IMPORTANT: You will need three subscriptions (absolute minimum of two) to deploy Enterprise Scale. All subscriptions need to be in the same tenant.
Minimum RBAC permissions required at root scope (i.e. above Tenant Root Group):
- User Access Administrator
There is a set of checks to ensure that you have required permissions. Complete these before the hack.
You will need to have a GitHub ID for the hack, and your laptop should be setup with the right tooling.
You should complete the setup in advance of the hack.
Open up a new tab for the page
- GitHub ID
- Linux environment
- Binaries (git and jq)
- Azure CLI
- Visual Studio Code
- Remote Development pack for WSL
- Additional extensions
- Terraform (optional)
You can skip the Packer install if you wish.
Tenant level permissions
This hack will require someone in the team to have high levels of access, as we will be working with security groups, management groups, RBAC and policy assignments. You will need someone in your team to have Global Admin in your Azure AD tenant.
Follow the instructions to elevate the Global Admin to
- enable User Access Administrator at the tenant root
- add Owner role to allow the tenant scope template to work
Please test that you have the correct AAD and subscription permissions in advance of the hack.
If you get any error messages (e.g. Insufficient privileges to complete the operation) then speak to the Global Admin and/or Owner to request that your access permissions are increased.
The root (/) permissions can be removed after the initial deployment, as long as the security principal has the appropriate management group and subscription level permissions for lifecycle management.
Run through the following tests to check your permissions.
Login to the right context
az login
az account show
Use az account set --subscription <subscription_id> if you need to switch.
Set default location and grab subscription scope
export AZURE_DEFAULTS_LOCATION=uksouth
subscriptionScope=/subscriptions/$(az account show --query id --output tsv)
The location will only be defaulted for the current session. Use az configure --defaults location=uksouth to persist the default.
az ad group create --display-name eshack-deleteme --mail-nickname junk
groupObjectId=$(az ad group show --group eshack-deleteme --query objectId --output tsv)
Note that on Azure CLI 2.37 or later (Microsoft Graph based) the group's object ID is returned in the id property, so use --query id instead of --query objectId.
If you cannot create objects in AAD then it is possible to work around it. Or request others to create AAD objects for you.
az account management-group create --name eshack-deleteme
mgScope="/providers/Microsoft.Management/managementGroups/eshack-deleteme"
az group create --name eshack-deleteme
az role assignment create --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment create --role Reader --assignee $groupObjectId --scope $subscriptionScope
az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $mgScope
az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $subscriptionScope
The first command of each pair tests the management group scope and the second tests the subscription scope (using the subscriptionScope variable set earlier).
The following code block will tidy everything up from the checks.
az group delete --name eshack-deleteme --yes
az policy assignment delete --name eshack-deleteme --scope $mgScope
az policy assignment delete --name eshack-deleteme --scope $subscriptionScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $subscriptionScope
az ad group delete --group eshack-deleteme
az account management-group delete --name eshack-deleteme
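As an added example (not part of the original page), the script below checks the root scope permissions the page asks for against the JSON that az role assignment list --scope / --output json returns, and also lists every assignment at root so they can be removed after the initial deployment as the page recommends. The assignments and principal IDs are constructed sample data; the roleDefinitionName, scope and principalId fields are those the Azure CLI emits.

```python
import json

# Roles the page expects at the tenant root scope ("/") before the hack:
# User Access Administrator as the minimum, plus Owner for the tenant-scope template.
REQUIRED_ROOT_ROLES = ("User Access Administrator", "Owner")

# Constructed sample in the shape of `az role assignment list --scope / -o json`
# (a Reader assignment at subscription scope is included to show it is ignored).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "User Access Administrator", "scope": "/",
   "principalId": "00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Owner", "scope": "/",
   "principalId": "00000000-0000-0000-0000-000000000002"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "principalId": "00000000-0000-0000-0000-000000000001"}
]
""")


def root_roles(assignments, principal_id):
    """Role names assigned directly at root scope '/' to the given principal."""
    return sorted(
        a["roleDefinitionName"]
        for a in assignments
        if a["scope"] == "/" and a["principalId"] == principal_id
    )


def missing_root_roles(assignments, principal_id):
    """Required root roles the principal does not yet hold (empty list = ready)."""
    have = set(root_roles(assignments, principal_id))
    return [role for role in REQUIRED_ROOT_ROLES if role not in have]


def root_assignments_to_review(assignments):
    """Every (principalId, role) at '/': candidates for removal after deployment,
    since lifecycle management only needs management group / subscription rights."""
    return [(a["principalId"], a["roleDefinitionName"])
            for a in assignments if a["scope"] == "/"]


if __name__ == "__main__":
    me = "00000000-0000-0000-0000-000000000001"  # constructed principal id
    for role in missing_root_roles(SAMPLE_ASSIGNMENTS, me):
        print(f"MISSING at root scope: {role}")
    for principal, role in root_assignments_to_review(SAMPLE_ASSIGNMENTS):
        print(f"Root-scope assignment to remove after deployment: {principal} -> {role}")
```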
If you are attending an Enterprise Scale partner hack and need a basic overview of using git, or a grounding in the basic concepts in Enterprise Scale, then use these links:
- Git 101 Basics: Grounding on Git with Scott Hanselman
- Git Pull Requests Explained: Pull requests or PRs in Git
- Enterprise Scale Learning Path: Microsoft Learn modules for Enterprise Scale
OK, if you have reached here with no errors then you should be good to go!
Help us improve
Azure Citadel is a community site built on GitHub. Please contribute and send a pull request.