Merge pull request #177545 from j-martens/master

Azure DevTest Offer docs

Author: denrea

articles/devtest/offer/concepts-gitops-azure-devtest.md

@@ -0,0 +1,42 @@
+---
+title: GitOps & Azure Dev/Test offer
+description: Use GitOps in association with Azure Dev/Test
+author: jamestramel
+ms.author: jametra
+ms.prod: visual-studio-windows
+ms.topic: how-to 
+ms.date: 10/20/2021
+ms.custom: devtestoffer
+---
+# Using GitOps with Azure Dev/Test offer to optimize and secure applications
+
+GitOps is an operational framework. It takes DevOps best practices used for developing applications and applies them to infrastructure automation.  
+
+When teams practice GitOps, they use configuration files stored as code (infrastructure as code). These files generate the same environment every time it's deployed. Think of it like application source code generating the same application binaries every time you build.  
+
+## GitOps Methodology  
+
+This process, or methodology, uses Git repositories. These repositories are your source of truth for a state and configuration you define for your application. They contain declarative descriptions of the infrastructure you need in production. An automated process makes that environment match the described state in the repository.  
+
+To deploy a new application or update an existing one, you only need to update the repository - the automated process handles everything else.  
+
+## Benefits Of GitOps  
+
+- Enables collaboration on infrastructure changes  
+- Improved access control  
+- Faster time to market  
+- Less risk  
+- Reduced costs  
+- Less error prone  
+
+## Use GitOps with Dev/Test  
+
+GitOps as a process and framework should be applied to your non-production instances. It can be verified or used in your DevTest environments. You can use GitOps principles to improve your DevOps processes. Use your DevTest benefits and environments with GitOps principles to optimize your activities and maintain the security and reliability of your applications.  
+
+GitOps combines automation and commonly used collaboration frameworks like git. They can be combined to provide rapid delivery of cloud infrastructure while complying with enterprise security standards.  
+
+Learn more about GitOps and Azure:  
+
+- [Azure Friday Video: Azure Arc Enabled Kubernetes With GitOps](https://azure.microsoft.com/resources/videos/azure-friday-azure-arc-enabled-kubernetes-with-gitops/)  
+- [Azure Friday Blog: Azure Arc Enabled Kubernetes With GitOps](https://techcommunity.microsoft.com/t5/azure-arc/azure-arc-enabled-kubernetes-with-gitops/ba-p/1654171?ocid=AID754288&wt.mc_id=azfr-c9-scottha&wt.mc_id=CFID0570)  
+- [GitOps for Azure Infrastructure Lifecycle Automation](https://github.com/travisnielsen/azure-gitops)

