Azure AD Roles versus RBAC in Azure
- Owner: This role has full access to all the resources and can delegate access to others.
- Contributor: This role can create and manage all types of resources, but can't grant access to other users and groups.
- Reader: This role can view existing Azure resources.
Centralized Logging?
Create a Log Analytics workspace and send all logs from all subscriptions to that workspace.
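As an added example (not part of the original notes), a Bicep template that carries out the "send all logs from all subscriptions" step for the Activity Log: it is deployed once per subscription and forwards that subscription's Activity Log to the central workspace. The workspace resource ID and the setting name are parameters you supply; they are assumptions, not values from the page.

```bicep
// Added example: subscription-scope diagnostic setting that forwards the
// Activity Log of the current subscription to a central Log Analytics
// workspace. Deploy it into each subscription (PROD, NON PROD, ...) so that
// control-plane events from every subscription land in one place.
targetScope = 'subscription'

// Assumption: resource ID of the central workspace, created beforehand
// (for example in a dedicated logging or security subscription).
param workspaceId string

// Assumption: name of the diagnostic setting; any unique name works.
param settingName string = 'central-activity-log'

// All Activity Log categories are enabled so that administrative changes,
// security events, policy evaluations and health events are retained
// centrally for detection and investigation.
resource activityLog 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: settingName
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'Administrative'
        enabled: true
      }
      {
        category: 'Security'
        enabled: true
      }
      {
        category: 'ServiceHealth'
        enabled: true
      }
      {
        category: 'Alert'
        enabled: true
      }
      {
        category: 'Recommendation'
        enabled: true
      }
      {
        category: 'Policy'
        enabled: true
      }
      {
        category: 'Autoscale'
        enabled: true
      }
      {
        category: 'ResourceHealth'
        enabled: true
      }
    ]
  }
}
```

Deploy it into each subscription with `az deployment sub create --location <region> --template-file activity-log.bicep --parameters workspaceId=<central workspace resource id>` after selecting that subscription as the current context.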
Azure Monitoring? - Azure Monitor can handle three types of activities:
- Activity Logs
- Metrics (Performance Metrics) - time series, just like perf counters on Windows servers. Performance metrics can be sent to Event Hub or Stream Analytics.
- Diagnostics (Specific Resource Diagnostics) - particular resource-level diagnostics, e.g. a secret retrieved from Azure Key Vault.
Metrics Based Alerts
Metrics can be performance related (as discussed above) or based on log averages (log-based metrics). Alerts can be created for either built-in performance metrics or log-based metrics.
Azure Alerting?
Azure Monitor has an alerting feature. Alerts can be delivered by SMS, by email, or to any endpoint, e.g. an ARM template.
Use Case - Need the on-prem domain to be resolvable from all subscriptions?
Solution - Place DCs in each of the two primary subscriptions (PROD and NON PROD) in Azure.
Use Case - Splitting the on-premises address space (/19) into two address spaces - one for the PROD subscription and another for the NON PROD (PRE PROD) subscription.
Use Case - Moving resources from one subscription to another - Azure has a new feature that allows you to move resources across subscriptions.