1
00:00:03,320 --> 00:00:08,010
Welcome to episode 348 of
the Microsoft Cloud IT Pro

2
00:00:08,010 --> 00:00:11,610
podcast recorded live
on August 11th, 2023.

3
00:00:12,120 --> 00:00:17,090
This is a show about Microsoft 365 and
Azure from the perspective of IT pros and

4
00:00:17,090 --> 00:00:21,290
end users where we discuss a topic or
recent news and how it relates to you.

5
00:00:21,870 --> 00:00:25,490
You get a subscription and you get a
subscription and you get a subscription.

6
00:00:25,780 --> 00:00:28,210
Today we talk all about
Azure subscriptions,

7
00:00:28,430 --> 00:00:32,650
the nuances around them and considerations
for having multiple subscriptions

8
00:00:33,010 --> 00:00:34,370
regardless of your company size.

9
00:00:36,790 --> 00:00:40,130
Did you wanna mention your
HashiCorp news that you posted out there?

10
00:00:40,410 --> 00:00:43,730
I saw that link. Yeah. This
was interesting. Yeah, ish.

11
00:00:44,050 --> 00:00:48,730
I spend a little bit of
my life thinking about how

12
00:00:48,870 --> 00:00:53,610
we interact with our customers
with open source tooling,

13
00:00:53,610 --> 00:00:57,530
right? Like I've got AzCopy
and SDKs and all these things.

14
00:00:57,590 --> 00:01:00,170
And we certainly wanna encourage
customer contributions.

15
00:01:00,930 --> 00:01:05,730
I work with customers to help them
sometimes like think about ways to do like

16
00:01:05,730 --> 00:01:08,970
data migration and maybe wrap AzCopy
rather than building your own data

17
00:01:08,970 --> 00:01:11,810
migration engine thing, thing,
things like that. So, you know,

18
00:01:11,810 --> 00:01:16,370
all our stuff is like out on GitHub with
a fairly standard MIT license. Yep.

19
00:01:16,440 --> 00:01:17,250
Like you know,

20
00:01:17,250 --> 00:01:20,650
another customer could come and
they could fork one of our projects,

21
00:01:20,650 --> 00:01:25,410
take it on and pick it up and make it
their own thing and they could support it

22
00:01:25,430 --> 00:01:29,410
and do what whatever they need
to from there. So HashiCorp,

23
00:01:30,190 --> 00:01:33,330
so they're the purveyors
of Terraform. So it,

24
00:01:33,600 --> 00:01:38,490
Terraform has traditionally
been an open source project and

25
00:01:39,480 --> 00:01:40,290
it's been,

26
00:01:40,290 --> 00:01:44,970
I believe it was licensed under
an MIT license previously.

27
00:01:45,590 --> 00:01:47,770
But regardless of that, you know,

28
00:01:47,770 --> 00:01:52,650
they've been in a position where they
publish things like the core of the

29
00:01:52,650 --> 00:01:57,450
Terraform engine out to GitHub
and anybody can come and clone or

30
00:01:57,560 --> 00:02:00,090
fork that project and do
what they need to do with it.

31
00:02:00,090 --> 00:02:03,610
So that could be a customer, it could
be an ISV, it could be a partner,

32
00:02:04,100 --> 00:02:06,810
could frankly be a competitor,
and then competitor. Uh,

33
00:02:06,810 --> 00:02:10,330
and then HashiCorp like
many other companies that
publishes open source tooling,

34
00:02:11,080 --> 00:02:14,290
they have an enterprise entity as well.

35
00:02:14,910 --> 00:02:19,250
And that entity is out there to make
money and keep the rest of the business

36
00:02:19,250 --> 00:02:23,970
going. So HashiCorp made the
decision this week, yesterday.

37
00:02:24,020 --> 00:02:26,290
Today is Friday, August 10th, 2023.

38
00:02:26,630 --> 00:02:29,490
As of August 10th, 2023,

39
00:02:30,240 --> 00:02:35,090
they are going to a BSL or a

40
00:02:35,170 --> 00:02:38,690
BUSL. But it's a business source license.

41
00:02:39,510 --> 00:02:43,850
So it's an alternative license

42
00:02:44,560 --> 00:02:46,850
that puts some restrictions in place,

43
00:02:47,330 --> 00:02:51,970
particularly in the
areas of what competitors

44
00:02:52,150 --> 00:02:57,010
can do with that code and where
they might need to acquire a

45
00:02:57,010 --> 00:02:59,480
commercial license from HashiCorp.

46
00:03:00,220 --> 00:03:02,640
But if you're like a
big open source purist,

47
00:03:02,840 --> 00:03:06,840
I can't say I'm like exactly
evangelical about it, but you know,

48
00:03:06,840 --> 00:03:11,400
for all the FAQs and everything
that HashiCorp put out
and blog posts and things

49
00:03:11,400 --> 00:03:11,830
like that,

50
00:03:11,830 --> 00:03:16,480
like this effectively makes
them not open source in

51
00:03:16,550 --> 00:03:21,120
like the true, you know,
evangelical kind of sense of things.

52
00:03:21,520 --> 00:03:23,360
I don't think there's a
major impact to customers.

53
00:03:23,530 --> 00:03:25,640
There should not be a
major impact to customers.

54
00:03:25,640 --> 00:03:30,520
Like everything stays up on GitHub,
you still have access to SDKs,

55
00:03:31,070 --> 00:03:31,903
APIs.

