In this blog post, we discuss the Azure resource hierarchy and how you can organize and manage resources effectively from the point of view of security, management, and cost tracking.
As you know, you need an active Azure subscription before you can create any resource in your Azure account. Once you have one, you create Resource Groups (RGs) and then create all other resources by placing them inside those RGs.
Now think from the perspective of an organization that has multiple subscriptions: that is where you need a scope above the subscription to manage them efficiently, and that is where you can use Azure Management Groups. Here you can manage access, policies and compliance for these subscriptions as a single entity, and whatever access, policy or compliance settings you configure are inherited top-down.
How the four management-scope levels relate to each other
· Management groups: These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
· Subscriptions: A subscription logically associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
· Resource groups: A resource group is a logical container into which Azure resources like web apps, databases and storage accounts are deployed and managed.
· Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
Note: All subscriptions within a single MG must belong to the same AAD tenant.
This was a simple example of a Management Group hierarchy; you can create multiple Management Groups under the Root Management Group of your Azure Active Directory. The creation of other Management Groups could be part of your resource management planning to achieve one of the following:
· Group your subscriptions: Easily manage your Azure subscriptions by grouping them together and taking actions in bulk.
· Mirror your organization’s structure: Create a hierarchy of Azure management groups tailored to your organization to efficiently manage your subscriptions and resources.
· Apply policies or access control to any service: Use full platform integration to apply governance conditions such as policies, access controls, or full-fledged blueprints to any Azure service.
Each directory is given a single top-level management group called the “Root Management Group”. This root management group is built into the hierarchy so that all subscriptions that are part of that directory fold into it. It is used to assign global policies and Azure role assignments at the directory level. To manage access at this scope, the Azure AD Global Administrator initially needs to elevate themselves to the User Access Administrator role on this root group. Once you have that permission, you can assign any Azure role to other directory users or groups to manage access, compliance and related aspects.
A management group tree can support up to six levels of depth; this limit does not include the root or subscription level. Keep in mind that each MG or subscription can have only one parent, and all of them are within a single hierarchy in each directory.
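As an added example (not part of the original post, and not Azure's own API), the following Python model captures the hierarchy rules described above: one root group per directory, top-down inheritance of policy and role assignments, exactly one parent per scope, at most six management-group levels below the root, and every subscription belonging to the directory's tenant. Names like `Directory` and `Scope` and the sample tenant and group names are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_MG_DEPTH = 6  # management-group levels below the root; root and subscriptions are not counted

@dataclass
class Scope:
    name: str
    kind: str                                      # "root", "mg" or "subscription"
    parent: "Scope | None" = None                  # exactly one parent (None only for the root)
    assignments: set = field(default_factory=set)  # policy / role assignments made directly here

    def ancestors(self):
        # Walk from this scope up to the root (inclusive).
        node = self
        while node is not None:
            yield node
            node = node.parent

    def effective_assignments(self) -> set:
        """Top-down inheritance: everything assigned here or at any ancestor applies at this scope."""
        return set().union(*(s.assignments for s in self.ancestors()))

    def mg_depth(self) -> int:
        """Management groups on the path from this scope up to, but not including, the root."""
        return sum(1 for s in self.ancestors() if s.kind == "mg")

class Directory:
    # One Azure AD directory: a built-in root group and a single tree of scopes below it.
    def __init__(self, tenant_id: str):
        self.tenant_id = tenant_id
        self.root = Scope("Tenant Root Group", "root")
        self.scopes = {self.root.name: self.root}

    def _parent_for(self, name: str, parent_name: str) -> Scope:
        if name in self.scopes:
            raise ValueError(f"{name!r} already exists: a scope has exactly one parent")
        parent = self.scopes[parent_name]
        if parent.kind == "subscription":
            raise ValueError("only the root or a management group can contain other scopes")
        return parent

    def add_management_group(self, name: str, parent_name: str) -> Scope:
        parent = self._parent_for(name, parent_name)
        if parent.mg_depth() + 1 > MAX_MG_DEPTH:
            raise ValueError(f"hierarchy would exceed {MAX_MG_DEPTH} management-group levels")
        return self.scopes.setdefault(name, Scope(name, "mg", parent))

    def add_subscription(self, name: str, parent_name: str, tenant_id: str) -> Scope:
        if tenant_id != self.tenant_id:
            raise ValueError("every subscription in the hierarchy must belong to the directory's AAD tenant")
        return self.scopes.setdefault(name, Scope(name, "subscription", self._parent_for(name, parent_name)))
```

Assigning a policy at the root and a role on a child management group, then reading `effective_assignments()` on a subscription underneath, shows what a subscription owner actually inherits from scopes they may not even be able to see.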
Related Demo: How-to Create and manage Azure
Management Groups and related hierarchy.
Related reads:
Azure Management Groups And Hierarchy
That’s It….Thanks 😊