
Azure Governance: RBAC, Policies, and More

The document outlines Azure governance features, including Role-Based Access Control (RBAC), resource locks, tags, policies, blueprints, and the Cloud Adoption Framework. It details how these tools help organizations manage access, prevent accidental resource changes, enforce compliance, and standardize deployments in Azure. The Cloud Adoption Framework provides structured guidance for successful cloud adoption through defined strategies and best practices.

Uploaded by SHEKINAH CRUZ
Copyright © All Rights Reserved

RBAC RESOURCE LOCKS TAGS POLICY BLUEPRINTS CLOUD ADOPTION FRAMEWORK

Azure Governance Features
IS306 - Cloud Computing

Learning Objectives
After completing this module, you'll be able to:

• Make organizational decisions about your cloud environment by using the Cloud Adoption
Framework for Azure.
• Define who can access cloud resources by using Azure role-based access control.
• Apply a resource lock to prevent accidental deletion of your Azure resources.
• Describe the functionality and usage of resource tags.
• Control and audit how your resources are created by using Azure Policy.
• Enable governance at scale across multiple Azure subscriptions by using Azure Blueprints.

TABLE OF CONTENTS

01 Role Based Access Control (RBAC)
02 Resource Locks
03 Resource Tags
04 Azure Policy
05 Azure Blueprints
06 Cloud Adoption Framework for Azure

01
Role Based Access Control (RBAC)
What is Azure role-based access control (Azure RBAC)?

Role-Based Access Control

Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

What can I do with Azure RBAC?

• Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
• Allow a DBA group to manage SQL databases in a subscription
• Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
• Allow an application to access all resources in a resource group

How is Azure RBAC enforced?

Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

How do I manage Azure RBAC permissions?

Role-based access control lets you define permissions on a resource, specifying what is allowed for that particular resource. You can also grant or remove access.

02
Resource Locks
What is the purpose of Resource Locks?

Resource Locks

A resource lock prevents resources from being accidentally deleted or changed.

Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people with the right level of access could delete critical cloud resources. Resource locks prevent resources from being deleted or updated, depending on the type of lock. Resource locks can be applied to individual resources, resource groups, or even an entire subscription. Resource locks are inherited, meaning that if you place a resource lock on a resource group, all of the resources within the resource group will also have the resource lock applied.

Types of Resource Locks

• Delete means authorized users can still read and modify a resource, but they can't delete the resource.

• ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
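
The allow model from the RBAC section and the lock inheritance described here can be combined into one access decision. The following is an added example, not part of the original slides and not Azure's implementation: a simplified Python model in which the subscription, resource group, VM and user names are constructed, and roles are reduced to sets of read/write/delete actions.

```python
# Simplified model of the two checks described above; not Azure's implementation.
# Scopes are ARM-style paths; a child scope starts with its parent's path.
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    scope: str
    actions: frozenset   # e.g. {"read", "write", "delete"}

@dataclass(frozen=True)
class Lock:
    scope: str
    level: str           # "Delete" or "ReadOnly", as named on the slides

def in_scope(parent: str, target: str) -> bool:
    """True if target is the parent scope itself or lies beneath it."""
    parent = parent.rstrip("/")
    return target == parent or target.startswith(parent + "/")

def effective_actions(principal, target, assignments):
    """Allow model: union of every assignment at or above the target."""
    granted = set()
    for a in assignments:
        if a.principal == principal and in_scope(a.scope, target):
            granted |= a.actions
    return granted

def blocked_by_locks(target, locks):
    """Locks are inherited: any lock at or above the target applies."""
    blocked = set()
    for lock in locks:
        if in_scope(lock.scope, target):
            blocked |= {"delete"} if lock.level == "Delete" else {"write", "delete"}
    return blocked

def is_allowed(principal, action, target, assignments, locks):
    """An action needs an RBAC grant and must not be blocked by a lock."""
    return (action in effective_actions(principal, target, assignments)
            and action not in blocked_by_locks(target, locks))

# Constructed sample data (hypothetical names).
SUB = "/subscriptions/sub-demo"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    RoleAssignment("alice", RG, frozenset({"read"})),
    RoleAssignment("alice", RG, frozenset({"write"})),
    RoleAssignment("bob", SUB, frozenset({"read", "write", "delete"})),
]
LOCKS = [Lock(RG, "Delete")]
```

With this data, bob holds delete rights on the whole subscription, yet `is_allowed("bob", "delete", VM, ASSIGNMENTS, LOCKS)` is false because the Delete lock on the resource group is inherited by the VM.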

How do I manage resource locks?

• You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.

• To view, add, or delete locks in the Azure portal, go to the Settings section and select Locks.

03
Resource Tags
What are Resource Tags?

One way to organize related resources is to place them in their own subscriptions. You can also use resource groups to manage related resources. Resource tags are another way to organize resources. Tags provide extra information, or metadata, about your resources. This metadata is useful for:

How do I manage resource tags?

● You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.
● You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, but those tags aren't automatically applied to the resources within that resource group.
● You can also use Azure Policy to enforce tagging rules and conventions.

[Figure: An example tagging structure]

04
Azure Policy

What is the purpose of Azure Policy?



Azure Policy
Azure Policy is a service in Azure that
enables you to create, assign, and
manage policies that control or audit
your resources. These policies enforce
different rules across your resource
configurations so that those
configurations stay compliant with
corporate standards.

How does Azure Policy define policies?

Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created. Azure Policy can also prevent non-compliant resources from being created. Azure Policies can be set at each level, enabling you to set policies on a specific resource, resource group, subscription, and so on.

Additionally, Azure Policies are inherited, so if you set a policy at a high level, it will automatically be applied to all of the groupings that fall within the parent.
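
Policy inheritance, compliance highlighting and creation blocking, together with the earlier point that tags on a resource group are not applied to the resources inside it, can be shown in one small evaluation. This is an added example, not part of the original slides and not Azure Policy's engine or rule syntax: a simplified Python model with constructed resource IDs, hypothetical policy names, and a single "required tag" rule per assignment using the audit and deny effects.

```python
# Simplified model of policy evaluation; not Azure Policy's engine or rule syntax.
def in_scope(parent, target):
    """True if target is the parent scope itself or lies beneath it."""
    parent = parent.rstrip("/")
    return target == parent or target.startswith(parent + "/")

def applicable(resource_id, assignments):
    """Policies are inherited: an assignment covers everything beneath its scope."""
    return [a for a in assignments if in_scope(a["scope"], resource_id)]

def evaluate(resource, assignments):
    """Return (policy name, effect) for every required tag the resource lacks."""
    findings = []
    for a in applicable(resource["id"], assignments):
        if a["required_tag"] not in resource.get("tags", {}):
            findings.append((a["name"], a["effect"]))
    return findings

def compliance_report(resources, assignments):
    """Existing resources: highlight the ones that are not compliant."""
    report = {}
    for r in resources:
        findings = evaluate(r, assignments)
        if findings:
            report[r["id"]] = findings
    return report

def can_create(resource, assignments):
    """New resources: a 'deny' finding blocks creation, 'audit' only reports."""
    return all(effect != "deny" for _, effect in evaluate(resource, assignments))

# Constructed sample data (hypothetical names).
SUB = "/subscriptions/sub-demo"
RG = SUB + "/resourceGroups/rg-prod"
SQL1 = RG + "/providers/Microsoft.Sql/servers/sql1"
WEB1 = RG + "/providers/Microsoft.Web/sites/web1"
ASSIGNMENTS = [
    {"name": "require-costcenter", "scope": SUB,
     "required_tag": "CostCenter", "effect": "audit"},
    {"name": "require-env", "scope": RG,
     "required_tag": "Env", "effect": "deny"},
]
RESOURCES = [
    {"id": RG, "tags": {"CostCenter": "1001", "Env": "Prod"}},  # the group itself
    {"id": SQL1, "tags": {}},  # sits in a tagged group but carries no tags
    {"id": WEB1, "tags": {"CostCenter": "1001", "Env": "Prod"}},
]
```

The report lists only `sql1`: the resource group's own tags do not reach it, and it is covered both by the subscription-level policy (inherited) and by the policy assigned at the resource group.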

What are Azure Policy initiatives?

● Monitor unencrypted SQL Database in Security Center: This policy monitors for unencrypted SQL databases and servers.

● Monitor OS vulnerabilities in Security Center: This policy monitors servers that don't satisfy the configured OS vulnerability baseline.

● Monitor missing Endpoint Protection in Security Center: This policy monitors for servers that don't have an installed endpoint protection agent.

05
Azure Blueprints

What is Azure Blueprints and what is its purpose?



Azure Blueprints

Azure Blueprints lets you standardize cloud subscription or environment deployments. Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define repeatable settings and policies that are applied as new subscriptions are created. Azure Blueprints lets you deploy a new Test/Dev environment with security and compliance settings already configured.

What are artifacts?

Each component in the blueprint definition is known as an artifact.

• Role assignments
• Policy assignments
• Azure Resource Manager templates
• Resource groups

It is possible for artifacts to have no additional parameters (configurations). An example is the Deploy threat detection on SQL servers policy, which requires no additional configuration.

Artifacts can also contain one or more parameters that you can configure. The following screenshot shows the Allowed locations policy. This policy includes a parameter that specifies the allowed locations.

Azure Blueprints in action

When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.

Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint.

• Create an Azure blueprint
• Assign the blueprint
• Track the blueprint assignments


06
Cloud Adoption Framework for Azure
What's in the Cloud Adoption Framework?

Cloud Adoption Framework for Azure
The Cloud Adoption Framework for Azure
provides you with proven guidance to help
with your cloud adoption journey. The Cloud
Adoption Framework helps you create and
implement the business and technology
strategies needed to succeed in the cloud.

Microsoft Cloud Adoption Framework for Azure

To help build your adoption strategy, the Cloud Adoption Framework breaks out each stage into further exercises and steps. Let's take a brief look at each stage.

01 Define Strategy
• Define and document your motivations
• Document business outcomes
• Evaluate financial considerations
• Understand technical considerations

02 Plan
• Digital estate
• Initial organizational alignment
• Skills readiness plan
• Cloud adoption plan

03 Ready
• Azure setup guide
• Azure landing zone
• Expand the landing zone
• Best practices

04 Adopt
• Migrate your first workload
• Migration scenarios
• Best practices
• Process improvements

05 Govern
• Methodology
• Benchmark
• Initial governance foundation
• Improve the initial governance foundation

06 Manage
• Establish a management baseline
• Define business commitments
• Expand the management baseline
• Advanced operations and design principles

THANK YOU FOR LISTENING!
