Full Transcript

MST400: Introduction to Microsoft Azure Administration
Module 2: Governance and Compliance
Dr. Hooshang Kazemi

Azure Regions
• Microsoft Azure is made up of datacenters located around the globe. These datacenters are organized and made available to end users by region.
• A region is a geographical area on the planet containing at least one, but potentially multiple datacenters.
• Each Azure region is paired with another region within the same geography, together making a regional pair.

Azure Subscriptions
• An Azure subscription is a logical unit of Azure services that is linked to an Azure account.

Getting a Subscription
• Enterprise agreements: Any Enterprise Agreement customer can add Azure to their agreement by making an upfront monetary commitment to Azure. That commitment is consumed throughout the year by using any combination of the wide variety of cloud services Azure offers. Enterprise agreements have a 99.95% monthly SLA.
• Reseller: Buy Azure through the Open Licensing program, which provides a simple, flexible way to purchase cloud services from your Microsoft reseller. If you already purchased an Azure in Open license key, you can activate a new subscription or add more credits.
• Partners: Find a Microsoft partner who can design and implement your Azure cloud solution. These partners have the business and technology expertise to recommend solutions that meet the unique needs of your business.
• Personal free account: With a free trial account, you can get started using Azure right away and you won't be charged until you choose to upgrade.

Cost Management
• With Azure products and services, you only pay for what you use.
• You can use Azure Cost Management and Billing features to conduct billing administrative tasks and manage cost.
• Cost analysis.
• Budgets.
• Recommendations.
• Exporting cost management data.

Resource Tags
• You can apply tags to your Azure resources to logically organize them by categories.
Each tag consists of a name and a value.
• Each resource or resource group can have a maximum of 50 tag name/value pairs.
• Tags applied to the resource group are not inherited by the resources in that resource group.

Cost Savings
• Reservations help you save money by paying ahead.
• Azure Hybrid Benefits is a pricing benefit for customers who have licenses with Software Assurance.
• Azure Credits is a monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure.
• Azure regions pricing can vary from one region to another, even in the US.
• Budgets help you plan for and drive organizational accountability.
• Pricing Calculator provides estimates in all areas of Azure including compute, networking, storage, web, and databases.

Azure Policy
To make sure each department implements and deploys resources correctly, implementing Azure Policy will ensure compliance measures are in place.
• Management groups enable:
• Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.
• Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.
• Compliance and cost reporting by organization (business/teams).

Implementing Azure Policy
• To implement Azure Policies, you can follow these steps.
• Browse Policy Definitions. A Policy Definition expresses what to evaluate and what actions to take. Every policy definition has conditions under which it is enforced. For example, you could prevent VMs from being deployed if they are exposed to a public IP address.
• Create Initiative Definitions. An initiative definition is a set of Policy Definitions to help track your compliance state for a larger goal. For example, ensuring a branch office is compliant.
• Scope the Initiative Definition. You can limit the scope of the Initiative Definition to Management Groups, Subscriptions, or Resource Groups.
• View Policy Evaluation results.
Once an Initiative Definition is assigned, you can evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be exempted from having policy rules affect them.

Demonstration - Azure Policy

Role-Based Access Control - RBAC
• RBAC is access management for cloud resources.
• It manages who can have access to Azure resources, what they can do with those resources, and what areas they have access to.
• Concepts related to RBAC
• Security principal. Object that is requesting access to resources.
• Role definition. Collection of permissions that lists the operations that can be performed. Examples: Reader, Contributor, Owner, User Access Administrator.
• Scope. Boundary for the level of access that is requested. Examples: management group, subscription, resource group, resource.
• Assignment. Attaching a role definition to a security principal at a particular scope. Users can grant access described in a role definition by creating an assignment. Deny assignments are currently read-only and can only be set by Azure.

Role Definitions
RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. The following lists four fundamental built-in roles:
• Owner - Has full access to all resources, including the right to delegate access to others.
• Contributor - Can create and manage all types of Azure resources, but can't grant access to others.
• Reader - Can view existing Azure resources.
• User Access Administrator - Lets you manage user access to Azure resources.
Note: Use NotActions to create a set of not allowed permissions. The Owner role means all (asterisk) actions, no denied actions.
When the built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
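
An added example (not from the course slides) that models how a role definition's Actions and NotActions combine with the scope of an assignment to decide access. The principals, subscription ID and helper names are constructed for illustration, Contributor's NotActions list is trimmed to three entries, and management-group scopes and deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Built-in role definitions (Contributor's NotActions trimmed to three entries).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {"Actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": []},
}

# Constructed sample data: subscription ID, principals and names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "alice", "role": "User Access Administrator", "scope": RG_APP},
    {"principal": "bob", "role": "Reader", "scope": RG_APP},
]

def in_scope(assignment_scope, resource_id):
    """An assignment covers its scope and everything below it.
    Compare on a path-segment boundary so rg-app does not cover rg-app2."""
    s, r = assignment_scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def role_allows(role, action):
    """Effective permissions of one role = Actions minus NotActions."""
    a = action.lower()
    allowed = any(fnmatchcase(a, p.lower()) for p in role["Actions"])
    excluded = any(fnmatchcase(a, p.lower()) for p in role["NotActions"])
    return allowed and not excluded

def granting_roles(assignments, principal, action, resource_id):
    """Roles that grant the action on the resource; an empty list means no access."""
    return [a["role"] for a in assignments
            if a["principal"] == principal
            and in_scope(a["scope"], resource_id)
            and role_allows(ROLES[a["role"]], action)]

if __name__ == "__main__":
    vm = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
    for who, action in [("alice", "Microsoft.Compute/virtualMachines/write"),
                        ("alice", "Microsoft.Authorization/roleAssignments/write"),
                        ("bob", "Microsoft.Compute/virtualMachines/write")]:
        print(who, action, "->", granting_roles(ASSIGNMENTS, who, action, vm) or "no access")
```

NotActions only subtracts from the same role's Actions; it is not a deny rule, so a second assignment (here User Access Administrator on rg-app) can still grant an operation that Contributor excludes.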

Role Assignment
• A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access.
• A resource inherits role assignments from its parent resources.

Differences between Azure RBAC roles and Azure AD roles

Hierarchy of Roles in Azure
This diagram depicts how the classic subscription administrator roles, Azure roles, and Azure AD roles are related at a high level.

Thank you!
