1. Azure Solution Alignment Workshop
11/13/2017 9:37 PM
Azure Solution Alignment Workshop
Azure Subscription Model Design Workshop
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Why are we here today? Purpose of this workshop
Develop the foundational Azure Subscription Design

3. Expected Outcomes from this Workshop
Decisions:
Subscription requirements and design to support Azure Pilot migrations
Regional approach for DR (Disaster Recovery)
High level Azure RBAC (Role Based Access Control) approach
Azure Resource management approach

4. Expected Outcomes from this Workshop
Deliverable:
Azure subscription design doc

5. Expected Outcomes from this Workshop
How we will know if the workshop is successful
The Azure Subscription Design document is signed-off.

6. High Level Agenda Azure Subscription Overview Design & Requirements
11/13/2017 9:37 PM
High Level Agenda
Azure Subscription Overview
Design & Requirements
Azure Resource Model
Azure RBAC (Role Based Access Control)
Azure Resource Manager Resource Locks
Azure Resource Manager Policy Management
Key Decisions
Next Steps
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. 11/13/2017 9:37 PM
Introductions
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Microsoft Services Azure Project Delivery Team
11/13/2017 9:37 PM
Microsoft Services Azure Project Delivery Team
<Enter the names of Microsoft Team>
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. Customer Team Each person take a minute to introduce yourself
11/13/2017 9:37 PM
Customer Team
Each person take a minute to introduce yourself
Your Name
Your Role
Time with the organization
Your familiarity with Microsoft Azure or Public Cloud
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. Azure Subscription Overview
11/13/2017 9:37 PM
Azure Subscription Overview
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11. Subscription Principles
11/13/2017 9:37 PM
Subscription Principles
Subscriptions are…
Administrative security boundary
Support RBAC delegation
A billing unit
Logical limit of scale
First container that you create
Considerations
Subscriptions do not cost anything
Each subscription has its own admins, although a single account can be an admin in multiple subscriptions
Are global
Initially a subscription was the administrative security boundary of Microsoft Azure. With the advent of Azure Resource Management (ARM) environment, a subscription now has two administrative models. Service Management and Azure Resource Management. With ARM the subscription is no longer needed as an administrative boundary. ARM provides a more granular Roles Based Access Control (RBAC) model for assigning administrative rights at the resource level. RBAC is currently being released in stages, 32 new roles have been released and user defined roles is coming in a future release. There will be some complexity during the coexistence of the service management and resource management environments and will need to be carefully considered.
A subscription additionally forms the billing unit. Services charges are accrued to the subscription currently, as part of the new Azure Resource Management model it will be possible to roll up costs to a resource group. A standard naming convention for Azure resource object types can be used to manage billing across projects teams, business units, or other desired view.
A logical limit of scale by which resources can be allocated, these limits include both hard and soft caps of various resource types (like 10,000 compute cores /subscription) and are changing as capacity and capabilities are updated within Azure. Scalability will continue to be a function of subscriptions and therefore is a key element to understand how the Subscription strategy will account for growth as consumption increases.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. Containers and Resources
Subscription is the top level container
Create Resource groups in the subscription
Place resources within the resource groups

13. Azure Governance Layers
Enterprise
Aerospace
Auto
Application 1
Application 2
Application 3
Lin Chi
Adi Krishnan
Europe
North America
Project 1
Project 2
Project 3
Ted Bear
Grace Ma
Marketing
Finance
Project 1 Dev
Project 1 Test
Production Web Sites
Functional
Joe Smith
Jane Doe
Subscriptions
Business Division
Geographic
Accounts
Departments
[optional]
The Azure governance layers, roles, portals etc.. provide the technical means that can be used in different ways. Some customer prefer to use functional differentiation, others business division based or geographical or even a combination.

14. Management Portals Enterprise Portal Account Portal Management Portal
Location
Purpose
Enterprise Portal
Manage access
Manage accounts
Manage subscriptions
View price sheet
View usage summary
Manage usage & lifecycle notifications
Manage Authentication Types
Account Portal
Edit subscription details
Enroll in or enable Preview features
Management Portal or
Provision/de-provision Azure services
Manage co-administrators on subscriptions
Open support tickets for issues within the subscription 

15. Azure governance structure
CLI / Custom
Enterprise portal
Azure Management Portal
REST API’s
Azure
RBAC
Enterprise (enrollment)
Account portal
Department
Azure Resource Manager
Azure resources
Has
The three portals serve different audiences and needs and provide administrative boundaries. This picture can be used to provide answers on how these portals are related to one another.
Associated

16. Account and Subscription Management
The above diagrams explain what the account admin, service admin and coadmin roles are used for, these roles can be assigned to one or multiple identities.

