Enterprise Agreement Roles

In this article, I'd like to consider some potential misconfigurations or privileged permissions in EA portal roles that could pose a security risk to your Azure workloads and work environments. These roles are specific to managing Azure Enterprise Agreements and are in addition to the built-in roles that Azure has to control access to resources. For more information, see Built-in Azure roles.

An enterprise administrator must grant these permissions. If you've been granted permission to view monthly usage and department fees, but can't see them, contact your partner.

Enterprise or department administrators can change the “account holder” as described in this article. This allows these EA roles to change access at the subscription level as well. There are two scenarios:

“By default, the account administrator is also the service administrator for a new subscription. The service administrator has the equivalent access of a user who has the Owner role at the subscription scope. The service administrator has access to the Azure portal.” (Source: Classic subscription administrator roles, Azure roles, and Azure AD roles)

You can have multiple service administrators for each enterprise record. From my perspective, a complex setup of accounts and services on the EA portal has huge drawbacks compared to the subscription and cost management options on the Azure portal.

Therefore, you should try to set up a minimal hierarchy with a minimum of users and delegated roles. Keep it like this! The account holder can change the “Azure RBAC” entries and the “classic administrator roles” as the default service administrator. You can also change the “Service Administrator” if they are not yet assigned to the role.

If you want to know how to save money with Azure reservations for Reserved VM Instances when registering the company, you can find more information about Azure EA VM Reserved Instances.

1) EA registration transfer: usually done on request when a new agreement is negotiated or there is a consolidation of registrations, for example when one EA portal customer is purchased by another. Registration transfers are only automated if the partner indicates in the ordering system that a transfer is to take place and provides the source and target registration numbers for date agreements (e.g. source until December 31, 2016 and target from January 1, 2017).

If your enterprise administrator can't support you, create a support case for the Azure Enterprise portal. Provide the following information:

The department administrator can view the expense quota, but only the company administrator can update the quota amount. The company administrator and the department administrator will receive notifications as soon as the quota reaches 50%, 75%, 90% and 100%.

As a result, the following escalation paths could be a potential scenario if organizations assign EA portal roles to lower-privileged administrator accounts (for example, a licensing or purchasing service):

After creating a department, the enterprise administrator can add department administrators and associate each one with a department. Departmental administrators can perform the following actions for their services:

Today, this top-level, separate portal seems “obsolete”. Microsoft has moved more and more functionality into the Azure portal, for example creating enterprise subscriptions for EA customers. And most organizations also use tags and “management groups” instead of creating a custom hierarchy (including departments or accounts) on the EA portal.

In this example, I just added another user account as a “co-administrator” to the classic administrator roles.

Ed Mondek has created an excellent graph that helps to understand the relationship and the assignment between the level of delegation, the roles and the area of eligibility. It also includes the administrative level and units of Azure (portal):

Thus, “Enterprise” and “Department” administrators can ultimately (indirectly) set the “Service Administrator” by assigning a new “Account Owner”, and thus gain the option to change permissions for certain subscriptions.
