Azure Infrastructure: Requesting a New Azure Subscription
TODO: Fill in information about requesting a PO for the subscription
User Access Administrator Role
Service Principal Configuration
Individuals are only granted the Contributor role when they are added to a subscription, per security best practices. To let the team use automated deployments, request a service principal with elevated permissions for each subscription. Automated deployments then run as that service principal, which has permission to make any necessary changes to IAM, Key Vault access policies, etc.
When requesting the subscription setup from WUIT, also request that a service principal be created with the custom permissions, and that WUIT deliver a client secret for it. Store that secret in an appropriate Key Vault and reference it from the automated pipelines as needed.
Below is an example of the custom role definition assigned to a deployment SP:
{
  "Name": "<Subscription Name> Deployment Service",
  "IsCustom": true,
  "Description": "Permissions more elevated than Contributor, less elevated than Owner.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/classicAdministrators/write",
    "Microsoft.Authorization/classicAdministrators/delete",
    "Microsoft.Authorization/denyAssignments/write",
    "Microsoft.Authorization/denyAssignments/delete",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
    "Microsoft.Authorization/policies/audit/action",
    "Microsoft.Authorization/policies/auditIfNotExists/action",
    "Microsoft.Authorization/policies/deny/action",
    "Microsoft.Authorization/policies/deployIfNotExists/action",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Authorization/policyDefinitions/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policyExemptions/delete",
    "Microsoft.Authorization/policyExemptions/write",
    "Microsoft.Authorization/policySetDefinitions/delete",
    "Microsoft.Authorization/policySetDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Blueprint/*/write",
    "Microsoft.Blueprint/*/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<Subscription Id>"
  ]
}
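The role above grants the wildcard "*" and relies entirely on NotActions to keep the deployment identity below Owner. A useful guardrail before submitting such a definition to WUIT is an automated check that the NotActions list still covers the operations that would let the service principal escalate its own access, and that the role can only be assigned at a single subscription scope. The following Python script is an added example, not part of this page or of any WUIT tooling; the REQUIRED_DENIES list is an assumed policy drawn from the NotActions above, and the subscription id it uses is a placeholder. It implements the Azure RBAC evaluation rule that an operation is granted when it matches some Actions pattern and no NotActions pattern, with case-insensitive wildcard matching.

```python
import fnmatch
import json
import re

# Operations a deployment role must not retain when "Actions" is the wildcard.
# Assumed policy list for this example, drawn from the NotActions in the role
# definition above; extend it to match your organisation's requirements.
REQUIRED_DENIES = [
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/denyAssignments/write",
    "Microsoft.Authorization/denyAssignments/delete",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
    "Microsoft.Authorization/classicAdministrators/write",
]

# Exactly one subscription scope of the form "/subscriptions/<GUID>".
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
)


def _matches(operation, patterns):
    """Azure RBAC wildcard matching: '*' matches any run of characters,
    including '/', and operation names are compared case-insensitively."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def is_effectively_allowed(operation, actions, not_actions):
    """A role grants an operation if some Actions pattern matches it and
    no NotActions pattern matches it."""
    return _matches(operation, actions) and not _matches(operation, not_actions)


def check_role_definition(role_json):
    """Return a list of findings; an empty list means the definition passes."""
    role = json.loads(role_json)
    findings = []
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])

    if not role.get("IsCustom", False):
        findings.append("IsCustom must be true for a custom role definition")

    for op in REQUIRED_DENIES:
        if is_effectively_allowed(op, actions, not_actions):
            findings.append(f"{op} is still granted; add it to NotActions")

    if role.get("DataActions"):
        findings.append("DataActions must be empty for a control-plane deployment role")

    scopes = role.get("AssignableScopes", [])
    if len(scopes) != 1 or not SUBSCRIPTION_SCOPE.match(scopes[0]):
        findings.append("AssignableScopes must be exactly one /subscriptions/<id> scope")

    return findings


# Constructed sample definitions; the subscription id is a placeholder.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

GOOD_ROLE = json.dumps({
    "Name": "Example Deployment Service",
    "IsCustom": True,
    "Description": "Permissions more elevated than Contributor, less elevated than Owner.",
    "Actions": ["*"],
    "NotActions": REQUIRED_DENIES + [
        "Microsoft.Blueprint/*/write",
        "Microsoft.Blueprint/*/delete",
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
})

# Same role with the elevateAccess deny dropped and assignable at the tenant
# root scope: both would let the deployment identity widen its own access.
WEAK_ROLE = json.dumps({
    "Name": "Example Deployment Service (weak)",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": [d for d in REQUIRED_DENIES if "elevateAccess" not in d],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
})

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("weak", WEAK_ROLE)):
        findings = check_role_definition(role)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a pre-submission step (or in the pipeline that manages role definitions) against the JSON you intend to send to WUIT; the weak sample fails on both the missing elevateAccess deny and the root scope, while the definition matching the one above passes.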