MANAGE: Controlling access to your Azure resourcesOctober 10, 2018
After you PLAN your migration and make the MOVE to the Microsoft cloud, you’ll need to ramp up on how to use it. So in our MANAGE series, we’re talking about best practices to optimize the Microsoft cloud.
In Azure, it’s easy for users to create, change, or delete resources. This is one of the perks of the platform, one that helps your organization stay fast and flexible. But to balance that out, you need to make sure that only the right people have access to the right resources. Otherwise, you might find yourself with an unexpectedly large monthly bill, missing data, or even system outages.
You need the right policies in place to:
- Control who has access to Azure resources, and what changes they can make
- Prevent unexpected costs by controlling who deploys new resources when
- Separate who controls production vs. non-production environments
- Prevent people from accidentally changing or deleting something important
Fortunately, Azure comes with an array of complimentary checks and balances to make sure you can control access—without slowing down your business. Specifically, you can:
- Set policies within a subscription
- Set permissions by role
- Block certain actions entirely
Set policies within a subscription
With Azure Resource Manager Policy, you can set rules that apply either to an entire subscription or to individual applications. For instance, you can:
- Block applications from using certain types of resources
- Limit the SKUs or service tier of another resource type
- Enforce or prevent the use of a certain Azure region
- Make sure people name and tag resources correctly
Set permissions by role
You can also use role-based access control to control the actions of a user or group. This is how you make sure that everyone has the right level of access to do their jobs—but no more. To do this, you create roles and define what actions they can (or can’t) take on what types of resources. Then after you’ve defined a role, you can apply it to specific users or groups (in Azure Active Directory). You can also apply roles across a subscription, resource group, or individual resource.
Block certain actions entirely
With Resource Locks, you can lock a subscription, resource group, or resource to prevent users from accidentally deleting or modifying critical resources. Unlike role-based access control, you use locks to apply a restriction across all users and roles. There are two types of locks:
- DoNotDelete, which allows all actions except delete. As an example, you might want to apply this type of lock to a storage account that contains critical data. To delete the data, you’d first need to remove the lock, which can be a useful checkpoint to verify that the action really is intended.
- ReadOnly, which lets people read it but blocks any updates or deletes.
Need help setting up access to resources in Azure? We at Binary Tree are standing by to help with this—and much more. We offer a range of managed services that mitigate the risks and take the guesswork out of adopting, managing, and leveraging the power of the Microsoft cloud. To get started, get in touch.
Source: Microsoft. Cloud Migration and Modernization Playbook. 2018.