Reputation: 568
Azure Active Directory Roles Across Subscriptions
My company using several different products in Azure across multiple subscriptions, along with Azure Active Directory for authentication.
I would like our IT staff to have access to all products of certain types depending on their role. For example, the DBAs should have access to all Azure SQL Databases, regardless of the subscription or resource group.
My first thought was that this had to be done as part of the Azure AD Roles, but I'm unclear on how this could apply to specific product types. If there's a better way to do it outside of the AD Roles, I'd definitely like to know more.
Similar questions have been posted before (ex. Azure Active Directory Groups/Roles) but I wanted to check to see if there were updated solutions.
Upvotes: 1
Views: 290
Answers (1)
Reputation: 59011
Im not sure how your linked answer is related to the question. I think you have to do two things:
Create Azure Active Directory Groups for each IT role. You can use attribute-based membership in Azure Active Directory to automatically add members to a group based on an attribute (e. g. role).
Iterate over your Azure Resources and grant the desired permission to your groups. E. g. using PowerShell iterate over your Azure Resources for each of your subscription and if the resource type is e. g. SQL Database, grant the Azure AD Group the desired permissions.
Upvotes: 2
Related Questions
- Permission Based instead of Role Based
- Azure AD application - List subscription with role assignment
- Azure role assignments to a AD group for a subscription
- How to assign role to an Azure service principal from different subscription?
- Azure AD Enterprise Application - Application Role mapping
- Azure management groups permissions over subscription
- One login for multiple Azure subscriptions?
- Using organizational AD for multiple Azure subscriptions
- How can I delegate administrative access to a second Azure AD directory on my subscription?
- Azure Active directory Roles Management