Microsoft Azure Managing Users & Resources with Azure Resource Manager
Module Overview
- Overview of Microsoft Azure
- Managing Users in Azure
- Provisioning Resources
- ARM Tools & Resources
- Azure ARM Templates

4/5/2019 6:45 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Overview of Microsoft Azure
Understanding Azure Resources
- Azure resources are usage-based
  - Office 365 is license based
- Azure subscription
  - Account within Azure for a customer that can contain resources
  - Once a subscription exists, resources can be provisioned within that subscription
Organizing Resources
- Resource Groups
  - Organize multiple resources
  - Commonly used for projects
  - Ex: Corporate website might include website, database, storage, CDN & an AAD tenant
  - Useful for billing
- Tags
  - Name-value pair
  - Can be applied to resources
  - Max 15 tags per resource
  - Viewing resources by tag will span across all resource groups
  - Useful for billing or management
Understanding Azure Billing
- All Azure resources are consumption based
  - Pay for what you use
- Resources may have different rates for different usage and different regions
- Example: blob storage
  - EAST US region:
    - $0.0240/GB for first 1TB
    - $0.0236/GB for next 49TB
  - BRAZIL SOUTH region:
    - $0.0326/GB for first 1TB
    - $0.0320/GB for next 49TB
Resource Management: ASM & ARM
- Azure Service Management (ASM)
  - Classic model
  - New resources added to Azure do not support this model
  - https://manage.windowsazure.com
- Azure Resource Management (ARM)
  - Current management model
  - Enables templated provisioning of resources
  - https://portal.azure.com
- Both have REST APIs you can call…
  - Directly using REST, or
  - Indirectly using web portals, PowerShell or the CLI
Managing Users in Azure
Role Based Access Control (RBAC)
- Enables fine-grained access management
- Users & groups within a subscription's AAD can be added to roles
- Roles can be applied at various levels:
  - Subscriptions
  - Resource Groups
  - Resource (websites / virtual machines / etc)
- Built-in roles
  - Owner: full access & can manage delegated access & membership to other roles
  - Contributor: create & manage all types of resources, but not manage role membership
  - Reader: can view resources, but not make any changes
Understanding Users in Microsoft Azure
- Users within a customer's AAD tenant must be explicitly granted permissions to manage Azure resources
- When partners create Azure subscriptions for customers, the partner Admin Agents group is assigned the Azure subscription owner role for the customer's Azure subscription
  - Partner Admin Agents can manage resources in the customer's Azure subscription
  - Partner can grant users in the customer AAD tenant access to the Azure subscription
CSP User Management in Microsoft Azure
[Diagram: Azure AD tenant for Wingtip (CSP partner) with group Admin Agents; Azure AD tenant for Contoso with role Tenant Admin; subscriptions belonging to Contoso in Microsoft Azure (CSP subscription, direct subscription) with roles Owner, Contributor and Reader over Azure resources. Legend: is member of, can manage, is partner of.]
- Azure AD Tenant Admins by default do not have management rights over Azure subscriptions in their tenant.
- A user must be assigned a role for a subscription before he/she can manage that subscription.
- When a CSP partner creates an Azure subscription for a customer tenant, the partner Admin Agents group is automatically assigned the subscription owner role.
- Therefore, the partner Admin Agents group is able to manage resources in that subscription.
- Partner can grant customer access to the Azure subscription by assigning the customer a role on the subscription.
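The scope inheritance on the RBAC slide and the CSP Admin Agents assignment above can be worked through in a small model. This is an added example, not part of the original deck: the subscription ID, resource names, principals and the three-right simplification of Owner, Contributor and Reader are all constructed for illustration.

```python
# Simplified rights for the three built-in roles named on the RBAC slide.
ROLE_RIGHTS = {
    "Owner": {"read", "write", "manage_access"},
    "Contributor": {"read", "write"},
    "Reader": {"read"},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/contoso-web"
SITE = RG + "/providers/Microsoft.Web/sites/contoso-site"
DB_RG = SUB + "/resourceGroups/contoso-data"

# (principal, role, scope): constructed assignments for a CSP subscription.
ASSIGNMENTS = [
    ("group:AdminAgents@wingtip", "Owner", SUB),  # set when the partner creates it
    ("user:alice@contoso", "Contributor", RG),
    ("user:bob@contoso", "Reader", SITE),
]
MEMBERSHIPS = {"user:carol@wingtip": {"group:AdminAgents@wingtip"}}


def in_scope(assignment_scope, resource_id):
    """An assignment applies at its own scope and at everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_rights(principal, resource_id):
    """Union of rights from direct and group assignments that reach resource_id."""
    identities = {principal} | MEMBERSHIPS.get(principal, set())
    rights = set()
    for who, role, scope in ASSIGNMENTS:
        if who in identities and in_scope(scope, resource_id):
            rights |= ROLE_RIGHTS[role]
    return rights


def access_managers(resource_id):
    """Principals holding Owner, directly or by inheritance, on resource_id."""
    return sorted({who for who, role, scope in ASSIGNMENTS
                   if role == "Owner" and in_scope(scope, resource_id)})
```

Running `access_managers` over every resource in a subscription shows where the partner group is the only principal able to delegate access, which is the first thing to confirm when reviewing a CSP-provisioned subscription.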
DEMO Managing Users
Provisioning Azure Resources
Provisioning Azure Resources
- All Azure offerings are referred to as resources
  - Virtual Machine
  - Storage
  - Website
  - Database
- Some resources have dependencies
  - SQL databases need a SQL server
  - Virtual machine needs a virtual disk in a storage account, virtual network, IP, etc
- Unique billing per resource, per unit & per region
- Resources are added to resource groups
ARM Tools & Resources
Azure Resource Explorer
- https://resources.azure.com
- Discover the ARM APIs
- Get API documentation
- Make actual API calls directly in your own subscriptions
DEMO Azure Resource Explorer
Azure CLI with ARM
- https://azure.microsoft.com/documentation/articles/xplat-cli-azure-resource-manager/
- Command-line interface
- Works on Windows & cross platform
- Scriptable with batch script (*.bat | *.cmd) or shell script (*.sh) files
DEMO Azure CLI and Azure Resource Manager
Azure PowerShell with ARM
- https://azure.microsoft.com/documentation/articles/powershell-azure-resource-manager/
- Windows PowerShell interface
- Scriptable with script (*.ps1) files
DEMO Azure PowerShell and Azure Resource Manager
Azure ARM Templates
Azure ARM Templates
- Azure-based applications commonly require a combination of resources
  - Database server & database
  - Web server, storage, etc
- ARM templates enable provisioned deployment in a single, coordinated operation
- Greatly simplifies provisioning
Creating Azure ARM Templates
- Templates are JSON files <1MB
- Specify resources needed for the deployment
- Specify input parameters to define variability
- Visual Studio provides tools to assist template authoring
ARM Template Schema

    {
      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "",
      "parameters": { },
      "variables": { },
      "resources": [ ],
      "outputs": { }
    }

https://azure.microsoft.com/documentation/articles/resource-group-authoring-templates
Provisioning Templates with PowerShell

    # config variables
    $deployName = "Test Deployment"
    $RGName = "Contoso Corp Dev VM"
    $locName = "East US"
    $templateURI = "https:/…/template.json"

    # create a new resource group & provision a virtual
    # machine with dependencies
    New-AzureRmResourceGroup -Name $RGName -Location $locName
    New-AzureRmResourceGroupDeployment -Name $deployName -ResourceGroupName $RGName -TemplateUri $templateURI
Provisioning Templates with Azure CLI

    # config variables (PowerShell syntax; the CLI is invoked from a PowerShell session)
    $deployName = "Test Deployment"
    $RGName = "Contoso Corp Dev VM"
    $locName = "East US"
    $templateURI = "https:/…/template.json"

    # create a new resource group & provision a virtual
    # machine with dependencies
    azure group create -n $RGName -l $locName
    # -f expects a local template file; a remote template is passed with --template-uri
    azure group deployment create -n $deployName -g $RGName --template-uri $templateURI
Provisioning Templates with REST API: Request

HTTP PUT

    https://management.azure.com
      /subscriptions/{subscription-id}
      /resourcegroups/{resource-group-name}
      /providers/microsoft.resources
      /deployments/{deployment-name}
      ?api-version={api-version}

HTTP REQUEST BODY: Includes either link to template / actual template
Provisioning Templates with REST API: Payload (linked template)

    {
      "properties": {
        "templateLink": {
          "uri": "[..]/template.json",
          "contentVersion": "1.0.0.0"
        },
        "mode": "Incremental",
        "parametersLink": {
          "uri": "http://[..]/parameters.json"
        }
      }
    }
Provisioning Templates with REST API: Payload (inline template)

    {
      "properties": {
        "template": {
          // entire contents of an ARM template
        }
      }
    }
Get Status of Template Deployment Operations

HTTP GET

    https://management.azure.com
      /subscriptions/{subscription-id}
      /resourcegroups/{resource-group-name}
      /providers/microsoft.resources
      /deployments/{deployment-name}
      /operations
      ?api-version={api-version}
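The REST request, payload and status slides above, together with the template rules from the schema slides, can be combined into a pre-flight builder that refuses a malformed deployment before it is sent. This is an added example, not part of the original deck: the function names are hypothetical, and rejecting non-https template links is a local policy assumed here so that a fetched template cannot be altered in transit.

```python
import json
from urllib.parse import quote, urlsplit

ARM = "https://management.azure.com"
REQUIRED = ("$schema", "contentVersion", "resources")
MAX_TEMPLATE_BYTES = 1024 * 1024  # the deck's "<1MB" limit


def deployment_url(sub_id, group, name, api_version, operations=False):
    """URL for the deployment PUT, or for the GET .../operations status call."""
    # Each segment is percent-encoded so a name containing "/" cannot change the path.
    path = "/subscriptions/%s/resourcegroups/%s/providers/microsoft.resources/deployments/%s" % (
        quote(sub_id, safe=""), quote(group, safe=""), quote(name, safe=""))
    if operations:
        path += "/operations"
    return "%s%s?api-version=%s" % (ARM, path, quote(api_version, safe=""))


def check_template(template):
    """Reject inline templates that lack required sections or are not under 1MB."""
    missing = [key for key in REQUIRED if key not in template]
    if missing:
        raise ValueError("template missing: " + ", ".join(missing))
    if len(json.dumps(template).encode("utf-8")) >= MAX_TEMPLATE_BYTES:
        raise ValueError("template is not under 1MB")


def deployment_body(template=None, template_uri=None, content_version="1.0.0.0"):
    """Build the PUT body with either an inline template or a link, never both."""
    if (template is None) == (template_uri is None):
        raise ValueError("supply exactly one of template or template_uri")
    props = {"mode": "Incremental"}
    if template is not None:
        check_template(template)
        props["template"] = template
    else:
        if urlsplit(template_uri).scheme != "https":  # assumed local policy
            raise ValueError("templateLink must use https")
        props["templateLink"] = {"uri": template_uri, "contentVersion": content_version}
    return json.dumps({"properties": props})
```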
Azure ARM Quickstart Templates
- Microsoft & community created templates
- Provision resources by changing input parameters & deploying template straight from the GitHub repo
- Public GitHub repository with searchable index on the Microsoft Azure site: https://azure.microsoft.com/documentation/templates
DEMO Provisioning Azure Resources with ARM Templates
Module Summary
- Overview of Microsoft Azure
- Managing Users in Azure
- Provisioning Resources
- ARM Tools & Resources
- Azure ARM Templates