Enterprise-scale identity and access management for Azure VMware Solution

This article builds on the information found in Identity and access management and Azure VMware Solution identity concepts.

Use this information to examine design considerations and recommendations for identity and access management that's specific to the deployment of Azure VMware Solution.

Identity requirements for Azure VMware Solution vary according to its implementation in Azure. The information provided in this article is based on the most common scenarios.

Design considerations

After you deploy Azure VMware Solution, the new environment's vCenter Server contains a built-in local user, cloudadmin, which is assigned the CloudAdmin role. That role grants most, but not all, vCenter Server privileges: Microsoft retains control of the ESXi hosts and the underlying SDDC components. You can create custom roles in your Azure VMware Solution environment that carry fewer privileges and assign them with role-based access control (RBAC), following the principle of least privilege.

Design recommendations

  • As part of the identity and access management enterprise-scale landing zone, deploy an Active Directory Domain Services (AD DS) domain controller in the identity subscription.

  • Limit the number of users assigned the CloudAdmin role. Give everyone else a custom role that carries only the privileges their job needs.

  • Use caution when rotating the cloudadmin and NSX-T admin passwords: rotation invalidates the current credential, so update any integration that authenticates with it (such as VMware HCX, backup, or monitoring tooling) and coordinate the change with the operators who use it.

  • Scope Azure role-based access control (RBAC) for Azure VMware Solution to the resource group where the private cloud is deployed, and grant it only to the users who manage Azure VMware Solution. Avoid subscription-wide assignments for this purpose.

  • Apply vSphere permissions at the lowest level of the inventory hierarchy that meets the need: assign custom roles at the VM folder or resource pool that a team owns rather than higher in the tree. Avoid applying permissions at or above the datacenter level, because they propagate to every object beneath it.

  • Update Active Directory Sites and Services to direct Azure and Azure VMware Solution AD DS traffic to the appropriate domain controllers.

  • Use the Run command in your private cloud to:

    • Add an AD DS domain controller as an LDAP identity source for vCenter Server and NSX-T Data Center. Prefer LDAPS so that bind credentials and user lookups aren't sent in cleartext.

    • Manage the membership of the vsphere.local\CloudAdmins group (add and remove Active Directory groups).

  • Create groups in Active Directory and use RBAC to manage access to vCenter Server and NSX-T Data Center. Create custom roles and assign them to the Active Directory groups rather than to individual users, so that access follows group membership and is revoked when a user leaves the group.
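The following PowerCLI script is an added example, not code from the original article or from Microsoft. It puts the three vSphere recommendations above together: it builds a least-privilege custom role from the privileges cloudadmin actually holds, grants that role to an Active Directory group on a single VM folder only, and then audits the inventory for permissions applied at the root folder or at a datacenter. The vCenter FQDN, the folder name App-Team-A, the AD group CONTOSO\AVS-AppTeamA-Operators, and the role name AVS-VM-Operator are assumptions; it also assumes the AD DS identity source has already been added to vCenter Server with the Run command.

```powershell
# Added example, not part of the original article. Requires the VMware.PowerCLI
# module and an Azure VMware Solution vCenter Server with an AD DS identity source.
# Assumed values: vCenter FQDN, VM folder 'App-Team-A', AD group
# 'CONTOSO\AVS-AppTeamA-Operators', custom role name 'AVS-VM-Operator'.

$vcServer = 'vc.abcd1234.abcdef.eastus.avs.azure.com'   # assumed: your private cloud's vCenter FQDN
$roleName = 'AVS-VM-Operator'                            # assumed: custom role to create
$folder   = 'App-Team-A'                                 # assumed: an existing VM folder the team owns
$adGroup  = 'CONTOSO\AVS-AppTeamA-Operators'             # assumed: AD group from the identity source

# cloudadmin is a local SSO account; prompt for the password instead of embedding it.
$cred = Get-Credential -UserName 'cloudadmin@vsphere.local' -Message 'cloudadmin password'
Connect-VIServer -Server $vcServer -Credential $cred | Out-Null

# 1. Build the custom role from the CloudAdmin role's own privileges.
#    cloudadmin can't grant privileges it doesn't hold, so start from what it has
#    and keep only what a VM operator needs (power and snapshot operations here).
$cloudAdminPrivs = Get-VIPrivilege -Role (Get-VIRole -Name 'CloudAdmin')
$wanted = @(
    'VirtualMachine.Interact.PowerOn',  'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot'
)
$privs = $cloudAdminPrivs | Where-Object { $_.Id -in $wanted }
$missing = $wanted | Where-Object { $_ -notin $privs.Id }
if ($missing) {
    Write-Warning "Not available to cloudadmin, skipped: $($missing -join ', ')"
}
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege $privs | Out-Null
}

# 2. Grant the role to the AD group on the team's VM folder only. Propagate so the
#    VMs beneath the folder are covered, but nothing outside it.
$entity = Get-Folder -Name $folder -Type VM
New-VIPermission -Entity $entity -Principal $adGroup -Role $roleName -Propagate:$true | Out-Null

# 3. Audit: list permissions applied at the root folder or at any datacenter.
#    Anything here propagates to the whole inventory and should be justified.
$broadEntityIds = @((Get-Folder -NoRecursion).Id) + @(Get-Datacenter | ForEach-Object { $_.Id })
Get-VIPermission |
    Where-Object { $_.EntityId -in $broadEntityIds } |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

The audit in step 3 is the check to run on a schedule: the built-in vsphere.local administrators and the CloudAdmins group will appear at the top of the hierarchy by design, so treat any other principal in that output as a finding to review.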

Next steps

Learn about network topology and connectivity for an Azure VMware Solution enterprise-scale scenario. Examine design considerations and best practices about networking and connectivity with Microsoft Azure and Azure VMware Solution.