getting populated from SharePoint 2010. You can feed metadata of metadata information of your organization level, program level, project level in Term store. helps your organization's knowledge better.  AI soon will play a vital role here and using AI, you can acyually find collect and process and finally yoour organization's d
Read more

How to create Custom Visuals in Power BI – Initial few Steps

Image
This post will help you to know the steps to create custom visuals in PowerBI. Microsoft defined them as well at https://docs.microsoft.com/en-us/power-bi/service-custom-visuals-getting-started-with-developer-tools . First things first, and you need to download and install NodeJS , in case if you do not have npm setup in your machine.  Second step is to run couple of npm commands to install Power BI Visual Tools and create & publish the cert. Finally, create your own package and upload with the help of npm. 1.       npm install -g powerbi-visuals-tools 2.       pbiviz --create-cert pbiviz --install-cert 3.       pbiviz new My Visual name – This will create the file under the name of your visual file. 4.      pbiviz start – You need to go to the folder where your custom visual  resides, and run this command. You can change a few things in your pbiviz.json file, like author, display name, icon, style etc. Finally, package your
Read more