
Internal Presenter Notes: What Attendees Should Take Away

• Understand RBAC as a governance technology to control permissions
• Understand Azure Policies as a governance technology to control properties of deployed resources
• Understand management groups and blueprints as a method of controlling RBAC and policies across multiple subscriptions
aka.ms/AFUN80 #MSIgniteTheTour
Governance Fundamentals
Speaker name
Title

Resources

Session Resources Hub: aka.ms/AFUN80
Session Code on GitHub: aka.ms/AFUN80Repo
All Event Session Resources: aka.ms/mymsignitethetour

Governance allows you to enforce a set of rules on how resources in the cloud are configured

Azure Governance Challenges
• Control which VMs specific users can manage in the Azure portal
• Limit VM deployment to specific VM SKUs
• Ensure that resources are identified as either belonging to production or development environments
• Manage access, policy, and compliance across multiple subscriptions
• Ensure that new subscriptions apply existing policies

Tailwind Traders can overcome these challenges by implementing Governance technologies built into Azure

How does Tailwind Traders restrict users so that they can only manage specific VMs through the Azure portal?

Role Based Access Control (RBAC) Demo

Role-based access control (RBAC)

Grant only the amount of access to users that they need to perform their jobs.

Can also grant access for resources, resource groups or subscriptions.
Security Principal

• Individuals represented as Azure AD users
• Collections of individuals represented as Azure AD groups
• Services and applications represented by Service Principals

Role Definition

A collection of permissions. Role definitions are defined as a set of operations that can be performed.

Examples: Read, Write, Delete

Scope
Access boundary
Assigned to:
• Management group
• Subscription
• Resource group
• Resource
Structured in parent-child relationship
• Access at parent scope is inherited at child scope

Role Assignment

Azure RBAC Roles vs Azure AD Admin Roles

Azure RBAC Roles: Use these to manage permissions to Azure resources
Azure AD Administrator Roles: Use these to manage permissions to Azure AD resources

Key RBAC Info
• Restrict who can perform what operations on which resources
• Inherited to all children of the assigned scope
• Can be applied to all levels of your hierarchy, all scope types
• Custom roles allow you to change the operations that a role can perform
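To make the scope and inheritance rules above concrete, here is an added Python model of RBAC evaluation. It is not Microsoft code and not from the session repo: role assignments apply at their own scope and at every child scope, and any operation not explicitly granted is denied. The management group tree, the principals (alice, bob), the subset of role definitions, and the resource IDs are constructed samples; real role definitions also carry NotActions and DataActions, which this model leaves out.

```python
"""Toy model of Azure RBAC scope inheritance and default deny.

Added example for this deck, not Microsoft code. Role definitions, assignments,
principals and the management group tree are constructed samples.
"""
from fnmatch import fnmatchcase

# Hierarchy that resource IDs alone do not express: which management group a
# subscription sits under, and the management group tree itself (constructed).
MANAGEMENT_GROUP_PARENT = {
    "/subscriptions/sub-prod": "/providers/Microsoft.Management/managementGroups/Tailwind",
    "/subscriptions/sub-dev": "/providers/Microsoft.Management/managementGroups/Tailwind",
    "/providers/Microsoft.Management/managementGroups/Tailwind":
        "/providers/Microsoft.Management/managementGroups/tenant-root-group",
}

# Role definitions as lists of allowed operations. Wildcards follow Azure's
# convention: "*" matches any operation, "*/read" any read operation. Subset only.
ROLE_DEFINITIONS = {
    "Reader": ["*/read"],
    "Virtual Machine Contributor": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "Owner": ["*"],
}

VM_WEB_01 = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_WEB_02 = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-02"

# Role assignments: (security principal, role definition, scope).
ROLE_ASSIGNMENTS = [
    # Read-only across the whole Tailwind management group, inherited downwards
    ("alice@tailwind.example", "Reader", "/providers/Microsoft.Management/managementGroups/Tailwind"),
    # Manage exactly one VM: the assignment is scoped to that single resource
    ("alice@tailwind.example", "Virtual Machine Contributor", VM_WEB_01),
    # Full control of the dev subscription only
    ("bob@tailwind.example", "Owner", "/subscriptions/sub-dev"),
]


def scope_chain(scope):
    """Return the scopes whose assignments apply to `scope`, root first.

    For a resource ID that is: management group ancestors, the subscription,
    the resource group, and the resource itself.
    """
    scope = scope.rstrip("/")
    chain = []
    if scope.startswith("/subscriptions/"):
        parts = scope.strip("/").split("/")
        subscription = "/subscriptions/" + parts[1]
        chain.append(subscription)
        if len(parts) >= 4 and parts[2] == "resourceGroups":
            chain.append(subscription + "/resourceGroups/" + parts[3])
        if scope != chain[-1]:
            chain.append(scope)
        top = subscription
    else:
        chain.append(scope)
        top = scope
    # Walk up the management group tree to the root
    while top in MANAGEMENT_GROUP_PARENT:
        top = MANAGEMENT_GROUP_PARENT[top]
        chain.insert(0, top)
    return chain


def is_allowed(principal, operation, scope):
    """Default deny: True only if an assignment at `scope` or one of its
    ancestors grants a role whose actions cover `operation`."""
    applicable = set(scope_chain(scope))
    for who, role, assigned_scope in ROLE_ASSIGNMENTS:
        if who != principal or assigned_scope not in applicable:
            continue  # other principal, or assigned at a child/sibling scope
        if any(fnmatchcase(operation, action) for action in ROLE_DEFINITIONS[role]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice@tailwind.example", "Microsoft.Compute/virtualMachines/read", VM_WEB_02),
        ("alice@tailwind.example", "Microsoft.Compute/virtualMachines/start/action", VM_WEB_01),
        ("alice@tailwind.example", "Microsoft.Compute/virtualMachines/start/action", VM_WEB_02),
        ("bob@tailwind.example", "Microsoft.Compute/virtualMachines/delete", VM_WEB_01),
    ]
    for principal, operation, scope in checks:
        verdict = "ALLOW" if is_allowed(principal, operation, scope) else "DENY "
        print(verdict, principal, operation, scope)
```

The two alice checks against vm-web-02 are the point of the model: the Reader assignment at the management group flows down to every VM, but the Virtual Machine Contributor assignment on vm-web-01 grants nothing on its sibling, so the start action is denied there.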
How does Tailwind Traders limit the VM SKUs that can be deployed to DS2_v2, DS3_v2 and DS4_v2?

Limit VM SKU through Azure policy

How does Tailwind Traders ensure that production and development resources are identifiable?

Azure Tag Policy

Azure Policies

Policy: A rule that will be enforced

Initiative: A collection of policies

Assignment: The scope where the policy applies

Azure Policy: Control and Audit Configuration
• Examples
• Enforce: VM – Password settings (min/max length, age, previous passwords)
• Audit: VM – Internal Configuration
• Enforce: Allowed Azure locations
• Enforce: Resource tags
• Enforce: Encryption of storage

Policy definition
# AzureRM cmdlet as shown in the session; in the current Az module the
# equivalent is New-AzPolicyDefinition with the same parameters.
$policy = New-AzureRmPolicyDefinition -Name costCenterTagPolicyDefinition -Description `
  "Policy to deny resource creation if no costCenter tag is provided" -Policy '{
  "if": {
    "not": {
      "field": "tags",
      "containsKey": "costCenter"
    }
  },
  "then": {
    "effect": "deny"
  }
}'
Enforce naming convention
{
  "if": {
    "not": {
      "field": "name",
      "like": "namePrefix*nameSuffix"
    }
  },
  "then": {
    "effect": "deny"
  }
}
Enforce VM SKUs of basic A series
{
  "properties": {
    "displayName": "Allowed VM Skus",
    "description": "Specifies a set of VM SKUs that your org can deploy."
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "like": "Basic_A*"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
(The slide cuts off after "not": {. The rest of the rule is completed here to match the slide title: deny any virtual machine whose SKU name, read through the Microsoft.Compute/virtualMachines/sku.name alias, does not match Basic_A*.)
Enforce VM SKUs using parameters
{
  "properties": {
    "displayName": "Allowed VM Skus",
    "description": "Specifies a set of VM SKUs that your organization can deploy.",
    "parameters": {
      "listOfAllowedSKUs": {"type": "array"}
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "in": "[parameters('listOfAllowedSKUs')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
(The slide cuts off after the type condition. The SKU check is completed here with the same sku.name alias, compared with the "in" condition against the listOfAllowedSKUs parameter; at assignment time that parameter would carry the DS2_v2, DS3_v2 and DS4_v2 SKUs named earlier in the session.)
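The definitions above are data; Azure Policy is the engine that evaluates them. The following added Python example (not Azure code and not from the session repo) is a small offline evaluator for the rule language those definitions use, run over the slides' three rules plus an audit-only environment-tag rule, to show how the if/not/allOf/field conditions, "[parameters(...)]" references, and the deny and audit effects combine into the "default allow unless explicitly denied" behaviour. The resource documents, policy objects, parameter values and the helper names (evaluate, check_resource) are constructed; alias values such as sku.name are stored as flat keys on the sample resources, and assignment parameter values are given directly rather than wrapped in {"value": ...}.

```python
"""Minimal evaluator for the Azure Policy rule language used on these slides.

Added example, not Azure's implementation. Supports field conditions
(equals, like, in, containsKey, exists), the logical operators not/allOf/anyOf,
and "[parameters('name')]" references. Every request is allowed unless a
matching policy has the deny effect; audit records a finding and lets it pass.
"""
import fnmatch
import re

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")
TAG_FIELD = re.compile(r"tags\['([^']+)'\]")


def resolve(value, parameters):
    """Resolve an ARM-style parameter reference; other values pass through."""
    match = PARAM_REF.fullmatch(value) if isinstance(value, str) else None
    return parameters[match.group(1)] if match else value


def field_value(resource, field):
    """Look up a field or alias on the resource; tags['key'] addresses one tag."""
    match = TAG_FIELD.fullmatch(field)
    if match:
        return (resource.get("tags") or {}).get(match.group(1))
    return resource.get(field)


def same(a, b):
    """Azure Policy string comparisons are case-insensitive."""
    return str(a).lower() == str(b).lower()


def evaluate(condition, resource, parameters):
    """Return True when `condition` matches the resource document."""
    if "not" in condition:
        return not evaluate(condition["not"], resource, parameters)
    if "allOf" in condition:
        return all(evaluate(c, resource, parameters) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, parameters) for c in condition["anyOf"])
    actual = field_value(resource, condition["field"])
    if "equals" in condition:
        return actual is not None and same(actual, resolve(condition["equals"], parameters))
    if "like" in condition:
        pattern = resolve(condition["like"], parameters)
        return actual is not None and fnmatch.fnmatchcase(str(actual).lower(), pattern.lower())
    if "in" in condition:
        allowed = resolve(condition["in"], parameters)
        return actual is not None and any(same(actual, v) for v in allowed)
    if "containsKey" in condition:
        key = resolve(condition["containsKey"], parameters)
        return isinstance(actual, dict) and any(same(key, k) for k in actual)
    if "exists" in condition:
        wanted = same(resolve(condition["exists"], parameters), "true")
        return (actual is not None) == wanted
    raise ValueError("unsupported condition: %r" % (condition,))


def check_resource(resource, assignments):
    """Evaluate every assigned policy; return (allowed, [(policy, effect), ...])."""
    allowed, findings = True, []
    for policy in assignments:
        params = policy.get("parameters", {})
        if evaluate(policy["policyRule"]["if"], resource, params):
            effect = policy["policyRule"]["then"]["effect"].lower()
            findings.append((policy["displayName"], effect))
            if effect == "deny":
                allowed = False
    return allowed, findings


# The three rules from the slides plus a constructed audit-only tag rule.
POLICIES = [
    {"displayName": "Require costCenter tag",
     "policyRule": {"if": {"not": {"field": "tags", "containsKey": "costCenter"}},
                    "then": {"effect": "deny"}}},
    {"displayName": "Enforce naming convention",
     "policyRule": {"if": {"not": {"field": "name", "like": "namePrefix*nameSuffix"}},
                    "then": {"effect": "deny"}}},
    {"displayName": "Allowed VM SKUs",
     "parameters": {"listOfAllowedSKUs": ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2"]},
     "policyRule": {"if": {"allOf": [
                        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
                    "then": {"effect": "deny"}}},
    {"displayName": "Audit environment tag",
     "policyRule": {"if": {"field": "tags['environment']", "exists": "false"},
                    "then": {"effect": "audit"}}},
]

# Constructed resource documents as seen at deployment time (alias values flat).
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "name": "namePrefix-web01-nameSuffix",
         "tags": {"costCenter": "1234", "environment": "production"},
         "Microsoft.Compute/virtualMachines/sku.name": "Standard_DS2_v2"}
VM_BAD_SKU = {"type": "Microsoft.Compute/virtualMachines", "name": "namePrefix-web02-nameSuffix",
              "tags": {"costCenter": "1234"},
              "Microsoft.Compute/virtualMachines/sku.name": "Standard_D8s_v3"}
STORAGE_NO_TAG = {"type": "Microsoft.Storage/storageAccounts", "name": "namePrefix-st01-nameSuffix",
                  "tags": {"environment": "development"}}

if __name__ == "__main__":
    for res in (VM_OK, VM_BAD_SKU, STORAGE_NO_TAG):
        print(res["name"], check_resource(res, POLICIES))
```

Note how the allOf in the SKU rule keeps it from touching the storage account at all, while the tag rule applies to every resource type: scoping a rule by type is what keeps a deny policy from blocking deployments it was never meant to govern.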
Comparison Slide

RBAC
• Focuses on actions that can be taken at a specific scope
• “User has permission to deploy virtual machines”
• Default deny unless explicitly allowed

Policy
• Focuses on the properties of resources during deployment and for already existing resources
• “Can deploy only DS series VMs if the user has the permission to deploy VMs”
• Default allow unless explicitly denied
Azure Policy repository
https://github.com/Azure/azure-policy/

How does Tailwind Traders ensure that consistent policies apply across multiple subscriptions?

Create Management Group

Management Groups
• Allows you to organize access, policies and compliance across multiple subscriptions
• Up to 10,000 management groups per directory
• Management Group Tree can support up to six levels of depth

Root Management Group
• Root management group allows for global policies to be applied at the directory level
• Created automatically when you first initiate management groups.
• Includes all subscriptions associated with the default directory
• Azure AD Global Administrator cannot assign RBAC roles through root management group until they have elevated themselves to User Access Administrator
Management Group Hierarchy

How does Tailwind Traders ensure that existing policies are applied to new subscriptions?

Azure Blueprints

Azure Blueprints
Enabling quick, repeatable creation of fully governed environments

1 Ensure compliance
2 Empower DevOps
3 Manage costs

Streamline environment creation
• Centralize environment creation through templates
• Add resources, policies and role access controls
• Track blueprint updates through versioning
• Leverage the integration with Azure Policy on the DevOps lifecycle

Enable compliant development
• Empower developers to create fully governed environments through self-service
• Create multiple dev-ready environments and subscriptions from a centralized location

Lock foundational resources
• Ensure foundational resources cannot be changed by subscription owners
• Manage locks through a centralized location
• Update locked resources through blueprint definition updates
© Microsoft Corporation
Azure Blueprints

1 Cloud Engineer: Create a Blueprint definition and add artifacts
• ARM Templates
• Policy Definitions
• Role-based access controls
• Custom Scripts* (*Coming in June)
2 Secure foundational resources
3 Stamp out environments: Subscription A, Subscription B, Subscription C, …
4 Version and Update Blueprints

Azure Governance Technologies
Governance technology: Function
Role Based Access Control: Control what can be done and where it can be done
Azure Policies: Control the properties of resources during and after deployment
Management Groups: Collect together and manage multiple subscriptions
Azure Blueprints: Deploy resources, policies and RBAC controls through a template

Azure Governance Challenges
• Control which VMs specific users can manage in the Azure portal
• Limit VM deployment to specific VM SKUs
• Ensure that resources are identified as either belonging to production or development environments
• Manage access, policy, and compliance across multiple subscriptions
• Ensure that new subscriptions apply existing policies

/Docs alert
Explore overviews, tutorials, samples, and more.

Azure Governance: aka.ms/AzGovernance
Role Based Access Control: https://aka.ms/AzAccessControl
Azure Policy: aka.ms/AzurePolicies
Azure Blueprints: https://aka.ms/Az-Blueprints

/MS Learn alert
Complete interactive learning
exercises, watch videos, and
practice and apply your new
skills.
aka.ms/AFUN80MSLearnCollection

/Microsoft Certification alert
Microsoft Certified: Azure Fundamentals
aka.ms/AzureFunCert

Get hired, stay ahead, and receive the recognition you deserve

Exclusive offer for Microsoft Ignite The Tour attendees
Free Certification Exam on fundamentals, role-based, or specialty certifications*
aka.ms/FreeExam_MSIgnite

Now is your chance to stand out among your peers.
Get certified and prove your expertise to employers and peers and get the recognition and opportunities you've earned. Take advantage of this offer by scheduling a free exam online today.

Learn more about Microsoft Certifications: Microsoft.com/Certifications
Begin with free online training: Microsoft.com/Learn
Find a Learning Partner to help you prepare: aka.ms/LearningPartner

Limited to one (1) per attendee. Subject to terms and conditions. Please see website for details.
*Free exams include only those with the following prefixes: AI, AZ, DP, MB, MD, MS, and PL

Resources

Session Resources: aka.ms/AFUN80
Session Code on GitHub: aka.ms/AFUN80Repo
All Event Resources: aka.ms/mymsignitethetour

Get Certified: aka.ms/AzureFunCert
Azure Fundamentals: You’re on your way to being certified! aka.ms/app10certification

Presenters
/Upcoming Session alert
Please customize and use as desired for your locale and related sessions

INSERT RELATED SESSION NAME: TIME, Room/Location
INSERT RELATED SESSION NAME: TIME, Room/Location
APPS40: Managing Delivery of Your App via DevOps: 3:15 p.m., Room 305

Invent with purpose.
