There are many different links out there that talk about how to administer Azure Resources. What I have been looking for is putting all of the different Azure related administrative capabilities all together in one place. Hopefully this post now does that for you too. I am largely cross referencing all of the bits and pieces that are out there and also will put it all together in a simple graphic further below. The Azure administrative categories to know and understand include:
- Enterprise Agreement (EA) administrators
- Subscription Administrators
- Azure Active Directory Administration administrators
- Role Based Access Controls (RBAC) on Azure Resources
When beginning down your journey of building out your Azure Subscriptions, these all should be considered, planned and designed before creating anything. Without an understanding of who can do what, where, when and how, your subscriptions can quickly get out of hand. Anyone every had an Active Directory Forest/Domain assessment and discovered too many domain admins? Too many forests? Too many domains? Say I! Let us learn from the lessons of history and do it right from the beginning. Already gone down this path….never too late to get back on track with understanding who does what and when. Then sprinkle some Governance on top of it all to make sure that this all happens. Remember ITIL? Learn more about the Enterprise Agreement and governance in this Channel 9 video on Azure enrolment: Management, Governance and Reporting.
Caveat – the very top level of these resource may not apply to your organization if you do not already have an Enterprise Agreement (EA) for Azure. These resources include that agreement. So if it doesn’t apply to your organization, just kindly ignore that part. Watch and learn more about EA Agreements at Ignite Australia Azure enrolment: Management, Governance and Reporting.
The journey for larger organizations begins with the Enterprise Agreement, which creates 1 or more subscriptions. Each subscription has 1 Azure Active Directory tenant associated with it. And then either uses that are synchronized from the on-premises Active Directory environment, or users created in Azure Active Directory, can be assigned Role Based Access Control (RBAC) on any Azure resource. The RBAC assignment can control who can do what at three different scopes:
- The Subscription
- Any Azure Resource Group
- Any Azure Resource
And like all good permissions, they are inherited from top down in the order above.
Here are resources to dive into the various administrative capabilities from the EA portal down to the Azure Resources.
- ENTERPISE AGREEMENT PORTAL
- AZURE SUBSCRIPTION
- Subscription and accounts guidelines
- How to add or change Azure administrator roles
- Changing Service Administrator and Co-Administrator when logged-in with an organizational account
- Transferring ownership of an Azure subscription
- Azure Billing and Subscription FAQ
- Note: if you have an Enterprise agreement, billing will be driven by that
- AZURE ACTIVE DIRECTORY
- ROLE BASED ACCESS CONTROLS