{"id":622,"date":"2021-06-30T19:55:34","date_gmt":"2021-06-30T19:55:34","guid":{"rendered":"https:\/\/www.spktechfit.com\/?p=622"},"modified":"2021-06-30T19:55:34","modified_gmt":"2021-06-30T19:55:34","slug":"8-manage-subscriptions-and-governance","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=622","title":{"rendered":"8. Manage Subscriptions and Governance"},"content":{"rendered":"

Accounts, Subscriptions and Resource Groups<\/h1>\n
    \n
  1. Account<\/b>: this is a user or an application. This is the basis for authentication.<\/li>\n
  2. Tenant<\/b>: this is the organisation or the company
    \n–\u00a0 Usually a domain name is related to this.
    \n– a dedicated instance of Azure Active Directory
    \n– every Azure account is part of at least one tenant<\/li>\n
  3. Subscription<\/b>: an agreement with Microsoft to use AZURE services, and how you are going to pay for that. All Azure resources usage gets billed depending on the payment method of the subscription:
    \n– Free subscriptions
    \n– Pay as you go
    \n– Enterprise agreements
    \nNote: not every tenant needs to have a subscription and Tenants can have more than one subscription. <\/i><\/b><\/li>\n
  4. Resources<\/b>: this is any entity managed by Azure. EG: VM, web app, storage account, public IP address, network interface card, network security group etc\u2026<\/li>\n
  5. Resource Group: <\/b>\u00a0a way or organising resources. Similar to an OU in AD. All resources can only belong to the one Resource Group.
    \nIt is a way of separating projects , keeping unrelated items separate.<\/li>\n<\/ol>\n

    The Subscription Dashboard<\/h1>\n

    The subscription is the basis of billing. It gives a breakdown of the services and resources by cost. It can give you forecasts for your spending for the month.
    \nThis is where you make changes to credit cards etc\u2026<\/p>\n

    Assign Administrator permissions to Subscription<\/h1>\n

    You can add another user as admin of your subscription.<\/p>\n

    To do this:<\/p>\n

      \n
    • From within the Subscriptions dashboard, select “Access Control (IAM)”<\/li>\n
    • Click on “Add”<\/li>\n
    • Select the user you want to give access to<\/li>\n
    • Assign this user the “Contributor” role assignment. This will allow them to make changes to the subscription, but not assign permissions to other people.<\/li>\n<\/ul>\n

      There are 100s of role assignments to choose from and they can get very granular.<\/p>\n

      Cost Centre and Tagging<\/h1>\n

      Cost Analysis allows you to dig into the Locations and Resource Groups by what they are costing in the month.<\/p>\n

      Tagging<\/h2>\n

      You can create custom tags and then “Tag” resources. These are meta data you can attach to resources. You can then run reports per tag for costs etc… An example of using tags is:<\/p>\n

        \n
      • Billing code<\/li>\n
      • Created by<\/li>\n
      • Environment<\/li>\n<\/ul>\n

        Azure Policy<\/h1>\n

        You can use Azure Policy to define and enforce company standards and SLA’s across some or all of your companies resources.<\/p>\n

        There are some built in policies you can use:<\/p>\n

          \n
        • Require SQL Server 12.0<\/li>\n
        • Allowed Locations<\/li>\n
        • Allowed VM SKUs<\/li>\n
        • Allowed Resource Type<\/li>\n<\/ul>\n

          Assigning a policy<\/h2>\n

          You assign Policies through the Azure Portal by going to “Policy Assignments -> Assign Policy”.<\/p>\n

          The options you set are:<\/p>\n

            \n
          • Scope: Subscription or Resource Group<\/li>\n
          • Exclusions: you can exclude specific resources<\/li>\n
          • Policy Definition: Here you can select a built-in or custom policy. The built in policies can do things like:\n
              \n
            • Deploy threat protection<\/li>\n
            • Audit resources<\/li>\n
            • Set restrictions<\/li>\n<\/ul>\n<\/li>\n
            • Assignment name: set a name<\/li>\n<\/ul>\n

              Creating Custom Policies<\/h2>\n

              You can create policy definition through “Policies -> Definitions”. The definitions are made up of JSON files. You can download samples of these from GitHub<\/p>\n

              Managing Policy by PowerShell<\/h2>\n

              Everything you can do in the portal you can do through PowerShell<\/p>\n

              You can use PowerShell on your machine or use the “CloudShell”.<\/p>\n

              You will need to install the AZ module on your machine.<\/p>\n

              To list policiy definitions:<\/b><\/p>\n

              Get-AzPolicyDefinition\r\nGet-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq \"Ausit missing tags on resources\" }<\/pre>\n
              Creating a policy using a definition:<\/b><\/p>\n
              New-AzPolicyAssignment -Name \"Checkingrules\" -DisplayName \"Checking the rules\" -scope $resourceGroup.iresourceid -PolicyDefinition $definition<\/pre>\n
               <\/p>\n
              Subscriptions and Management Groups<\/h1>\n
              You can have more than one subscription in the one tenant.<\/p>\n
              Management Groups<\/h2>\n
              These are basically OU’s that contain other management groups or subscriptions.\u00a0You can assign users to the Management Group and they will get access to the subscription underneath.<\/p>\n
               <\/p>\n
              Resource Groups and Resource Locks<\/h1>\n
              Resource Groups are basically an organisational structure for your resources. You can create as many as you need. The Resource Group name needs to be unique to your account.<\/p>\n
              They can contain things like:<\/p>\n
                \n
              • VMs<\/li>\n
              • VNets<\/li>\n
              • Network Security groups<\/li>\n
              • Disks<\/li>\n
              • Public IP Addresses<\/li>\n<\/ul>\n
                Things you can do at the Resource Group level:<\/p>\n
                  \n
                • Policies<\/li>\n
                • Locks<\/li>\n
                • Reports<\/li>\n
                • Deployments<\/li>\n<\/ul>\n
                  Deleting a Resource Group deletes all the resources inside it also!<\/i><\/b><\/p>\n
                  Resource Locks<\/h2>\n
                  A lock prevents you from changing or deleting the Resource Group. There are 2 types of locks:<\/p>\n
                    \n
                  1. No changes (Read Only) – this prevents you from making any changes or even stopping a VM<\/li>\n
                  2. No deletions<\/li>\n<\/ol>\n
                    You can add a lock by going to “Locks” in the Resource Group settings.<\/p>\n
                    Resource Group Policies<\/h1>\n
                    Go to Resource Group -> Policy – Assignments<\/p>\n
                    You ca assign policies such as “Allow Locations”. This only allows items in the Resource Group to be in certain locations.<\/p>\n
                    Move Resources<\/h1>\n
                    Items in a Resource Group can be moved to:<\/p>\n
                      \n
                    • Another Resource Group<\/li>\n
                    • Another Subscription<\/li>\n
                    • Another Location<\/li>\n<\/ul>\n
                      NOTE: when you change an items Resource Group its “Resource ID” will change. This is because the Resource Group name is part of the Resources ID. You need to update any scripts that may be using this Resource ID.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"
                      Accounts, Subscriptions and Resource Groups Account: this is a user or an application. This is the basis for authentication. Tenant: this is the organisation or the company –\u00a0 Usually a domain name is related to this. – a dedicated instance of Azure Active Directory – every Azure account is part of at least one tenant […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/622"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=622"}],"version-history":[{"count":2,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/622\/revisions"}],"predecessor-version":[{"id":624,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/622\/revisions\/624"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}