Designlet: Identity and Access Management for Azure VMware Solution

Introduction

Azure VMware Solution (AVS) private clouds are provisioned with VMware vCenter Server and NSX-T. They leverage vSphere role-based access control (RBAC) for management, flexibility, and enhanced security. After deployment, customers are provided with credentials for the cloudadmin user in vCenter Server and for the admin user in NSX-T Manager. Root (administrative) access to the ESXi hosts is restricted.

Summary and Considerations

Use Case

Identity and access management for vCenter Server and NSX-T in an Azure VMware Solution private cloud.

Pre-requisites

For configuring an external identity source:

  • Connectivity between on-premises and Azure VMware Solution
  • DNS resolution for on-premises Active Directory (AD)
  • If using AD with SSL, upload the certificate for AD authentication to an Azure Storage account as blob storage.
  • Grant access to the certificate blob(s) in that storage account using a shared access signature (SAS)

For changing vCenter cloudadmin or NSX-T Manager admin passwords:

  • Identify and stop all services and third-party tools that connect or integrate via these accounts prior to changing the password(s).

General Considerations/Recommendations

The cloudadmin account should be used for emergency access only. It should not be used for regular administrative access or integration with other services.

The vsphere.local SSO domain is a managed resource; it does not support the creation and management of local users and groups.

Performance Considerations

If configuring an external identity source, consider deploying a domain controller inside of the AVS private cloud to avoid sending authentication and DNS traffic across the WAN.

Cost Implications

Egress charges may apply to traffic communicating from Azure VMware Solution to an on-premises environment.

Document Reference

VMware documentation for defined privileges

Best Practices for vCenter Roles and Permissions

Delegate access with shared access signatures (SAS)

Last Updated

October 2021


VMware vCenter Server

By default, vCenter Server uses a local account, cloudadmin@vsphere.local, which is assigned the CloudAdmin role. As an administrator of the AVS private cloud you have access to this account. Although it has near-administrator privileges, it is not equivalent to its on-premises counterpart, administrator@vsphere.local.

Administrators of the private cloud do not have access to the administrator@vsphere.local account and therefore cannot manage specific components of the vSphere environment, such as adding identity sources through the traditional vCenter method, or managing clusters, hosts, datastores, and distributed virtual switches.

CloudAdmin Role

The CloudAdmin role allows you to manage most aspects of the private cloud, except the components that Microsoft supports and manages as part of the service. The CloudAdmin role has the following privileges:

Privilege

Description

Alarms

Acknowledge alarm
Create alarm
Disable alarm action
Modify alarm
Remove alarm
Set alarm status

Content Library

Add library item
Create a subscription for a published library
Create local library
Create subscribed library
Delete library item
Delete local library
Delete subscribed library
Delete subscription of a published library
Download files
Evict library items
Evict subscribed library
Import storage
Probe subscription information
Publish a library item to its subscribers
Publish a library to its subscribers
Read storage
Sync library item
Sync subscribed library
Type introspection
Update configuration settings
Update files
Update library
Update library item
Update local library
Update subscribed library
Update subscription of a published library
View configuration settings

Cryptographic operations

Direct access

Datastore

Allocate space
Browse datastore
Configure datastore
Low-level file operations
Remove files
Update virtual machine metadata

Folder

Create folder
Delete folder
Move folder
Rename folder

Global

Cancel task
Global tag
Health
Log event
Manage custom attributes
Service managers
Set custom attribute
System tag

Host

vSphere Replication

Manage replication

Network

Assign network

Permissions

Modify permissions
Modify role

Profile

Profile driven storage view

Resource

Apply recommendation
Assign vApp to resource pool
Assign virtual machine to resource pool
Create resource pool
Migrate powered off virtual machine
Migrate powered on virtual machine
Modify resource pool
Move resource pool
Query vMotion
Remove resource pool
Rename resource pool

Scheduled task

Create task
Modify task
Remove task
Run task

Sessions

Message
Validate session

Storage view

View

vApp

Add virtual machine
Assign resource pool
Assign vApp
Clone
Create
Delete
Export
Import
Move
Power off
Power on
Rename
Suspend
Unregister
View OVF environment
vApp application configuration
vApp instance configuration
vApp managedBy configuration
vApp resource configuration

Virtual machine

Change Configuration

Acquire disk lease
Add existing disk
Add new disk
Add or remove device
Advanced configuration
Change CPU count
Change memory
Change settings
Change swapfile placement
Change resource
Configure host USB device
Configure raw device
Configure managedBy
Display connection settings
Extend virtual disk
Modify device settings
Query fault tolerance compatibility
Query unowned files
Reload from paths
Remove disk
Rename
Reset guest information
Set annotation
Toggle disk change tracking
Toggle fork parent
Upgrade virtual machine compatibility

Edit inventory

Create from existing
Create new
Move
Register
Remove
Unregister

Guest operations

Guest operation alias modification
Guest operation alias query
Guest operation modifications
Guest operation program execution
Guest operation queries

Interaction

Answer question
Back up operation on virtual machine
Configure CD media
Configure floppy media
Connect devices
Console interaction
Create screenshot
Defragment all disks
Drag and drop
Guest operating system management by VIX API
Inject USB HID scan codes
Install VMware tools
Pause or Unpause
Wipe or shrink operations
Power off
Power on
Record session on virtual machine
Replay session on virtual machine
Suspend
Suspend fault tolerance
Test failover
Test restart secondary VM
Turn off fault tolerance
Turn on fault tolerance

Provisioning

Allow disk access
Allow file access
Allow read-only disk access
Allow virtual machine download
Clone template
Clone virtual machine
Create template from virtual machine
Customize guest
Deploy template
Mark as template
Modify customization specification
Promote disks
Read customization specifications

Service configuration

Allow notifications
Allow polling of global event notifications
Manage service configuration
Modify service configuration
Query service configurations
Read service configuration

Snapshot management

Create snapshot
Remove snapshot
Rename snapshot
Revert snapshot

vSphere Replication

Configure replication
Manage replication
Monitor replication

vService

Create dependency
Destroy dependency
Reconfigure dependency configuration
Update dependency

vSphere tagging

Assign and unassign vSphere tag
Create vSphere tag
Create vSphere tag category
Delete vSphere tag
Delete vSphere tag category
Edit vSphere tag
Edit vSphere tag category
Modify UsedBy field for category
Modify UsedBy field for tag

Custom Roles

AVS supports custom roles whose privileges are equal to, or a subset of, those of the CloudAdmin role.

Note: If you create a role with privileges greater than the CloudAdmin role, you won't be able to assign or delete that role.

Creating Custom Roles

  1. Log in to vCenter with cloudadmin@vsphere.local or a user account that holds the CloudAdmin role.
  2. Select Menu > Administration
  3. Under Access Control, select Roles
  4. Select the CloudAdmin role, and then the Clone role action icon
  5. Provide a name for the new role.
  6. Modify the privileges for the role and select OK.

Applying Custom Roles

Custom roles are applied to specific objects and can be propagated down from the parent. In this example, we’ll apply a custom role to a virtual machine folder object.

Note: Since local users and groups cannot be created in the vsphere.local SSO domain, you must have an external identity source configured to apply a custom role to a particular Active Directory user or group.

  1. Select Menu > VMs and Templates
  2. Right-click on the folder where you want to add the role and then Add Permission
  3. Select the Identity Source in the User drop-down
  4. Search for the user or group you want to add
  5. Select the role you want to apply to the user or group
  6. If necessary, check Propagate to children, and select OK
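The same role-creation and permission-assignment procedure, as an added PowerCLI example (not part of the original Designlet). It builds a least-privilege "VM operator" role by taking only a subset of CloudAdmin's privileges, so the new role can never exceed CloudAdmin and hit the assignment restriction noted above, then scopes it to one VM folder with propagation. The vCenter FQDN, role name, folder name, and the AD group name (which must come from a configured external identity source) are assumptions.

```powershell
# Added example, not from the Designlet. Requires the VMware.PowerCLI module.
Import-Module VMware.PowerCLI -ErrorAction Stop

$vc       = 'vcenter.avs.example'        # assumption: your private cloud vCenter Server FQDN
$adGroup  = 'STICKERS\AVS-VMOperators'   # assumption: AD group from the external identity source
$folder   = 'Tier2-Workloads'            # assumption: VM folder that scopes the permission
$roleName = 'AVS-VMOperator'             # assumption: name of the new custom role

# cloudadmin is for emergency access only; sign in with an AD account that holds CloudAdmin.
$vi = Connect-VIServer -Server $vc -Credential (Get-Credential -Message 'Account holding the CloudAdmin role')

# Privilege IDs to keep: day-2 VM operations only (power, console, snapshots).
# vCenter adds the System.Anonymous/View/Read privileges to every role automatically.
$wanted = @(
    'VirtualMachine.Interaction.PowerOn',
    'VirtualMachine.Interaction.PowerOff',
    'VirtualMachine.Interaction.Suspend',
    'VirtualMachine.Interaction.ConsoleInteraction',
    'VirtualMachine.Interaction.AnswerQuestion',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# Guardrail from the Designlet: a role with privileges beyond CloudAdmin cannot be assigned.
# Take the privilege objects from CloudAdmin itself, so the new role is a strict subset.
$cloudAdminPrivs = Get-VIPrivilege -Role (Get-VIRole -Name 'CloudAdmin' -Server $vi) -Server $vi
$missing = $wanted | Where-Object { $_ -notin $cloudAdminPrivs.Id }
if ($missing) { throw "Not held by CloudAdmin, so cannot be delegated: $($missing -join ', ')" }
$privs = $cloudAdminPrivs | Where-Object { $_.Id -in $wanted }

# Create the role only if it does not exist yet (idempotent re-runs).
$role = Get-VIRole -Name $roleName -Server $vi -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs -Server $vi
}

# Grant at the folder, not at the root, and propagate to the VMs inside it.
$target = Get-Folder -Name $folder -Type VM -Server $vi
New-VIPermission -Entity $target -Principal $adGroup -Role $role -Propagate:$true -Server $vi | Out-Null

# Verify the effective permission and that no unapproved privilege slipped into the role.
Get-VIPermission -Entity $target -Principal $adGroup -Server $vi | Format-Table Principal, Role, Propagate
$extra = (Get-VIPrivilege -Role $role -Server $vi).Id |
    Where-Object { $_ -notlike 'System.*' -and $_ -notin $wanted }
if ($extra) { Write-Warning "Unexpected privileges on ${roleName}: $($extra -join ', ')" }

Disconnect-VIServer -Server $vi -Confirm:$false
```

Deriving the privilege objects from CloudAdmin rather than from the global privilege list is the point of the check: if a privilege you want to delegate is not in CloudAdmin, the script stops before creating a role that vCenter would accept but that you could not assign.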

Change cloudadmin password

A complex password is automatically generated during the provisioning of your private cloud for cloudadmin@vsphere.local. This password can be obtained in the Azure portal by navigating to your Azure VMware Solution private cloud, then Manage > Identity.

The password for this account does not expire, but you can change it at any time via Azure Cloud Shell. Simply open a new session and execute the following command.

Note: Replace {SubscriptionID}, {ResourceGroup}, and {PrivateCloudName} with your information.

az resource invoke-action --action rotateVcenterPassword --ids "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroup}/providers/Microsoft.AVS/privateClouds/{PrivateCloudName}" --api-version "2020-07-17-preview"

Identify and stop all services and third-party tools that connect or integrate via these accounts prior to changing the password(s). Services and tools may include, but are not limited to:

  • VMware HCX
  • VMware Site Recovery Manager
  • VMware Horizon
  • vRealize suite of products
  • Backup services
  • Monitoring services

These services will stop working, and if they keep retrying with the previous password they can lock the account after repeated failed authentication attempts. Services that use site pairs between multiple vCenter Servers, such as VMware HCX and VMware Site Recovery Manager, will require the site pair to be updated with the new password and re-established.
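The rotation above, as an added PowerShell example for Azure Cloud Shell (not part of the original Designlet). It invokes the same rotateVcenterPassword resource action as the az command, then reads the new credential back through the listAdminCredentials action and stores it in Key Vault with an expiry, instead of displaying it. The resource group, private cloud, and Key Vault names are assumptions; the property names on the returned credential object follow the Microsoft.AVS listAdminCredentials response.

```powershell
# Added example, not from the Designlet. Requires Az.Accounts, Az.Resources and Az.KeyVault.
$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'rg-avs-prod'            # assumption
$privateCloud   = 'avs-prod-eastus'        # assumption
$vaultName      = 'kv-avs-prod'            # assumption
$apiVersion     = '2020-07-17-preview'     # same API version as the az command in this guide

$id = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.AVS/privateClouds/$privateCloud"

# 1. Do not rotate while HCX, SRM, backup or monitoring tools still authenticate as cloudadmin:
#    their retries with the old password can lock the account.
$confirm = Read-Host 'Have all integrations that use cloudadmin been stopped? Type ROTATE to continue'
if ($confirm -ne 'ROTATE') { throw 'Aborted: stop cloudadmin integrations before rotating.' }

# 2. Rotate. -Force suppresses the interactive confirmation.
Invoke-AzResourceAction -ResourceId $id -Action rotateVcenterPassword -ApiVersion $apiVersion -Force | Out-Null

# 3. Read the new credential back (what the portal's Manage > Identity blade shows).
$creds  = Invoke-AzResourceAction -ResourceId $id -Action listAdminCredentials -ApiVersion $apiVersion -Force
$secret = ConvertTo-SecureString -String $creds.vcenterPassword -AsPlainText -Force
Remove-Variable creds   # drop the plaintext copy as soon as the SecureString exists

# 4. Store it in Key Vault with an expiry so the next rotation is tracked, and never echo it.
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'avs-cloudadmin' -SecretValue $secret `
    -Expires (Get-Date).AddDays(90) `
    -Tag @{ principal = 'cloudadmin@vsphere.local'; source = 'rotateVcenterPassword' } | Out-Null

$stored = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'avs-cloudadmin'
Write-Host "cloudadmin rotated; secret version $($stored.Version) stored in $vaultName, expires $($stored.Expires)"
```

The Az.VMware module also exposes Get-AzVMwarePrivateCloudAdminCredential, which returns the same vCenter and NSX-T credentials as the listAdminCredentials action used here. Whichever you use, re-pair HCX and SRM sites and update any backup or monitoring service accounts from the Key Vault secret, not from a console copy.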

External Identity Source

The CloudAdmin role in vCenter Server allows administrators to assign Active Directory users and groups to the CloudAdmin role, or other custom roles. However, it does not have permission to add an LDAP or LDAPS identity source via traditional methods. Instead, the Azure Run command feature allows you to perform tasks that would normally require elevated privileges through a collection of PowerShell cmdlets such as:

  • Listing existing identity sources currently integrated with vCenter Server
  • Adding or removing Active Directory over LDAP identity sources, with or without SSL
  • Adding or removing existing Active Directory groups to the CloudAdmin role

Run commands can be accessed from within your Azure VMware Solution private cloud in the Azure portal under Operations > Run command. Afterwards, check Notifications or the Run Execution Status pane to see the progress and output.

List External Identity Sources

  1. In the Run command pane, select Packages > Get-ExternalIdentitySources
  2. Fill in the required fields and select Run

Required Field

Description

Retain up to

Retention period of the cmdlet output. The default value is 60 days.

Specify name for execution

Alphanumeric name. Example: getIdentitySources.

Timeout

The period after which a cmdlet exits if taking too long to finish.

Add Active Directory over LDAP

Prefer Active Directory over LDAP with SSL, described in the next section, over this method: plain LDAP transmits the bind credentials and directory queries unencrypted.

  1. In the Run command pane, select Packages > New-AvsLDAPIdentitySource
  2. Fill in the required fields and select Run

Required Field

Description

Name

Friendly name of the identity source. Example: stickers.corp.

DomainName

FQDN of the domain.

DomainAlias

For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the AD domain as an alias of the identity source if you're using SSPI authentications.

PrimaryUrl

Primary URL of the external identity source.
Example: ldap://nyc-dc-01.stickers.corp:389

SecondaryUrl

Fall-back URL if there is a primary failure.

BaseDNUsers

The Base DN used to search for users.
Example: CN=users,DC=stickers,DC=corp

BaseDNGroups

The Base DN used to search for groups.
Example: CN=groups,DC=stickers,DC=corp

Credential

Credentials used for Active Directory authentication.

GroupName

Active Directory group that should be granted access to the CloudAdmin role.

Retain up to

Retention period of the cmdlet output. The default value is 60 days.

Specify name for execution

Alphanumeric name. Example: addIdentitySource.

Timeout

The period after which a cmdlet exits if taking too long to finish.

Add Active Directory over LDAP with SSL

Active Directory over LDAP with SSL is the preferred method for authentication.

Prior to configuring the identity source, you must upload the certificate(s) from your domain controller(s) for AD authentication to an Azure Storage account as blob storage. Access to the Azure storage resource will need to be granted using a shared access signature (SAS). The SAS strings for each certificate are supplied to the cmdlet as a parameter.

Note: Copy each SAS string when it is created and store it in a secure location; it cannot be retrieved after you leave the page.
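The certificate upload and SAS preparation, as an added PowerShell example for Azure Cloud Shell (not part of the original Designlet). It captures the certificate each domain controller presents on port 636 over a real TLS handshake, checks expiry and the DNS name before trusting it for SSO, uploads the PEM to a private blob container, and mints a read-only, short-lived SAS per certificate in the comma-separated form the CertificateSAS field expects. Domain controller names, storage account, resource group, and container are assumptions.

```powershell
# Added example, not from the Designlet. Requires Az.Accounts and Az.Storage.
$domainControllers = 'nyc-dc-01.stickers.corp', 'nyc-dc-02.stickers.corp'   # assumption
$storageAccount    = 'stavsidentity'       # assumption
$resourceGroup     = 'rg-avs-prod'         # assumption
$container         = 'ldaps-certs'         # assumption

function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    # Complete a TLS handshake and keep the leaf certificate the DC presents.
    # The callback accepts any chain here because we only capture; checks follow below.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context
if (-not (Get-AzStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    # Private container: the SAS is the only grant, no anonymous read.
    New-AzStorageContainer -Name $container -Context $ctx -Permission Off | Out-Null
}

$sasList = foreach ($dc in $domainControllers) {
    $cert = Get-LdapsCertificate -HostName $dc

    # Sanity checks before this certificate anchors SSO authentication.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "$dc certificate expires $($cert.NotAfter); renew it first" }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $dc) { Write-Warning "$dc presented a certificate for '$dnsName'; confirm the PrimaryUrl host matches" }
    Write-Host "$dc thumbprint $($cert.Thumbprint), issuer $($cert.Issuer), valid until $($cert.NotAfter)"

    $file = Join-Path ([IO.Path]::GetTempPath()) "$dc.cer"
    Set-Content -Path $file -Value (ConvertTo-Pem $cert) -Encoding ascii -NoNewline
    Set-AzStorageBlobContent -File $file -Container $container -Blob "$dc.cer" -Context $ctx -Force | Out-Null
    Remove-Item $file

    # Read-only, single blob, short expiry: enough for the run command to fetch the file.
    New-AzStorageBlobSASToken -Container $container -Blob "$dc.cer" -Permission r `
        -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(2) -Context $ctx -FullUri
}

# Value for the CertificateSAS field (comma-separated). Treat it as a secret: store it, do not log it.
$certificateSas = $sasList -join ','
$certificateSas
```

The SAS is scoped to one blob, read-only, and expires in two hours, which is all the run command needs; an account-level or write-capable SAS would let anyone who sees the execution parameters tamper with the certificate vCenter trusts.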

The required fields are the same as above, with one addition.

  1. In the Run command pane, select Packages > New-AvsLDAPSIdentitySource
  2. Fill in the required fields and select Run

Required Field

Description

CertificateSAS

Path to SAS strings with the certificates for authentication to the AD source. If you're using multiple certificates, separate each SAS string with a comma.
Example: pathtocert1,pathtocert2.

Add/Remove Active Directory Group to/from the CloudAdmin Role

These cmdlets add an existing Active Directory group to the CloudAdmin role, giving every member of the group privileges equal to cloudadmin@vsphere.local, or remove a group from that role.

To add a group:

  1. In the Run command pane, select Packages > Add-GroupToCloudAdmins
  2. Fill in the required fields and select Run

To remove a group:

  1. In the Run command pane, select Packages > Remove-GroupFromCloudAdmins
  2. Fill in the required fields and select Run

Required Field

Description

GroupName

Name of the Active Directory group to add or remove. Example: AVSAdmins

Retain up to

Retention period of the cmdlet output. The default value is 60 days.

Specify name for execution

Alphanumeric name. Example: addADGroup, removeADGroup.

Timeout

The period after which a cmdlet exits if taking too long to finish.
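The New-AvsLDAPSIdentitySource, Add-GroupToCloudAdmins, and Get-ExternalIdentitySources run commands from the sections above, submitted from PowerShell with the Az.VMware module rather than the portal, as an added example (not part of the original Designlet). It wraps submission and polling in one helper, passes the bind credential and the SAS list as hidden parameters so they are not echoed in the execution record, and checks the provisioning state before moving on. Cmdlet and parameter-object names are those of the Az.VMware module as installed in Cloud Shell; confirm them against your version with Get-Command -Module Az.VMware. The resource names, script package name, identity source values, group names, and the CertificateSAS value are assumptions.

```powershell
# Added example, not from the Designlet. Requires Az.Accounts and Az.VMware.
$resourceGroup  = 'rg-avs-prod'        # assumption
$privateCloud   = 'avs-prod-eastus'    # assumption
$certificateSas = Read-Host -AsSecureString 'Comma-separated CertificateSAS value'   # from the certificate upload step

# Script packages carry a version in their name; resolve the management package rather than hard-coding it.
$pkg = Get-AzVMwareScriptPackage -PrivateCloudName $privateCloud -ResourceGroupName $resourceGroup |
       Where-Object Name -like 'Microsoft.AVS.Management@*' | Select-Object -First 1   # assumption: package name
if (-not $pkg) { throw 'AVS management script package not found' }

function Invoke-AvsRunCommand {
    param(
        [string]$CmdletName,
        [object[]]$Parameter = @(),
        [object[]]$HiddenParameter = @(),
        [string]$Timeout = 'PT30M',    # ISO 8601 durations: the portal's Timeout field
        [string]$Retention = 'P60D'    # and its "Retain up to" field (60-day default)
    )
    $cmdlet = Get-AzVMwareScriptCmdlet -PrivateCloudName $privateCloud -ResourceGroupName $resourceGroup `
                  -ScriptPackageName $pkg.Name -Name $CmdletName
    $execName = "$CmdletName-$(Get-Date -Format yyyyMMddHHmmss)"   # unique execution name
    $exec = New-AzVMwareScriptExecution -Name $execName -PrivateCloudName $privateCloud -ResourceGroupName $resourceGroup `
                -ScriptCmdletId $cmdlet.Id -Parameter $Parameter -HiddenParameter $HiddenParameter `
                -Timeout $Timeout -Retention $Retention
    # Poll until the execution leaves Pending/Running (what the portal's Run Execution Status pane shows).
    while ($exec.ProvisioningState -in 'Pending', 'Running') {
        Start-Sleep -Seconds 15
        $exec = Get-AzVMwareScriptExecution -Name $execName -PrivateCloudName $privateCloud -ResourceGroupName $resourceGroup
    }
    $log = Get-AzVMwareScriptExecutionLog -Name $execName -PrivateCloudName $privateCloud -ResourceGroupName $resourceGroup
    if ($exec.ProvisioningState -ne 'Succeeded') {
        throw "$CmdletName failed ($($exec.ProvisioningState)): $($exec.FailureReason)`n$($log | Format-List | Out-String)"
    }
    return $log
}

# Bind account: a dedicated, read-only AD service account, not a domain admin.
$bind = Get-Credential -Message 'AD account vCenter will use to bind to LDAPS'

$idSourceParams = @(
    New-AzVMwareScriptStringExecutionParameterObject -Name 'Name'         -Value 'stickers.corp'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'DomainName'   -Value 'stickers.corp'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'DomainAlias'  -Value 'STICKERS'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'PrimaryUrl'   -Value 'ldaps://nyc-dc-01.stickers.corp:636'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'SecondaryUrl' -Value 'ldaps://nyc-dc-02.stickers.corp:636'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'BaseDNUsers'  -Value 'CN=Users,DC=stickers,DC=corp'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'BaseDNGroups' -Value 'OU=Groups,DC=stickers,DC=corp'
    New-AzVMwareScriptStringExecutionParameterObject -Name 'GroupName'    -Value 'AVSAdmins'
)
# Secrets go in as hidden parameters so they are not stored or displayed with the execution.
$idSourceSecrets = @(
    New-AzVMwarePSCredentialExecutionParameterObject -Name 'Credential' `
        -Username $bind.UserName -Password $bind.GetNetworkCredential().Password
    New-AzVMwareScriptSecureStringExecutionParameterObject -Name 'CertificateSAS' `
        -SecureValue ([System.Net.NetworkCredential]::new('', $certificateSas).Password)
)
Invoke-AvsRunCommand -CmdletName 'New-AvsLDAPSIdentitySource' -Parameter $idSourceParams -HiddenParameter $idSourceSecrets | Out-Null

# Grant a second, separately governed group (for example break-glass operators) the CloudAdmin role.
Invoke-AvsRunCommand -CmdletName 'Add-GroupToCloudAdmins' -Parameter @(
    New-AzVMwareScriptStringExecutionParameterObject -Name 'GroupName' -Value 'AVS-BreakGlass'
) | Out-Null

# Confirm what vCenter now lists as identity sources.
Invoke-AvsRunCommand -CmdletName 'Get-ExternalIdentitySources'
```

Keep the CloudAdmin-mapped groups small and audited: anyone added to AVSAdmins or AVS-BreakGlass in Active Directory inherits the full CloudAdmin role, so group membership in AD becomes the effective access control for the private cloud.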

Remove Identity Sources

This cmdlet removes all existing external identity sources, in bulk. Use with caution.

  1. In the Run command pane, select Packages > Remove-ExternalIdentitySources
  2. Fill in the required fields and select Run

Required Field

Description

Retain up to

Retention period of the cmdlet output. The default value is 60 days.

Specify name for execution

Alphanumeric name. Example: removeIdentitySources.

Timeout

The period after which a cmdlet exits if taking too long to finish.

VMware NSX-T

By default, access to NSX-T Manager uses the local admin account, which has full privileges to manage:

  • Tier-0 (T0) gateway
  • Tier-1 (T1) gateways
  • Network segments (logical switches)
  • All services

It is not recommended to make any changes to the T0 gateway, as doing so can degrade network performance or cause a complete loss of access. Request any T0 gateway change through a support request in the Azure portal.

vSphere RBAC can be leveraged to manage access to NSX-T manager.

Note: At the time of this writing, changing the NSX-T Manager admin password is not supported. If a password change is necessary, please open a support request via the Azure portal. Changing this password may impact HCX services and require re-authentication.

Authors and Contributors

  • Jeremiah Megie, Principal Cloud Solutions Architect, Cloud Services, VMware

Changelog

The following updates were made to this guide:

Date

Description of Changes

2021/10/05

  • Designlet was published.
