Azure Portal / Azure AD - Giving access to virtual machines and network

Azurebegginer 146 Reputation points
2020-05-25T15:27:01.857+00:00

Hello,

Hope you are well. We are moving a team of resources (System admin, Network etc.) who are managing the on-premises environment to managing the Azure environment.

Do I need to create their IDs in Azure AD first, then add these IDs to the Contributor role at resource group/resource level in the Azure portal?

For example, I have a resource group for virtual machines. So I create a Systemadmingroup (Assigned) in Azure AD and then create a user for the system admin (Users1) and add it to the Systemadmingroup group.

Then I add this group - Systemadmingroup - to the Contributor role for the resource group created for the virtual machines.

Is this the right approach?

Please guide.


Accepted answer

Stephane Budo 426 Reputation points
2020-05-25T23:29:19.933+00:00

Hi,

Jai is correct in that you can create a sync between your on-premises Active Directory and Azure Active Directory using a tool called "AAD Connect". This tool will ensure that the users and groups you create and maintain on-premises are replicated to Azure.
More information here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

In regards to the management (and security) of each resource in Azure, there are a lot of different ways to structure this, but your approach is correct.
Each resource in Azure has to be part of a Resource Group, each Resource Group has to be part of a Subscription and each Subscription has to be part of an Azure Active Directory (or tenancy).
With that in mind, the security gets inherited down by default, so if you assign the Contributor role to a user at the Subscription level, by default this user will have the Contributor role on all the Resource Groups and Resources created in that Subscription. The same is true for each Resource Group, whereby if a user gets Contributor access to a Resource Group, it will inherit Contributor access to all the resources in the group, but NOT to any other Resource Group.
This principle goes down to each resource.

I would not recommend assigning permissions to a specific resource unless absolutely necessary, as the management would quickly become a nightmare, so your approach of assigning permissions at the Resource Group level is a good one. In the same way, it's also preferable to assign permissions to a user group as opposed to individual users.
If you wanted to compare it to an on-premises technology (analogy), think of it like a file share, containing folders, containing files (where files are resources, folders are resource groups and file shares are subscriptions). You would rarely assign permissions to a specific file, but instead assign permissions to folders based on groups of users and not individual user accounts.

This is known as RBAC (Role-Based Access Level). More information here:
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Hope this helps, but let me know if you need any more clarification.

Cheers,

Stephane

2 people found this answer helpful.
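The inheritance rule in the accepted answer, as an added example that is not part of the original thread or of any Microsoft tool: a small Python model of Azure RBAC scope evaluation, where a role assigned at a subscription or resource group scope flows down to everything nested under it but never to a sibling resource group. The group names, user names and subscription ID are constructed for illustration; the `principals_for`, `scope_covers` and `effective_roles` functions are this example's own, not an Azure API.

```python
"""Model of Azure RBAC scope inheritance as described in the accepted answer.

Scopes nest: subscription -> resource group -> resource. A role assignment at
a scope applies there and to everything beneath it, but never to a sibling
scope. All names and IDs below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed Azure AD group memberships (group -> member users)
GROUP_MEMBERS = {
    "Systemadmingroup": {"Users1"},
    "Networkadmingroup": {"Users2"},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group (display name stands in for the object ID)
    role: str       # e.g. "Contributor"
    scope: str      # ARM resource ID the role is granted on

def principals_for(user):
    """A user acts as itself plus every group it belongs to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}

def scope_covers(assignment_scope, target_scope):
    """True when target is the assignment scope or nested under it. The '/'
    boundary stops '.../resourceGroups/vm-rg' matching '.../vm-rg2'."""
    a = assignment_scope.rstrip("/").lower()  # ARM IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def effective_roles(user, target_scope, assignments):
    """Roles a user holds on target_scope, directly or via group membership."""
    ids = principals_for(user)
    return {a.role for a in assignments
            if a.principal in ids and scope_covers(a.scope, target_scope)}

# Constructed assignments: the asker's group gets Contributor on the VM RG only
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_RG = SUB + "/resourceGroups/vm-rg"
NET_RG = SUB + "/resourceGroups/network-rg"
VM01 = VM_RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
ASSIGNMENTS = [
    RoleAssignment("Systemadmingroup", "Contributor", VM_RG),
    RoleAssignment("Networkadmingroup", "Contributor", NET_RG),
    RoleAssignment("Users3", "Reader", SUB),  # inherited by every RG and resource
]

if __name__ == "__main__":
    print(effective_roles("Users1", VM01, ASSIGNMENTS))    # {'Contributor'}
    print(effective_roles("Users1", NET_RG, ASSIGNMENTS))  # set()
```

Users1 reaches the VM through Systemadmingroup's assignment on vm-rg, gets nothing on network-rg, and a subscription-level Reader assignment shows up on every scope beneath it.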

1 additional answer

Jai Verma 461 Reputation points
2020-05-25T15:36:44.923+00:00

I assume you are not syncing users and groups from on-premises and want to provision separate identities. In that situation, the plan sounds good.

Alternatively, you can sync your users and groups to the cloud and leverage on-premises groups. Your life will be easy and you will get leaver, mover, joiner out of the box.

1 person found this answer helpful.