[Azure Governance] Lesson 2 : Azure Locks

This is Lesson 2 of the "Azure Governance - Free training" series.

This document describes Azure Locks and lists all key items you should know when designing your Azure Lock Hierarchy.

Finally, the document describes all methods/tools (GUI & CLI) you can use to create and apply Azure Locks to your Subscriptions, Resource Groups and Azure Resources.

Published in: Technology

  1. Module 2: Azure Locks. Azure Free Training, Azure Governance Model. By Hicham KADIRI, January 20, 2018. A K&K Group Company.
  2. Contoso Ltd. About me: Hicham KADIRI (aka #HK)
     • Microsoft MVP: Windows Expert-IT Pro (2014-2015), Cloud and Datacenter Management (2016), Enterprise Mobility /RDS (2017), CDCM /Azure (2018)
     • Founder @BecomeITExpert.com, Co-Founder @K&K Group. Think {Cloud /DevOps /Security}
     • IT Author (+10 eBooks): RDS 2012 R2 and 2016 Pocket Consultant; RDS & OS Security & Hardening guide; Azure CLI 2.0 Pocket Consultant; GPO, PowerShell, AppLocker …
     • Lead Cloud Architect /Az Expert: working for several large companies and international groups including Thales, Areva, Rabobank, Gemalto, Vinci, CE, BP, etc.
     • IT Blogger: hichamkadiri.wordpress.com, AskTheCloudExpert.wordpress.com (~2 million views ☺)
     • TechNet Contributor (Top 0,5%): MTFC (Microsoft Technical French Contributor), MCC (Microsoft Community Contributor)
     • /hicham_kadiri /in/hichamkadiri
  3. Document Objectives
     • Reminder about Azure Governance
     • Explain the importance of Locks in the Microsoft Azure environment
     • Key items you should know
     • Azure Locks vs Azure RBAC
     • Required rights for Azure Locks
     • Azure GUI & CLI tools you can use to create and apply Azure Locks
     • DEMO: how to lock your Azure Subscriptions, RG and Resources
  4. Reminder about Azure Governance
  6. Azure Locks: why are they important?
  7. Microsoft Azure Locks: what are they and why are they important?
     • Azure Locks are an amazing way to protect your subscriptions, resource groups and Azure resources.
     • They ensure that what we have implemented is not changed, or worse, accidentally deleted.
     • Important note: Azure Locks do not replace Azure RBAC. See the next slide!
  8. Azure Locks: key items you should know
  9. What you should know: Lockable Objects
     • You can lock:
       ▪ Subscription
       ▪ Resource Group
       ▪ Resource
  10. What you should know: Lock Types
     • There are two lock types:
     • CanNotDelete
       ▪ You can read and modify the resource
       ▪ You can’t delete the resource
     • Read-Only
       ▪ You can read resource properties/information
       ▪ You can’t delete or modify the resource
       ▪ Important note: could have undesired results!
  11. What you should know: Inheritance
     • When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
     • A Resource Group inherits locks from Subscriptions
     • A Resource (e.g. an Azure VM) inherits locks from Subscriptions and Resource Groups
  12. Microsoft Azure Locks Hierarchy (example)
  13. Azure Locks: required "rights"
  14. Microsoft Azure Locks: required “rights”
     • To create or delete management locks, you must have access to the following actions:
       ▪ Microsoft.Authorization/*
       ▪ Or Microsoft.Authorization/Locks/*
     • Note: of the built-in roles, only Owner and User Access Administrator are granted those actions.
  15. Difference between Azure Locks & Azure RBAC
  16. Difference between Azure Locks and Azure RBAC
     • Azure Role-Based Access Control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Azure RBAC helps you manage access for users, groups and service principals.
     • Unlike Role-Based Access Control, you use Azure Locks to apply a restriction across all users and roles.
     • Useful link: to read more about Azure RBAC, visit https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/
  17. Azure GUI & CLI tools you can use to create and apply Locks
  18. Azure GUI & CLI tools you can use to create and apply Azure Locks
     • Azure Locks can be created and applied using different GUI & CLI tools:
       ▪ GUI: Azure Portal
       ▪ CLI: Windows PowerShell (using AzureRM Module), Azure CLI 2.0
  19. How to lock your Azure Subscriptions, RG and Resources
  20. Create & apply your Azure Locks using Azure Portal
  21. HowTo #1: Lock your Az Subscriptions, RG and Resources via Azure Portal
     • Connect to Azure Portal: https://portal.azure.com
     • Go to the Subscriptions blade and select the Subscription you want to lock
     • Then click on “Resource Locks”
     • Click “Add” and add your Azure Lock
     • You have to enter the following information:
       ▪ Lock Name
       ▪ Lock Type: Delete or Read-only
       ▪ Notes (Lock Description)
  22. Important note: Lock your Az Subscriptions, RG and Resources via Azure Portal
     • If you want to create and apply Locks to a Resource Group or a specific Azure Resource, just select the RG or Azure Resource to lock, then click on “Locks”. Finally, click “Add” and enter the following information:
       ▪ Lock Name
       ▪ Lock Type: Delete or Read-Only
       ▪ Lock Notes (description)
  23. Create & apply your Azure Locks using AzureRM Module
  24. Important note: Lock your Az Subscriptions, RG and Resources via AzureRM Module
     • The New-AzureRmResourceLock cmdlet is used to create a new Azure Lock.
     • In the following example, a new Lock will be created and applied to the hk-confident-rg resource group
  25. Important note: Lock your Az Subscriptions, RG and Resources via AzureRM Module
     • If you want to create and apply Locks to a specific Azure Resource, you have to add the -ResourceType parameter
     • In the following example, a new Azure Lock will be created and applied to the “hk-prod-website” resource. This is an Azure WebSite, so the “Microsoft.web/sites” resource type is specified:
       New-AzureRmResourceLock -LockName "hk-prod-website-lock" -LockLevel CanNotDelete -LockNotes "This Lock prevents accidental deletion of HK-Web-Prod-WebSite resource" -ResourceName "hk-prod-website" -ResourceType "microsoft.web/sites"
  26. Create & apply your Azure Locks using Azure CLI 2.0
  27. HowTo #3: Lock your Az Subscriptions, RG and Resources via Azure CLI
     • The az lock create command is used to create a new Azure Lock.
     • In the following example, a new Lock will be created and applied to the hk-confident-rg resource group
  28. Do you have any Azure project (Design/Architecture/Migration)? If yes, feel free to contact us. Your contacts:
     • Hicham KADIRI, Lead Cloud Architect /Azure Advisor & Microsoft MVP, hicham.kadiri@k-nd-k-group.com, +33 (0)6 52 97 72 84
     • Mohsine CHOUGDALI, Key Account Manager, mohsine.chougdali@k-nd-k-group.com, +33 6 66 26 55 15
     • A K&K Group Company
  29. /hicham_kadiri /in/hichamkadiri. Subscribe to my blog: hichamkadiri.wordpress.com
  30. End of Lesson. Hope this helps ☺
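
The Azure CLI step (slide 27) and the inheritance rule (slide 11) worked through as an added example that is not part of the original deck: `lock_rg` wraps `az lock create` for a resource group, and `effective_lock` applies "most restrictive wins" to `az lock list` output to audit what a resource actually inherits. The subscription ID, the lock names and the placement of hk-prod-website inside hk-confident-rg are constructed assumptions.

```bash
#!/bin/sh
# Added example, not from the slides. Names marked "constructed" are assumptions.

# Create a CanNotDelete lock on a resource group (caller needs
# Microsoft.Authorization/locks/*, e.g. Owner or User Access Administrator).
lock_rg() {  # usage: lock_rg <resource-group> <lock-name> <notes>
    az lock create --name "$2" --lock-type CanNotDelete \
        --resource-group "$1" --notes "$3"
}

# Rank lock levels: ReadOnly is more restrictive than CanNotDelete.
rank() {
    case "$1" in ReadOnly) echo 2 ;; CanNotDelete) echo 1 ;; *) echo 0 ;; esac
}

# effective_lock <resource-id>
# Reads "level<TAB>lock-id" lines on stdin, as produced by:
#   az lock list --query "[].[level, id]" -o tsv
# and prints the most restrictive lock the resource inherits (or None).
effective_lock() {
    target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    best=None
    while IFS="$(printf '\t')" read -r level id; do
        # Locked scope = lock id without its trailing
        # /providers/Microsoft.Authorization/locks/<name> segment.
        scope=$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]' |
            sed 's#/providers/microsoft\.authorization/locks/[^/]*$##')
        case "$target" in
            # Match the scope itself or anything below it; the "/" stops
            # "hk-confident-rg" from also matching "hk-confident-rg2".
            "$scope" | "$scope"/*)
                if [ "$(rank "$level")" -gt "$(rank "$best")" ]; then
                    best=$level
                fi ;;
        esac
    done
    echo "$best"
}

# Constructed sample input: placeholder subscription id, constructed lock names.
SUB=/subscriptions/00000000-0000-0000-0000-000000000000
sample_locks() {
    printf 'CanNotDelete\t%s/providers/Microsoft.Authorization/locks/sub-lock\n' "$SUB"
    printf 'ReadOnly\t%s/resourceGroups/hk-confident-rg/providers/Microsoft.Authorization/locks/rg-lock\n' "$SUB"
}

# A web site placed (by assumption) in hk-confident-rg inherits both locks.
sample_locks | effective_lock \
    "$SUB/resourceGroups/hk-confident-rg/providers/Microsoft.Web/sites/hk-prod-website"
```

Running the script offline only evaluates the constructed sample; `lock_rg` is defined but not called, so nothing is changed in Azure until you invoke it yourself.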