17. Subscription Considerations
Management approach
Single team or distributed
RBAC
Security requirements
Data or network security
Environments - Sandbox, Dev, Test, UAT, Pre-Prod, Prod
Connectivity requirements
Single point of ingress?
Multiple regions?
Application requirements
Data flow
Compliance

18. Subscription per Department (Customer Managed)
11/13/2017 9:37 PM
Subscription per Department (Customer Managed)
Each department contains different types of environments (e.g. Prod, Non-Prod). Virtual Networks will wrap the different environments for traffic separation. Subnets will be created within each environment to establish required security isolation zones between applications.
Pros
Low ExpressRoute Circuit Costs
Simplified Subscription Management
No Vnet Subscription Limit
Cons
Granular RBAC model required
Subscription Limit Issues in Cores, Storage, NSGs
Complex Vnet addressing
Mistake in management will affect all environments
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19. Subscription per Environment (Customer Managed)
11/13/2017 9:37 PM
Subscription per Environment (Customer Managed)
Each environment contains the different types of applications. Virtual Networks will wrap the different applications for traffic separation. Subnets will be created within each environment to establish required security isolation zones among application tiers.
Pros
Shared ExpressRoute circuit model
Low Vnet subscription limit issues (Limit Per 100th application)
Vnet address spaces can be tailored per application
Cons
New ExpressRoute circuit required per 10th application, or ER Premium
Granulated Application RBAC model
Requires medium capacity planning
Max of 10 dedicated circuits per subscription, max of 100 applications
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. Subscription per Application (Customer Managed)
11/13/2017 9:37 PM
Subscription per Application (Customer Managed)
Each application contains the different tiers. Virtual Networks will wrap the different tiers for traffic separation. Subnets will be created within each tier to establish required security isolation zones.
Pros
Minimal Subscription limit issues.
Minimal Capacity Planning
Per Application RBAC model
Cons
Increased Network Costs
Management Complexity
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21. Networking Considerations
Enterprise Enrollment
Department A
Department B
Account A
Account B
Account C
Subscription 1
Subscription 2
Subscription 3
Subscription 4
See dashed lines
1.You MUST create or use the Azure Dynamic Routing VPN gateways to connect your virtual networks. Static Routing VPN gateways are NOT supported for VNet- to-VNet.
2.For each virtual network, you can connect up to 10 “networks”; i.e., both virtual networks and on premises sites combined cannot exceed 10.
3.You need to ensure that the address prefixes don’t overlap among all the connected networks.
4. VNet-to-VNet feature works across regions and subscriptions – same or different regions, single or across subscriptions.
You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same continent as the ExpressRoute circuit.
You can link a single virtual network with up to 4 ExpressRoute circuits. All ExpressRoute circuits must be in the same continent. They can be ordered through different service providers and in different locations. ( )
Region
Region
Vnet 1
Vnet 2
Vnet 3
Vnet 4
Vnet 5
Vnet 6
Express Route Circuit
Express Route Circuit
Express Route Circuit
Express Route Circuit
Express Route Circuit

22. Subscription for Ingress Security Stack
11/13/2017 9:37 PM
Subscription for Ingress Security Stack
Build a subscription for driving all communications through a security stack. All public communications pass through this subscription then to subscriptions for applications.
Pros
Minimal Subscription limit issues.
Minimal Capacity Planning
Per Application RBAC model
Cons
Increased Network Costs
Management Complexity
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. Multiple Subscriptions = Complexity
11/13/2017 9:37 PM
Multiple Subscriptions = Complexity
Multiple Azure subscriptions means:
Duplicate provisioning and management: IP Address space, network circuits, gateways, vNets, Subnets, NSGs, routing
More connectivity to manage
More security to manage
More identities to manage
Potentially more ExpressRoute circuits to buy
Multiple subscription are going to happen though, so design for it
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24. Azure Subscription Limits

25. Azure Roles versus Management
Active Directory
Azure Active Directory
Application
Customer Manages
the OS and app config
Customer provisions
and manages Azure
Object OS
Virtual hardware
Physical hardware
Microsoft manages
the platform and SLA
Fabric

26. Resource Groups and Hierarchy
11/13/2017
Resource Groups and Hierarchy
Subscription
Resource Group
Resource
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27. Design & Requirements

28. Enrollment Design
Ensure you have at least two Enterprise Administrators
Are you going to use Departments?
Who will be the Account Owners?
They are the only ones that can create subscriptions
Is there a concern about restricting Subscription creation?
Create functional accounts with split passwords

