Use this information to examine design considerations and recommendations for identity and access management that are specific to the deployment of Azure VMware Solution.
Identity requirements for Azure VMware Solution vary according to its implementation in Azure. The information provided in this article is based on the most common scenarios.
Design considerations
After you deploy Azure VMware Solution, the new environment's vCenter Server contains a built-in local user called cloudadmin in the vsphere.local domain. This user is assigned the CloudAdmin role, which carries a restricted subset of vCenter Server privileges rather than the full Administrator role, because Microsoft manages the underlying hosts and the vCenter Server itself. You can also create custom roles in your Azure VMware Solution environment that follow the principle of least privilege, using role-based access control (RBAC).
Design recommendations
As part of the identity and access management enterprise-scale landing zone, deploy an Active Directory Domain Services (AD DS) domain controller in the identity subscription.
Limit the number of users that you assign the CloudAdmin role. Use custom roles and least privilege to assign users to Azure VMware Solution.
Limit Azure role-based access control (RBAC) permissions for Azure VMware Solution to the resource group where the private cloud is deployed, and grant them only to the users who need to manage Azure VMware Solution.
Configure vSphere permissions with custom roles at the lowest level of the inventory hierarchy that meets the need. Apply permissions at the appropriate VM folder or resource pool, and avoid applying them at or above the datacenter level, where they propagate to every object beneath it.
Update Active Directory Sites and Services to direct Azure and Azure VMware Solution AD DS traffic to the appropriate domain controllers.
Add the AD DS domain as an identity source for vCenter Server and NSX-T Data Center, using LDAPS (LDAP over TLS) so that credentials and directory traffic between the private cloud and the domain controllers are encrypted.
Manage the lifecycle of the vsphere.local\CloudAdmins group: review its membership regularly, and add or remove members as people change roles or leave.
Create groups in Active Directory and use RBAC to manage vCenter Server and NSX-T Data Center. You can create custom roles and assign Active Directory groups to the custom roles.
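The recommendations above describe two separate permission layers: Azure RBAC on the private cloud resource, and vSphere permissions inside vCenter Server. The following PowerShell script is an added example, not code from this article or from Microsoft, showing both layers applied with least privilege and finishing with a check for permissions granted too high in the vSphere inventory. It assumes the Az and VMware.PowerCLI modules are installed, that AD DS has already been added as an identity source so the AD group is resolvable in vCenter Server, and that the resource group name, group identifiers, vCenter Server FQDN, folder name, and role names are placeholders you replace with your own.

```powershell
# Added example (not from the page or from Microsoft): least-privilege delegation
# for an Azure VMware Solution private cloud in two layers. All names below are
# placeholders (assumptions), not values from the article.

# ---------- Layer 1: Azure RBAC scoped to the private cloud's resource group ----------
# Assumption: the private cloud lives in 'rg-avs-prod' and the operators are a
# Microsoft Entra ID group whose object id is $avsOpsGroupId.
$rg            = 'rg-avs-prod'
$avsOpsGroupId = '00000000-0000-0000-0000-000000000000'
$rgScope       = (Get-AzResourceGroup -Name $rg).ResourceId

# Build a custom role from the Reader definition, limited to the Microsoft.AVS
# resource provider and assignable only inside this resource group. Narrow the
# action list further once you know which operations the team actually performs.
$roleDef             = Get-AzRoleDefinition -Name 'Reader'
$roleDef.Id          = $null
$roleDef.Name        = 'AVS Private Cloud Operator'
$roleDef.Description = 'Operate the AVS private cloud in rg-avs-prod only'
$roleDef.Actions.Clear()
$roleDef.Actions.Add('Microsoft.AVS/*')
$roleDef.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$roleDef.AssignableScopes.Clear()
$roleDef.AssignableScopes.Add($rgScope)
New-AzRoleDefinition -Role $roleDef | Out-Null

# Assign the role to the group at resource-group scope, never at the subscription.
New-AzRoleAssignment -ObjectId $avsOpsGroupId -RoleDefinitionName $roleDef.Name -Scope $rgScope

# ---------- Layer 2: vSphere custom role applied at a VM folder, not the datacenter ----------
$vcenter  = 'vc.<private-cloud>.avs.azure.com'   # placeholder; take the real FQDN from the portal
$adGroup  = 'CONTOSO\AVS-VM-Operators'            # AD DS group, resolvable once AD is an identity source
$roleName = 'AVS-VM-Operator'
$folder   = 'Workloads-Prod'                      # VM folder the team owns

# cloudadmin is used only to bootstrap delegation; day-to-day work then runs as AD users.
$cred = Get-Credential -UserName 'cloudadmin@vsphere.local' -Message 'cloudadmin password'
Connect-VIServer -Server $vcenter -Credential $cred | Out-Null

# Day-to-day VM operation privileges only: no host, network, datastore or
# permission management. vCenter adds the System.* privileges automatically.
$privilegeIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)
$privileges = Get-VIPrivilege -Id $privilegeIds

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Grant the AD group the custom role on its own folder and let it propagate to
# the VMs inside; nothing outside the folder is affected.
$entity = Get-Folder -Name $folder -Type VM
New-VIPermission -Entity $entity -Principal $adGroup -Role $role -Propagate:$true | Out-Null

# ---------- Check: nothing granted at or above the datacenter level ----------
# Get-VIPermission returns only explicit permissions unless -Inherited is set, so
# this lists exactly what was assigned on the root folder and the datacenter.
# Anything here that is not a built-in vsphere.local principal is a finding.
$topLevel = @(Get-Folder -NoRecursion) + @(Get-Datacenter)
$findings = Get-VIPermission -Entity $topLevel |
    Where-Object { $_.Principal -notlike 'VSPHERE.LOCAL\*' } |
    Select-Object Principal, Role, @{ n = 'Entity'; e = { $_.Entity.Name } }, Propagate

if ($findings) {
    Write-Warning 'Permissions found at or above the datacenter level; review and move them lower:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No non-built-in permissions at the root or datacenter level.'
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run the Azure section as a user who can create role definitions in the subscription, and the vSphere section once per team or folder rather than once per user; adding and removing people then becomes an AD group membership change, which is what lets the CloudAdmin role stay with a handful of break-glass accounts.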
Next steps
Learn about network topology and connectivity for an Azure VMware Solution enterprise-scale scenario. Examine design considerations and best practices about networking and connectivity with Microsoft Azure and Azure VMware Solution.
Learn about various strategies for managing identities and access to resources, including hybrid and multicloud scenarios, external identities, and conditional access.