delegating user/permissions management for Azure resources

Question
-
Hello All,
We have an internal IT group which is responsible for managing our corporate AD. That AD (\\zytex) is synched with AzureAD for authentication to our Office365 subscriptions.
We do have several Azure subscriptions containing dev/test and production resources that we would like to control access to. \\zytex users are visible and can be assigned roles and permissions to our subscriptions in Azure Portal.
We would like to delegate the ability to create permission groups for Azure and add/remove \\zytex users to those permissions groups to a few developers instead of requiring internal IT to be involved.
We have been looking at administrative units and self-service groups, but we are unsure of the best way to implement our requirements. Please suggest the best practices.
- Edited by Tekbloke Friday, July 20, 2018 5:38 PM (highlighted the focused points)
Friday, July 20, 2018 5:36 PM
All replies
-
If you're planning to control access to subscription resources for users, then you should be using RBAC in this case. However, if you want to allow users to create and manage their own groups and control access to resources in Azure AD, use self-service group management. Refer to - https://docs.microsoft.com/en-us/microsoft-365/enterprise/identity-self-service-group-management and https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups
- Proposed as answer by SadiqhAhmed-MSFT (Microsoft employee) Friday, July 20, 2018 8:03 PM
- Marked as answer by Tekbloke Monday, July 23, 2018 2:27 PM
Friday, July 20, 2018 8:03 PM
-
@Tekbloke, Just checking in if you have had a chance to see our previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same. And, if you have any further query do let us know.
Sunday, July 22, 2018 6:36 PM
-
Thank you Sadiq... was just wondering which one do you suggest the best from the above 2 links... and are there any best practices for the same?
Monday, July 23, 2018 2:29 PM
-
@Tekbloke, For your use case, RBAC should be a good fit - https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles. However, based on your requirement and scenario specific demand you might have to use multiple features together.
- Proposed as answer by SadiqhAhmed-MSFT (Microsoft employee) Tuesday, July 24, 2018 3:54 PM
- Marked as answer by Tekbloke Tuesday, July 31, 2018 2:29 PM
Tuesday, July 24, 2018 3:54 PM
-
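One way to implement the combination Sadiqh describes (RBAC scoped to the Azure resources, plus delegated group ownership so developers manage membership themselves), as an added PowerShell example that is not part of this thread. It assumes the Az and AzureAD modules are installed; the subscription ID, resource group, group name and developer UPN are placeholders.

```powershell
# Added example, not from the thread: delegate a scoped Azure role to a cloud
# security group and make a developer the group owner so they can add/remove
# members without involving the on-prem AD team or an Azure AD admin role.
Connect-AzAccount | Out-Null
Connect-AzureAD | Out-Null

$subscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
$resourceGroup  = 'rg-devtest'                            # assumed: scope here, not the whole subscription
$groupName      = 'azure-rg-devtest-contributors'         # assumed naming convention
$developerUpn   = 'dev.lead@zytex.example'                # assumed delegate (a synced \\zytex user)

# 1. Create a cloud-only security group. Synced on-prem users can be members,
#    but the group itself lives in Azure AD, so membership is managed there.
$group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName

# 2. Grant the group a built-in role at resource-group scope. Contributor can
#    manage resources but cannot change role assignments (Owner can).
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" | Out-Null

# 3. Make the developer an owner of the group: owners can add and remove
#    members, which is the only delegation the question asks for.
$developer = Get-AzureADUser -ObjectId $developerUpn
Add-AzureADGroupOwner -ObjectId $group.Id -RefObjectId $developer.ObjectId

# 4. Verify what was delegated: the group's role assignments and its owners.
Get-AzRoleAssignment -ObjectId $group.Id | Select-Object RoleDefinitionName, Scope
Get-AzureADGroupOwner -ObjectId $group.Id | Select-Object UserPrincipalName
```

Scoping the assignment to a resource group rather than the subscription, and choosing Contributor over Owner, keeps the delegated developers from being able to change who has access to what; role-assignment changes still show up in the subscription's Activity Log for review.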
@Tekbloke, Checking in to see if the above suggestions helped or you need further assistance on this issue. If that answers your query, do click “Mark as Answer” and Up-Vote for the same.
Friday, July 27, 2018 8:53 PM