“How do you organise the various accounts and roles?” I am sure this question surfaces whenever a company first ventures into Azure cloud services. Azure divides administration rights into multiple levels so that permissions and roles can be delegated. Understanding what is available will help anyone manage their cloud services in a comprehensive manner.
The following shows the various levels of administration rights, starting from the role with the most privileged access.
1. Account Administrator (AA)
This is the administrator that manages the Azure account. This administrator has the rights to perform management tasks such as signing up for new subscriptions, cancelling subscriptions, turning on premium features, and billing administration. It is recommended to separate the AA from the other functional roles of Azure services: the AA controls which subscriptions exist and who pays for them, so it should be a dedicated, well-protected identity rather than someone's day-to-day login.
It is also recommended to maintain only one Azure account, to centralise administrative control. If the company later decides to integrate its on-premises Active Directory with Azure cloud services, it will want to avoid having multiple Azure accounts, each with its own directory duplicating the Active Directory.
Furthermore, multiple subscriptions can be created within a single Azure account. Therefore, if there is a need to separate the billing of Azure services because the services are funded by different business units of the company, the AA can simply sign up for multiple subscriptions within the one Azure account, instead of signing up for multiple Azure accounts.
2. Service Administrator (SA)
This is the administrator that manages an Azure subscription. As mentioned above, each Azure account can hold multiple subscriptions. Each subscription is a distinct cloud environment, entirely separate from the other subscriptions in the account: resources, access assignments and costs in one subscription do not spill over into another.
The SA role is assigned by the AA using the Azure portal. As a best practice, the SA and AA should not be the same user account, so that administrative (billing) responsibilities are segregated from operational responsibilities.
The SA has the rights to create cloud services within the subscription, manage those services, and delegate the same rights to other user accounts using Azure Role-Based Access Control (RBAC), which assigns roles to Azure Active Directory users and groups.
As the cost of each subscription is reflected separately in the bill, subscriptions can be used to divide the cost incurred by different business units within the company, by different project teams, or even by different development environments, depending on how creative your management is.
3. Owner, Contributor, and Reader
Within a subscription, resources can be created. The term resources refers to the various cloud services provided by Azure. These resources can be divided into logical groupings called resource groups. Some companies may want to use resource groups to separate their cloud services into a staging environment and a production environment.
Therefore the hierarchy is as follows: an Azure account managed by an AA can have multiple subscriptions, each managed by an SA. Subscriptions contain resource groups, which are logical groupings of resources. At each of these levels (subscription, resource group, and resource), access can be delegated to individual users or groups of users using three roles: Owner, Contributor, and Reader. A role assigned at one level is inherited by everything beneath it, so Reader on a subscription means Reader on every resource group and resource in that subscription.
The Owner of a level can manage cloud services at that level as well as delegate permission to other users. The Contributor can only manage cloud services at that level; it cannot grant access to others, but it can still create, change and delete resources. The Reader can only view the status of cloud services from the management portal, without the ability to make any changes. A user account with no permission at all will not see anything even if the user logs in to the management portal. Note that role assignments are additive: a user who is Reader on the subscription and Contributor on one resource group has Contributor rights in that group and Reader rights everywhere else.
The system administrators, operators, and engineers of the company only require access to certain specific resources within the subscription for their day-to-day work, and that access can be granted at resource group or resource level using Azure RBAC. Scoping access this narrowly limits what a user (or an attacker who has taken over the user's credentials) can do with it, and also prevents the company from incurring additional costs when users carelessly create cloud services.
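To make the inheritance and additivity of these three roles concrete, the following is an added example, not code from the original post or from Microsoft. It resolves a user's effective role on a given scope from a list of role assignments and answers "can this user read / write / grant here?". The input is a constructed sample shaped like the output of `az role assignment list --all -o json`; the field names principalName, roleDefinitionName and scope are assumed to match that output, and the subscription id and user names are made up.

```python
"""Resolve effective Azure RBAC access from scope-based role assignments.

Added example, not code from the original post. SAMPLE_ASSIGNMENTS_JSON is
constructed data shaped like `az role assignment list --all -o json` objects
(field names principalName, roleDefinitionName, scope are assumed to match).
"""
import json

# Rank the three built-in roles discussed above from least to most privileged.
ROLE_RANK = {"Reader": 1, "Contributor": 2, "Owner": 3}

# Minimum rank needed for each kind of action.
ACTION_RANK = {"read": 1, "write": 2, "grant": 3}

# Constructed sample data (subscription id and principal names are made up).
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/sub-prod"},
  {"principalName": "bob@contoso.example", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/sub-prod"},
  {"principalName": "bob@contoso.example", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-prod/resourceGroups/staging-rg"},
  {"principalName": "carol@contoso.example", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-prod/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"}
]
"""


def load_assignments(text):
    """Parse the JSON array of role assignment objects."""
    return json.loads(text)


def scope_covers(assignment_scope, target_scope):
    """True if an assignment at assignment_scope applies to target_scope.

    Assignments are inherited by every child scope, so this is a prefix match
    on whole path segments. Comparing case-insensitively mirrors Azure, and
    requiring a '/' boundary stops 'prod-rg' from matching 'prod-rg2'.
    """
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_role(assignments, principal, target_scope):
    """Most privileged of Owner/Contributor/Reader that principal holds on
    target_scope, or None if no assignment reaches it.

    Azure RBAC is additive: every assignment whose scope covers the target
    contributes and nothing subtracts, so the strongest one wins. Other
    built-in or custom roles are ignored in this example.
    """
    best = None
    for a in assignments:
        if a["principalName"].lower() != principal.lower():
            continue
        if not scope_covers(a["scope"], target_scope):
            continue
        role = a["roleDefinitionName"]
        if role in ROLE_RANK and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
            best = role
    return best


def can(assignments, principal, target_scope, action):
    """Whether principal may 'read', 'write' (create/change/delete) or
    'grant' (assign roles to others) at target_scope."""
    role = effective_role(assignments, principal, target_scope)
    return role is not None and ROLE_RANK[role] >= ACTION_RANK[action]


def subscription_owners(assignments, subscription_scope):
    """Principals holding Owner directly on the subscription: the set that a
    least-privilege review should keep as small as possible."""
    want = subscription_scope.rstrip("/").lower()
    return {
        a["principalName"]
        for a in assignments
        if a["roleDefinitionName"] == "Owner"
        and a["scope"].rstrip("/").lower() == want
    }


if __name__ == "__main__":
    A = load_assignments(SAMPLE_ASSIGNMENTS_JSON)
    sub = "/subscriptions/sub-prod"
    prod_rg = sub + "/resourceGroups/prod-rg"
    web01 = prod_rg + "/providers/Microsoft.Compute/virtualMachines/web01"
    for who, where, what in [
        ("bob@contoso.example", sub + "/resourceGroups/staging-rg", "write"),
        ("bob@contoso.example", prod_rg, "write"),
        ("carol@contoso.example", web01, "write"),
        ("carol@contoso.example", prod_rg, "read"),
        ("dave@contoso.example", sub, "read"),
    ]:
        print(f"{who:22} {what:5} {where}: {can(A, who, where, what)}")
    print("subscription owners:", sorted(subscription_owners(A, sub)))
```

Running it shows bob able to write in staging-rg but only read in prod-rg, carol able to manage web01 but unable to even see the resource group that contains it, and dave seeing nothing at all. Pointed at real `az role assignment list --all -o json` output, `subscription_owners` is a quick way to find who holds subscription-wide Owner. The model is deliberately limited: group membership is not expanded, classic Service Administrator and co-administrator rights are not represented, and custom roles are ignored, so treat the result as the RBAC view only.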
Update 2017-03-05: I believe Azure now provides even more roles for finer control of access. You will have to check out Azure websites to find out more.
4. Other Access
Some companies may require their vendors to remotely access Azure cloud services to provide technical support. In some cases, they do not even require the access controls mentioned above. For example, if a vendor needs to access an Azure VM, the company can simply allow a Remote Desktop Connection (RDC) for the vendor, or even use commercial remote access tools such as Cisco Webex or GoToMeeting. If RDP is opened for this purpose, restrict the endpoint to the vendor's source IP addresses and close it again once the support engagement ends; an RDP endpoint left open to the internet invites password guessing.
I hope this information will be helpful to anyone using Azure cloud services when planning how they will manage their cloud. More information is available here:
- How to add or change Azure administrator roles
- Azure Role-Based Access Control