Azure Management Group Discovery

Satya5
Tera Contributor

Hi Folks,

Greetings.

We are on a journey of implementing cloud discovery in our organisation.

I need clarity on the queries below:

1. We have a couple of Azure Management Groups which consist of 1000s of subscriptions. Advice on how to segregate and run discovery on these cloud sub-accounts would be much appreciated. Can any automation be used to track the discovery status of all accounts? Or please suggest the ways you have followed in your organization (we are not targeting IP-based discovery at this moment).

2. We get a lead time of 24 hours in a week to run all our discoveries, so we want to manage the discovery of all cloud resources in that time. Server resources are of no concern; we can build multiple MID Servers.

3. Is there a way to automatically update the changes in cloud data back to the CMDB on an on-demand basis?

4. Any folks who have implemented cloud discovery, please share your experiences, do's, don'ts and lessons learned, which will help us.

Thanks all for your support.

Regards

Satya

17 REPLIES

Have you checked on your end? A management group is just a holder for multiple subscriptions; it does not have an IAM concept or linkage.

So you need 2 things:

First, of course, is the management group, with your subscriptions assigned to it.

Second, as always, you need a service principal; your scope should be wider so the service principal can access all the subscriptions. You will set the permissions as relevant for the needs.

 

HTH

Ram

Hello @Ram Devanathan1,

I mean to say: can the Azure stakeholder provide the Reader role on the management group, like we needed the Reader role for the subscription IDs at the Azure end?

Yes, you can set the Reader role on the management group.

Reference:
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-acces...

Another scenario where you would use management groups is to provide user access to multiple subscriptions. By moving multiple subscriptions under a management group, you can create one Azure role assignment on the management group. The role inherits that access to all the subscriptions. One assignment on the management group can enable users to have access to everything they need, instead of scripting Azure role-based access control (RBAC) over different subscriptions.
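The two replies above make the same point from different sides: a service principal scoped at the management group, and a Reader assignment made on the management group that is inherited by every subscription beneath it. The script below is an added example (not code from any poster in this thread or from ServiceNow) that walks a management-group tree, lists the subscriptions under it with their ancestor path, checks which subscriptions a given role-assignment scope covers, and splits the subscriptions into per-management-group batches that could each be scheduled as a separate discovery run inside a fixed window. The tree is constructed for the example; its shape is modelled on the ARM response for a management group fetched with `$expand=children&$recurse=true` (what `az account management-group show --name <mg> --expand --recurse` prints), where management-group nodes carry type `Microsoft.Management/managementGroups` and subscription leaves carry type `/subscriptions`. The group and subscription names are placeholders.

```python
"""Walk an Azure management-group tree and work out which subscriptions a
role assignment covers (added example; not code from the thread).

SAMPLE_TREE is CONSTRUCTED for this example. Its layout follows the ARM
response for GET .../managementGroups/{name}?$expand=children&$recurse=true:
the root nests "children" under "properties", nested nodes carry "children"
directly, and subscription leaves have "type": "/subscriptions".
"""
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

SAMPLE_TREE = json.loads("""
{
  "id": "/providers/Microsoft.Management/managementGroups/contoso-root",
  "name": "contoso-root",
  "type": "Microsoft.Management/managementGroups",
  "properties": {
    "displayName": "Contoso Root",
    "children": [
      {
        "id": "/providers/Microsoft.Management/managementGroups/mg-prod",
        "name": "mg-prod",
        "type": "Microsoft.Management/managementGroups",
        "displayName": "Production",
        "children": [
          {"id": "/subscriptions/11111111-1111-1111-1111-111111111111",
           "name": "11111111-1111-1111-1111-111111111111",
           "type": "/subscriptions", "displayName": "prod-app-01"},
          {"id": "/subscriptions/22222222-2222-2222-2222-222222222222",
           "name": "22222222-2222-2222-2222-222222222222",
           "type": "/subscriptions", "displayName": "prod-data-01"}
        ]
      },
      {
        "id": "/providers/Microsoft.Management/managementGroups/mg-dev",
        "name": "mg-dev",
        "type": "Microsoft.Management/managementGroups",
        "displayName": "Development",
        "children": [
          {"id": "/subscriptions/33333333-3333-3333-3333-333333333333",
           "name": "33333333-3333-3333-3333-333333333333",
           "type": "/subscriptions", "displayName": "dev-sandbox-01"}
        ]
      }
    ]
  }
}
""")


def _children(node):
    # Root node keeps children under "properties"; nested nodes carry them directly.
    props = node.get("properties") or {}
    return props.get("children") or node.get("children") or []


def list_subscriptions(node, ancestors=None):
    """Flatten the tree into [(subscription_id, [mg_name, ...])], root first."""
    ancestors = ancestors or []
    if node["type"] == "/subscriptions":
        return [(node["name"], ancestors)]
    out = []
    for child in _children(node):
        out.extend(list_subscriptions(child, ancestors + [node["name"]]))
    return out


def covers(assignment_scope, subscription_id, ancestors):
    """True if a role assignment at `assignment_scope` reaches the subscription.

    Management-group assignments are inherited by every subscription whose
    ancestor chain contains that group; "/" is the tenant root scope; a
    subscription-or-narrower scope only covers that same subscription.
    """
    if assignment_scope == "/":
        return True
    if assignment_scope.startswith(MG_PREFIX):
        return assignment_scope[len(MG_PREFIX):] in ancestors
    if assignment_scope.startswith("/subscriptions/"):
        return assignment_scope.split("/")[2] == subscription_id
    return False


def discovery_batches(subs, batch_size):
    """Group subscriptions by nearest management group, then chunk each group
    into fixed-size batches so every batch can be its own discovery schedule."""
    by_mg = {}
    for sub_id, ancestors in subs:
        by_mg.setdefault(ancestors[-1], []).append(sub_id)
    batches = []
    for mg, ids in sorted(by_mg.items()):
        for i in range(0, len(ids), batch_size):
            batches.append((mg, ids[i:i + batch_size]))
    return batches


if __name__ == "__main__":
    subs = list_subscriptions(SAMPLE_TREE)
    for sub_id, ancestors in subs:
        print(sub_id, "->", "/".join(ancestors))
    scope = MG_PREFIX + "contoso-root"
    print("Reader at", scope, "covers", sum(covers(scope, s, a) for s, a in subs), "of", len(subs))
    for mg, ids in discovery_batches(subs, 1):
        print(mg, ids)
```

To use it against a real tenant, replace `SAMPLE_TREE` with the JSON printed by `az account management-group show --name <mg> --expand --recurse` and pass the scope of the Reader assignment you gave the discovery service principal to `covers`; any subscription for which it returns False is one the principal cannot enumerate and discovery will silently skip.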