Jun 12 2019 02:46 AM
Good Day All,
I do hope someone here could point me in the correct direction in finding an answer. I am a noob on the Azure platform so please go easy hahaha.
I work for a large corporate; within this organization we have 2 IT departments.
So I have done my research and I understand that this can be split using 2 different subscriptions, and things like RBAC. But how and what would be the best way to do this?
Please advise if possible
Jun 14 2019 08:31 AM - edited Jun 14 2019 08:32 AM
You are on the right track! This can be accomplished technically within one subscription and using Role Based Access Control. One item to consider is if you want a detailed breakdown of billing, you may want to split resources across two subscriptions. If you don't, you will have to tag resources to disseminate costs. RBAC is the preferred and best method to accomplish this. @Chavoos
Jun 19 2019 02:02 AM
@Bryan Haslip
Thanks Bryan,
That being said, we would prefer to separate the billing for external and internal. BUT at the same time use tagging, for example:
For both Subscriptions
Multiple Resource groups, as each client will need its own resource group and under each resource group, tags will need to be associated with certain resources.
However, the 2 departments should not be able to see each other's billing. (I'm of the assumption that this too will be done using RBAC)
I hope this makes sense?
Jun 19 2019 06:31 AM
That makes perfect sense! Hopefully I did not convey that it was one or the other with the split subscription and tagging. You can certainly use both and I would suggest it.
As for limiting the view into the billing information, you can certainly do this by using some of the predefined roles within Azure RBAC. The other option is you can create your own role with very specific privileges tailored to your exact need. The same rules apply in that these are inherited by any nested resources. An example would be: if they have that role on a resource group, it would be automatically inherited by the resources contained within. One of the awesome features of RBAC is it can be applied to individual resources. One other suggestion is to create groups and assign the roles to those. This will help as things grow to keep track of permissions!
Hopefully you find this helpful!
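As an added illustration (not code from this thread), here is how the advice above could be scripted with the Az PowerShell module: two subscriptions, one admin group per department, billing reads scoped to each department's own subscription with the built-in Cost Management Reader role, a custom role limited to tagging, and per-client resource groups whose role assignments inherit down to the resources inside them. The subscription ids, group names, client names and region are placeholder assumptions.

```powershell
# Added illustration, not from the thread. Assumes two existing subscriptions and two
# Azure AD security groups; the GUIDs, group names, clients and region are placeholders.
$depts = @(
    @{ Name = 'Internal'; SubscriptionId = '00000000-0000-0000-0000-000000000001'; AdminGroup = 'IT-Internal-Admins' }
    @{ Name = 'External'; SubscriptionId = '00000000-0000-0000-0000-000000000002'; AdminGroup = 'IT-External-Admins' }
)
$clients = @('ClientA', 'ClientB')   # one resource group per client, per department

foreach ($d in $depts) {
    # Work inside this department's own subscription; nothing below touches the other one.
    Set-AzContext -Subscription $d.SubscriptionId | Out-Null
    $subScope = "/subscriptions/$($d.SubscriptionId)"
    $group    = Get-AzADGroup -DisplayName $d.AdminGroup

    # Billing visibility: built-in Cost Management Reader, assigned to the group at the
    # scope of this subscription only, so the other department's costs stay invisible.
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Cost Management Reader' -Scope $subScope | Out-Null

    # Custom role: read everything plus manage tags, nothing else. Built from the
    # built-in Reader definition; AssignableScopes keeps it inside this subscription.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = "$($d.Name) Tag Maintainer"
    $role.Description = 'Read all resources and manage tags only'
    $role.Actions.Add('Microsoft.Resources/tags/*')
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($subScope)
    New-AzRoleDefinition -Role $role | Out-Null

    foreach ($c in $clients) {
        # One resource group per client, tagged so costs can be broken down further.
        $rgName = "rg-$($d.Name.ToLower())-$($c.ToLower())"
        $rg = New-AzResourceGroup -Name $rgName -Location 'westeurope' -Tag @{ Department = $d.Name; Client = $c }

        # Assigning at resource-group scope is enough: RBAC inherits down to every resource in it.
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' -Scope $rg.ResourceId | Out-Null
    }
}
```

Run it once per tenant with an account that holds Owner (or User Access Administrator) on both subscriptions; afterwards each group sees cost data only for its own subscription.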
Jul 01 2019 05:56 AM
Thank you all for the advice, we are currently busy looking at the options as well as the best practices and will try to incorporate this.
It seems that the RBAC way is where we will do the split, as this is how our "mothership" does it on that side.
Thank you all once again.
Jul 02 2019 02:26 AM
Hi, sounds like a scenario I have heard about sometimes.
To go ahead with 2 Subscriptions for the Cost separation sounds like a good way, and also pairing this with tagging of resources to maybe split those costs a bit more visually afterwards is a common and well known way.
While using two Subscriptions you can use Azure Management Groups for the global Management of those Subscriptions, when it is wanted. A Management Layer above pure RBAC if you want.
https://docs.microsoft.com/en-us/azure/governance/management-groups/index
I don't know how your Azure Resources will be managed; maybe Dept. 1 will manage only their Stuff and Dept. 2 may manage only their Stuff, but maybe there will be Admins working in both Subscriptions as they are responsible for Network or Monitoring. Then for those Admins those Management Groups might be more useful instead of giving them RBAC rights on each single Resource.
Especially Network should always be well documented and communicated between those two Depts, as they otherwise might run into big Problems. Also with the linking of OnPremise components.
Hope I could have been a bit helpful.
Kind Regards, Peter
Jul 02 2019 02:50 AM
Ok, understood.
I strongly recommend that there is a platform, whatever it is (Wiki, Teams Channel, ...), where the Admins of both Subscriptions can communicate and discuss experience, new Features, Problems and grab some KnowHow from each other's Team.