Enforcing Speed and Contr ...
    26 June 19

    Enforcing Speed and Control With Management Groups and Azure Blueprints

    Posted byMbong Ekwoge

    In my previous post, Enforcing Speed and Control Using Azure Policy, I described Azure Policy as a control service in Azure that enables you to create, assign, and manage polices. It also keeps resources compliant with corporate standards, industry/government regulations, and service level agreements.

    In this blog post, I will introduce you to Management Groups and Azure Blueprints, with regards to enforcing speed and control in Azure.

    Effectively implementing these steps would provide a suitable platform to enable you to proactively review governance effectiveness and identify areas or segments to improve upon. 

    image_preview-2Steps to Achieve Speed and Control in Azure


    Management Groups


    Blog Image 3

    The role of Management Groups

    Management groups are needed for unified policy, access management, and subscriptions.

    How do they achieve this?

    • Management groups act as containers for subscriptions.
    • Policies and access management can be scoped around management groups.
    • Policies applied to management groups are inherited by all subscriptions, resource groups, and resources within that management group.
    • Azure RBAC roles have no action on the management group, but are inherited by all child resources.
    Blog Image 4

    Example of a Management Group Hierarchy Tree

    It’s important to know that the Root Management Group is built into the hierarchy, and all management groups and subscriptions fold up into it. It cannot be moved or deleted, unlike other management groups.

    Creating Management Groups

    Before creating Management Groups, you need to understand the difference between managing resource access through Azure Active Directory and Azure Role Based Access Control

    Azure Active Directory(AAD) is Microsoft’s cloud-based identity access management service or identity-as-a-service.  It helps your employees sign-in to:

    • External resources, such as Microsoft Office 365, the Azure Portal, and other SaaS applications.
    • Internal resources, such as apps in your corporate network and intranet, along with any cloud apps developed by your own organization.


    Blog Image 5


    AAD does not grant access to Azure Resources (VMs, Storage Accounts, Management Groups, etc). Azure AD resources and Azure resources are secured independently from one another.

    Conversely, Azure RBAC Assignments are used to secure Azure resources, but do not grant access to AAD resources. 

    The only way you can use your user identity in AAD to gain access to Azure resources is by:

    1. Upgrading your role to Global Administrator in AAD.
    2. When you elevate your role, you are eligible to be assigned the User Access Administrator role in Azure at the root scope (/). This allows you to -
      1. view all resources
      2. assign access in any subscription or management group in the directory


    Blog Image 6


    Follow these steps to elevate access for the Global Administrator role to the User Access Administrator role using the Azure Portal:


    Blog Image 7


    When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at the root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory.

    Note: This toggle is only available to users who are assigned the Global Administrator role in Azure AD.


    Blog Image 8


    In this example, the user "Chris" isn't assigned the Global Administrator role in AAD. Therefore, he cannot be upgraded to a User Access Administrator role.


    Blog Image 9


    Blog Image 10


    Once you sign-out and sign-in again, your dashboard should look similar to this:


    Blog Image 11


    Once you are done, it is recommended that you turn the toggle off.

    You can create the Management Group by using:

    • Azure Portal
    • PowerShell
    • Azure CLI

    Note: Currently, you can not use Resource Manager templates to create Management Groups.

    For example:

    1.) Create a Management Group Calle "FinanceGroup" with a display name of "Finance" using the Azure portal.


    Blog Image 12

    Creating a Management Group

    2.) Move all your existing subscriptions into the Finance management group.


    Blog Image 13

    Moving subscriptions into a Management Group

    3.) Apply an initiative that includes a number of policies that control and deploy specific VM extensions to support audit requirements.


    Blog Image 14

    Applying policies to a Management Group's subscriptions

    Using Azure PowerShell, here's how I define a similar Management Group:


    Blog Image 15


    The GroupName is a unique identifier being created. This ID is used by other commands to reference this group and it cannot be changed later.


    Blog Image 16


    If you want the Management Group to show a different name within the Azure portal, add the DisplayName parameter.

    Blog Image 17


    The new Management Group is created under the root management group.

    To specify a different Management Group as the parent, use the Parentld parameter. To get the parent ID, I query all Management Groups using the Get command.


    image_preview (1)


    The next step is to create a parent ID variable that will store the parent ID of the higher level Management Group.


    Blog Image 18


    Lastly, I create the new sub-Management Group and, using the parent ID, assign it as a sub-group to the Finance Management Group.


    Blog Image 19


    Azure BluePrints

    Azure Blueprints is intended to assist with environment setup. Such environments often include:

    • Azure Resource Groups
    • Role Assignments
    • Different Policies
    • Resource Manager Template Deployments
    Blueprints are essentially packages that pull these types of resources and artifacts together. The package contains resources defined to meet your standards, compliance requirements, and company policies. 


    Blog Image 21

    Creating Azure BluePrints

    Most resources in Azure have a natural lifecycle.  Blueprints in Azure BluePrints are no different, as they are created and then deployed. When they are no longer needed, they are deleted.  As such, Azure BluePrints supports typical lifecycle operations and even builds upon them. Azure BluePrints provides support for continuous integration and continuous deployment pipelines for companies that manage infrastructure as code.

    The typical Azure BluePrint lifecycle consists of:

    • Creation of a blueprint
    • Publishing of the blueprint
    • Creating or editing a new version of the blueprint
    • Publishing a new version of the blueprint
    • Deletion of a specific version of the blueprint
    • Deleting the blueprint altogether


    Blog Image 22

    Azure BluePrints are made up of artifacts. Resources supported as artifacts include -

    • policy assignments
    • role assignments
    • Azure Resource Manager templates
    • Resource Groups


    Blog Image 23


    Policy Assignments provide a means for applying policy to a subscription to which a blueprint is assigned. The policy must be within the scope of the blueprint containing the policy.


    Blog Image 24


    Azure BluePrints can pass parameters to policies, initiatives, or Resource Manager templates. The author must decide on a value to define the blueprint parameter when creating the assignment, or allow the value of the parameter to be specified when the blueprint is being assigned to a subscription.


    Blog Image 25


    Role Assignments provide a means for adding existing users or groups to a built-in role. This is done to ensure the correct people have the proper access to Azure resources.


    Blog Image 26


    Azure Resource Group Templates are useful when designing complex environments, such as those managed with Azure Automation State Configuration. Leveraging templates makes standardization of such environments far easier than building them individually.


    Blog Image 27


    Resource Groups allow an administrator to organize resources and to structure them as needed. They also serve as scope limiters for policy assignment artifacts, role assignment artifacts, and Azure Resource Manager templates.


    Blog Image 28


    To get you started with deploying Azure BluePrints, Microsoft provides you with 5 sample blueprints you can customize to suit your cloud environment. My favorite is the ISO 27001: Shared Services blueprint. It deploys and configures Azure Infrastructure and Policies mapped to specific ISO controls.


    Blog Image 29


    The image below provides an overview of the breadth and depth of the ISO 27001 accreditation process.


    Blog Image 30


    The Shared Services sample consists of more than 50 Policy Assignments and Resource Manager Templates you can configure to meet ISO 27001 requirements.


    Blog Image 31


    With the Shared Services template, you could easily verify compliance in less than one hour!

    In my next post, I'll give you step-by-step advice on how to utilize Resource Graph and Azure Monitor, as well as how to Autoscale. 

    Learn more about Microsoft Azure with your All Access Pass




    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo