aka.ms/AFUN80 #MSIgniteTheTour
Resources
Governance allows you to enforce a set of
rules on how resources in the cloud are
configured
Azure Governance Challenges
Control which VMs specific users can manage in the Azure
portal
How does Tailwind Traders restrict users so
that they can only manage specific VMs
through the Azure portal?
Role Based Access Control
(RBAC) Demo
Role-based access control (RBAC)
Role Definition
A collection of permissions
Role definitions are defined as a set of
operations that can be performed
Scope
Access boundary
Assigned to:
• Management group
• Subscription
• Resource group
• Resource
Structured in parent-child relationship
• Access at parent scope is inherited at child
scope
Role Assignment
Azure RBAC Roles Vs Azure AD Admin Roles
Key RBAC Info
• Restrict who can perform what
operations on which resources
• Inherited to all children of the
assigned scope
• Can be applied to all levels of your
hierarchy, all scope types
• Custom roles allow you to change
the operations that a role can
perform
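To make the RBAC model on these slides concrete, here is an added example (not code from the deck or from Azure itself) that models role definitions as operation sets, role assignments bound to a scope, inheritance down the management group / subscription / resource group / resource tree, and the default-deny rule. Role names, operation strings and resource IDs are constructed for illustration; the "manageable_vms" check answers the Tailwind Traders question of letting a user manage only specific VMs.

```python
# Added example: minimal model of Azure RBAC evaluation (constructed names).
# Role definition = set of operations; assignment = (principal, role, scope);
# access at a parent scope is inherited by child scopes; deny unless allowed.
from fnmatch import fnmatchcase

# Role definitions: collections of permitted operations (wildcards allowed).
ROLE_DEFINITIONS = {
    "VM Operator (custom, hypothetical)": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
    ],
    "VM Contributor (illustrative)": ["Microsoft.Compute/virtualMachines/*"],
    "Reader (illustrative)": ["*/read"],
}

# Constructed scope hierarchy: management group > subscription > resource group > resource.
MG = "/providers/Microsoft.Management/managementGroups/tailwind-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-rg"
VM_A = RG + "/providers/Microsoft.Compute/virtualMachines/vm-a"
VM_B = RG + "/providers/Microsoft.Compute/virtualMachines/vm-b"
PARENT = {SUB: MG, RG: SUB, VM_A: RG, VM_B: RG}  # child scope -> parent scope

# Role assignments: (principal, role definition, scope).
ASSIGNMENTS = [
    ("alice", "VM Operator (custom, hypothetical)", VM_A),  # one VM only
    ("bob", "VM Contributor (illustrative)", RG),          # inherited by every VM in prod-rg
    ("carol", "Reader (illustrative)", MG),                # inherited all the way down
]

def scope_chain(scope):
    """Yield a scope and each of its ancestors up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def is_allowed(principal, operation, resource_id, assignments=ASSIGNMENTS):
    """Default deny: allow only if an in-scope assignment grants a matching operation."""
    ancestors = set(scope_chain(resource_id))
    for who, role, scope in assignments:
        if who == principal and scope in ancestors:
            if any(fnmatchcase(operation, op) for op in ROLE_DEFINITIONS[role]):
                return True
    return False

def manageable_vms(principal, vms=(VM_A, VM_B)):
    """VMs the user may start: the 'manage only specific VMs' scenario."""
    op = "Microsoft.Compute/virtualMachines/start/action"
    return [vm for vm in vms if is_allowed(principal, op, vm)]
```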
How does Tailwind Traders limit the VM
SKUs that can be deployed to DS2_v2, DS3_v2
and DS4_v2?
Limit VM SKU through
Azure policy
How does Tailwind Traders ensure that
production and development resources are
identifiable?
Azure Tag Policy
Azure Policies
Policy: A rule that will be enforced
Azure Policy: Control and Audit Configuration
• Examples
• Enforce VM – Password settings
(min/max length, age, previous passwords)
• Audit: VM – Internal Configuration
• Enforce: Allowed Azure locations
• Enforce: Resource tags
• Enforce: Encryption of storage
Policy definition
# AzureRM module cmdlet (the current Az module equivalent is New-AzPolicyDefinition)
$policy = New-AzureRmPolicyDefinition -Name costCenterTagPolicyDefinition -Description `
  "Policy to deny resource creation if no costCenter tag is provided" -Policy '{
    "if": {
      "not": {
        "field": "tags",
        "containsKey": "costCenter"
      }
    },
    "then": {
      "effect": "deny"
    }
  }'
Enforce naming convention
{
  "if": {
    "not": {
      "field": "name",
      "like": "namePrefix*nameSuffix"
    }
  },
  "then": {
    "effect": "deny"
  }
}
Enforce VM SKUs of basic A series
{
  "properties": {
    "displayName": "Allowed VM Skus",
    "description": "Specifies a set of VM SKUs that your org can deploy.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "like": "Basic_A*"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Enforce VM SKUs using parameters
{
  "properties": {
    "displayName": "Allowed VM Skus",
    "description": "Specifies a set of VM SKUs that your organization can deploy.",
    "parameters": {
      "listOfAllowedSKUs": {"type": "array"}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
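The costCenter tag, naming convention and allowed-SKU policies above share one small rule language. As an added example (not code from the deck or from Azure Policy itself), the evaluator below implements the subset of that language the slides use (allOf, not, field with equals/like/in/containsKey, and parameter references) and runs the three rules against constructed resource documents; the naming pattern "tw-*-prod", the VM documents and the parameter values are my constructed inputs, and the SKU alias is mapped to hardwareProfile.vmSize as it is in a VM resource.

```python
# Added example: evaluator for the subset of the Azure Policy rule language
# used on these slides, run against constructed resource documents.
import re
from fnmatch import fnmatchcase

# Rules from the slides (the naming pattern is a constructed value).
COST_CENTER_TAG = {"if": {"not": {"field": "tags", "containsKey": "costCenter"}},
                   "then": {"effect": "deny"}}
NAMING = {"if": {"not": {"field": "name", "like": "tw-*-prod"}}, "then": {"effect": "deny"}}
ALLOWED_SKUS = {
    "parameters": {"listOfAllowedSKUs": {"type": "array"}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
        "then": {"effect": "deny"}}}
PARAMS = {"listOfAllowedSKUs": ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2"]}
# Alias -> path in the resource document (a VM's size sits under hardwareProfile).
FIELD_ALIASES = {"Microsoft.Compute/virtualMachines/sku.name":
                 ("properties", "hardwareProfile", "vmSize")}
# Constructed resources: one compliant VM and one that breaks all three rules.
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "name": "tw-web-prod",
         "tags": {"costCenter": "1234"}, "properties": {"hardwareProfile": {"vmSize": "Standard_DS2_v2"}}}
VM_BAD = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "tags": {},
          "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v3"}}}

def field_value(field, resource):
    value = resource
    for key in FIELD_ALIASES.get(field, (field,)):
        value = value.get(key) if isinstance(value, dict) else None
    return value

def resolve(value, params):
    """Replace "[parameters('x')]" with the assigned parameter value."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    if "allOf" in cond: return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond: return not matches(cond["not"], resource, params)
    value = field_value(cond["field"], resource)
    if "equals" in cond: return value == resolve(cond["equals"], params)
    if "like" in cond: return value is not None and fnmatchcase(value, cond["like"])
    if "in" in cond: return value in resolve(cond["in"], params)
    if "containsKey" in cond: return isinstance(value, dict) and cond["containsKey"] in value
    raise ValueError(f"unsupported condition: {cond}")

def effect(policy, resource, params=None):
    """Effect ("deny") if the rule's "if" matches, else None (Azure Policy is default-allow)."""
    rule = policy.get("policyRule", policy)
    return rule["then"]["effect"] if matches(rule["if"], resource, params or {}) else None
```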
Comparison Slide
RBAC
• Focuses on actions that can be taken at a specific scope
• "User has permission to deploy virtual machines"
• Default deny unless explicitly allowed
Policy
• Focuses on the properties of resources during deployment and for already existing resources
• "Can deploy only DS series VMs if has the permission to deploy VMs"
• Default allow unless explicitly denied
Azure Policy repository
https://github.com/Azure/azure-policy/
How does Tailwind Traders ensure
that consistent policies apply across
multiple subscriptions?
Create Management
Group
Management Groups
• Allows you to organize access, policies and
compliance across multiple subscriptions
• Up to 10,000 management groups per
directory
• Management Group Tree can support up
to six levels of depth
Root Management Group
• Root management group allows for global
policies to be applied at the directory level
• Created automatically when you first
initiate management groups.
• Includes all subscriptions associated with
the default directory
• Azure AD Global Administrator cannot
assign RBAC roles through root
management group until they have
elevated themselves to User Access
Administrator
Management Group Hierarchy
How does Tailwind Traders ensure that
existing policies are applied to new
subscriptions?
Azure Blueprints
Azure Blueprints diagram (figure not extracted). Labels: Blueprint (ARM Templates, Policy Definitions); Secure foundational resources; Ensure compliance (Subscription A, Subscription B); Version and Update Blueprints.
Azure Governance Technologies
Governance technology        Function
Role Based Access Control    Control what can be done and where it can be done
Azure Policies               Control the properties of resources during and after deployment
Management Groups            Collect together and manage multiple subscriptions
Azure Blueprints             Deploy resources, policies and RBAC controls through a template
Azure Governance
aka.ms/AzGovernance
/MS Learn alert
Complete interactive learning
exercises, watch videos, and
practice and apply your new
skills.
aka.ms/AFUN80MSLearnCollection
/Microsoft Certification alert
Microsoft Certified:
Azure Fundamentals
aka.ms/AzureFunCert
Exclusive offer for Microsoft Ignite The Tour attendees
Free Certification Exam on fundamentals, role-based, or specialty certifications*
Now is your chance to stand out among your peers.
Get certified and prove your expertise to employers and peers and get the recognition and opportunities you've earned. Take advantage of this offer by scheduling a free exam online today.
Resources
Presenters
/Upcoming Session alert
Please customize and use as desired for your locale and related sessions
Invent with purpose.