articles/devtest/offer/concepts-security-governance-devtest.md

@@ -0,0 +1,82 @@
+---
+title: Security, governance, and Azure Dev/Test subscriptions
+description: Manage security and governance within your organization's Dev/Test subscriptions. 
+author: jamestramel
+ms.author: jametra
+ms.prod: visual-studio-windows
+ms.topic: how-to 
+ms.date: 10/20/2021
+ms.custom: devtestoffer
+---
+
+# Security within Azure Dev/Test Subscription
+
+Keeping your resources safe is a joint effort between your cloud provider, Azure, and you. Azure Dev/Test Subscriptions and the [Azure Security Center](../../security-center/security-center-introduction.md) provide you with the tools needed to harden your network, secure your services, and make sure you're on top of your security posture.  
+
+Important tools within Azure Dev/Test Subscriptions help you create secure access to your resources:  
+
+- Azure Management Groups  
+- Azure Lighthouse  
+- Credits Monitoring  
+- Azure Active Directory  
+
+## Azure Management Groups  
+
+When enabling and setting up your Azure Dev/Test Subscriptions, Azure deploys a default resource hierarchy to manage identities and access to resources in a single Azure Active Directory domain. The resource hierarchy allows your organization to set up strong security perimeters for your resources and users.  
+
+![A screenshot of the Azure Management Groups](media/concepts-security-governance-devtest/access-management-groups.png "Azure default resource hierarchy.")  
+
+Your resources, resource groups, subscriptions, management groups, and tenant collectively make up your resource hierarchy. Updating and changing these settings in Azure custom roles or Azure policy assignments can effect every resource in your resource hierarchy. It's important to protect the resource hierarchy from changes that could negatively impact all resources.  
+
+[Azure Management Groups](../../governance/management-groups/overview.md) are an important aspect of governing access and protecting your resources in a single tenant. Azure Management Groups allows you to set quotas, Azure policies, and security to different types of subscriptions. These groups are a vital component of developing security for your organization's dev/test subscriptions.  
+
+![A screenshot of Azure org and governance groupings](media/concepts-security-governance-devtest/orgs-and-governance.png "How Azure Management Groups fit into overall governance.")
+
+As you can see above, using management groups changes the default hierarchy and adds a level for the management groups. This behavior can potentially create unforeseen circumstances and holes in security if you don’t follow the [appropriate process to protect your resource hierarchy](../../governance/management-groups/how-to/protect-resource-hierarchy.md)  
+
+## Why are Azure Management Groups useful?  
+
+When developing security policies for your organization's dev/test subscriptions, you may choose to have multiple dev/test subscriptions per organizational unit or line of business. You can see a visual of that management grouping below.  
+
+![A diagram of subscription management groupings for multiple subscriptions within an organization.](media/concepts-security-governance-devtest/access-management-groups.png "A diagram of management groupings for multiple subscriptions within an organization.")  
+
+You may also choose to have one dev/test subscription for all of your different units.  
+
+Your Azure Management Groups and dev/test subscriptions act as a security barrier within your organizational structure.  
+
+This security barrier has two components:  
+
+- Identity and access: You may need to segment access to specific resources  
+- Data: Different subscriptions for resources that access personal information  
+
+## Using Azure Active Directory Tenants  
+
+[A tenant](../../active-directory/develop/quickstart-create-new-tenant.md) is a dedicated instance of Azure AD that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft like signing up for Azure, Microsoft Intune, or Microsoft 365.  
+
+Each Azure AD tenant is separate from other Azure AD tenants. Each Azure AD tenant has its own representation of work and school identities, consumer identities (if it's an Azure AD B2C tenant), and app registrations. An app registration inside your tenant can allow authentications from accounts only within your tenant or all tenants.  
+
+If you need to further separate your organization’s identity infrastructure beyond management groups within a single tenant, you can also create another tenants with its own resource hierarchy.  
+
+An easy way to do separate resources and users is creating a new Azure AD tenant.  
+
+### Create a new Azure AD tenant  
+
+If you don't have an Azure AD tenant, or want to create a new one for development, see the [quick start guide](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) or follow the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory). You will have to provide the following info to create your new tenant:  
+
+- **Organization name**  
+- **Initial domain** - will be part of /*.onmicrosoft.com. You can customize the domain later.  
+- **Country or region**  
+
+ [Learn more about creating and setting up Azure AD tenants](../../active-directory/develop/quickstart-create-new-tenant.md)  
+
+### Using Azure Lighthouse to manage multiple tenants  
+
+Azure Lighthouse enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants. Service providers can deliver managed services using comprehensive and robust management tooling built into the Azure platform. Customers maintain control over who accesses their tenant, which resources they access, and what actions can be taken.  
+
+A common scenario for Azure Lighthouse is managing resources in its customers’ Azure Active Directory tenants. However, the capabilities of Azure Lighthouse can also be used to simplify cross-tenant management within an enterprise that uses multiple Azure AD tenants.  
+
+For most organizations, management is easier with a single Azure AD tenant. Having all resources within one tenant allows centralization of management tasks by designated users, user groups, or service principals within that tenant.  
+
+Where a multi-tenant architecture is required, Azure Lighthouse helps centralize and streamline management operations. By using Azure delegated resource management, users in one managing tenant can perform cross-tenant management functions in a centralized, scalable manner.  
+
+[More Security Resources](../../security-center/security-center-introduction.md)