29. Subscription Design Guidance
Minimize # of subscriptions – start with one and justify additional based on requirements
Do not be afraid to have multiple approaches in the design
Take subscription limits into account
Plan for multiple subscriptions
Determine approach for Subscription Owners
Use functional accounts not named accounts because it’s not easy to change the account in Azure when a person changes job or leaves the organization

30. Subscription Design Guidance
Identity Management
Use Azure Active Directory for Azure Governance roles
Use groups to assign RBAC versus users
ExpressRoute (ER)
Minimize #subscriptions (take network requirements and ER boundaries into account)
Use functional accounts not named accounts because it’s not easy to change the account in Azure when a person changes job or leaves the organization

31. Customer requirements drive structure
To be derived from customer requirements
Organization structure
Technical (e.g. Network & Security)
Functional

32. Subscription Model Design
Department, Application, Environment, Other
Will you be using Ingress through Azure?
How granular will Azure resource management need to be?
Network, storage, compute, security, application

33. Customer requirements
Description
Answer
Identity
Use preexisting Azure Active Directory from Office 365

34. Azure Resource Overview
11/13/2017 9:37 PM
Azure Resource Overview
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

35. 11/13/2017 9:37 PM
Role Considerations
Azure Subscriptions have two administrative models:
Classic
(v1)
Azure Service Management (ASM)
Resource Manager (v2)
Azure Resource Manager (ARM)
Azure Resource Management (ARM) environment, a subscription now has two administrative models: Service Management and Azure Resource Management. With ARM the subscription is no longer needed as an administrative boundary. ARM provides a more granular Roles Based Access Control (RBAC) model for assigning administrative rights at the resource level. RBAC is currently being released in stages, 22 new roles have been released and user defined roles is coming in a future release. There will be some complexity during the coexistence of the service management and resource management environments and will need to be carefully considered.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. Resources in Azure Classic (v1) Resource Manager (v2)
Multiple objects combined into a single manageable instance
Must connect to a classic network infrastructure
Resource Manager (v2)
Each object a separately manageable
Must connect to a RM network infrastructure
All new development focused here

37. Azure Resource Manager
11/13/2017
Azure Resource Manager
Classis (ASM)
ARM with RPs
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Portal and APIs Feature manage.windowsazure.com portal.azure.com / ARM
Granularity
Subscription
Subscription, resource group, resource
Principal
User
User, directory group, application
Roles
Full control (or no access)
30+ Built-in roles
Custom roles

39. Resource Groups
RESOU R
CE G
OUP
Tightly coupled containers of multiple resources of similar or different types
Every resource *must* exist in one and only one resource group
Resource groups can span regions
Nesting of Resource Groups not supported
Only Subscription Owners can create resource groups

40. Azure Resource Manager
MICROSOFT AZURE
MICROSOFT AZURE STACK
Describe
Deploy
Control
RESOURCE
GROUP
App
Database
Compute
Network
Storage

41. Resource Group Lifecycle
Question:
Should these resources be in the same group or a different one?
Hint:
Do they have common lifecycle and management?
Answer:
Up to you.

42. Resource Groups and Hierarchy
11/13/2017
Resource Groups and Hierarchy
Subscription
Resource Group
Resource
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

43. Azure RBAC Overview 11/13/2017 9:37 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44. Least Privilege as a Model
11/13/2017
Least Privilege as a Model
Goal
Users can do the tasks their job requires
But no more than that
Best practices
Use the portal and ARM API
Assign the right role
Use resource groups
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

45. Role Based Access Control
Users
Groups
Service Principals
Azure Resources in Resource Groups
Authentication
& Authorization
Azure Active Directory
Azure Subscription

46. ARM Hierarchy and RBAC Roles
11/13/2017 9:37 PM
ARM Hierarchy and RBAC Roles
ARM provides a more granular Roles Based Access Control (RBAC) model for assigning administrative rights at the resource level.
Owner
Can perform all management operations for a resource and its child resources including access management and granting access to others.
Contributor
Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other.
Reader
Has read-only access to a resource and its child resources. A reader cannot read secrets.
There are thirty-two built-in Azure RBAC roles for controlling access to Azure resources:
The Owner can perform all management operations for a resource and its child resources including access management or granting access to others.
The Contributor can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to others.
The Reader has read-only access to a resource and its child resources. A Reader cannot read secrets.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

47. Role Based Access Control

48. Key RBAC Concepts Role Definitions Role Assignments
associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)
always inherited – subscription assignments apply to all resources
Role Definitions
describes the set of permissions (e.g. read actions)
can be used in multiple assignments

