Attending an Azure Landing Zones partner hack? Get these done before it starts and then check you have the right access.
IMPORTANT: You will need three subscriptions (absolute minimum of two) to deploy an Azure Landing Zone. All subscriptions need to be in the same tenant.
Minimum RBAC permission required at root scope (i.e. "/", above the Tenant Root Group):
- User Access Administrator
There is a set of checks to ensure that you have the required permissions. Complete these before the hack.
You will need a GitHub ID for the hack, and your laptop should be set up with the right tooling.
Complete the setup in advance of the hack.
Open the setup page in a new tab and work through the following:
- GitHub ID
- Linux environment
- Binaries (git and jq)
- Azure CLI
- Visual Studio Code
- Remote Development pack for WSL
- Additional extensions
- Terraform (optional)
You can skip the Packer install if you wish.
Tenant level permissions
This hack will require someone in the team to have high levels of access, as we will be working with security groups, management groups, RBAC and policy assignments. You will need someone in your team to have Global Admin in your Azure AD tenant.
Follow the instructions to elevate the Global Admin's access so that you can:
- enable User Access Administrator at the tenant root scope (/)
- assign the Owner role at root scope so that the tenant-scope deployment template can create management groups and the assignments beneath them
Please test that you have the correct AAD and subscription permissions in advance of the hack.
If you get any error messages (e.g. Insufficient privileges to complete the operation) then speak to the Global Admin and/or Owner to request that your access permissions are increased.
Alternatively you may need to create a separate tenant and generate a few Microsoft IDs and trial subscriptions.
The root (/) permissions can be removed after the initial deployment, as long as the security principal keeps the appropriate management group and subscription level permissions for lifecycle management.
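The root-scope steps the Global Admin performs, gathered into one script as an added example (not code from the Azure Citadel page or from the hack's linked instructions). The `az rest` call is the documented REST operation behind the "Access management for Azure resources" toggle, and the role assignment flags are real Azure CLI flags; the subcommand names (`elevate`, `grant`, `verify`, `revoke`) are this example's own. It assumes the CLI is logged in as the Global Admin and that the UPN of the person who will run the landing zone deployment is passed as an argument. The `revoke` step is the removal the text above recommends once the initial deployment is done.

```bash
#!/usr/bin/env bash
# Added example: tenant root elevation, Owner grant, verification and
# removal for an Azure Landing Zones deployment. Not from the original page.
# Assumes: az CLI logged in as the Global Admin. Subcommand names are ours.
set -euo pipefail

ROOT='/'

usage() { echo "usage: $0 elevate | grant <upn> | verify <upn> | revoke <upn>" >&2; }

# Object ID of a user. Azure CLI 2.37+ (Microsoft Graph) returns "id";
# older releases returned "objectId", so accept either.
object_id() { az ad user show --id "$1" --query 'id || objectId' --output tsv; }

# Step 1, run by the Global Admin for their own account: elevate access.
# This grants User Access Administrator at root scope (/).
elevate() {
  az rest --method post \
    --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
  # If the next command is refused, sign out and back in (az logout; az login)
  # so the CLI holds a token issued after the elevation.
  echo "elevated: User Access Administrator granted at /"
}

# Step 2: Owner at root scope for the person running the tenant-scope
# template. Object ID plus principal type avoids a directory lookup that can
# fail for principals created moments ago.
grant_root_owner() {
  local oid; oid=$(object_id "$1")
  az role assignment create --scope "$ROOT" --role Owner \
    --assignee-object-id "$oid" --assignee-principal-type User --output none
  echo "Owner granted at / to $1"
}

# What does this principal hold at root, directly or via group membership?
verify_root() {
  az role assignment list --scope "$ROOT" --assignee "$1" --include-groups \
    --query '[].{role:roleDefinitionName, scope:scope}' --output table
}

# After the first deployment: take the root-scope rights away again. The
# management group and subscription roles cover day-to-day lifecycle work.
revoke_root() {
  local oid; oid=$(object_id "$1")
  az role assignment delete --scope "$ROOT" --role Owner --assignee "$oid"
  echo "Owner removed at / from $1"
  # The Global Admin should also drop their own elevated role, run as that admin:
  #   az role assignment delete --scope / --role 'User Access Administrator' --assignee <admin-upn>
}

main() {
  case "${1:-}" in
    elevate) elevate ;;
    grant)   grant_root_owner "${2:?upn required}" ;;
    verify)  verify_root "${2:?upn required}" ;;
    revoke)  revoke_root "${2:?upn required}" ;;
    *)       usage; return 64 ;;
  esac
}

# Nothing runs unless a subcommand is given, so sourcing the file is harmless.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `verify` after `grant` and again after `revoke`: the second run should show nothing at scope `/` for that user, and the Global Admin's own elevated assignment shows up in the Azure activity log, so expect it to be noticed if it is left in place.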
Run through the following tests to check your permissions.
Login to the right context

```bash
az login
az account show
```

Use `az account set --subscription <subscription_id>` if you need to switch.
Set default location and grab subscription scope

```bash
export AZURE_DEFAULTS_LOCATION=uksouth
subscriptionScope=/subscriptions/$(az account show --query id --output tsv)
```

The location is only defaulted for the current session. Use `az configure --defaults location=uksouth` to persist the default.
```bash
az ad group create --display-name eshack-deleteme --mail-nickname junk
groupObjectId=$(az ad group show --group eshack-deleteme --query objectId --output tsv)
```

Azure CLI 2.37 and later (which use Microsoft Graph) return the group's object ID as `id` rather than `objectId`, so use `--query id` on those versions. If you cannot create objects in AAD then it is possible to work around it, or you can ask others to create the AAD objects for you.
```bash
az account management-group create --name eshack-deleteme
mgScope="/providers/Microsoft.Management/managementGroups/eshack-deleteme"
az group create --name eshack-deleteme
az role assignment create --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment create --role Reader --assignee $groupObjectId --scope $subscriptionScope
az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $mgScope
az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $subscriptionScope
```

The second command in each pair is the subscription-level check. Passing `$subscriptionScope` explicitly (it was captured above for this purpose) rather than relying on the CLI's default scope makes sure the assignment lands on the subscription you intend. If a role assignment is refused for a group created seconds earlier, retry with `--assignee-object-id $groupObjectId --assignee-principal-type Group`, which skips the directory lookup that can fail before replication completes.
The following code block will tidy everything up from the checks.

```bash
az group delete --name eshack-deleteme --yes
az policy assignment delete --name eshack-deleteme --scope $mgScope
az policy assignment delete --name eshack-deleteme --scope $subscriptionScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $subscriptionScope
az ad group delete --group eshack-deleteme
az account management-group delete --name eshack-deleteme
```

Keep the `--assignee` filter on the role assignment deletes: with only `--role` and `--scope`, `az role assignment delete` removes every Reader assignment at that scope, not just the one created here.
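The checks above, run as one script that reports PASS/FAIL per permission and always tears the throwaway objects down, even when an earlier step fails. This is an added example, not code from the Azure Citadel page. It assumes the Azure CLI is logged in with a default subscription set, reuses the page's `eshack-deleteme` name and policy definition ID (both overridable from the environment), and uses `--assignee-object-id` with a principal type so that a freshly created group does not trip a directory lookup. The `check` helper and the `mg_scope`/`sub_scope` functions are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: runs the permission checks as
# a script and cleans up whatever it managed to create.
# Assumes: az CLI logged in (az login) and a default subscription selected.
set -uo pipefail          # deliberately no -e: a failed check must not skip cleanup

NAME="${NAME:-eshack-deleteme}"
LOCATION="${LOCATION:-uksouth}"
POLICY="${POLICY:-0a914e76-4921-4c19-b460-a2d36003525a}"   # definition ID used on the page

mg_scope()  { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

FAILED=0
# check LABEL CMD...: run CMD quietly, print PASS or FAIL, and keep going.
check() {
  local label=$1; shift
  if "$@" >/dev/null 2>&1; then
    printf 'PASS  %s\n' "$label"
  else
    printf 'FAIL  %s  (%s)\n' "$label" "$*"
    FAILED=$((FAILED + 1))
  fi
}

# Group object ID. Azure CLI 2.37+ (Microsoft Graph) returns "id";
# older releases returned "objectId", so accept either.
group_id() { az ad group show --group "$1" --query 'id || objectId' --output tsv 2>/dev/null; }

cleanup() {
  echo "--- cleaning up"
  az group delete --name "$NAME" --yes >/dev/null 2>&1
  az policy assignment delete --name "$NAME" --scope "$MG"  >/dev/null 2>&1
  az policy assignment delete --name "$NAME" --scope "$SUB" >/dev/null 2>&1
  # Only delete role assignments with an assignee filter: with just --role and
  # --scope the command would remove every Reader assignment at that scope.
  if [ -n "${GROUP_ID:-}" ]; then
    az role assignment delete --role Reader --assignee "$GROUP_ID" --scope "$MG"  >/dev/null 2>&1
    az role assignment delete --role Reader --assignee "$GROUP_ID" --scope "$SUB" >/dev/null 2>&1
    az ad group delete --group "$GROUP_ID" >/dev/null 2>&1
  fi
  az account management-group delete --name "$NAME" >/dev/null 2>&1
}

main() {
  command -v az >/dev/null 2>&1 || { echo "Azure CLI (az) not found" >&2; return 2; }
  local subid
  subid=$(az account show --query id --output tsv) || { echo "run 'az login' first" >&2; return 2; }
  SUB=$(sub_scope "$subid"); MG=$(mg_scope "$NAME")
  trap cleanup EXIT
  echo "subscription: $subid"

  check "create AAD security group"         az ad group create --display-name "$NAME" --mail-nickname "${NAME//-/}"
  GROUP_ID=$(group_id "$NAME")
  check "create management group"           az account management-group create --name "$NAME"
  check "create resource group"             az group create --name "$NAME" --location "$LOCATION"
  check "Reader assignment at MG"           az role assignment create --role Reader --scope "$MG" \
                                              --assignee-object-id "$GROUP_ID" --assignee-principal-type Group
  check "Reader assignment at subscription" az role assignment create --role Reader --scope "$SUB" \
                                              --assignee-object-id "$GROUP_ID" --assignee-principal-type Group
  check "policy assignment at MG"           az policy assignment create --name "$NAME" --policy "$POLICY" --scope "$MG"
  check "policy assignment at subscription" az policy assignment create --name "$NAME" --policy "$POLICY" --scope "$SUB"

  echo "--- $FAILED check(s) failed"
  return $((FAILED > 0))
}

# Nothing is created unless the 'check' subcommand is given.
case "${1:-}" in
  check) main ;;
  *)     echo "usage: $0 check" ;;
esac
```

Run it as `./permcheck.sh check` (the file name is arbitrary). A FAIL on the AAD group line with PASSes elsewhere is the "cannot create objects in AAD" case described above; a FAIL on the management group or the MG-scoped assignments is the root-scope gap to raise with your Global Admin. The script exits non-zero if any check failed, so it can gate a CI job.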
If you are attending an Azure Landing Zones partner hack and need a basic overview of using git, or a grounding in the basic concepts in Azure Landing Zones, then use these links:
| Link | What it covers |
|------|----------------|
| Git 101 Basics | Grounding on Git with Scott Hanselman |
| Git Pull Requests Explained | Pull requests or PRs in Git |
| Azure Landing Zones Learning Path | Microsoft Learn modules for Azure Landing Zones |
OK, if you have reached here with no errors then you should be good to go!