articles/devtest/offer/how-to-add-users-directory.md

@@ -0,0 +1,48 @@
+---
+title: Add users to your Azure Dev/Test developer directory tenant
+description: A how-to guide for adding users to your Azure credit subscription and managing their access with role-based controls.
+author: jamestramel
+ms.author: jametra
+ms.prod: visual-studio-windows
+ms.topic: how-to 
+ms.date: 10/12/2021
+ms.custom: devtestoffer
+---
+
+# Add users to your Azure credit subscription  
+
+To manage and access subscription resources, you must be a user within the directory. In the subscriptions themselves, the hierarchy is controlled by the Azure Active Directory (Azure AD) tenancies. Azure AD is a lightweight directory protocol (LDAP) that stores account names and passwords.  
+
+Before adding users, you need to determine your business hierarchy and what level of access they need within your subscription.  
+
+## Why do I need to add users?
+
+Step 1 is determining whether you need to add a new user to your subscription. Here are some examples of why you would need to add new users:  
+
+- Working on a project and need to give IT access to monitor for security  
+- Working on new API protocols that could be beneficial to another member of an organization  
+- Need to give access at the subscription level so they can access all resource groups  
+- At the business level, a single resource group needs to sign in to one computer but they don’t need access to the subscription  
+- Provides more visibility and transparency for projects you're working on but still isolates certain parts of work if necessary  
+- Add a consultant as a user or within a group to contribute  
+- You want to collaborate with someone to test and monitor pre-production  
+
+## Where do I add users and their roles within my subscription?
+
+Within Azure AD access management is a critical function. [Azure role-based access control](../../role-based-access-control/overview.md) \(Azure RBAC\) is the authorization system that provides fine-grained access management of Azure resources.  
+
+Once you’ve determined you need to add a user, you must understand where you're adding them and what resources they need access to. The set of resources that a user can access is referred to as scope.  
+
+If the project and tasks you're working on need to be monitored by IT to enable security protocols, you'll need that user to have an Admin role within the Management group to have full access and permissions within the subscription.  
+
+![A screenshot of the access levels in Azure.](media/how-to-add-users-directory/access-management.png "Managing roles with management groups in Azure.")
+
+However, if you're collaborating with another developer or a colleague, they may only need access at the resource or resource group level.  
+
+Read through the [Azure RBAC overview](../../role-based-access-control/overview.md) to better understand how Azure RBAC works and the purpose it serves within your subscription.  
+
+How to Add Users or delete users using Azure Active Directory  
+
+- [Add or delete users - Azure Active Directory | Microsoft Docs](../../active-directory/fundamentals/add-users-azure-active-directory.md)  
+
+- [Steps to assign an Azure role - Azure RBAC | Microsoft Docs](../../role-based-access-control/role-assignments-steps.md)  

