VMware Cloud Well-Architected Framework for Azure VMware Solution: Identity and Access Management Services
Identity and Access Management Services
Identity and Access Management (IAM) for Azure VMware Solution follows the same principle of least privilege as any private or public cloud environment: any user, process, or program should be granted only the permissions and privileges essential to performing its intended function. This document builds on several considerations and recommendations defined in the article .
This article examines design considerations and recommendations for identity and access management that are specific to Azure VMware Solution deployments. Identity requirements vary by Azure VMware Solution implementation, so this document covers the most common scenarios.
After successfully deploying Azure VMware Solution, the new private cloud's vCenter Server contains a built-in local user called cloudadmin, which is assigned the CloudAdmin role in vCenter Server. Alternatively, create custom roles in the Azure VMware Solution environment that follow the principle of least privilege.
- As part of the Identity and Access Management Enterprise Scale Landing Zone (ESLZ), an Active Directory Domain Services Domain Controller is deployed in the Identity Subscription.
- Limit the number of users assigned to the CloudAdmin role. Use custom roles that follow least privilege when granting users access to Azure VMware Solution.
- Use caution when rotating the cloudadmin and NSX admin passwords: update the credentials stored in HCX Connector at the same time to avoid lockouts.
- Limit Azure VMware Solution RBAC permissions in Azure to the Resource Group where the private cloud is deployed and to the users who need to manage Azure VMware Solution.
- vSphere permissions with custom roles should be configured at a given level of the inventory hierarchy only when needed. It is better to apply permissions at a lower level, such as the Resource Pool. Avoid applying vSphere permissions at or above the Datacenter level.
- Update Active Directory Sites and Services to direct Azure and Azure VMware Solution AD DS traffic to the appropriate Domain Controllers.
- Use Run Command to:
  - Add Active Directory Domain Services (Domain Controller) as an identity source for vCenter Server and NSX-T.
  - Perform lifecycle operations on the vsphere.local\CloudAdmins group.
- Create groups in Active Directory and use RBAC to manage vCenter Server and NSX-T. You can create custom roles and assign Active Directory groups to them.
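The two scoping rules above (custom vSphere roles kept below the Datacenter level, Azure RBAC kept to the private cloud's resource group) can be checked mechanically. The following audit script is an added example, not part of this framework or of any VMware or Azure tooling; the permission records, principals and subscription ID it uses are constructed placeholders.

```python
from collections import namedtuple

# vSphere inventory levels at which the guidance says custom roles should not be
# applied (Datacenter level or above). CloudAdmin is the role of the built-in user.
TOO_BROAD_VSPHERE = {"vCenter", "Datacenter"}
BUILT_IN_ROLES = {"CloudAdmin"}

# entity_type is the vSphere inventory object type the permission is set on.
VspherePermission = namedtuple("VspherePermission", "principal role entity_type entity_name propagate")
AzureRoleAssignment = namedtuple("AzureRoleAssignment", "principal role scope")  # scope: Azure resource ID

def azure_scope_level(scope: str) -> str:
    """Classify an Azure RBAC scope as managementGroup, subscription, resourceGroup or resource."""
    s = scope.rstrip("/")
    if "/managementGroups/" in s:
        return "managementGroup"
    if "/resourceGroups/" not in s:
        return "subscription"
    return "resource" if "/providers/" in s.split("/resourceGroups/", 1)[1] else "resourceGroup"

def audit(vsphere_perms, azure_assignments):
    """Return one finding per assignment that violates the scoping guidance."""
    findings = []
    for p in vsphere_perms:
        if p.entity_type in TOO_BROAD_VSPHERE and p.role not in BUILT_IN_ROLES:
            findings.append(f"vSphere: {p.principal} has '{p.role}' at {p.entity_type} '{p.entity_name}'"
                            f"{' (propagating)' if p.propagate else ''}; move it to a Resource Pool or lower")
    for a in azure_assignments:
        level = azure_scope_level(a.scope)
        if level in ("subscription", "managementGroup"):
            findings.append(f"Azure: {a.principal} has '{a.role}' at {level} scope {a.scope}; "
                            "re-scope it to the Azure VMware Solution resource group")
    return findings

# Constructed sample records (not real inventory data); the subscription ID is a placeholder.
SAMPLE_VSPHERE = [
    VspherePermission("CONTOSO\\avs-vm-operators", "VM Operator (custom)", "ResourcePool", "rp-prod", True),
    VspherePermission("CONTOSO\\avs-platform", "Platform Admin (custom)", "Datacenter", "SDDC-Datacenter", True),
    VspherePermission("cloudadmin@vsphere.local", "CloudAdmin", "vCenter", "vcenter", True),
]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_AZURE = [
    AzureRoleAssignment("avs-operators", "Contributor", SUB + "/resourceGroups/rg-avs-prod"),
    AzureRoleAssignment("legacy-admins", "Contributor", SUB),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_VSPHERE, SAMPLE_AZURE):
        print(finding)
```

On the sample data the script reports the custom role placed at the Datacenter and the Contributor assignment at subscription scope, and leaves the built-in CloudAdmin entry and the resource-group-scoped assignment alone.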