An initiative is limited to being assigned to resource groups or subscriptions only

In this blog, we explain the differences between Azure RBAC, Azure Policy, and Azure Blueprints, the services that come under Azure Governance.

Let’s try to understand all of these services in depth, but before that, let’s get an overview of Azure governance.

What comes to your mind when you see the word Governance? Is it a rule, or is it a policy? Whatever it may be, don’t you think a company needs governance to run effectively and efficiently? In the same way, Microsoft Azure manages and monitors its resources, applications, and technology with the help of “Azure Governance.”

Let’s begin by understanding the term “Governance” in a general way: governance is the way a group of people, such as a country, does things. Many groups create a government to decide how things are to be done. Governance is also how government decision-making affects the people in that nation.

Similarly, in the Azure cloud, Azure Governance can be described simply as the mechanisms and processes used to maintain control over your applications and resources in Azure.


Let’s have a look at the topics of discussion:

  • Azure Role-Based Access Control (RBAC)
  • Azure Policy
  • Azure Blueprints

Azure RBAC (Role-Based Access Control)

Azure RBAC (Role-Based Access Control) is the system that controls who has access to which Azure resources, and what those people can do with those resources. A role is a collection of permissions.

Azure RBAC has many built-in roles, and you can create custom roles.

Here are four examples of built-in roles:

  • Owner: Has full access to all resources, including the ability to delegate access to other users.
  • Contributor: Can create and manage Azure resources.
  • Reader: Can only view existing Azure resources.
  • User Access Administrator: Can manage access to Azure resources.


Scope of Azure RBAC

Scope is the set of resources that an access assignment applies to. When you assign a role, it’s important to understand the scope so that you can grant a security principal just the access that it really needs. Scopes are structured in a parent-child relationship, and each level of the hierarchy makes the scope more specific. You can assign roles at any of these levels; the level you select determines how widely the role is applied, because lower levels inherit role assignments from higher levels.


  • Azure management groups help you manage your Azure subscriptions by grouping them together.
  • Azure subscriptions help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for.
  • Resource groups are containers that hold related resources for an Azure solution. A resource group includes those resources that you want to manage as a group.
  • Resources are the manageable items in Azure, for example virtual machines, storage accounts, and web apps.
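To make the inheritance rule concrete, here is a small model of scope inheritance and Actions/NotActions matching. This is an added example, not code from the original post or from Microsoft: the scope IDs, principals and assignments are constructed, and the role definitions are a simplified sketch of the built-in roles (the real Contributor role, for instance, carries more NotActions than shown).

```python
"""Added example: a toy model of Azure RBAC scope inheritance.

Not code from the original post or from Microsoft. The scope IDs, principals
and assignments below are constructed; the role definitions are a simplified
sketch of the built-in roles (real Azure roles carry many more NotActions).
"""
from collections import namedtuple
from fnmatch import fnmatchcase

# Constructed scope tree: child scope -> parent scope, following the
# management group > subscription > resource group > resource hierarchy.
# (Real Azure resource IDs are longer; only the shape matters here.)
SCOPE_PARENT = {
    "/mg/contoso": None,
    "/mg/contoso/sub-finance": "/mg/contoso",
    "/mg/contoso/sub-finance/rg-payroll": "/mg/contoso/sub-finance",
    "/mg/contoso/sub-finance/rg-payroll/vm-payroll-01": "/mg/contoso/sub-finance/rg-payroll",
}

# Simplified role definitions: a role is a set of allowed action patterns
# minus a set of excluded patterns, as in Azure's Actions / NotActions.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "notActions": []},
}

RoleAssignment = namedtuple("RoleAssignment", "principal role scope")

# Constructed assignments: alice reads everything under the management group
# and can manage one resource group; bob owns the whole subscription.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", "/mg/contoso"),
    RoleAssignment("alice", "Contributor", "/mg/contoso/sub-finance/rg-payroll"),
    RoleAssignment("bob", "Owner", "/mg/contoso/sub-finance"),
]


def scope_chain(scope):
    """Return the scope followed by all of its ancestors, nearest first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain


def _matches(pattern, action):
    # Azure action strings are case-insensitive; '*' may stand for any segment(s).
    return fnmatchcase(action.lower(), pattern.lower())


def effective_roles(principal, scope, assignments):
    """Roles the principal holds at `scope`, including those inherited from parent scopes."""
    ancestors = set(scope_chain(scope))
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in ancestors})


def is_allowed(principal, action, scope, assignments):
    """True if some effective role grants `action` and does not exclude it via NotActions."""
    for role in effective_roles(principal, scope, assignments):
        definition = ROLES[role]
        granted = any(_matches(p, action) for p in definition["actions"])
        excluded = any(_matches(p, action) for p in definition["notActions"])
        if granted and not excluded:
            return True
    return False


if __name__ == "__main__":
    vm = "/mg/contoso/sub-finance/rg-payroll/vm-payroll-01"
    for who, action in [("alice", "Microsoft.Compute/virtualMachines/write"),
                        ("alice", "Microsoft.Authorization/roleAssignments/write"),
                        ("bob", "Microsoft.Authorization/roleAssignments/write")]:
        print(who, action, "->", is_allowed(who, action, vm, SAMPLE_ASSIGNMENTS))
```

The point to notice is the asymmetry: alice’s Reader role at the management group reaches every resource beneath it, while her Contributor role at the resource group does not grant write access one level up at the subscription, and even at the VM it does not let her change role assignments, because that action is carved out by NotActions.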

Azure Active Directory Roles

Azure AD also has its own set of roles, which apply mostly to users, passwords, and domains. These roles serve different purposes from Azure RBAC roles.

Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users, and they can reset a password for any user or administrator.

User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health, and resetting passwords for certain types of users.

Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to Azure RBAC permissions.



Azure Policy

Policies are sets of rules that specify what can and cannot be created in either a single resource group or a full subscription. They can be used to ensure that users are able to create and work with approved resources without creating over-provisioned machines that rack up major costs on your Azure bill.

Azure Policy is a free Azure service that allows you to create policies, assign them to resources, and receive alerts or take action in cases of non-compliance with these policies. Azure Policy allows you to define both individual policies and groups of related policies, known as initiatives.

The basic elements of Azure Policy are policy definitions, initiatives, and policy or initiative assignments.

A policy definition describes the conditions under which a resource is compliant and what effect to take when a resource is non-compliant. Example: restrict the list of locations where users can deploy resources.

An initiative is a collection of Azure policy definitions grouped together toward a specific goal or purpose. Example: all policies that relate to billing can be grouped in one initiative.

A policy or initiative assignment describes where the policy is applied, which can be a resource group or a subscription. Example: the policy that limits the list of locations where users can deploy resources is applied only to the finance team’s resource group, and not to the Dev team’s resource group.


An Azure Policy can be assigned at various levels. Policies can be applied at the management group, subscription, or resource group level.
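The three building blocks above (definition, initiative, assignment) and the scope rule are easiest to see with a small evaluator. This is an added example, not code from the original post or from Microsoft: it handles only a small subset of the policyRule language, and every definition, scope and resource in it is constructed for illustration. The allowed-locations rule is the one the text uses as its example; the cost-center tag rule is an added second policy so that the initiative has something to group.

```python
"""Added example: a toy evaluator for the Azure Policy building blocks
(policy definition, initiative, assignment, scope).

Not code from the original post or from Microsoft. It handles only a small
subset of the policyRule language (field, equals, in, exists, not, allOf);
all definitions, scopes and resources below are constructed for illustration.
"""
import re

# Policy definitions in the shape of Azure Policy's JSON: an "if" condition
# and a "then" effect that applies when the condition is true (non-compliant).
POLICY_DEFINITIONS = {
    "allowed-locations": {
        "policyRule": {
            "if": {"not": {"field": "location",
                           "in": "[parameters('listOfAllowedLocations')]"}},
            "then": {"effect": "deny"},
        },
    },
    "require-costcenter-tag": {
        "policyRule": {
            "if": {"field": "tags['costCenter']", "exists": "false"},
            "then": {"effect": "audit"},
        },
    },
}

# An initiative groups policy definitions toward one goal.
INITIATIVES = {
    "finance-baseline": ["allowed-locations", "require-costcenter-tag"],
}

# An assignment places a policy or initiative at a scope, with parameter values.
# Constructed: only the finance resource group gets the baseline.
SAMPLE_ASSIGNMENTS = [
    {"initiative": "finance-baseline",
     "scope": "/sub-finance/rg-finance",
     "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
]


def _resolve(value, params):
    """Expand "[parameters('name')]" references; leave literal values as they are."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value


def _field(resource, name):
    """Read a resource field, including the tags['key'] alias form."""
    m = re.fullmatch(r"tags\['(\w+)'\]", name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(name)


def _condition(cond, resource, params):
    """Evaluate a policyRule condition against one resource."""
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_condition(c, resource, params) for c in cond["allOf"])
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id, scope):
    """Assignments apply to the scope itself and are inherited by everything beneath it."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")


def evaluate(resource, assignments):
    """Map each applicable policy id to 'compliant' or to the effect that fires."""
    results = {}
    for assignment in assignments:
        if not in_scope(resource["id"], assignment["scope"]):
            continue  # out of scope: the assignment does not apply at all
        policy_ids = (INITIATIVES[assignment["initiative"]]
                      if "initiative" in assignment else [assignment["policy"]])
        params = assignment.get("parameters", {})
        for pid in policy_ids:
            rule = POLICY_DEFINITIONS[pid]["policyRule"]
            if _condition(rule["if"], resource, params):
                results[pid] = rule["then"]["effect"]
            else:
                results[pid] = "compliant"
    return results


# Constructed sample resources: two in the finance group, one in a dev group.
SAMPLE_RESOURCES = [
    {"id": "/sub-finance/rg-finance/vm-fin-01", "location": "eastus",
     "tags": {"costCenter": "FIN-01"}},
    {"id": "/sub-finance/rg-finance/st-fin-02", "location": "westeurope", "tags": {}},
    {"id": "/sub-finance/rg-dev/vm-dev-01", "location": "eastus", "tags": {}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(r["id"], evaluate(r, SAMPLE_ASSIGNMENTS))
```

Run as written, the finance VM in eastus is denied by the location rule, the west-europe storage account passes the location rule but is flagged by the audit-only tag rule, and the dev VM, despite also sitting in eastus, produces no result at all because the assignment’s scope does not include its resource group. That last case is the one the text’s finance-versus-Dev example is about: scope decides whether a rule is even evaluated.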


Azure Policy and RBAC work hand-in-hand to provide governance around your environment. Azure Policy is based on how scope works in Azure Resource Manager. RBAC grants access to users or groups within a subscription, whereas a policy is defined within a resource group or subscription. RBAC focuses on which resources users can access, while Azure Policy focuses on the properties of those resources.

Azure Blueprints

Cloud blueprints are much like the blueprints used in the construction industry. They contain all the key information and the bill of materials needed to build and deploy applications in the cloud, including server, software, storage, network, image, and firewall details, and, most importantly, how they all relate to each other.

Cloud blueprints offer customers a way to drive high levels of efficiency and effectiveness, increase the quality of service, and reduce cost.

In Azure Blueprints, a blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design, which can be reused to maintain consistency and compliance.

Azure Blueprints also allows you to quickly release new environments, adopt integrated components, and accelerate development time and delivery.

A blueprint consists of different artifacts such as role assignments, policy assignments, Azure Resource Manager templates, and resource groups. A newly created blueprint is in the draft state; you must publish it, specifying a version, before it can be assigned. Azure Blueprints is very useful for companies that use the infrastructure-as-code model, as it fits the processes of continuous integration and continuous deployment.

For example, in an enterprise you always have teams that are responsible for defining what resources are deployed in your environment and how (on-prem, in the cloud, or both). Your networking team defines the network design, the IP addressing, the routing… Your security team defines which services are allowed and who has access. Your legal department may have compliance requirements, such as where you can deploy your resources. You get the picture.

Without any tools to tie all these requirements together, you end up with a deployment process that can take a long time, because every team wants and needs to sign off on your deployment. It is also difficult to replicate, since in most cases it is tied together with custom scripting.

Azure Blueprints allows you to package all these components together and makes it easy to “stamp” your blueprint on any environment: dev, test, prod, or other.


Conclusions

Azure RBAC
  • Focus: what resources the users can access.
  • Scope: grants access to users or groups within a subscription.

Azure Policy
  • Focus: the properties of resources.
  • Scope: a policy is defined within a resource group or subscription.

Azure Blueprints
  • Focus: specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design.
  • Scope: assigned to a subscription in a single operation that can be audited and tracked.

Integration
  • All three services work hand-in-hand to provide governance around your environment.

What is an initiative in Azure Policy?

An initiative definition is a collection of policy definitions that are grouped together to achieve a single overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping them into a single assignable object.

What term describes a group of resources, resource groups, management groups, and subscriptions that a policy applies to?

The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources.

What is the difference between an Azure policy and an initiative?

A policy definition is a single rule, while an initiative is a collection of Azure policy definitions grouped together toward a specific goal or purpose. Example: all policies that relate to billing can be grouped in one initiative. A policy or initiative assignment describes where the policy is applied, which can be a resource group or a subscription.

What can you use to deploy Azure resources across multiple subscriptions?

To simplify the management of resources, you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription. For example, you can deploy policies and Azure role-based access control (Azure RBAC) to your subscription, which applies them across your subscription.