Subscriptions & Resource Groups are among the most important aspects to consider when deciding how to provide cloud resources to your staff and students.
Here are some best practice principles around providing Azure at your institution.
1. Create new major subscriptions to hold resource groups, according to broad categories
- Central IT
- Unit IT
- Research Groups
- Students and Student Project/Courses
2. Use Role Based Access Control
- Create new resource groups for newly on-boarded teams, instead of new subscriptions
- Resource groups allow you to implement role based access control, so students can be contributors to services but not owners, and IT staff can have overall control
- We have created a set of Role Based Access Control scripts at https://github.com/MSFTImagine/computerscience/tree/master/Scripts
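One way to apply these two principles with the Azure CLI, as an added example (not taken from the scripts repository linked above): a new team gets a resource group inside an existing subscription, the student group is made Contributor and the IT group Owner, both scoped to that resource group only. The function names and the `AZ` override are hypothetical; the subscription ID and the Azure AD group object IDs are supplied by the caller.

```shell
# Added example. Requires the Azure CLI and a signed-in session (az login).
# AZ can be overridden (for example AZ=echo) to print the commands instead of running them.
AZ="${AZ:-az}"

# onboard_team SUB_ID RG LOCATION STUDENT_GROUP_ID IT_GROUP_ID
# Creates one resource group for the team and grants roles at that scope only.
onboard_team() {
  local sub_id="$1" rg="$2" location="$3" student_group_id="$4" it_group_id="$5" v
  # Refuse empty arguments so a role is never granted at a malformed or broader scope.
  for v in "$sub_id" "$rg" "$location" "$student_group_id" "$it_group_id"; do
    [ -n "$v" ] || { echo "usage: onboard_team SUB_ID RG LOCATION STUDENT_GROUP_ID IT_GROUP_ID" >&2; return 2; }
  done
  local scope="/subscriptions/${sub_id}/resourceGroups/${rg}"

  "$AZ" group create --subscription "$sub_id" --name "$rg" --location "$location" || return 1

  # Students: Contributor can manage services in the group but cannot change access.
  "$AZ" role assignment create --assignee-object-id "$student_group_id" \
    --assignee-principal-type Group --role Contributor --scope "$scope" || return 1

  # IT staff: Owner keeps overall control, including role assignments.
  "$AZ" role assignment create --assignee-object-id "$it_group_id" \
    --assignee-principal-type Group --role Owner --scope "$scope" || return 1
}

# students_not_owner SCOPE STUDENT_GROUP_ID
# Returns 0 only if the student group holds no Owner assignment on the scope,
# including assignments inherited from the subscription.
students_not_owner() {
  local owners
  owners="$("$AZ" role assignment list --scope "$1" --role Owner \
    --include-inherited --query "[].principalId" -o tsv)" || return 2
  ! printf '%s\n' "$owners" | grep -qxF -- "$2"
}
```

Running `students_not_owner` periodically against each team's resource group catches an Owner grant that was added later, whether directly or at subscription level.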
Here are some examples of how subscriptions can be associated with Azure Resource Groups, which can then be used to enforce access to Azure Cloud Services based on Azure Role Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Azure Resource Groups
Resource groups are a new concept in the Azure Portal http://portal.azure.com
We think of them as "lifecycle boundaries," because when resources share a resource group, their lifecycles (from create, to update, to delete) are managed in an integrated way. Use resource groups to collect and manage all your application resources. Link resources across resource groups, share resources across lifecycle boundaries, and manage costs. View, monitor, and track your usage and billing for all the resources your application uses. New visuals show you every resource in the group, including any resources that are linked across groups.
https://docs.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-portal
Azure Subscription for Admin Function
Azure Subscription for Research Functions
Azure Subscription for Student Labs/Resources
In terms of structure and management, these groups can be built around the institution's Azure Active Directory or Office365 tenant to ensure only users in the appropriate groups and teams have access to the necessary resources.
Here is an example of the types of users and the roles which they may undertake.
If you're interested in learning more about Azure subscriptions in your institution, please get in touch and we can introduce you to your institution's Microsoft account manager.