49. /subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
RBAC - Granular Scopes
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
subscription level – grants permissions to all resources in the sub
resource group level – grants permissions to all resources in the group
resource level – grants permissions to the specific resource

50. Roles for Azure subscription resources
Three primary roles:
Owner, Contributor, Reader
Permissions on all Azure resources
30+ resource-specific roles
Website contributor, Virtual machine contributor, etc.
Permissions scoped to resources and actions typically required by customers
Will add more as new Azure resources come online
Custom roles
Allows customers to take existing actions and create a custom RBAC role
Role must be loaded into each subscription

51. Built-in Roles BUILT-IN ROLE ACTIONS NOT ACTIONS
Owner (allow all actions) *
Contributor (allow all actions except writing or deleting role assignments)
Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete
Reader (allow all read actions)
*/Read

52. Virtual Machine Contributor
Actions
 Access
Microsoft.Storage/storageAccounts/read
Read storage accounts
Microsoft.Storage/storageAccounts/listKeys/action
List storage account keys
Microsoft.Network/virtualNetworks/read
Read virtual networks
Microsoft.Network/virtualNetworks/subnets/join/action
Join virtual network subnets
Microsoft.Network/loadBalancers/read
Read load balancers
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Join load balancer backend address pools
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Join load balancer inbound NAT Rules
Microsoft.Network/publicIPAddresses/read
Read network public IP addresses
Microsoft.Network/publicIPAddresses/join/action
Join network public IP addresses
Microsoft.Network/networkSecurityGroups/read
Read network security groups
Microsoft.Network/networkSecurityGroups/join/action
Join network security groups
Microsoft.Network/networkInterfaces/*
Create and manage network interfaces
Microsoft.Network/locations/*
Create and manage network locations
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Join network application gateway backend address pools
Microsoft.Compute/virtualMachines/*
Create and manage virtual machines
Microsoft.Compute/availabilitySets/*
Create and manage compute availability sets
Microsoft.Compute/locations/*
Create and manage compute locations
Microsoft.Authorization/*/read
Read authorization
Microsoft.Resources/subscriptions/resourceGroups/read
Read subscription resource groups
Microsoft.Resources/subscriptions/resourceGroups/resources/read
Read subscription resource groups resources
Microsoft.Resources/subscriptions/resourceGroups/deployments/*
Create and manage subscription resource group deployments
Microsoft.Insights/alertRules/*
Create and manage Insights alert rules
Microsoft.Support/*
Create and manage support tickets

53. Resource Groups and Access Management
11/13/2017
Resource Groups and Access Management
Example
Best practices
Organize resources to meet access management requirements
Grant access at resource group when appropriate
Benefits
More granularity
Aligns with resource-specific roles
Ongoing manageability
Marketing Subscription
Solution 1 Resource Group
Virtual machine
Storage account
Solution 2 Resource Group
Virtual machine
Storage account
SQL Server
Shared Infrastructure Resource Group
Virtual Network
Finance Subscription
Solution A Resource Group
Web app
SQL Server
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

54. Assigning Resource-specific Roles
Requirement
Map existing organizational roles (web, DB…) to their cloud solutions
Many Azure resources that work together are peers in the same resource group
Virtual machine and storage account, web app and AppInsights
To fully manage a resource, a user may also need to manage its related peers
Best Practice
Assign resource-specific role on the resource group
Alternative
Assign access to each resource individually

55. Example RBAC Assignment
11/13/2017
Example RBAC Assignment
Requirement (example)
User needs to manage “Web app A” and related resources such as “Application Insights B”
User shouldn’t manage “Virtual Machine C” or “Storage account D”
Best practice
Assign Web app contributor and Application Insights Component Contributor role on ‘Solution 1 resource group’
Alternative: Two assignments
Contributor role on ‘Virtual Web App” and
Application Insights Component Contributor role on “App Insights B”
Marketing Subscription
Solution 1 Resource Group
Web app A
Assigning role Web app contributor on Solution 1 resource group
Conveys permissions on web apps and Application Insights instances in the resource group
Does not convey permissions on virtual machines or storage accounts
Application Insights B
Virtual Machine C
Storage account D
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

56. Azure Active Directory Integration
Best practice
All organizational Azure subscriptions use the same Azure AD for access control.
I.e., don’t have each subscription in the organization relying on its own Default directory.
Benefits
Manageability
Compliance
Litware Azure AD
Marketing Subscription
Resource Group 1
Resource
Resource
Resource Group 2
Resource
Resource
Finance Subscription
Resource Group A
Resource
Resource

57. RBAC Audit Logs and Resource Management Locks
11/13/2017
RBAC Audit Logs and Resource Management Locks
Role assignment changes are captured in events where the ResourceProviderName is Microsoft.Authorization.
Azure Resource Manager provides the ability to restrict operations on resources through resource management locks.
Resource locks are policies which enforce a lock level at a particular scope.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

58. Azure Resource Manager Resource Locks
11/13/2017
Azure Resource Manager Resource Locks
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

59. Resource Locks Accidents happen. Resource locks help prevent them :)
Resource locks allow administrators to create policies which prevent write actions or prevent accidental deletion.

