Microsoft Ignite 2016 11/16/2018 2:45 PM BRK3203
1 Manage and control your applications with Microsoft Azure Resource Manager
Mike Chen, Gaurav Bhatnagar, Program Managers, Azure Resource Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Challenges during the transition from traditional mode to agile mode
- Visibility of cloud assets
- Granular access control
- Cost control
- Service catalog
- Geo-compliance

3 Agenda
- Organize your application
- Manage access control
- Enforce IT policy
  - Policy regular
  - Create experience
  - Tags, other examples
- Roadmap
- Q&A

4 Organize your resources

5 An application may have…
- Compute, network and storage resources
- Databases
- Web apps
- Runbook automations
- Alert rules
- etc.

6 Over time you get lost

7 You wish to see fewer

8 Resource Group
A folder of resources that share the same lifecycle:
- Unit of deployment
- Unit of access control
- Resource groups can span regions
- Resource groups can span services

9 Resource Group Payload
resourcegroups/{resource-group-name}

    {
      "location": "West US",
      "tags": { "tagname1": "tagvalue1" }
    }

10 Pattern: application per resource group
- Simple application
- Always updated together

11 Pattern: application tier per resource group
- One tier of an application
- Updated independently
- Resources can interact with resources in other resource groups

12 Organize by template
- A template deploys resources into one resource group
- A resource group can be exported as a template
- A template can be redeployed to other resource groups

13 Tag when there are more apps
Tags are your metadata store. Example tags:
- environment, e.g. dev/test/prod
- role, e.g. web/cache/db
- application name, e.g. CRM
- department, e.g. finance/retail/legal
- responsible party, e.g. Bob
Tags are essential for 3rd-party management solutions.

14 When you have tags

15 Enforce tags
- Set tags in the approved template
- Set tags at the resource group level
- Use a deny policy to enforce required tags
- Use an audit policy to find resources missing tags
- Use an append policy to add default tags

16 Manage Access Control

17 Control
- Role Based Access Control
- Audits
- Resource Policy

18 Why RBAC? An on-premises organization mapped onto Azure (slide from Microsoft Ignite 2015)
On-premises: Azure Active Directory with users, groups and password sync
Organization: Sector 1, Sector 2, ..; Region NA, Region SA; Division Mktg, Division Sales; Project 1, Project 2
Mapping to Azure:
- Subscription per sector
- Resource group per project
- Tags: Region, Division, Project
- "Standard" VNet per division in a separate resource group
- Billing tracked per division
- Subnet on the "standard" VNet assigned to each project
- Express Route(s)
Role assignments:
- IT Director's Office: Owners of subscriptions
- Network Admins: VNet Contributors of the "standard" VNet RGs
- Infrastructure Admins and Support: Virtual Machine Contributors of project RGs and "standard" VNet RGs
- Project Team Roles: appropriate role on project RGs

19 Role Based Access Control
- Allows secure access with granular permissions
- Assignable to users, groups, or service principals (interactive and non-interactive sessions)
- Built-in roles make it easy to get started
- Custom roles offer greater flexibility

20 Two Key Concepts: Role Definitions and Role Assignments
Role Definitions
- Describe the set of permissions or actions (e.g. read actions)
- Permissions are declarations that include the resource provider, resource type and an action
- 3 basic actions: READ, WRITE, DELETE (wildcards supported)
- Can be used in multiple assignments
Role Assignments
- Associate a role definition with an identity (e.g. user/group) at a scope (e.g. resource group)
- Always inherited: subscription assignments apply to all resources
- A literal mapping of a principal to a role definition on a resource, e.g. Jim is a Storage Account Contributor on the storage account "Contoso-Storage-east"

21 Access Inheritance and Resource Hierarchy
Hierarchy: Subscription (S) > Resource Groups (RG) > Resources (R)
- Role assignment: Role = 'Reader', Subject = AAD Group, Scope = Subscription (inherited by every resource group and resource in the subscription)
- Role assignment: Role = 'Contributor', Subject = AAD User, Scope = Resource Group (inherited by every resource in that group)
- Role assignment: Role = 'Owner', Subject = AAD User, Scope = Resource (applies to that resource only)

22 Built-in Roles
- A rich set of built-in roles to select from (40+)
- Assignable to users, groups or services at different scopes
- Can't be modified
- Most used built-in roles: Reader, Contributor, DevTest Labs User, Virtual Machine Contributor

23 Built-in Role: Storage Account Contributor
ACTIONS | DESCRIPTION
Microsoft.Storage/storageAccounts/* | Create and manage storage accounts
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read | Read resource groups
Microsoft.Resources/subscriptions/resourceGroups/deployments/* | Create and manage resource group deployments
Microsoft.Insights/alertRules/* | Create and manage alert rules
Microsoft.Insights/diagnosticSettings/read | Read diagnostic settings
Microsoft.Insights/diagnosticSettings/write | Create diagnostic settings
Microsoft.Insights/diagnosticSettings/delete | Delete diagnostic settings
Microsoft.Support/* | Create and manage support tickets

24 Custom Roles
- Enhanced flexibility
- Assignable to users, groups or services at different scopes
- Can be shared across multiple subscriptions in the same tenant

25 Who can View/Create/Update Custom Roles?
- View: all built-in roles (Microsoft.Authorization/roleDefinitions/read operation)
- Create/Update: owners of subscriptions, resource groups and resources at that scope (Microsoft.Authorization/roleDefinitions/write operation)

26 Custom Role - Sample Role Definition

    {
      "properties": {
        "roleName": "Virtual Machine Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
        "assignableScopes": [ "/" ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/*/read",
              "Microsoft.Compute/availabilitySets/*",
              "Microsoft.Compute/locations/*",
              "Microsoft.Compute/virtualMachines/*",
              "Microsoft.Compute/virtualMachineScaleSets/*",
              ...
            ],
            "notActions": [ ]
          }
        ]
      },
      "id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
    }

27 Sample Role Assignment

    {
      "properties": {
        "roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
        "principalId": "5ac c8c b bd191b",
        "scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-ProjectRND"
      },
      "id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/5eec22ee-ea5c-431e-8f41-82c560706fd2",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "5eec22ee-ea5c-431e-8f41-82c560706fd2"
    }
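The following Python is an added illustration, not code from the deck: it models the role definition, role assignment and scope-inheritance rules of slides 20 through 27 (wildcard actions, notActions, assignments inherited from subscription down to resource) and checks whether a caller may perform an action. The subscription id and resource ids are placeholders, Storage Account Contributor and Reader carry the actions shown on the slides, and the "VM Operator" custom role is constructed to show notActions.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class RoleDefinition:
    name: str
    actions: list            # permission patterns, "*" wildcards allowed
    not_actions: list = field(default_factory=list)

@dataclass
class RoleAssignment:
    role: RoleDefinition
    principal: str           # object id of a user, group or service principal
    scope: str               # subscription, resource group or resource id

def action_matches(pattern, action):
    # Case-insensitive; "*" spans segments, so "Microsoft.Authorization/*/read" covers roleAssignments/read.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def scope_covers(assignment_scope, resource_id):
    # Assignments inherit downward only: a subscription-scope assignment applies to everything beneath it.
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def is_allowed(assignments, principals, resource_id, action):
    # principals: the caller's own object id plus the ids of the groups it belongs to.
    for asg in assignments:
        if asg.principal not in principals or not scope_covers(asg.scope, resource_id):
            continue
        granted = any(action_matches(p, action) for p in asg.role.actions)
        excluded = any(action_matches(p, action) for p in asg.role.not_actions)
        if granted and not excluded:
            return True
    return False

# Constructed ids (placeholder subscription) and roles taken from the slides.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/crm"
STORAGE_EAST = RG + "/providers/Microsoft.Storage/storageAccounts/contosostorageeast"
STORAGE_WEST = RG + "/providers/Microsoft.Storage/storageAccounts/contosostoragewest"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
STORAGE_CONTRIBUTOR = RoleDefinition("Storage Account Contributor",
    ["Microsoft.Storage/storageAccounts/*", "Microsoft.Authorization/*/read",
     "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"])
READER = RoleDefinition("Reader", ["*/read"])
VM_OPERATOR = RoleDefinition("VM Operator (constructed custom role)", ["Microsoft.Compute/virtualMachines/*"],
                             not_actions=["Microsoft.Compute/virtualMachines/delete"])
ASSIGNMENTS = [RoleAssignment(STORAGE_CONTRIBUTOR, "jim", STORAGE_EAST),
               RoleAssignment(READER, "all-staff", SUB),
               RoleAssignment(VM_OPERATOR, "ops-team", RG)]
```

With these assignments Jim can write only the storage account he is assigned on, reads everything through the group-level Reader, and ops-team can operate but not delete VMs in the crm resource group.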

28 Audit history of RBAC activities

29 Azure RBAC Usage (slide from Microsoft Ignite 2015)

30 Demo

31 Key Learnings from Enterprise Customers (slide from Microsoft Ignite 2015)
- Organizational accounts, not LiveIDs
- Resource groups, not subscriptions
- Manage access using groups
- Least privilege
- Keep a tab on access changes

32 Access Control: some other ways
- Audit logs
- Resource locks
- Sharing templates privately on the portal

33 Azure Resource Policy

34 What is Resource Policy?
- Define customized rules that govern the shape of your resources
- Deny the request or audit the request
- Monitor policy events
- GA in April 2016

35 What does the customer need?
- Granular control over Azure resources for asset management, geo-compliance, cost control, configuration best practices and security
- An IT-pro-friendly tool, seamlessly integrated with the platform, to enforce IT policies
- Compliance status for their resources

36 Today's capability
- Policy catalog: whitelist resource types, whitelist locations, naming convention, VM size/SKUs (also for other resource types such as SQL and Web App), VM images
- Policy events
- Tag policy

37 How to define a policy

    {
      "if": {
        <condition> | <logical operator>
      },
      "then": {
        "effect": "deny | audit | append"
      }
    }

38 When does evaluation happen?
Request: PUT /{resource scope}/{RP namespace}/{resourceType}/{resourceName}
The request passes through the Policy Engine in ARM. A policy (Policy 1, Policy 2, Policy 3, ...) is evaluated only if an assignment of its policy definition is in place for the scope of the request.

39 What happens after a policy evaluation?
- An audit event is generated for the policy evaluation result, recording the caller, event details and the failed policy
- The request may be blocked or modified
- An alert can be generated based on events: resource deployment -> event -> alert / runbook

40 Policy Examples
- Tag policies
- Naming convention
- Approved services
- Approved SKUs
- Configuration best practices

41 Tag Enforcement Policy

    {
      "if": {
        "not": {
          "field": "tags.costCenter",
          "in": [ "department1", "department2", "department3" ]
        }
      },
      "then": {
        "effect": "deny"
      }
    }

42 Tag: Append Default Tag

    {
      "if": {
        "allOf": [
          { "field": "tags", "exists": "true" },
          { "field": "tags.costCenter", "exists": "false" }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          { "field": "tags.costCenter", "value": "myDepartment" }
        ]
      }
    }

43 Naming Convention

    {
      "if": {
        "not": {
          "field": "name",
          "like": "namePrefix*nameSuffix"
        }
      },
      "then": {
        "effect": "deny"
      }
    }

44 Approved Services

    {
      "if": {
        "not": {
          "anyOf": [
            { "field": "type", "like": "Microsoft.Resources/*" },
            { "field": "type", "like": "Microsoft.Compute/*" },
            { "field": "type", "like": "Microsoft.Storage/*" },
            { "field": "type", "like": "Microsoft.Network/*" },
            { "field": "type", "like": "Microsoft.Web/*" }
          ]
        }
      },
      "then": {
        "effect": "deny"
      }
    }

45 Use Approved SKUs

    {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/sku.name",
              "in": [ "Standard_LRS", "Standard_GRS" ]
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }

46 Use Approved Images

    {
      "if": {
        "not": {
          "allOf": [
            { "field": "Microsoft.Compute/virtualMachines/image.publisher", "in": [ "publisher1", "publisher2" ] },
            { "field": "Microsoft.Compute/virtualMachines/image.offer", "in": [ "offer1", "offer2" ] },
            { "field": "Microsoft.Compute/virtualMachines/image.sku", "in": [ "sku1", "sku2" ] }
          ]
        }
      },
      "then": {
        "effect": "deny"
      }
    }

47 Aliases
*/SKU.name, supported for: Microsoft.Compute/virtualMachines, Microsoft.Storage/storageAccounts, Microsoft.Web/serverFarms, Microsoft.Scheduler/jobcollections, Microsoft.DocumentDB/databaseAccounts, Microsoft.Cache/Redis, Microsoft.CDN/profiles, Microsoft.Network/applicationGateway
Microsoft.Compute:
- Microsoft.Compute/virtualMachines/imagePublisher
- Microsoft.Compute/virtualMachines/imageOffer
- Microsoft.Compute/virtualMachines/imageSku
- Microsoft.Compute/virtualMachines/imageVersion
Microsoft.Cache:
- Microsoft.Cache/Redis/enableNonSslPort
- Microsoft.Cache/Redis/shardCount
Microsoft.SQL:
- Microsoft.SQL/servers/version
- Microsoft.SQL/servers/databases/requestedServiceObjectiveId
- Microsoft.SQL/servers/databases/requestedServiceObjectiveName
- Microsoft.SQL/servers/databases/edition
- Microsoft.SQL/servers/databases/elasticPoolName
- Microsoft.SQL/servers/elasticPools/dtu
- Microsoft.SQL/servers/elasticPools/edition
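As an added example (not code from the deck or from the Azure policy engine), the following Python evaluates the if/then policy shape of slides 37 through 47 locally: it walks not/allOf/anyOf, applies equals/in/like/exists to a field, and returns deny, audit, allow, or an append with the default tags filled in. Alias fields are resolved under "properties" as a simplification of the real alias table, and the two storage-account PUT bodies are constructed.

```python
import fnmatch
norm = lambda v: v.lower() if isinstance(v, str) else v  # policy string tests are case-insensitive

def get_field(resource, name):
    # "tags.x" and top-level fields read the body; aliases like
    # "Microsoft.Storage/storageAccounts/sku.name" resolve under "properties" here.
    if name.startswith("tags."):
        return (resource.get("tags") or {}).get(name[5:])
    node = resource.get("properties", {}) if "/" in name else resource
    for part in name.rsplit("/", 1)[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def evaluate_condition(cond, resource):
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    for key, combine in (("allOf", all), ("anyOf", any)):
        if key in cond:
            return combine(evaluate_condition(c, resource) for c in cond[key])
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "in" in cond:
        return norm(value) in [norm(x) for x in cond["in"]]
    if "like" in cond:  # '*' is the only wildcard supported by "like"
        return isinstance(value, str) and fnmatch.fnmatchcase(norm(value), norm(cond["like"]))
    return (value is not None) == (str(cond["exists"]).lower() == "true")

def evaluate_policy(policy, resource):
    # Returns (outcome, body): "allow" when the "if" block does not match, else the effect;
    # "append" returns a copy of the body with the default tag values filled in.
    if not evaluate_condition(policy["if"], resource):
        return "allow", resource
    effect = policy["then"]["effect"]
    if effect != "append":
        return effect, resource
    out = dict(resource, tags=dict(resource.get("tags") or {}))
    for d in policy["then"]["details"]:
        out["tags"][d["field"][5:]] = d["value"]
    return "append", out

# Policies from the slides, plus two constructed storage-account PUT bodies.
TAG_POLICY = {"if": {"not": {"field": "tags.costCenter", "in": ["department1", "department2"]}}, "then": {"effect": "deny"}}
APPEND_POLICY = {"if": {"allOf": [{"field": "tags", "exists": "true"}, {"field": "tags.costCenter", "exists": "false"}]},
                 "then": {"effect": "append", "details": [{"field": "tags.costCenter", "value": "myDepartment"}]}}
SKU_POLICY = {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                               {"not": {"field": "Microsoft.Storage/storageAccounts/sku.name", "in": ["Standard_LRS", "Standard_GRS"]}}]},
              "then": {"effect": "deny"}}
BAD = {"name": "scratch", "type": "Microsoft.Storage/storageAccounts", "tags": {}, "properties": {"sku": {"name": "Premium_LRS"}}}
GOOD = dict(BAD, name="crmlogs01", tags={"costCenter": "department2"}, properties={"sku": {"name": "Standard_LRS"}})
```

The untagged Premium_LRS body is denied by both the tag and SKU policies, while the append policy would have filled in the missing costCenter tag without touching the original request object.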

48 Monitoring Policy events

49 Policy Usage

50 Who assigns policy?
- Subscription owners
- Resource group owners

51 Most popular Policies
- Append tags: accounting
- Locations: geo-compliance
- Service curation: security, cost control
- Naming convention

52 Things Coming
- Pre-flight validation
- Built-in policy with parameter support
- Policy on the portal

53 Policy Demo

54 Free IT Pro resources to advance your career in cloud technology
- Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3-month subscription (10 courses), phone support incident)
- Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft's leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community (connect with a community of peers and Microsoft experts)

55 Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite at . From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting .
