We will talk about Azure Policies and auditing, resource tagging, managing subscriptions, locking down resources and role based access controls.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-2.png\")
<\/figure><\/div>\n\n\n\n
What’s it all about? Policies on Azure? And more!<\/h5>\n\n\n\n
As stated before, this is probably the most important pillar, so what is it exactly? So, comparable with group policies you say? Not exactly, with Azure Policies we can do so much more and on different levels.<\/p>\n\n\n\n Before we start deploying policies, we need some kind of hierarchy to which we can apply our policies. And as with traditional group policies, we needed organizational units to group our resources into logical containers.<\/p>\n\n\n\n A management group is a logical container that can have policies<\/strong>, blueprints <\/strong>and role based access controls<\/strong> applied. Subscriptions can be added to a management group, so they can inherit the settings that are being applied to a management group. Below example provided by Microsoft<\/a>, shows you how you can organize management groups, subscriptions and resource groups per Business Unit, Geo-location and environment type.<\/p>\n\n\n\n When on-boarding your first subscription into your tenant, it will be added to your root management group. <\/p>\n\n\n\n Best practice <\/strong>is to create a management group attached to the root management group and start from there. As with group policies, you usually start with a new OU and apply policies on that level. You never start with changing the default domain policies.<\/p>\n\n\n\n The following powershell demonstrates how to create a very simple management group hierarchy.<\/p>\n\n\n\n In the previous example, we’ve added our production and development subscription to a management group. By adding our subscriptions to a management group, we can start defining our rules of play at 2 levels.<\/p>\n\n\n\n A subscription is a billing and management boundary to deploy your resources in and manage them via the right set of role based access controls.<\/p>\n\n\n\n Your subscription(s) are linked to your Azure AD tenant and can be made available to your Administrators by delegating permissions on a per subscriptions basis.<\/p>\n\n\n\n Our previous example provisioned a Production and Development subscription. With RBAC we can assign our developers the Contributor role to the Development subscription, so they can deploy and manage their resources. That same developer can only be granted a Read-Only role, to make sure no changes are being made on our production platform. If we really want to utilize the power of Azure we will deploy the roles on management group level, so every subscription in the PRD and DEV managemen group is inheriting the right set of roles and permissions.<\/p>\n\n\n\n And yes, Role Based Access Control is exactly what is states. We are giving access to a set of resources based on the specific role a security principal has. A security principal<\/a> can be one of the following.<\/p>\n\n\n\n Now how does this work in Azure? RBAC is applied at 2 levels.<\/p>\n\n\n\n As an example, you can have a global administrator within your Azure Active Directory tenant. That global administrator<\/a> will have the ability to perform everything within your Azure AD tenant. However, that same global administrator, doesn’t necessarily have the same amount of power within your Azure Subscriptions. Your Azure Subscriptions or Management Groups are using their own built-in roles. If you want your global administrator to have all the keys to the kingdom, you’ll have to grant him Subscription Owner rights within your Azure Subscription.<\/p>\n\n\n\n Below is an overview of the Global Administrator permissions<\/a>.<\/p>\n\n\n\n Below is an overview of the Azure Owner permissions<\/a>.<\/p>\n\n\n\n As an administrator, I would love to have the keys to the kingdom, for demo purposes, the below powershell script gives you an idea on how to assign the required roles to a user. <\/p>\n\n\n\n Best practice <\/strong>is to assign roles to a security principal based on the least privilege principle. <\/a><\/p>\n\n\n\n Taking the above into account, we’ve made our environment ready with the following structure.<\/p>\n\n\n\n Now that we have our management structure up and running, let’s see how we can make use of Azure Policy to start locking down our environment.<\/p>\n\n\n\n Locking down… sounds like a plan, so let’s look at Resource Locks. There are 2 types of resource locks:<\/p>\n\n\n\n Where can this be applied?<\/p>\n\n\n\n When can this be applied?<\/p>\n\n\n\n You can apply a lock during the creation of the specific subscription, resource groups or resource. A lock can be applied via powershell or through the portal on existing resources. Or you can leverage Azure Policy to apply locks at scale.