Reputation: 568
My company is using several different products in Azure across multiple subscriptions, along with Azure Active Directory for authentication.
I would like our IT staff to have access to all products of certain types depending on their role. For example, the DBAs should have access to all Azure SQL Databases, regardless of the subscription or resource group.
My first thought was that this had to be done as part of the Azure AD Roles, but I'm unclear on how this could apply to specific product types. If there's a better way to do it outside of the AD Roles, I'd definitely like to know more.
Similar questions have been posted before (ex. Azure Active Directory Groups/Roles) but I wanted to check to see if there were updated solutions.
Upvotes: 1
Views: 290
Reputation: 59011
I'm not sure how your linked answer is related to the question. I think you have to do two things:
1. Create Azure Active Directory Groups for each IT role. You can use attribute-based membership in Azure Active Directory to automatically add members to a group based on an attribute (e.g. role).
2. Iterate over your Azure Resources and grant the desired permission to your groups. E.g. using PowerShell, iterate over your Azure Resources for each of your subscriptions and, if the resource type is e.g. SQL Database, grant the Azure AD Group the desired permissions.
Upvotes: 2
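The second step of the answer above, sketched with the Az PowerShell module as an added example (not code from the answerer). The function name `Grant-RoleOnResourceType` and the group name `IT-DBA` are hypothetical; the built-in role `SQL DB Contributor` is used as one possible choice of "desired permissions", and the caller is assumed to have already run `Connect-AzAccount` with rights to create role assignments in every subscription.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example: grant one Azure AD group one RBAC role on every resource of a
# given type, across all subscriptions the signed-in identity can see.
function Grant-RoleOnResourceType {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [Parameter(Mandatory)] [string] $ResourceType,
        [Parameter(Mandatory)] [string] $RoleDefinitionName
    )

    # Resolve the group once and refuse to continue on an ambiguous display name,
    # so the role is never granted to an unintended principal.
    $group = @(Get-AzADGroup -DisplayName $GroupDisplayName)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($group.Count)."
    }
    $groupId = $group[0].Id

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        foreach ($res in Get-AzResource -ResourceType $ResourceType) {
            # Skip resources where the group already holds the role, so the
            # script can be re-run safely when new resources appear.
            $existing = Get-AzRoleAssignment -ObjectId $groupId `
                -Scope $res.ResourceId -RoleDefinitionName $RoleDefinitionName
            if ($existing) { continue }

            # ShouldProcess makes -WhatIf and -Confirm work for a dry run.
            if ($PSCmdlet.ShouldProcess($res.ResourceId,
                    "Assign '$RoleDefinitionName' to '$GroupDisplayName'")) {
                New-AzRoleAssignment -ObjectId $groupId `
                    -RoleDefinitionName $RoleDefinitionName `
                    -Scope $res.ResourceId | Out-Null
            }
        }
    }
}

# Dry run first: lists the assignments that would be created, changes nothing.
Grant-RoleOnResourceType -GroupDisplayName 'IT-DBA' `
    -ResourceType 'Microsoft.Sql/servers/databases' `
    -RoleDefinitionName 'SQL DB Contributor' -WhatIf
```

Resources created after a run are not covered until the script runs again, so schedule it or re-run it after deployments. `SQL DB Contributor` is a management-plane role and does not by itself give the group access to the data inside the databases.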