Azure Governance and Compliance

The following is from the Azure Administrator Training lab for AZ-103.

Management Groups

If your organization has several subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. Management groups enable:

  • Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.
  • Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.
  • Compliance and cost reporting by organization (business/teams).

All subscriptions within a management group automatically inherit the conditions applied to the management group. For example, you can apply a policy to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions, and resources under that management group, so VMs can only be created in the allowed regions.

✔️ Management groups are a relatively new concept in Azure. For more information, you can see: Organize your resources with Azure management groups – https://docs.microsoft.com/en-us/azure/azure-resource-manager/management-groups-overview

Creating Management Groups

You can create a management group by using the portal, PowerShell, or Azure CLI. Currently, you can’t use Resource Manager templates to create management groups.

  • The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier is not editable after creation as it is used throughout the Azure system to identify this group.
  • The Display Name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.

Within PowerShell, use the New-AzManagementGroup cmdlet:

New-AzManagementGroup -GroupName 'Contoso'

To show a different name for the management group within the Azure portal, add the DisplayName parameter with the desired string:

New-AzManagementGroup -GroupName 'Contoso' -DisplayName 'Contoso Development'

Azure Subscriptions

An Azure subscription is a logical unit of Azure services that is linked to an Azure account. Billing for Azure services is done on a per-subscription basis. If your account is the only account associated with a subscription, then you are responsible for billing. Subscriptions help you organize access to cloud service resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by department, project, regional office, and so on. Every cloud service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Azure accounts

Subscriptions have accounts. An Azure account is simply an identity in Azure Active Directory (Azure AD) or in a directory that is trusted by Azure AD, such as a work or school organization. If you don’t belong to one of these organizations, you can sign up for an Azure account by using your Microsoft Account, which is also trusted by Azure AD.

Getting access to resources

Every Azure subscription is associated with an Azure Active Directory. Users and services that access resources of the subscription first need to authenticate with Azure Active Directory. Typically, to grant a user access to your Azure resources, you would add them to the Azure AD directory associated with your subscription. The user will then have access to all the resources in your subscription. This is an all-or-nothing operation that may give that user access to more resources than you anticipated.

✔️ Do you know how many subscriptions your organization has? Do you know how resources are organized into resource groups?

Getting a Subscription

There are several ways to get an Azure subscription: Enterprise agreements, Microsoft resellers, Microsoft partners, and a personal free account.

Enterprise agreements

Any Enterprise Agreement customer can add Azure to their agreement by making an upfront monetary commitment to Azure. That commitment is consumed throughout the year by using any combination of the wide variety of cloud services Azure offers from its global datacenters. Enterprise agreements have a 99.95% monthly SLA.

Reseller

Buy Azure through the Open Licensing program, which provides a simple, flexible way to purchase cloud services from your Microsoft reseller. If you already purchased an Azure in Open license key, activate a new subscription or add more credits now.

Partners

Find a Microsoft partner who can design and implement your Azure cloud solution. These partners have the business and technology expertise to recommend solutions that meet the unique needs of your business.

Personal free account

With a free trial account you can get started using Azure right away and you won’t be charged until you choose to upgrade.

✔️ Which subscription model are you most interested in? For more information, you can see:

Solution providers – https://www.microsoft.com/en-us/solution-providers/home

Subscription Usage

Azure offers free and paid subscription options to suit different needs and requirements. The most commonly used subscriptions are:

  • Free
  • Pay-As-You-Go
  • Enterprise Agreement
  • Student

Azure free subscription

An Azure free subscription includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free. This is an excellent way for new users to get started. To set up a free subscription, you need a phone number, a credit card, and a Microsoft account. Note: Credit card information is used for identity verification only. You won’t be charged for any services until you upgrade.

Azure Pay-As-You-Go subscription

A Pay-As-You-Go (PAYG) subscription charges you monthly for the services you used in that billing period. This subscription type is appropriate for a wide range of users, from individuals to small businesses, and many large organizations as well.

Azure Enterprise Agreement

An Enterprise Agreement provides flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance. It’s targeted at enterprise-scale organizations.

Azure for Students subscription

An Azure for Students subscription includes $100 in Azure credits to be used within the first 12 months plus select free services without requiring a credit card at sign-up. You must verify your student status through your organizational email address.

Subscription User Types

An Azure account determines how Azure usage is reported and who the Account Administrator is. Accounts and subscriptions are created in the Azure Account Center. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

There are three roles related to Azure accounts and subscriptions:

Administrative role | Limit | Summary
Account Administrator | 1 per Azure account | Authorized to access the Account Center (create subscriptions, cancel subscriptions, change billing for a subscription, change Service Administrator). This role has full control over the subscription and is the account that is responsible for billing.
Service Administrator | 1 per Azure subscription | Authorized to access the Azure Management Portal for all subscriptions in the account. By default, the same as the Account Administrator when a subscription is created. This role has control over all the services in the subscription.
Co-Administrator | 200 per subscription (in addition to the Service Administrator) | Same as the Service Administrator but can’t change the association of subscriptions to Azure directories.


Account administrator

The Account Administrator for a subscription is the only person with access to the Account Center. The Account Administrator does not have any other access to services in that subscription; they need to also be the Service Administrator or a Co-Administrator for that. For security reasons, the Account Administrator for a subscription can only be changed with a call to Azure support. The Account Administrator can easily reassign the Service Administrator for a subscription at the Account Center at any time.

Service Administrator and Co-Administrator

The Service Administrator is the first Co-Administrator for a subscription. Like other Co-Administrators, the Service Administrator has management access to cloud resources using the Azure Management Portal, as well as tools like Visual Studio, other SDKs, and command line tools like PowerShell. The Service Administrator can also add and remove other Co-Administrators. Co-Administrators can’t delete the Service Administrator from the Azure Management Portal; only the Account Administrator can change this assignment at the Account Center. The Service Administrator is the only user authorized to change a subscription’s association with a directory in the Azure Management Portal.

✔️ Account Administrators using a Microsoft account must log in every 2 years (or more frequently) to keep the account active. Inactive accounts are cancelled, and the related subscriptions removed. There are no login requirements if using a work or school account.

Check Resource Limits

Azure provides the ability to see the number of each network resource type that you’ve deployed in your subscription and what your subscription limits are. The ability to view resource usage against limits is helpful to track current usage and plan for future use. In the lab’s example, there are two Public IP addresses in South Central US and the limit is 60.

The limits shown are the limits for your subscription. If you need to increase a default limit, there is a Request Increase link. You will complete and submit the support request. All resources have a maximum limit listed in Azure limits. If your current limit is already at the maximum number, the limit can’t be increased.

Resource Tags

You can apply tags to your Azure resources to logically organize them by categories. Each tag consists of a name and a value. For example, you can apply the name “Environment” and the value “Production” or “Development” to your resources. After creating your tags, you associate them with the appropriate resources. With tags in place, you can retrieve all the resources in your subscription with that tag name and value. This means you can retrieve related resources from different resource groups.

Perhaps one of the best uses of tags is to group billing data. When you download the usage CSV for services, the tags appear in the Tags column. For example, you could group virtual machines by cost center and production environment.

There are a few things to consider about tagging:

  • Each resource or resource group can have a maximum of 15 tag name/value pairs.
  • Tags applied to the resource group are not inherited by the resources in that resource group.

✔️ If you need to create a lot of tags, you will want to do that programmatically, using PowerShell or the CLI.
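Because tags on a resource group are not inherited, a common programmatic job is pushing the group's tags down to the resources inside it. The script below is an added example, not the lab's code; it assumes Az.Resources, an active session, and that the resource group name is a placeholder.

```powershell
# Added example (not from the lab): copy a resource group's tags down to the
# resources inside it, since tags on the group are not inherited, while
# respecting the per-resource tag limit quoted in the lab text.
$ResourceGroupName = 'Contoso-Prod-RG'   # placeholder name
$TagLimit          = 15                  # limit stated in the lab text

$group = Get-AzResourceGroup -Name $ResourceGroupName
if (-not $group.Tags -or $group.Tags.Count -eq 0) {
    throw "Resource group '$ResourceGroupName' has no tags to propagate."
}

foreach ($resource in Get-AzResource -ResourceGroupName $ResourceGroupName) {
    # Collect only the group tags the resource lacks: a value already set on
    # the resource is deliberate and is never overwritten.
    $existing = if ($resource.Tags) { $resource.Tags } else { @{} }
    $missing  = @{}
    foreach ($name in $group.Tags.Keys) {
        if (-not $existing.ContainsKey($name)) { $missing[$name] = $group.Tags[$name] }
    }
    if ($missing.Count -eq 0) { continue }

    $total = $existing.Count + $missing.Count
    if ($total -gt $TagLimit) {
        Write-Warning ("{0}: skipped, {1} tags would exceed the limit of {2}" -f $resource.Name, $total, $TagLimit)
        continue
    }

    # Merge adds the new pairs and leaves the resource's existing tags intact.
    Update-AzTag -ResourceId $resource.ResourceId -Tag $missing -Operation Merge | Out-Null
    Write-Output ("{0}: added {1}" -f $resource.Name, ($missing.Keys -join ', '))
}

# With the tags in place, related resources can be pulled back across resource
# groups by a single name/value pair, e.g. for grouping the billing CSV.
if ($group.Tags.ContainsKey('Environment')) {
    Get-AzResource -TagName 'Environment' -TagValue $group.Tags['Environment'] |
        Select-Object Name, ResourceGroupName, ResourceType
}
```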

Billing

The Pricing Calculator provides estimates in all areas of Azure including compute, networking, storage, web, and databases.

Billing Alerts help you monitor and manage billing activity for your Azure accounts. Billing alerts are available from the Account portal. You can set up a total of five billing alerts per subscription, with a different threshold and up to two email recipients for each alert. Monthly budgets are evaluated against spending every four hours. Budgets reset automatically at the end of a period.

Reservations help you save money by pre-paying for one or three years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying gets you a discount on the resources you use. Reservations can reduce your virtual machine, SQL Database compute, Azure Cosmos DB, or other resource costs by up to 72% compared to pay-as-you-go prices. Reservations provide a billing discount and don’t affect the runtime state of your resources.

Budgets help you plan for and drive organizational accountability. With budgets, you can account for the Azure services you consume or subscribe to during a specific period. They help you inform others about their spending to proactively manage costs, and to monitor how spending progresses over time. When the budget thresholds you’ve created are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn’t stopped. You can use budgets to compare and track spending as you analyze costs.

For more information, you can see: Pricing Calculator – https://azure.microsoft.com/en-us/pricing/calculator/

RBAC Concepts

Managing access to resources in Azure is a critical part of an organization’s security and compliance requirements. Role-based access control (RBAC) is the capability for you to grant appropriate access to Azure AD users, groups, and services. RBAC is configured by selecting a role (the definition of what actions are allowed and/or denied), then associating the role with a user, group or service principal. Finally, this combination of role and user/group/service principal is scoped to either the entire subscription, a resource group, or specific resources within a resource group.

RBAC Roles

A role is a collection of actions that can be performed on Azure resources. A user or a service can perform an action on an Azure resource if they have been assigned a role that contains that action. There are many built-in roles. Three of the most common roles are Owner, Contributor and Reader.

Role name | Description
Owner | Owners can manage everything, including access.
Contributor | Contributors can manage everything except access.
Reader | Readers can view everything but can’t make changes.

Using the Portal to implement RBAC

You can use the Azure Portal to make your role assignments. In the lab’s example, the Contoso Blue AD resource group shows the current roles and scopes on the Access Control (IAM) blade. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.

✔️ Users and groups are sourced from Azure Active Directory, which is commonly populated with credentials from on-premises directories, such as Active Directory. Note that RBAC access that you grant at parent scopes is inherited at child scopes.

Administrator Permissions

Using Azure AD, you can designate separate administrators to serve different functions. Administrators can be designated in the Azure AD portal to perform tasks such as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names.

Global administrator

The global administrator has access to all administrative features. By default, the person who signs up for an Azure subscription is assigned the global administrator role for the directory. Only global administrators can assign other administrator roles.

Viewing role membership

You can see and manage all the members of the administrator roles in the Azure Active Directory portal. When you’re viewing a role’s members, you can see the complete list of permissions granted by the role assignment. This includes links to relevant documentation to help guide you through managing directory roles.

Role Assignment

Access does not need to be granted to the entire subscription. Roles can also be assigned for resource groups as well as for individual resources. In Azure RBAC, a resource inherits role assignments from its parent resources. So if a user, group, or service is granted access to only a resource group within a subscription, they will be able to access only that resource group and the resources within it, and not the other resource groups within the subscription. As another example, a security group can be added to the Reader role for a resource group, but be added to the Contributor role for a database within that resource group.

A role assignment is created that associates a security principal to a role. The role is further used to grant access to a resource scope. This decoupling allows you to specify that a specific role has access to a resource in your subscription and add/remove security principals from that role in a loosely connected manner. Roles can be assigned to the following types of Azure AD security principals:

  • Users. Roles can be assigned to organizational users that are in the Azure AD with which the Azure subscription is associated. Roles can also be assigned to external Microsoft accounts that exist in the same directory.
  • Groups. Roles can be assigned to Azure AD security groups. A user is automatically granted access to a resource if the user becomes a member of a group that has access. The user also automatically loses access to the resource after getting removed from the group. A best practice is to manage access through groups by assigning roles to those groups and adding users – instead of assigning roles directly to users.
  • Service principals. Service identities are represented as service principals in the directory. They authenticate with Azure AD and securely communicate with one another. Services can be granted access to Azure resources by assigning roles through the Azure module for Windows PowerShell to the Azure AD service principal representing that service.

Role Definitions

Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role. For example,

Name: Owner
Id: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}

In this example the Owner role means all (asterisk) actions, no denied actions, and all (/) scopes. This information is available with the Get-AzRoleDefinition cmdlet (Get-AzureRmRoleDefinition in the older AzureRM module).

Actions and NotActions

The Actions and NotActions properties can be tailored to grant and deny the exact permissions you need. Review this table to see how Owner, Contributor, and Reader are defined.

Built-in Role | Actions | NotActions
Owner (allow all actions) | * | (none)
Contributor (allow all actions except writing or deleting role assignments) | * | Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action
Reader (allow all read actions) | */read | (none)

Scope your role

Defining the Actions and NotActions properties is not enough to fully implement a role. You must also properly scope your role. The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the custom role is available for assignment. You can make the custom role available for assignment in only the subscriptions or resource groups that require it, and not clutter the user experience for the rest of the subscriptions or resource groups.

  • /subscriptions/[subscription id]
  • /subscriptions/[subscription id]/resourceGroups/[resource group name]
  • /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]

Example 1: Make a role available for assignment in two subscriptions.

"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"

Example 2: Make a role available for assignment only in the Network resource group.

"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"
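A custom role built from the Actions, NotActions and AssignableScopes properties just described, then assigned to an Azure AD group (the best practice from the Role Assignment section) at the Network resource group. This is an added example, not the lab’s code; it assumes Az.Resources and an active session, the subscription id is a placeholder, and the 'VM Operators' group and 'Contoso VM Operator' role name are assumed.

```powershell
# Added example (not from the lab): a least-privilege custom role that can
# operate VMs but not create, delete or run code on them, offered only in one
# resource group and granted to a group rather than to individual users.
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroupName = 'Network'
$OperatorGroupName = 'VM Operators'                            # assumed Azure AD group

# Start from a built-in definition so the object has the right shape, then
# replace everything that identifies it.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Contoso VM Operator'
$role.Description = 'Start, stop and restart VMs; no create, delete or code execution.'

# Actions: everything on virtual machines, plus the read needed to browse groups.
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/*')
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')

# NotActions subtract from Actions: take back the destructive and privileged
# operations that the wildcard would otherwise grant.
$role.NotActions.Clear()
$role.NotActions.Add('Microsoft.Compute/virtualMachines/write')
$role.NotActions.Add('Microsoft.Compute/virtualMachines/delete')
$role.NotActions.Add('Microsoft.Compute/virtualMachines/runCommand/action')
$role.NotActions.Add('Microsoft.Compute/virtualMachines/extensions/write')

# AssignableScopes: the role is only offered for assignment in this one
# resource group (as in Example 2 above), not across the whole subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName")

$created = New-AzRoleDefinition -Role $role

# Assign the role to the group at the resource group scope; members inherit it
# and lose it again when they leave the group.
$group = Get-AzADGroup -DisplayName $OperatorGroupName
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName $created.Name `
                     -ResourceGroupName $ResourceGroupName | Out-Null

# Verify the effective definition and the assignment.
Get-AzRoleDefinition -Name $created.Name |
    Select-Object Name, Actions, NotActions, AssignableScopes
Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName -RoleDefinitionName $created.Name |
    Select-Object DisplayName, ObjectType, Scope
```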

User Accounts

In Azure AD, all users who require access to resources must have a user account. A user account is an Azure AD user object that contains all the information that’s required to authenticate and authorize the user during the sign‑in process and build the user’s access token. To view the Azure AD users, simply access the All users blade.

Notice the Source column on the All users blade (shown in the lab’s screenshot). There are different sources depending on the types of identity, including:

  • Cloud identities (Azure Active Directory). Users that only exist in Azure AD. For example, administrator accounts or users you are managing yourself.
  • Directory-synchronized identities (Windows Server AD). Users brought in to Azure through a synchronization activity using Azure AD Connect. These are users that exist in Windows Server AD.
  • Guest users (Azure Active Directory). Users from outside Azure. For example, Google and Microsoft accounts.

✔️ Have you given any thought as to the type of users you will need?

Adding User Accounts

There are multiple ways to add cloud identities to Azure AD.

Azure Portal

You can add new users through the Azure Portal. In addition to Name and User name, there is profile information like Job Title and Department.

Azure PowerShell

You can use the PowerShell New-AzADUser command to add cloud-based users.

# Build the initial password as a SecureString (the Az module takes -Password directly; the AzureAD PasswordProfile type is not used here)
$Password = ConvertTo-SecureString -String "<Password>" -AsPlainText -Force
# Create the new user, enabled so the account can sign in
New-AzADUser -AccountEnabled:$true -DisplayName "Abby Brown" -Password $Password -MailNickname "AbbyB" -UserPrincipalName "AbbyB@contoso.com"

✔️ Users can also be added to Azure AD through the Office 365 Admin Center, the Microsoft Intune admin console, and the CLI. Which of the options mentioned in this topic do you prefer?

Bulk User Accounts

There are several ways you can use PowerShell to import data into your directory, but the most commonly used method is to use a CSV file. This file can either be manually created, for example using Excel, or it can be exported from an existing data source such as a SQL database or an HR application.

If you are going to use a CSV file here are some things to think about:

  • Naming conventions. Establish or implement a naming convention for usernames, display names and aliases. For example, a user name could consist of last name, period, first name: Smith.John@contoso.com.
  • Passwords. Implement a convention for the initial password of the newly created user. Figure out a way for the new users to receive their password in a secure way. Methods commonly used for this are generating a random password and emailing it to the new user or their manager.

The steps for using the CSV file are very straightforward. Use the reference link to see a sample PowerShell script.

  1. Use Connect-AzAccount to create a PowerShell connection to your directory. You should connect with an admin account that has privileges on your directory.
  2. Create a new Password Profile for the new users. The password for the new users needs to conform to the password complexity rules you have set for your directory.
  3. Use Import-CSV to import the CSV file. You will need to specify the path and file name of the CSV file.
  4. Loop through the users in the file constructing the user parameters required for each user. For example, User Principal Name, DisplayName, Given Name, Department, and Job Title.
  5. Use New-AzADUser to create each user. Be sure to enable each account.
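The five steps above as one script, added here as an example that is neither the lab’s code nor the linked reference script. It assumes Az.Resources 5.x or later (New-AzADUser with -Password, -GivenName, -Surname, -Department, -JobTitle, -ForceChangePasswordNextLogin and -AccountEnabled), an admin session, and that the CSV path and the sample rows are constructed.

```powershell
# Added example (not from the lab): bulk-create cloud users from a CSV file.
$CsvPath = '.\NewUsers.csv'   # assumed path; the sample below is constructed

# Step 1: connect with an account that can create users in the directory.
Connect-AzAccount | Out-Null

# Constructed sample input in the column layout the script expects.
$SampleCsv = @'
UserPrincipalName,DisplayName,GivenName,Surname,Department,JobTitle
Smith.John@contoso.com,John Smith,John,Smith,Sales,Account Executive
Lee.Anna@contoso.com,Anna Lee,Anna,Lee,Engineering,Developer
'@

# Step 2: one random initial password per user from a cryptographic RNG,
# re-drawn until it satisfies the directory's complexity rules (mixed case
# plus a digit), and flagged so the user must change it at first sign-in.
function New-InitialPassword {
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        # 64 symbols divide 256 evenly, so the modulo introduces no bias.
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and $candidate -match '[0-9]')
    return $candidate
}

# Step 3: import the file (falls back to the constructed sample).
$users = if (Test-Path $CsvPath) { Import-Csv -Path $CsvPath } else { $SampleCsv | ConvertFrom-Csv }

$results = foreach ($u in $users) {
    # Step 4: build the parameters for this user from the CSV columns.
    $plain  = New-InitialPassword
    $params = @{
        UserPrincipalName            = $u.UserPrincipalName
        DisplayName                  = $u.DisplayName
        MailNickname                 = ($u.UserPrincipalName -split '@')[0]
        GivenName                    = $u.GivenName
        Surname                      = $u.Surname
        Department                   = $u.Department
        JobTitle                     = $u.JobTitle
        Password                     = (ConvertTo-SecureString $plain -AsPlainText -Force)
        ForceChangePasswordNextLogin = $true
        AccountEnabled               = $true
    }
    # Step 5: create the user, enabled, and record the outcome per row so one
    # bad row does not abort the whole import.
    try {
        $created = New-AzADUser @params -ErrorAction Stop
        [pscustomobject]@{ UPN = $u.UserPrincipalName; ObjectId = $created.Id; InitialPassword = $plain; Status = 'Created' }
    } catch {
        [pscustomobject]@{ UPN = $u.UserPrincipalName; ObjectId = $null; InitialPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# The result file is the only place the initial passwords are written: hand
# them to the users' managers over a secure channel and delete it afterwards.
$results | Export-Csv -Path '.\NewUsers-Result.csv' -NoTypeInformation
$results | Select-Object UPN, Status
```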

For more information, you can see: Importing data into my directory – https://docs.microsoft.com/en-us/powershell/azure/active-directory/importing-data?view=azureadps-2.0

Group Accounts

A group helps organize users to make it easier to manage permissions. Groups can be easily added through the portal. There are two types of groups: security groups and distribution groups.

  • Security groups are security‑enabled and are used to assign permissions and control access to various resources.
  • Distribution groups are used mainly by email applications and are not security enabled. You can easily add groups in the portal.

Adding Groups

You can also use PowerShell to add a group with the New-AzADGroup command.

New-AzADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "Marketing"

Adding Members to Groups

There are two ways to add members to Azure groups.

  • Directly Assigned. In this situation you create the group then you manually add individual user accounts to the group.
  • Dynamically Assigned. In this situation you create rules to enable attribute-based dynamic memberships for groups based on characteristics. For example, if a user’s Department is Sales, then they are dynamically assigned to the Sales group. You can set up a rule for dynamic membership on security groups or Office 365 groups. This feature requires an Azure AD Premium P1 license.

Adding Group Members

Using Azure Active Directory, you can add and remove group members.

  • From the Groups page, search for and select the group you want to add the member to.
  • Select Members from the Manage area.
  • Select Add members, and then search and select each of the members you want to add to the group.

Adding group members with PowerShell

# Create a new group
New-AzADGroup -DisplayName Developers -MailNickname Developers
# Retrieve the group ObjectId for the Developers group
Get-AzADGroup -DisplayName Developers
# Retrieve the user ObjectId for Chris Green
Get-AzADUser -DisplayName "Chris Green"
# Add the user to the group (Az parameter names; the -ObjectId/-RefObjectId pair belongs to the AzureAD module)
Add-AzADGroupMember -TargetGroupObjectId <group ObjectId> -MemberObjectId <user ObjectId>
# Verify the members of the group
Get-AzADGroupMember -GroupObjectId <group ObjectId>

Adding a Group Owner

Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners are assigned to manage a group and its members by a resource owner (administrator). Group owners aren’t required to be members of the group. After a group owner has been assigned, only a resource owner can add or remove owners. In some cases, you as the administrator might decide not to assign a group owner. In this case, you become the group owner. Additionally, owners can assign other owners to their group, unless you’ve restricted this in the group settings.

  • Select Azure Active Directory, select Groups, and then select the group for which you want to add an owner.
  • Select Add owners, and then search for and select the user that will be the new group owner.

Add a group owner in PowerShell

# The group-owner cmdlets with -ObjectId/-RefObjectId are in the AzureAD module (run Connect-AzureAD first)
# Get the group ObjectId
Get-AzureADGroup -SearchString "Developers"
# Get the owner (user) RefObjectId
Get-AzureADUser -SearchString "Chris Green"
# Add the user as a group owner
Add-AzureADGroupOwner -ObjectId <group ID> -RefObjectId <user ID>
# Verify group ownership
Get-AzureADGroupOwner -ObjectId <group ID>

Azure Policy

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by running evaluations of your resources and scanning for those not compliant with the policies you have created. The main advantages of Azure Policy are in the areas of enforcement and compliance, scaling, and remediation.

  • Enforcement and compliance. Turn on built-in policies or build custom ones for all resource types. Real-time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
  • Apply policies at scale. Apply policies to a Management Group with control across your entire organization. Apply multiple policies and aggregate policy states with policy initiative. Define an exclusion scope.
  • Remediation. Real time remediation, and remediation on existing resources.

Azure Policy will be important to you if your team runs an environment where you need to govern:

  • Multiple engineering teams (deploying to and operating in the environment)
  • Multiple subscriptions
  • Need to standardize/enforce how cloud resources are configured
  • Manage regulatory compliance, cost control, security, or design consistency

For more information, you can see: Azure Policy Documentation – https://docs.microsoft.com/azure/azure-policy/

Implementing Azure Policy

To implement Azure Policies, you can follow these steps.

  1. Browse Policy Definitions. A Policy Definition expresses what to evaluate and what actions to take. Every policy definition has conditions under which it is enforced. And, it has an accompanying effect that takes place if the conditions are met. For example, you could prevent VMs from being deployed if they are exposed to a public IP address.
  2. Create Initiative Definitions. An initiative definition is a set of Policy Definitions to help track your compliance state for a larger goal. For example, ensuring a branch office is compliant.
  3. Scope the Initiative Definition. You can limit the scope of the Initiative Definition to Management Groups, Subscriptions, or Resource Groups.
  4. View Policy Evaluation results. Once an Initiative Definition is assigned, you can evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be exempted from having policy rules affect them. Exclusions are handled individually for each assignment.

✔️ Even if you have only a few Policy Definitions, we recommend creating an Initiative Definition.
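The four steps above carried out in PowerShell, with the initiative assigned at the scope of the 'Contoso' management group from the Management Groups section so that every subscription under it inherits the policies. This is an added example, not the lab’s code; it assumes Az.Resources and Az.PolicyInsights, an active session, and that the regions, SKUs and exclusions are illustrative values.

```powershell
# Added example (not from the lab): browse built-in definitions, bundle two of
# them into an initiative, assign it at a management group, and read back the
# compliance state.
$ManagementGroupName = 'Contoso'
$Scope            = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
$AllowedLocations = @('eastus', 'westus2')               # illustrative
$AllowedSkus      = @('Standard_B2s', 'Standard_D2s_v3') # illustrative
$ExcludedScopes   = @()   # e.g. a sandbox subscription path; empty means no exclusions

# Step 1: pick the two built-in definitions by display name instead of
# hard-coding GUIDs. Handles both the nested (Properties.*) and the flattened
# output shapes that different Az.Resources versions return.
$builtin = Get-AzPolicyDefinition -Builtin
function Get-BuiltinPolicyId([string]$DisplayName) {
    $def = $builtin | Where-Object { ($_.DisplayName, $_.Properties.DisplayName) -contains $DisplayName }
    if (-not $def) { throw "Built-in policy definition '$DisplayName' not found." }
    if ($def.PolicyDefinitionId) { $def.PolicyDefinitionId } else { $def.Id }
}
$locId = Get-BuiltinPolicyId 'Allowed locations'
$skuId = Get-BuiltinPolicyId 'Allowed virtual machine size SKUs'

# Step 2: bundle them into one initiative, passing each policy its parameters.
$policies = @(
    @{ policyDefinitionId = $locId; parameters = @{ listOfAllowedLocations = @{ value = $AllowedLocations } } },
    @{ policyDefinitionId = $skuId; parameters = @{ listOfAllowedSKUs      = @{ value = $AllowedSkus } } }
)
$initiative = New-AzPolicySetDefinition -Name 'contoso-baseline' `
    -DisplayName 'Contoso regional baseline' `
    -ManagementGroupName $ManagementGroupName `
    -PolicyDefinition (ConvertTo-Json -InputObject $policies -Depth 10)

# Step 3: scope the initiative by assigning it at the management group; any
# exclusions are NotScope entries on this one assignment.
$assign = @{
    Name                = 'contoso-baseline'
    DisplayName         = 'Contoso regional baseline'
    PolicySetDefinition = $initiative
    Scope               = $Scope
}
if ($ExcludedScopes.Count -gt 0) { $assign.NotScope = $ExcludedScopes }
$assignment = New-AzPolicyAssignment @assign

# Step 4: review the evaluation results for that scope. Evaluation runs on a
# schedule, so this returns whatever the most recent run recorded.
Get-AzPolicyState -ManagementGroupName $ManagementGroupName `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$($assignment.Name)'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState
```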

Policy Definitions

There are many built-in Policy Definitions for you to choose from. Sorting by Category will help you locate what you need. For example,

  • The Allowed Virtual Machine SKUs enables you to specify a set of virtual machine SKUs that your organization can deploy.
  • The Allowed Locations policy enables you to restrict the locations that your organization can specify when deploying resources. This can be used to enforce your geo-compliance requirements.

If you don’t see what you need you can add a Policy Definition. The easiest way to do this is to Import a policy from GitHub. New Policy Definitions are added almost every day.

✔️ Policy Definitions have a specific JSON format. As an Azure Administrator you will not need to create files in this format, but you may want to take a look so you are familiar with it.

Create Initiative Definitions

Once you have determined which Policy Definitions you need, you create an Initiative Definition. This definition will include one or more policies. There is a pick list on the right side of the New Initiative definition page (not shown) to make your selection.

✔️ Can you see how this will require some planning to organize your policies?

Scope the Initiative Definition

Once your Initiative Definition is created, you can assign the definition to establish its scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.

You can select the Subscription, and then optionally a Resource Group.

✔️ Currently, an Initiative Definition can have up to 100 policies.

Determine Compliance

Once your policy is in place you can use the Compliance blade to review non-compliant initiatives, non-compliant policies, and non-compliant resources.

When a condition is evaluated against your existing resources and found true, then those resources are marked as non-compliant with the policy. Although you don’t see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.

✔️ Policy evaluation happens about once an hour, which means that if you make changes to your policy definition and create a policy assignment then it will be re-evaluated over your resources within the hour.

For more information, you can see: Video – Azure Resource Manager (ARM) Policies & RBAC –