<\/p>\n\n\n\n Let us walk through the steps in order to make sure that a Delete lock is being applied to all of our resources.<\/p>\n\n\n\n For the sake of this blogpost series, I won’t dig too deep into Azure Policies and how the policy structure is being assembled. My colleague @ThomasVanLaere <\/a>has made a detailed blog-post on Azure Policy, make sure to check that one out as well.<\/p>\n\n\n\n We will make use of a predefined Azure Policy and let’s alter this one to meet our needs. What are our needs?<\/p>\n\n\n\n Below Policy Definition is exactly what we need to Audit and deploy is a resource lock is not available on our resource groups.<\/p>\n\n\n Now let’s apply this via Azure Policy. Create a new policy definition Select a scope, since we are going to remediate a setting, we are forced to select a subscription. As of writing, management groups don’t support remediation tasks yet. Enter your details and create a new category if you like.<\/p>\n\n\n\n Now paste in the previous code <\/p>\n\n\n\n And here we go, we have our custom policy definition ready to be assigned.<\/p>\n\n\n\n Now navigate to policy assignments and select assign policy<\/p>\n\n\n\n Select your policy, enter a description and click next.<\/p>\n\n\n\n We have no parameters that need to be defined, so let’s continue.<\/p>\n\n\n\n Next up, yes we would like to remediate our policy. And this requires a managed identity in order to modify our settings. When applying a remediation task via the Azure Portal, the managed identity will receive the required permissions that are required to perform it’s remediating tasks.<\/p>\n\n\n\n Final step, review and create!<\/p>\n\n\n\n Now let’s wait for the assignment to kick in and review our compliance state. <\/p>\n\n\n\n It can take up to 30 minutes before your policy is evaluated. Once the policy is evaluated you see a compliance or non-compliance report.<\/p>\n\n\n\n In this case.. all our resource groups are compliant.<\/p>\n\n\n\n Now that we’ve seen our first policy at work, it’s time to take a look at resource tags. And how we can benefit from applying a right set of tags to our environment. The below list represents a series of tags that we commonly use in our Azure environments.<\/p>\n\n\n\n
Azure Governance allows you to define <\/strong>the rules <\/strong>of play to all <\/strong>your subscriptions <\/strong>within your Azure AD tenant<\/strong>. As with typical on-premises scenario’s, you would deploy group policies <\/strong>within your Windows Server Active Directory estate in order to meet your corporate requirements<\/strong> and standards<\/strong>. And most of all to make sure you’re gaining a certain amount of control <\/strong>over your infrastructure<\/strong>.<\/p>\n\n\n\nManagement Groups<\/h5>\n\n\n\n
![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/VDC-Governance-ManagementGroups.png\")
<\/figure><\/div>\n\n\n\nPowershell script<\/h5>\n\n\n
\n###########\n#\n# Let us define our variables here\n#\n###########\n\n$ParentGroupname = "Contoso_Management_Group"\n$ITManagementGroupname = "IT_OPS_Management_Group"\n$PRDManagementGroupname = "Production_Environment_Management_Group"\n$DEVManagementGroupname = "Development_Environment_Management_Group"\n\n###########\n#\n# Create the parent management group which is located just below the root management group\n#\n###########\n\n$ParentGroup = New-AzManagementGroup -GroupName $ParentGroupname -DisplayName $ParentGroupname\n$parentobject = Get-AzManagementGroup -GroupName $ParentGroupname\n$ParentID = $ParentGroup.ParentId\n\n###########\n#\n# Create the IT Operations management group as a member of the parent group\n#\n###########\n\n$ITGroup = New-AzManagementGroup -GroupName $ITManagementGroupname -DisplayName $ITManagementGroupname -ParentObject $parentobject\n$ITGroupObject = Get-AzManagementGroup -GroupName $ITManagementGroupname\n\n###########\n#\n# Create the Production and Development management groups as a member of the IT Operations management group\n#\n###########\n\n$PRDGroup = New-AzManagementGroup -GroupName $PRDManagementGroupname -DisplayName $PRDManagementGroupname -ParentObject $ITGroupObject\n$DEVGroup = New-AzManagementGroup -GroupName $DEVManagementGroupname -DisplayName $DEVManagementGroupname -ParentObject $ITGroupObject\n\n\n###########\n#\n# Move our subscriptions to the correct management group\n#\n###########\n\n$PRDsubscription = Get-AzSubscription | where {$_.Name -eq "Azure IT Ops Prd"}\n$DEVsubscription = Get-AzSubscription | where {$_.Name -eq "Azure IT OPS Dev"}\n\n\nNew-AzManagementGroupSubscription -GroupName $PRDGroup.Name -SubscriptionId $PRDsubscription.SubscriptionId\nNew-AzManagementGroupSubscription -GroupName $DEVGroup.Name -SubscriptionId $DEVsubscription.SubscriptionId\n\n###########\n#\n# End of script\n#\n###########\n<\/pre>\n\n\nSubscriptions<\/h5>\n\n\n\n
