Azure Management Groups
12 Topics

Can a global administrator of an Azure AD tenant access another tenant that it did not create?
Let's say there are two global administrators in an Azure AD tenant called original.org. Admin 1 and Admin 2 are global administrators in original.org. Admin 1 creates a new Azure AD tenant called dev.org... Does Admin 2 have any ability to create users in dev.org? I am confused because a global admin can give themselves the User Access Administrator role and make themselves owners... Can't this owner have access to any new tenant created from the root tenant? This seems to conflict with an understanding that a global administrator who creates a new Azure AD tenant is the first user and other users such as Admin 2 would have to be invited?

Microsoft Monitoring Agent being reinstalled by Automanage
As MMA (Microsoft Monitoring Agent) will be retired in August 2024 I decided to go to AMA (Azure Monitoring Agent) right away, even though it is known that some of its functionalities are still in preview. So I uninstalled MMA via the script below (with a foreach targeting all my machines); I also assigned Azure policies to not have MMA installed in my environment and all the policies for self-configuring AMA (DCRs, Workspaces, etc.).

    # Look up the MMA product entry via WMI and call its Uninstall method
    $app = Get-WmiObject -ClassName Win32_Product | Where-Object { $_.Name -eq "Microsoft Monitoring Agent" }
    $app.Uninstall()

The problem is my machines were reinstalling MMA out of the blue. So I went all the way down to hunt the culprit: GPO, SCCM, scripts, you name it. I finally found out Azure Automanage was the one reinstalling MMA, so I had to disable it in my environment. Are any of you aware of this issue? Most important: is there a way to have Automanage working without reinstalling MMA? In my case Automanage helps a lot as I don't need to apply lots and lots of settings manually, but as it is reinstalling MMA I cannot enable it.

Azure Management Groups
I want to move an entire subscription to a different management group. There are multiple resources in the subscription. Mainly, the subscription contains VMs, VNETs and other related resources that are used for the Active Directory architecture. These are mainly domain controllers. Please suggest, if I want to move this subscription and other subscriptions dedicated mainly to Active Directory, what are the pros and cons of doing this. What will be the impact on resources in terms of Active Directory architecture and downtime? (Solved)

MSP Azure Lighthouse - cannot access Azure Policies deployed at Management Group Level
Hi, We're an MSP company that provides Azure services to other companies. We're using Azure Lighthouse to allow team members to access the clients' Azure subscriptions. Currently, we've run into an issue that when Azure Policies are deployed at a management group level, we don't have visibility of them. The reason is that Azure Lighthouse gives us access at the subscription level and not at the management group level. If an Azure Policy is deployed at a management group level, we won't be able to see or edit it. Has anyone else encountered this? Does anyone know how to access management groups through Azure Lighthouse? Or if there is another way to configure this for a service provider? Regards, Joseph

Microsoft CAF reasoning being using intermediary management root group over the default root managem
All, Hope someone can elaborate and provide some insights on the following. Looking at the Cloud Adoption Framework for Azure there's a recommendation to create an intermediate root management group rather than using the default root management group. I don't really understand the benefits. For example: "which purposely avoids the usage of the root group so that organizations can move existing Azure subscription into the hierarchy." What does that even mean? Can't I move subscriptions around different management groups anyway? I've also found the following: https://www.linkedin.com/pulse/azure-architectural-designing-best-practices-amit-kumar/ Quoting from this post: "The Management Group should be defined in such a way that there should be intermediate root management group between Tenant root and other management groups. Compliance & Policies should be applied at intermediate root MG and this will not alter the main root Management group at the top level." But alter in what way? What's the difference between altering the intermediate management group rather than the default one, since policies and RBAC would cascade in a waterfall fashion from the top to all child management groups/subscriptions anyway? Regardless of whether it's the default management group or an intermediate one. Would really appreciate it if someone could enlighten me on this!

Is it possible to view secure scores within multiple management groups at the same time?
The "Secure Score Over Time" workbook has the option to view an "Aggregated score for all selected subscriptions" graph. I am wondering if it is possible to view this graph for multiple subscriptions across multiple management groups.

How to restrict multiple users' access to a specific subscription under a multi-subscription model?
Elaborated question: How to restrict multiple users' access to a specific subscription when they are members of the management group? Scenario: I have a multi-subscription setup which is organised by management group for easy governance and management under a single tenant. When I say multi-subscription, I mean 500+ subscriptions under a single tenant. Now all 500+ subscriptions have IAM inherited from a management AD group that is created in Azure Active Directory. I want to restrict a few users from this management AD group from getting access to a few subscriptions which have sensitive data. How to achieve this is my question?

We have built an open-source multi-cloud governance CLI
Dear community, To make governance and management in the cloud easier, we've been working on a CLI that allows you to govern your cloud accounts across Azure, AWS and GCP. We would love to learn more about what you would be looking for when governing your clouds altogether. For now, we've focused on the following points:
- Viewing cloud accounts across all clouds, including tags.
- Viewing costs across all clouds.
- Viewing IAM resources per cloud account (including inherited rights).
- Analyzing tagging density across all clouds (e.g. answering "Which subscriptions are missing the CostCenter tag?").
We would love to learn more about what you would be looking for in such a free tool, and what problems and challenges you work on when governing your (multiple) clouds. I hope it is okay to share its GitHub link, which you can find here. Thank you, and looking forward to your replies! (P.S. If you're interested, I would be willing to help you use it in a 1:1 session. The tool directly integrates with your `az` CLI.)