![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 7.000000000000001%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,992 questions
Hi,
Jai is correct in that you can create a sync between your on-premises Active Directory and Azure Active Directory using a tool called "AAD Connect". This tool will ensure that the users and groups you create and maintain on-premises are replicated to Azure.
More information here:
https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
In regards to the management (and security) of each resources in Azure, there are a lot of different ways to structure this, but your approach is correct.
Each resource in Azure has to be part of a Resource Group, each Resource Group has to be part of a Subscription and each Subscription has to be part of a Azure Active Directory (or tenancy).
With that in mind, the security gets inherited down by default, so if you assign the contributor role to a user at the Subscription level, by default, this user will have contributor role to all the Resources Groups and Resources created in that Subscription. The same is true for each Resource Group, whereby if a user gets contributor access to a Resource Group, it will inherit contributor access to all the resources in the group, but NOT to any other Resource Group.
This principle goes down to each resources.
I would not recommend to assign permissions to a specific resource unless absolutely necessary as the management would quickly become a nightmare, so your approach to assign permissions at the Resource Group level is a good one. In the same way, it's also preferable to assign permissions to a User Group as opposed to individual users.
If you wanted to compare it to an on-premises technology (analogy), think of it like a file share, containing folders, containing files (where files are resources, folders are resource groups and file shares are subscriptions). You would rarely assign permissions to a specific file, but instead assign permissions to folders based on group of users and not individual user accounts.
This is known as RBAC (Role-Based Access Level). More information here:
https://video2.skills-academy.com/en-us/azure/role-based-access-control/overview
Hope this helps, but let me know if you need any more clarification.
Cheers,
Stephane
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 45%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)