RBAC (Role Based Access Controls)<\/h5>\n\n\n\n
![\"Security](\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/overview\/rbac-security-principal.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-1-300x101.png\")
<\/figure><\/div>\n\n\n\nPowershell script (credits to Steve K\u00f6nig for the password generator<\/a> included in this script )<\/h5>\n\n\n
\n###########\n#\n# Connect to your Azure AD Tenant\n#\n###########\n\n$MyAzureADTenant = Connect-AzureAD\n$tenantname = $MyAzureADTenant.TenantDomain\n\n###########\n#\n# Define our new admin user\n#\n###########\n\n$DisplayName = "MyAdmin"\n$MailNickName = "MyAdmin"\n$CompanyName = "MyCompany"\n$UPN = $MailNickName + "@" + $tenantname\n\n###########\n#\n# Generate a new complex password\n#\n###########\n\nfunction Get-RandomCharacters($length, $characters) {\n $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }\n $private:ofs=""\n return [String]$characters[$random]\n}\n \nfunction Scramble-String([string]$inputString){ \n $characterArray = $inputString.ToCharArray() \n $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length \n $outputString = -join $scrambledStringArray\n return $outputString \n}\n \n$password = Get-RandomCharacters -length 5 -characters 'abcdefghiklmnoprstuvwxyz'\n$password += Get-RandomCharacters -length 1 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'\n$password += Get-RandomCharacters -length 1 -characters '1234567890'\n$password += Get-RandomCharacters -length 1 -characters '!"\u00a7$%&\/()=?}][{@#*+'\n \n \n$password = Scramble-String $password\n\n###########\n#\n# Store the password in a password profile\n#\n###########\n\n\n$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password = $Password\n\n###########\n#\n# Create my new admin user\n#\n###########\n\n\nNew-AzureADUser -DisplayName $DisplayName -CompanyName $CompanyName -UserPrincipalName $UPN -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName $MailNickName\n$User = Get-AzureADUser -ObjectId $UPN\n\n###########\n#\n# Assign the Azure AD Global Administrator Role\n#\n###########\n\n$GlobalAdminRole = Get-AzureADDirectoryRole | Where-Object {$_.displayname -eq 'Company Administrator'}\nAdd-AzureADDirectoryRoleMember -ObjectId $GlobalAdminRole.ObjectId -RefObjectId $User.ObjectId\n\n###########\n#\n# !!! Login with an account that has subcription owner permissions in order to add a new security principal to the role\n# Grant permissions to my Azure Subscription within my Parent Management Group\n#\n###########\n\n$MyAzureSubscriptionAccount = Login-AzAccount\n$MyAzureSubscription = Get-azsubscription\nNew-AzRoleAssignment -SignInName $UPN -RoleDefinitionName "Owner" -Scope "\/providers\/Microsoft.Management\/managementGroups\/$($ParentGroupname)"\n\n\n###########\n#\n# End of script\n#\n###########\n\n\n<\/pre>\n\n\nTime for a small recap<\/h5>\n\n\n\n
Let’s continue, Resource Locks<\/h5>\n\n\n\n
Now what is a resource lock and how is it applied.<\/p>\n\n\n\nAzure Policy<\/h5>\n\n\n\n
\n{\n "mode": "All",\n "policyRule": {\n "if": {\n "allOf": [\n {\n "field": "type",\n "equals": "Microsoft.Resources\/subscriptions\/resourceGroups"\n },\n "then": {\n "effect": "deployIfNotExists",\n "details": {\n "type": "Microsoft.Authorization\/locks",\n "existenceCondition": {\n "field": "Microsoft.Authorization\/locks\/level",\n "equals": "CanNotDelete"\n },\n "roleDefinitionIds": [\n "\/providers\/Microsoft.Authorization\/roleDefinitions\/0000-0000-0000-0000-0000000"\n],\n "deployment": {\n "properties": {\n "mode": "incremental",\n "template": {\n "$schema": "https:\/\/schema.management.azure.com\/schemas\/2015-01-01\/deploymentTemplate.json",\n "contentVersion": "1.0.0.0",\n "parameters": {\n "location": {\n "type": "string"\n }\n },\n "resources": [\n {\n "type": "Microsoft.Authorization\/locks",\n "apiVersion": "2017-04-01",\n "name": "ResourceLock",\n "properties": {\n "level": "CanNotDelete",\n "notes": "Prevent accidental deletion of resource groups"\n }\n }\n ]\n }\n }\n }\n }\n}\n}\n<\/pre>\n\n\n
<\/p>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-3.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-4.png\")
<\/figcaption><\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-5.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-6.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-7.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-8.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-9.png\")
<\/figcaption><\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-10.png\")
<\/figcaption><\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-11.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-12.png\")
<\/figcaption><\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.tunecom.be\/stg_ba12f\/wp-content\/uploads\/2020\/01\/image-13.png\")
<\/figure><\/div>\n\n\n\nReady for TAGS<\/h5>\n\n\n\n