
comp9

This document outlines two tasks for managing Azure subscriptions using management groups. The first task involves creating and configuring a management group to organize subscriptions and manage access, while the second task focuses on reviewing and assigning the Virtual Machine Contributor role to a Help Desk group. Best practices are emphasized, such as assigning roles to groups rather than individuals.

Uploaded by

bikash_shrest5

Task 1: Implement Management Groups

In this task, you will create and configure management groups. Management groups
are used to logically organize and segment subscriptions. They allow RBAC and
Azure Policy to be assigned and inherited by other management groups and
subscriptions. For example, if your organization has a dedicated support team for
Europe, you can organize European subscriptions into a management group to provide
the support staff access to those subscriptions (without providing individual
access to all subscriptions). In our scenario, everyone at the Help Desk will need
to create a support request across all subscriptions.

Sign in to the Azure portal - https://portal.azure.com.

Search for and select Microsoft Entra ID.

In the Manage blade, select Properties.

Review the Access management for Azure resources area. Ensure you can manage access
to all Azure subscriptions and management groups in the tenant.

Search for and select Management groups.

On the Management groups blade, click + Create.

Create a management group with the following settings. Select Submit when you are
done.

Setting                          Value
Management group ID              az104-mg1 (must be unique in the directory)
Management group display name    az104-mg1

Refresh the management group page to ensure your new management group displays.
This may take a minute.

Note: Did you notice the root management group? The root management group is built
into the hierarchy to have all management groups and subscriptions fold up to it.
This root management group allows for global policies and Azure role assignments to
be applied at the directory level. After creating a management group, you would add
any subscriptions that should be included in the group.

Task 2: Review and assign a built-in Azure role


In this task, you will review the built-in roles and assign the VM Contributor role
to a member of the Help Desk. Azure provides a large number of built-in roles.

Select the az104-mg1 management group.

Select the Access control (IAM) blade, and then the Roles tab.

Scroll through the built-in role definitions that are available. View a role to get
detailed information about the Permissions, JSON, and Assignments. You will often
use owner, contributor, and reader.

Select + Add, and from the drop-down menu select Add role assignment.

On the Add role assignment blade, search for and select the Virtual Machine
Contributor role. The Virtual Machine Contributor role lets you manage virtual
machines, but not access their operating system or manage the virtual network and
storage account they are connected to. This is a good role for the Help Desk.
Select Next.

Did you know? Azure originally provided only the Classic deployment model. This has
been replaced by the Azure Resource Manager deployment model. As a best practice,
do not use classic resources.

On the Members tab, Select Members.

Note: The next step assigns the role to the helpdesk group. If you do not have a
Help Desk group, take a minute to create it.

Search for and select the helpdesk group. Click Select.

Click Review + assign twice to create the role assignment.

Continue on the Access control (IAM) blade. On the Role assignments tab, confirm
the helpdesk group has the Virtual Machine Contributor role.

Note: As a best practice, always assign roles to groups, not individuals.

Did you know? This assignment might not actually grant you any additional
privileges. If you already have the Owner role, that role includes all permissions
associated with the VM Contributor role.
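
The two notes above (assign roles to groups, and Owner already covering VM Contributor) can be checked mechanically. The following is an added example, not part of the original lab: it audits a list of role assignments whose field names are assumed to match the JSON output of `az role assignment list`. The sample data, the root group ID placeholder and the function name `audit` are constructed for illustration.

```python
# Added example: audit role assignments that are effective at a management group.
MG = "/providers/Microsoft.Management/managementGroups/az104-mg1"
# Placeholder for the tenant root management group (its real ID is tenant-specific).
ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root-placeholder"
VMC = "Virtual Machine Contributor"

# Constructed sample, shaped like `az role assignment list` JSON output.
SAMPLE = [
    {"principalName": "helpdesk", "principalType": "Group", "principalId": "g-1",
     "roleDefinitionName": VMC, "scope": MG},
    {"principalName": "alice@example.com", "principalType": "User", "principalId": "u-1",
     "roleDefinitionName": VMC, "scope": MG},
    {"principalName": "alice@example.com", "principalType": "User", "principalId": "u-1",
     "roleDefinitionName": "Owner", "scope": ROOT},
    # Assigned on an unrelated subscription: not inherited by az104-mg1, so ignored.
    {"principalName": "bob@example.com", "principalType": "User", "principalId": "u-2",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def audit(assignments, scope_chain):
    """Return sorted (finding, principal, role, scope) tuples.

    scope_chain lists the audited scope followed by its ancestors; an
    assignment made at any of them is effective at the audited scope.
    """
    effective = [a for a in assignments if a["scope"] in scope_chain]
    owners = {a["principalId"] for a in effective
              if a["roleDefinitionName"] == "Owner"}
    findings = []
    for a in effective:
        row = (a["principalName"], a["roleDefinitionName"], a["scope"])
        # Best practice from the lab: roles go to groups, not individuals.
        if a["principalType"] == "User":
            findings.append(("direct-user",) + row)
        # Owner includes every other role's permissions, so this adds nothing.
        if a["principalId"] in owners and a["roleDefinitionName"] != "Owner":
            findings.append(("covered-by-owner",) + row)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE, [MG, ROOT]):
        print(*finding, sep=" | ")
```

The check only looks at direct assignments; it does not expand group membership, so an Owner role held through a group is not detected.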