60. Key Concepts Resource lock Lock level Scope:
Policy which enforces a "lock level" at a particular scope
Lock level
Type of enforcement; current values include CanNotDelete and ReadOnly
Scope:
The realm to which the lock level is applied. Expressed as a URI; can be set at the resource group, or resource scope.

61. Azure Resource Manager Policy Management
11/13/2017
Azure Resource Manager Policy Management
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

62. Azure Resource Manager Policies: Key Concepts
Polices are a default allow system
Policies are described via Policy Definitions
Policy definitions can be created to restrict the actions that can be performed or require the actions to meet a scenario before they can be performed
Policies are applied via Policy Assignments

63. Azure Resource Manager Policies: Scenarios
Chargeback: Require departmental tags
Geo Compliance: Ensure resource locations
Service Curation: Select your service catalog
Convention: Enforce naming

64. Policy Versus RBAC Designed to work together
User must get past RBAC restrictions first
Policy can restrict the actions you can perform in addition to RBAC rights

65. Policy Definition Language: Basic Structure
{ "if": { <condition> | <logical operator> }, "then": { "effect": "deny | audit" }
Policy Definition Language: Basic Structure {
"if": {
<condition> | <logical operator> },
"then": {
"effect": "deny | audit" }

66. Policy Definition Language: Putting it Together{
Policy Definition Language: Putting it Together {
"if": {
"not": {
"field": "location",
"in": ["northeurope", "westeurope"] } },
"then": {
"effect": "deny"

67. 11/13/2017 9:37 PM
Key Decisions
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

68. Key Decisions Identify a Subscription Model
Establish “first subscription” using new model
Identify key RBAC roles within your organization
Start small, expand later
Focus on built-in roles
Identify who will be managing the subscription

69. 11/13/2017 9:37 PM
Next Steps
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

70. Next Steps Subscription Design Key Decisions Approval (24 hours)
Subscription Design doc Authoring
Subscription Design doc Approval (5 days)

71. 11/13/2017 9:37 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

72. Correlating Azure Products and Regions
11/13/2017 9:37 PM
Correlating Azure Products and Regions
Features and Regions
Ensure your feature is available in the region you wish to deploy
Preview and General Availability (GA)
Understand differences in support, costs and available geographies
Special Regions
MAG/China
Full suite of Azure services may not be currently available and have timelines for certification and availability
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

73. Subscription Consumers
Customer Managed
When the Azure subscription is provisioned using the customer-owned account models described earlier in this document where the customer organization deploys and manages Azure workloads on their own.
Cloud Service Provider (CSP) Managed
When the Azure subscription is provisioned by Cloud Solution Provider who manages end customer Azure subscriptions

74. Subscriptions per Customer (CSP Managed)
One or more subscription per specific customer where a separate service deployment for a given customer may be assigned a dedicated subscription.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

75. CSP Subscription Connection Models
Service Providers will be required to connect their customers to their CSP Azure subscriptions in one of two ways:
“Connect-Through”
“Connect-To”
These models are heavily dependent on decisions around network connectivity and identity integration scenarios.

76. CSP Managed – Connect Through
Provider creates a direct connection between their datacenter and the provisioned customer Azure subscription using Site-to-Site using the provider’s network.
This connectivity scenario requires that the customer passes through a provider network to access CSP provisioned Azure subscription services, using a network connection that is created, owned and managed by the service provider.
For these customers it is assumed that the provider has a previously established tenant identity store which would then be replicated into Azure Active Directory for management of their CSP subscription
Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges which cannot be satisfied by Azure services alone
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

77. CSP Managed – Connect To
Provider creates a direct connection between their datacenter and the provisioned customer Azure subscription using Site-to-Site VPN (or in the future over an Express Route connection) using the customer’s network.
This connectivity scenario requires that the customer connects directly through a customer network to access CSP provisioned Azure subscription services, using a direct network connection that is created, owned and managed either wholly or in part by the customer.
For these customers it is assumed that the provider does not currently have a tenant identity store established and would assist the customer in replicating their current identify store into Azure Active Directory for management of their CSP subscription.
Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide services that are based solely Azure-hosted solutions without the need for an existing provider datacenter or infrastructure.
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.