articles/devtest/offer/how-to-change-directory-tenants-visual-studio-azure.md

@@ -0,0 +1,76 @@
+---
+title: Change directory tenants with your individual VSS Azure subscriptions
+description: Change directory tenants with your Azure subscriptions.
+author: jamestramel
+ms.author: jametra
+ms.prod: visual-studio-windows
+ms.topic: how-to 
+ms.date: 10/12/2021
+ms.custom: devtestoffer
+---
+
+# Change Directory Tenants with your Azure Subscriptions  
+
+Organizations may have several Azure credit subscriptions. Each subscription an organization sets up is associated with an [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). (Azure AD)  
+
+Azure AD is Microsoft’s cloud-based identity and access management service that helps your employees sign in and access internal and external resources.  
+
+You may need to change the Active Directory you’re working in or [transfer your subscription to another Active Directory](../../role-based-access-control/transfer-subscription.md).  
+
+When activating your subscription, your identity is created based on the email you use. That identity is either associated with your organization’s Active Directory tenant or a new directory tenant is created for that identity. You can see the identity you’re using in the upper right-hand side of your Azure portal.  
+
+![A screenshot of the Azure portal with the identity highlighted in the upper right-hand corner.](media/how-to-change-directory-tenants-visual-studio-azure/identity.png "The logged in identity is in the upper right-hand corner of your Azure portal.")  
+
+From here, you can either switch identities or switch directories. You may need to change your identity to access certain directories.  
+
+If the identity you’re logged in as is associated with multiple directories, switch by selecting “Switch directory.” You'll see the directories your current identity is associated with.  
+
+![A screenshot of the Directory and Subscription window in Azure portal.](media/how-to-change-directory-tenants-visual-studio-azure/switch-directory.png "Switch directories by clicking switch directory. Choose the directory you want.")  
+
+Your experience within the portal is highly dependent on the directory associated with the identity you used. To change directory tenants, an Admin will have to add your identity as a user within the target directory.  
+
+## Importance of Changing Your Azure Active Directory Tenant  
+
+When you set up your Azure Credit Subscription through a Visual Studio license, you can use a work email or a personal email to create your identity.  
+
+If you set up your credit subscription using a personal account, your identity and work are isolated from your organization’s active directory. Let’s say you've been working on an app that needs its own subscription to test and learn before deployment. Now, you need access to your organization’s work or references. Changing your directory’s tenant lets you access your organization’s resources and lets them access yours.  
+
+Below is a simple diagram that shows the basic steps taken when you change or transfer your subscription.
+
+![A diagram illustrating changing or transferring your subscription.](media/how-to-change-directory-tenants-visual-studio-azure/change-diagram.png "A diagram of what happens when you change or transfer your subscription.")  
+
+## Identity and Access Management
+
+Where and how you have access dictates what you see based on your logged in credentials. This access can be given at different levels within the organization’s hierarchy. You can be given access at the directory level, subscription level or within resource groups.  
+
+![A screenshot of Azure access levels.](media/how-to-change-directory-tenants-visual-studio-azure/access-management.png "The access levels available in Azure.")  
+
+You can see and manage your access levels within Access Control. You can also manage others' access to the subscription depending on your access levels.  
+
+![A screenshot of the Visual Studio Subscription access control page.](media/how-to-change-directory-tenants-visual-studio-azure/access-control.png "Manage access to your subscription.")
+
+## How to Change your Azure Directory Tenant
+
+To access another Active Directory, you need an active account with the necessary permissions and access to change directory tenants. An admin within the directory tenant you wish to access can either add you as:
+
+* User
+* Guest  
+
+Once you’ve been added and given proper permissions, you can switch directories within your subscription.  
+
+1. Sign in and select the subscription you want to use from the [Subscriptions page in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade)  
+2. Select “Change Directory”  
+
+    ![A screenshot a Contoso Enterprise Subscription page with Change Directory highlighted.](media/how-to-change-directory-tenants-visual-studio-azure/change-directory.png "Select Change Directory.") 
+3. A box will surface to choose the new directory  
+4. Select “Change”  
+
+    > [!NOTE]
+    > If you don’t have access to the target directory it will not show. After the directory is changed for the subscription, you'll receive a success message.  
+
+    ![A screenshot of the Change Directory validation page.](media/how-to-change-directory-tenants-visual-studio-azure/change-button.png "Select the directory from the dropdown and click the Change button.")
+5. Select “Switch Directories” on the subscription page to access the new directory  
+
+  ![A screenshot of the subscriptions page with Switch Directories highlighted.](media/how-to-change-directory-tenants-visual-studio-azure/switch-directories-outlined.png "Click Switch Directories to access the new directory.")
+
+You can also access a target directory and change your tenancy by going to the target directory and adding an Admin. Follow [these instructions](/visualstudio/subscriptions/cloud-admin.md) on how to add an Admin to your subscription. Once that’s done, the Admin has access to both directories and can change the tenant directory for you.