What Is Meant by “Tenant Admin”?

Let’s assume you are working on a new project with a team of 10 Information Technology professionals.

A company (let’s call it Nickison II, LLC) is buying part of another company (we’ll call this company Marty’s). The deal includes a total transfer of ownership for six applications. Let’s call these applications QuickBooks Desktop, WordPress (local install and configuration), Office 365, Dynamics CRM, Microsoft SQL Server 2016, and Teams (with the phone service add-on).

The team is now assembled, and the work on planning begins. Everyone (including yourself) is excited to start this major company initiative.

In the initial discussions, the election of tenant admins takes place. No one volunteers for the task, so you and the resident Microsoft Azure cloud guru are nominated to be tenant admins.

You are now thinking, “What in the world did I just get signed up for?!”

The good news is this:
What you need to accomplish this task is not work-intensive.

The bad news is this:
Once you become a tenant admin, you have the rights to do almost ANYTHING in the tenant rights assignment arena … and with such privilege comes massive amounts of responsibility and accountability.

So, what exactly is meant by “tenant admin”?

Basically, you will be granted rights in the Microsoft Azure tenant to assign rights to any resource (people, deployments, services, and so much more) and to change the assigned rights level at any time. In most cases, your user account in the specific Azure tenant will have its rights increased to Owner role access (in some more restrictive deployments, the account will be elevated to co-contributor level).

So, in essence, you have volunteered to be a top-level admin for the tenant.

Others will now call you when new account access to the tenant needs to be established (for new users or services). Additionally, expect to receive emails when access needs to be adjusted or removed. The latter, for example, could be the result of people leaving the project or the company altogether.

To be frank, a tenant admin is someone who has owner or co-contributor access to a tenant. With this right in place, the person in question can now administer access to the tenant.

What Is Meant By “Control of the Tenant”?

One of the more commonly discussed ideas in the migration space is “control of the tenant.” However, there is not a lot of discussion about this important aspect of Microsoft Azure migration in courses. Let’s fix that deficiency by discussing in depth what control of the tenant means.

First, a tenant is an instance of Azure AD combined with the resources that utilize this specific Azure Active Directory instance. For each tenant in the Microsoft Azure cloud, there exists a Microsoft Azure Active Directory instance that is specifically allocated to it. All the resources (virtual machines, network security groups, M365 [Office 365], etc.) that are related to that Azure AD instance are also built as resources (members) of the tenant.

Now that we understand what a tenant is, we can quickly discuss what is meant by control of the tenant. Let me start with a short story.

Imagine you decided to learn more about Microsoft Azure. You have a credit card and sign up for the free tier (a small subset of all the available resources in Azure that you can use for free). You name the subscription. Furthermore, you set up billing so that when the monthly bill reaches $20 USD (by accident), all the resources are turned off for the month. You are quite the cost-conscious person!

You want to share your work with three fellow IT technicians who are also learning more in Azure. You have their email addresses and full names, so you create three new Azure Active Directory guest accounts.

The next question is:
How will rights in this tenant be assigned?

You need to have ‘owner’ and ‘co-contributor’ user Role-Based Access Controls (RBAC) set up and add each account to the subscription. How will you set this up?

When we discuss control of the tenant, we refer to the person who will have owner user RBAC rights and Global Administrator resource rights in Azure AD. In this instance, you decide that you alone will have control of the tenant. All of the other technicians will each have ‘co-contributor’ user RBAC with all the subscriptions added to their accounts and the Azure AD resource role set to ‘Global Reader.’

In this way, your colleagues can see all the data yet be unable to change it. Only you will have the right to change things across the board.

So, simply stated, control of the tenant refers to the person or people who can make any changes they desire in the Azure tenant and have those changes saved and implemented.
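To check who actually holds that control, you can review an export of the role assignments. The following is an added example, not part of the original article: it assumes an export in the shape produced by `az role assignment list --all --output json`, uses constructed sample data, treats the article's 'co-contributor' as the built-in Contributor role, and covers Azure RBAC only (Azure AD directory roles such as Global Administrator are reviewed separately).

```python
import json

# Constructed sample shaped like `az role assignment list --all --output json`
# (only the fields used here; every name and ID is made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_EXPORT = json.dumps([
    {"principalName": "you@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "tech1_example.org#EXT#@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "tech2_example.org#EXT#@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "tech3_example.org#EXT#@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/lab-rg"},
])

# Built-in Azure roles whose holders can grant or revoke access for others.
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator"}
BROAD_SCOPES = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an ARM scope string by how much of the tenant it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management-group"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        return "resource-group" if len(parts) == 4 else "resource"
    return "other"

def is_guest(principal_name):
    """Guest (B2B) user principal names carry the #EXT# marker."""
    return "#ext#" in principal_name.lower()

def who_controls_access(export_json):
    """Return principals able to change access at subscription scope or above."""
    findings = []
    for a in json.loads(export_json):
        level = scope_level(a.get("scope", ""))
        if a.get("roleDefinitionName") in ACCESS_GRANTING_ROLES and level in BROAD_SCOPES:
            findings.append((a["principalName"], a["roleDefinitionName"], level,
                             is_guest(a["principalName"])))
    return sorted(findings)

if __name__ == "__main__":
    for name, role, level, guest in who_controls_access(SAMPLE_EXPORT):
        print(f"{name}: {role} at {level}" + (" [GUEST - review]" if guest else ""))
```

In the sample, the guest holding User Access Administrator at subscription scope is reported alongside the intended owner, while the Owner assignment limited to one resource group is not.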

This question will be important for any migrations to Microsoft Azure you run into. Who will have control of the tenant? Will it be the CISO (Chief Information Security Officer), the CIO (Chief Information Officer), the Cloud Administration team, or the IT Support team? Or will it perhaps be IT Management or even a third-party MSP (Managed Services Provider)?

The answer is contingent on the perspectives of all the stakeholders.