Resource access management in Azure

In what is resource governance?, you learned that governance refers to the ongoing process of managing, monitoring, and auditing the use of Azure resources to meet the goals and requirements of your organization. Before you move on to learn how to design a governance model, it's important to understand the resource access management controls in Azure. The configuration of these resource access management controls forms the basis of your governance model.

Let's begin by taking a closer look at how resources are deployed in Azure.

What is an Azure resource?

In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.

Figure 1. A resource.

What is an Azure resource group?

Each resource in Azure must belong to a resource group. A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. For example, resources that share a similar lifecycle, such as the resources for an n-tier application may be created or deleted as a group.

Figure 2. A resource group contains a resource.

Resource groups and the resources they contain are associated with an Azure subscription.

What is an Azure subscription?

An Azure subscription is similar to a resource group in that it's a logical construct that groups together resource groups and their resources. However, an Azure subscription is also associated with the controls used by Azure Resource Manager. What does this mean? Let's take a closer look at Resource Manager to learn about the relationship between it and an Azure subscription.

Figure 3. An Azure subscription.

What is Azure Resource Manager?

In how does Azure work? you learned that Azure includes a "front end" with many services that orchestrate all the functions of Azure. One of these services is Resource Manager, and this service hosts the RESTful API used by clients to manage resources.

Figure 4. Azure Resource Manager.

The following figure shows three clients: PowerShell, the Azure portal, and the Azure command line interface (CLI):

Figure 5. Azure clients connect to the Resource Manager RESTful API.

While these clients connect to Resource Manager using the RESTful API, Resource Manager does not include functionality to manage resources directly. Rather, most resource types in Azure have their own resource provider.

Figure 6. Azure resource providers.

When a client makes a request to manage a specific resource, Resource Manager connects to the resource provider for that resource type to complete the request. For example, if a client makes a request to manage a virtual machine resource, Resource Manager connects to the Microsoft.Compute resource provider.

Figure 7. Resource Manager connects to the Microsoft.Compute resource provider to manage the resource specified in the client request.

Resource Manager requires the client to specify an identifier for both the subscription and the resource group in order to manage the virtual machine resource.

Now that you have an understanding of how Resource Manager works, let's return to our discussion of how an Azure subscription is associated with the controls used by Azure Resource Manager. Before any resource management request can be executed by Resource Manager, a set of controls are checked.

The first control is that a request must be made by a validated user, and Resource Manager has a trusted relationship with Azure Active Directory (Azure AD) to provide user identity functionality.

Figure 8. Azure Active Directory.

In Azure AD, users are segmented into tenants. A tenant is a logical construct that represents a secure, dedicated instance of Azure AD typically associated with an organization. Each subscription is associated with an Azure AD tenant.

Figure 9. An Azure AD tenant associated with a subscription.

Each client request to manage a resource in a particular subscription requires that the user has an account in the associated Azure AD tenant.

The next control is a check that the user has sufficient permission to make the request. Permissions are assigned to users using role-based access control (RBAC).

Figure 10. Each user in the tenant is assigned one or more RBAC roles.

An RBAC role specifies a set of permissions a user may take on a specific resource. When the role is assigned to the user, those permissions are applied. For example, the built-in owner role allows a user to perform any action on a resource.

The next control is a check that the request is allowed under the settings specified for Azure resource policy. Azure resource policies specify the operations allowed for a specific resource. For example, an Azure resource policy can specify that users are only allowed to deploy a specific type of virtual machine.

Figure 11. Azure resource policy.

The next control is a check that the request does not exceed an Azure subscription limit. For example, each subscription has a limit of 980 resource groups per subscription. If a request is received to deploy an additional resource group once the limit has been reached, it is denied.

Figure 12. Azure resource limits.

The final control is a check that the request is within the financial commitment associated with the subscription. For example, if the request is to deploy a virtual machine, Resource Manager verifies that the subscription has sufficient payment information.

Figure 13. A financial commitment is associated with a subscription.


In this article, you learned about how resource access is managed in Azure using Azure Resource Manager.

Next steps

Now that you understand how resource access is managed in Azure, move on to learn how to design a governance model.