AZ-900 Microsoft Azure Fundamentals Exam
Start here! Get your feet wet with the Microsoft cloud and begin your journey to earning your Microsoft Certified: Azure Fundamentals certification!
Describe management groups
Policy and Access Management
In Azure, managing access to resources is crucial, and this is primarily handled through Microsoft Entra ID and Azure role-based access control (RBAC). Microsoft Entra ID acts as a directory service, storing user accounts and passwords, while Azure RBAC is the authorization system that controls what users can do with Azure resources. Understanding how these systems work together is key to managing your Azure environment effectively.
When adding users to an Azure subscription, it's important to first determine the business hierarchy and the level of access each user needs. For example, IT staff might need admin access to monitor security, while developers might only need access to specific resource groups. The scope of access refers to the set of resources a user can access, and this can range from the entire subscription to individual resources.
Azure RBAC provides several built-in roles that define different levels of access. The Owner role grants full access to manage all resources and assign roles, while the Contributor role grants full access to manage resources but not to assign roles. The Reader role allows users to view resources but not make changes. There are also more specific roles, such as the Virtual Machine Contributor, which allows users to manage virtual machines. These roles can be assigned at different scopes, such as management groups, subscriptions, or resource groups.
In addition to Azure roles, there are also Microsoft Entra roles that manage resources within the directory itself, such as users, groups, and domains. Examples include the Global Administrator, who has full access to all administrative features, and the User Administrator, who can create and manage users and groups. It's important to distinguish between Azure roles, which manage Azure resources, and Microsoft Entra roles, which manage the directory itself.
Classic subscription administrator roles, such as the Account Administrator, Service Administrator, and Co-Administrator, also exist, but they are being phased out in favor of Azure RBAC. The Account Administrator manages billing, while the Service Administrator manages services within the Azure portal. Co-Administrators have similar access to the Service Administrator. It's important to note that the Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope.
Scenarios and Use Cases for Management Groups
Management groups in Azure are designed to help organizations manage their Azure subscriptions more efficiently. They provide a way to organize subscriptions into a hierarchical structure, allowing for consistent application of policies and access controls. This is particularly useful for large enterprises with multiple departments, environments, or regulatory requirements.
One common scenario is in large organizations with many departments. For example, a company might have separate departments for finance, marketing, and IT. Each department could have its own set of Azure subscriptions. By using management groups, the company can create a hierarchy that reflects this structure. The root management group could represent the entire organization, with child management groups for each department. This allows the company to apply policies and access controls at the departmental level, ensuring that each department has the appropriate level of access and resources.
Another use case is managing different environments, such as development, testing, and production. A company might have separate Azure subscriptions for each of these environments. Management groups can be used to create a hierarchy that reflects these environments. For example, a root management group could represent the entire organization, with child management groups for development, testing, and production. This allows the company to apply different policies and access controls to each environment, ensuring that development and testing environments are not subject to the same restrictions as production environments.
Management groups are also beneficial for organizations that need to comply with specific regulatory requirements. For example, a company might need to ensure that all resources in a particular region comply with certain data residency requirements. By using management groups, the company can create a hierarchy that reflects these requirements. A management group can be created for each region, and policies can be applied to ensure that all resources within that region comply with the necessary regulations. This simplifies compliance management and reduces the risk of non-compliance.
In addition to these scenarios, management groups can also simplify user access management. By moving multiple subscriptions under a management group, you can create a single Azure role assignment on the management group. This role assignment will then be inherited by all the subscriptions under that management group. This means that users can have access to everything they need with a single assignment, rather than having to manage access across multiple subscriptions. This simplifies access management and reduces the risk of errors.
Hierarchy and Structure of Management Groups
Management groups in Azure are a way to organize and manage multiple Azure subscriptions. They allow you to apply access controls, policies, and compliance settings across many subscriptions at once. Management groups form a hierarchical structure, which means they can be nested within each other, creating a tree-like organization. This structure helps businesses manage their Azure resources more efficiently.
The hierarchy starts with a single root management group, which is the top-level container. All other management groups and subscriptions are placed under this root. You can create additional management groups under the root or under other management groups, forming a nested structure. This nesting allows you to reflect your organization’s structure, such as departments, teams, or environments (e.g., development, testing, production).
Within this hierarchy, subscriptions are placed under management groups. A subscription can only belong to one management group at a time. When a subscription is moved to a management group, it automatically inherits the access controls and policies defined at that level. This inheritance simplifies management and ensures consistency across all subscriptions within the group.
Management groups are related to other Azure resource organization concepts. Here’s how they fit together:
- Management Groups: Organize subscriptions into a hierarchy.
- Subscriptions: Represent a billing boundary and a logical grouping of resources.
- Resource Groups: Group related resources within a subscription.
- Resources: Individual Azure services, like virtual machines or databases.
Moving subscriptions between management groups is possible, but it requires specific permissions. You need write permissions on both the source and target management groups, as well as on the subscription itself. This ensures that only authorized users can change the organization of subscriptions. If the subscription inherits the Owner role from the current management group, you can only move it to another management group where you also have the Owner role.
In summary, management groups provide a flexible and powerful way to organize and manage Azure subscriptions. Their hierarchical structure, combined with inheritance of policies and access controls, makes it easier to manage large and complex Azure environments. Understanding how management groups relate to subscriptions, resource groups, and resources is crucial for effective Azure management.
Purpose and Benefits of Management Groups
Management groups in Azure are designed to help organize and manage multiple Azure subscriptions. They provide a way to apply governance policies and manage access controls across several subscriptions at once. This hierarchical structure allows for consistent management of resources across an entire organization.
Management groups are useful for large organizations that have many Azure subscriptions. Instead of managing each subscription individually, you can group them based on your organizational structure, such as by department, region, or project. This makes it easier to apply policies and manage access at a higher level.
Key benefits of using management groups include:
- Improved Governance: Apply policies at the management group level that are inherited by all subscriptions within that group.
- Policy Enforcement: Ensure consistent compliance across multiple subscriptions by enforcing policies at the management group level.
- Streamlined Resource Management: Manage access and resources more efficiently by grouping subscriptions logically.
By using management groups, organizations can ensure that all their Azure resources are managed consistently and securely. This reduces the administrative overhead and helps maintain compliance with organizational policies. Management groups provide a flexible and scalable way to manage Azure resources as an organization grows.
Understanding Azure Management Groups
Azure Management Groups are a way to organize and manage multiple Azure subscriptions. If your organization has many subscriptions, management groups help you efficiently control access, policies, and compliance across all of them. When you organize subscriptions into management groups, the rules you set apply to all subscriptions within that group. This is called inheritance, where settings flow down from the management group to its subscriptions.
Management Group Hierarchy
You can create a flexible structure of management groups and subscriptions to organize your resources. This structure is like a tree, with a root management group at the top. Under the root, you can have other management groups, and under those, you can have subscriptions. This allows you to apply policies at different levels. For example, you can set a policy at a high-level management group that limits where virtual machines can be created. This policy will then apply to all subscriptions and resources under that group.
Key Features of Management Groups
Management groups provide several important features:
- They allow for enterprise-grade management at scale.
- All subscriptions within a management group must trust the same Microsoft Entra tenant.
- They enable you to apply policies that are inherited by all nested groups and subscriptions.
- They allow you to manage user access to multiple subscriptions through a single role assignment.
Root Management Group
Every Azure directory has a single, top-level root management group. All other management groups and subscriptions are part of this root group. The root management group is important because it allows you to apply global policies and Azure role assignments at the directory level. Initially, only Microsoft Entra Global Administrators can access and manage the root management group. After gaining access, they can assign roles to other users to manage the hierarchy.
Moving Management Groups and Subscriptions
You can move management groups and subscriptions within the hierarchy. To do this, you need specific permissions: write permissions on the child subscription or management group being moved, and write access on both the target and the existing parent management groups. However, if the target or the existing parent is the root management group, write access on the root group itself is not required. It's important to note that Azure Resource Manager caches the management group hierarchy, so changes may not appear immediately in the Azure portal.
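As an added worked example (not part of the original course material or any Azure SDK), the following Python model encodes the rules described in this section and in "Hierarchy and Structure of Management Groups" above: a single root, nested groups, exactly one group per subscription, role assignments and an "allowed locations" policy inherited down the chain, and the permission checks for moving a subscription, including the root-group exception. All group, subscription, principal and region names are constructed.

```python
"""Toy model of the management-group hierarchy this page describes (a constructed
example, not Azure's implementation): nested groups under one root, each subscription
in one group, inherited role and policy assignments, and the subscription-move rules."""
from dataclasses import dataclass, field

ROOT = "root"                       # the single top-level root management group
WRITERS = {"Owner", "Contributor"}  # built-in roles modelled as granting write access

@dataclass
class Hierarchy:
    parent: dict = field(default_factory=lambda: {ROOT: None})  # group -> parent group
    sub_group: dict = field(default_factory=dict)               # subscription -> group
    roles: dict = field(default_factory=dict)                   # scope -> {(principal, role)}
    locations: dict = field(default_factory=dict)               # scope -> allowed locations

    def add_group(self, name, parent=ROOT):
        assert parent in self.parent, f"unknown parent management group: {parent}"
        self.parent[name] = parent

    def add_subscription(self, sub, group=ROOT):
        self.sub_group[sub] = group  # a subscription belongs to exactly one group

    def assign_role(self, scope, principal, role):
        self.roles.setdefault(scope, set()).add((principal, role))

    def chain(self, scope):
        """The scope itself followed by every ancestor group up to the root."""
        out, node = [scope], self.sub_group.get(scope, self.parent.get(scope))
        while node is not None:
            out.append(node)
            node = self.parent[node]
        return out

    def effective_roles(self, principal, scope):
        """Roles held at scope, including those inherited from ancestor groups."""
        return {r for s in self.chain(scope) for p, r in self.roles.get(s, ()) if p == principal}

    def allowed_locations(self, scope):
        """Every 'allowed locations' policy on the chain applies, so take the intersection."""
        sets = [self.locations[s] for s in self.chain(scope) if s in self.locations]
        return set.intersection(*sets) if sets else None  # None: unrestricted

    def can_move_subscription(self, principal, sub, target):
        source = self.sub_group[sub]
        roles_at = lambda s: self.effective_roles(principal, s)
        if "Owner" in roles_at(source) and "Owner" not in roles_at(target):
            return False  # Owner inherited at the current group: target must grant Owner too
        # Write access on the subscription, its current parent and the target, but never on root itself.
        needed = [s for s in (sub, source, target) if s != ROOT]
        return all(roles_at(s) & WRITERS for s in needed)
```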
Auditing and Custom Roles
Management groups are supported in Azure Monitor activity logs, allowing you to track changes and events. You can also define custom roles that can be assigned at the management group scope. These custom roles will then be available for assignment on that management group and any resources under it. However, there are limitations to using custom roles, such as only being able to define one management group in the assignable scopes of a new role.
Conclusion
In summary, management groups in Azure provide a powerful way to organize and manage multiple subscriptions. They allow for the application of policies and access controls across a hierarchy of subscriptions, which is particularly useful for large organizations with complex structures. By understanding the hierarchical nature of management groups, their relationship with subscriptions and resource groups, and the benefits they offer in terms of governance and resource management, you can effectively manage your Azure environment. The ability to apply policies and manage access at different levels, along with the inheritance of these settings, makes management groups an essential tool for maintaining consistency and compliance across your Azure resources.