Create the ability to give permissions to all subscription reservations to a single principle.
We would like to have the ability to give permissions to all Reservations within a single EA to a single principle. This would include Enterprise Applications, Users and Groups.
From what we can tell, when Azure created the Reservation capabilities in their platform, they introduced a new abstract layer of authorization strictly around the Reservations themselves. When reservations are created the only people allowed to view them are the Owner of the subscription that the Reservations were created within, and the user that actual purchased the reservation.
The primary limitation to this method is that there is no a way to create a group of principals and have that group automatically or programmatically be given permissions to all existing and future Reservations.
With the potential for Azure customers to have multitudes of subscriptions and multitudes of Reservations within those subscriptions, potentially purchased by multiple different users, there is not happy path to allow authorization to all of the reservation data.
A couple solutions that would make this easier to manage would be:
Creating 2 new directory roles that could be applied to any principal that cover all Reservations under a given directory:
Reservations Admin
Reservations Reader
Allow the ability to setup a Group to be applied to all future Reservations.
This would require some investigation and work to Authorize all existing Reservations, but would allow newly created ones to have a centralized method of authorization.
I'm sure there are potentially other methods that could simplify this problem and I am happy to jump on a call and provide further clarity or answer any questions.
Jason Turner
shared this idea
We will soon have a feature that will let all Enterprise Administrators to see and manage all reservations, without being explicitly added to them.
21 comments
-
Andrey
commented
well, is it still planned?
it's funny when spent millions for Azure consumption and need to manage reservation manually -
ADM_Nicholas
commented
Please, at least provide a workaround (a powershell script?) to simplify the management until the feature is released.
-
Anonymous
commented
Any word when this will be Generally Available?
-
Anonymous
commented
The issue still persists
-
Kurt Roggen
commented
Hi product team,
Any progress on this issue? Does not seem to be a nice-to-have, but rather must-have. -
Shane
commented
This is simply not fit for for purpose. A modern-day enterprise where one of potentially 20 people can create a reservation and only the creator can see them by default??? I'm amazed that RIs have been around so long and this has still not been addressed.
-
Shane
commented
As has already been said, this approach is simply ridiculous. Please add the functionality that would bring this in line with modern-day infrastructure management fit for the enterprise.
-
Anonymous
commented
Has there been any update on this? You mentioned delivery by the end of last calendar year
-
Eric Hebert
commented
Here we are March 25th 2020 and still not fixed...
-
Timothy
commented
I can't believe that I have to manually go in and add my admins to each reservation individually. This is maddening.
-
Calum O
commented
Is this still in the backlog? Seems like a pretty standard feature to expect out of something like this. Are there any ETAs? I see this as a bug, more than an idea.
-
Christian Margadant
commented
@Yashesvi Sharma: Is there any news about this feature in the backlog?
It would be a great improvement for the management of reservations. -
Jack Fruh
commented
I second this, as a global company with 70+ subscriptions and millions in azure spend, we need central management over this.
Lester, I was able to see instances with powershell, but could not pull information or change anything I did not have access to.
-
Yashesvi Sharma
commented
Hi Folks - thanks for raising this feature. I am the PM for Azure RIs and can be reached at yashar[@]microsoft[dot]com
We do have this feature in the backlog and we plan to deliver this before end of the calendar year. The approach that we are thinking of is that some billing roles will be able to see all RIs purchased in the org. Please reach out if you have any other inputs or suggestions.
-
Matthew Weaver
commented
This makes reporting RI costs to a common cost optimization platform difficult to impossible. The needs to be a better way.
-
Jason Turner
commented
Please excuse my spelling misfortune.
Should have been "principal" not "principle".
-
Rich Davies
commented
Equally, it should be possible to have a RBAC role for purchasing reserved instances which doesn't require the purchaser to be an Admin for the subscription. Purchase of RI should be fundamentally a billing activity. I don't want my billing people to be admins of every subscription: what happened to the principle of least privilege.
-
Lester W
commented
By the way, you can view and manage via the API just fine. It appears go be purely the Azure portal that is stopping access.
-
Lester W
commented
Global admins SHOULD be able to view (or at least manage permissions) of Reserved Instance reservations in the Azure portal. Currently, only the purchaser and account owner can manage the permissions. This is contradictory to everything else in Azure, where a Global Admin alywas has the capability to change permissions (acting as a User Access Administrator).
On a secondary note, Read-only admins in the Enterprise Agreement portal should also have the ability to view reserved instance data.
-
Yashesvi Sharma
commented
Hello, I am on the reservation team. Thanks for the feedback, we have this feature in the backlog. Regarding your specific issue, can you please reach out to me at yashar[@]microsoft[dot]com