Identity and Access Management Services for Azure VMware Solution
Identity & Access Management
Identity and Access Management Services
Identity and Access Management (IAM) for Azure VMware Solution follows the same principle of least privilege as any private or public cloud environment. Any user, process, or program should only be given permissions and privileges that are essential to performing its intended function. This document builds on several considerations and recommendations defined in the article enterprise-scale identity and access management for Azure VMware Solution.
Following the guidance in this article will help examine design considerations and recommendations related to identity and access management specific to the deployment of Azure VMWare Solution. Identity requirements vary according to Azure's Azure VMWare Solution implementation; therefore, this document will cover the most common scenarios.
General Recommendation
After successfully planning and deploying Azure VMWare Solution, the new private cloud’s vCenter Server contains a built-in local user called cloudadmin, assigned to the CloudAdmin role with several permissions in the vCenter Server. Alternatively, create custom roles in an Azure VMWare Solution environment using the principle of least privilege.
Additional Recommendations
- As part of the Identity and Access Management Enterprise Scale Landing Zone (ESLZ), an Active Directory Domain Services Domain Controller is deployed in the Identity Subscription
- Limit the number of users assigned to the CloudAdmin role. Use custom roles and least privilege to assign users to Azure VMware Solution.
- Use caution when rotating cloudadmin/NSX admin passwords. Ensure HCX Connector passwords are updated with password changes to avoid lockouts. Rotate the cloudadmin credentials for Azure VMware Solution - Azure VMware Solution | Microsoft Docs
- Limit Azure VMware Solution RBAC permissions in Azure to the Resource Group where it is deployed and the users who need to manage Azure VMware Solution.
- vSphere Permissions with Custom Roles should only be configured at the hierarchy level if needed. It is better to apply permissions at the appropriate VM Folder or Resource Pool. Application of vSphere Permissions at or above the Datacenter level should be avoided.
- Active Directory Sites and Services should be updated to direct Azure and Azure VMware Solution AD DS traffic to the appropriate Domain Controllers.
- Use Run Command to:
- Add Active Directory Domain Services (Domain Controller) as an identity source for vCenter and NSX-T.
- To provide lifecycle operations on the vsphere.local\CloudAdmins group.
- Create groups in Active Directory and use RBAC to manage vCenter and NSX-T. You can create custom roles and assign Active Directory groups to the custom roles.