Forum Discussion
2 IT Departments split in Azure
You are on the right track! This can be accomplished technically within one subscription using Role-Based Access Control. One item to consider is that if you want a detailed breakdown of billing, you may want to split resources across two subscriptions. If you don't, you will have to tag resources to disseminate costs. RBAC is the preferred and best method to accomplish this. Chavoos
Bryan Haslip
Thanks Bryan,
That being said, we would prefer to separate the billing for external and internal, but at the same time use tagging, for example:
For both subscriptions:
Multiple resource groups, as each client will need its own resource group, and under each resource group, tags will need to be associated with certain resources.
However, the 2 departments should not be able to see each other's billing. (I'm of the assumption that this too will be done using RBAC.)
I hope this makes sense?
- Bryan Haslip, Jun 19, 2019, Iron Contributor
That makes perfect sense! Hopefully I did not convey that it was one or the other with the split subscription and tagging. You can certainly use both and I would suggest it.
As for limiting the view into the billing information, you can certainly do this by using some of the predefined roles within Azure RBAC. The other option is you can create your own role with very specific privileges tailored to your exact need. The same rules apply: these are inherited by any nested resources. An example would be if they have that role on a resource group, it would be automatically inherited by the resources contained within. One of the awesome features of RBAC is that it can be applied to individual resources. One other suggestion is to create groups and assign the roles to those. This will help to keep track of permissions as things grow!
Hopefully you find this helpful!
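A way to check the separation discussed in this thread, as an added example that is not part of the original posts: it reads role assignments shaped like `az role assignment list --all` output and reports any department group that can view cost data outside its own subscription, including through a resource-group assignment. The subscription IDs, group names, resource group names and the set of roles treated as cost-visible are assumptions made for the example.

```python
import json

# Constructed sample shaped like `az role assignment list --all` output.
# Subscription IDs, group names and resource group names are placeholders.
ASSIGNMENTS = json.loads("""[
 {"principalName": "grp-internal-it", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/SUB-INTERNAL"},
 {"principalName": "grp-external-it", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/SUB-EXTERNAL"},
 {"principalName": "grp-external-it", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/SUB-INTERNAL/resourceGroups/rg-client-a"},
 {"principalName": "grp-finance", "roleDefinitionName": "Cost Management Reader",
  "scope": "/subscriptions/SUB-INTERNAL"},
 {"principalName": "grp-internal-it", "roleDefinitionName": "Storage Blob Data Reader",
  "scope": "/subscriptions/SUB-EXTERNAL/resourceGroups/rg-client-b"}
]""")

# Assumption: built-in roles treated here as able to view cost data at their scope.
COST_ROLES = {"Owner", "Contributor", "Reader", "Billing Reader",
              "Cost Management Reader", "Cost Management Contributor"}

# Assumption: each department group has exactly one "home" subscription.
HOME = {"grp-internal-it": "SUB-INTERNAL", "grp-external-it": "SUB-EXTERNAL"}

def subscription_of(scope):
    """Extract the subscription ID from an ARM scope string, or None."""
    parts = scope.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0].lower() == "subscriptions" else None

def inherits(assignment_scope, resource_id):
    """An assignment applies to its own scope and everything nested under it."""
    a, r = assignment_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def cross_department(assignments, home):
    """Return (principal, scope) pairs where a department group holds a
    cost-visible role in a subscription other than its home subscription."""
    findings = []
    for a in assignments:
        principal, sub = a["principalName"], subscription_of(a["scope"])
        if principal in home and sub and sub != home[principal] \
                and a["roleDefinitionName"] in COST_ROLES:
            findings.append((principal, a["scope"]))
    return sorted(findings)

if __name__ == "__main__":
    for principal, scope in cross_department(ASSIGNMENTS, HOME):
        print(f"{principal} can view cost data at {scope}")
```

In the sample, the `Reader` assignment on one resource group is the only finding; the data-plane role held by the other group is not counted because it is not in the cost-visible set.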