56
00:03:31,930 --> 00:03:36,920
Where it starts to get interesting
is in how those restrictive

57
00:03:37,200 --> 00:03:42,200
covenants potentially impact
others from working with

58
00:03:42,280 --> 00:03:47,160
HashiCorp. So now it becomes
really a HashiCorp decision

59
00:03:47,820 --> 00:03:52,480
for who they choose to really
dive in and work with and grant

60
00:03:52,480 --> 00:03:57,040
additional licensing to
beyond their BSL licensing.

61
00:03:57,460 --> 00:04:02,040
So if you think about being a hyperscaler,
right? You're Microsoft with Azure,

62
00:04:02,180 --> 00:04:06,400
you're AWS, Amazon with
AWS, you're Google with GCP,

63
00:04:06,400 --> 00:04:11,160
all those kinds of things. There are
pretty decent hooks in Terraform.

64
00:04:11,380 --> 00:04:14,680
And we've talked about this a little bit
in the past for like working with these

65
00:04:14,680 --> 00:04:19,400
hyperscalers and having kind
of ready to go providers in

66
00:04:19,430 --> 00:04:22,720
Terraform for all the major clouds, all
the major resources, things like that.

67
00:04:23,300 --> 00:04:26,640
So technically at this
point, per that BSL,

68
00:04:26,640 --> 00:04:30,320
depending on how like HashiCorp
kind of chooses to look at it,

69
00:04:30,670 --> 00:04:34,360
like if they didn't already have a
relationship with Microsoft and Amazon and

70
00:04:34,360 --> 00:04:37,080
others, that could be kind of bad.

71
00:04:37,080 --> 00:04:39,800
Like they're saying they're gonna
continue to work with all these companies.

72
00:04:39,870 --> 00:04:42,200
Clearly they made this
decision for a reason.

73
00:04:42,200 --> 00:04:45,400
Like they must have some competitors
who are leaning in like way too hard and

74
00:04:45,400 --> 00:04:49,840
they feel like they're using their IP
that had been previously released under

75
00:04:49,960 --> 00:04:52,520
that earlier. It wasn't
an MIT model, uh,

76
00:04:52,520 --> 00:04:54,720
it was the MPL, Mozilla Public License.

77
00:04:54,900 --> 00:04:57,360
So under that model that
was out there before,

78
00:04:57,950 --> 00:05:00,920
it's gonna be interesting maybe
to see like over the next year,

79
00:05:01,260 --> 00:05:02,160
six months to a year,

80
00:05:02,270 --> 00:05:05,200
like who has to drop out and can't
stay in the race because of that.

81
00:05:05,470 --> 00:05:06,760
There's been a lot of this lately,

82
00:05:06,760 --> 00:05:09,840
like HashiCorp isn't the
only company to do this. I,

83
00:05:09,960 --> 00:05:14,320
I don't know if you follow along with
Linux distributions and things that are

84
00:05:14,320 --> 00:05:15,153
going on there.

85
00:05:15,340 --> 00:05:20,280
Red Hat had kind of a big brouhaha
around what they've done with

86
00:05:20,530 --> 00:05:25,360
their enterprise licensing
and how that formulates

87
00:05:25,420 --> 00:05:30,040
and comes back to things like
CentOS and what was gonna get out in

88
00:05:30,040 --> 00:05:33,040
mainline. It's kind of like Java did,

89
00:05:33,040 --> 00:05:36,960
Oracle did with Java a couple years
ago, however long ago that was now,

90
00:05:37,300 --> 00:05:39,440
and took all those things down that path.

91
00:05:39,620 --> 00:05:42,920
So we shall see where all this stuff goes.

92
00:05:43,400 --> 00:05:45,560
I think it's a weird
time in open source land,

93
00:05:46,030 --> 00:05:50,640
like if you're an open source purist
does a lot of these entities that have

94
00:05:50,990 --> 00:05:55,920
open source components that then
they've commercialized maybe a little

95
00:05:55,920 --> 00:05:59,520
bit more than support on top of,
and they're truly product driven.

96
00:05:59,910 --> 00:06:04,360
Like they're trying to peel their
products back and own more of that and own

97
00:06:04,360 --> 00:06:05,840
more of their future along the way.

98
00:06:05,990 --> 00:06:10,600
Yeah. I read this and I, again, I
couldn't figure out exactly to your point.

99
00:06:10,600 --> 00:06:12,320
This doesn't change a lot in,

100
00:06:12,950 --> 00:06:17,560
I've used some of their stuff a little
bit and the one paragraph, well,

101
00:06:17,580 --> 00:06:22,160
one paragraph, one sentence they have
in here, uh, about halfway down it,

102
00:06:22,160 --> 00:06:23,480
well it's towards the
bottom of the article,

103
00:06:23,480 --> 00:06:27,480
there's comments and stuff is that
it really impacts, like you said,

104
00:06:27,480 --> 00:06:32,360
the vendors who provide competitive
services built on their community products

105
00:06:32,860 --> 00:06:36,880
and their ability to incorporate future
releases, bug fixes, security patches,

106
00:06:36,880 --> 00:06:40,400
all of that. I didn't even think like,
would this really affect Microsoft?

107
00:06:40,400 --> 00:06:45,040
Because does Microsoft actually
build competitive services built

108
00:06:45,380 --> 00:06:46,720
on their community products?

109
00:06:47,020 --> 00:06:50,080
So HashiCorp owns the underlying engine.

110
00:06:50,320 --> 00:06:54,440
I don't know how it is at AWS and GCP,

111
00:06:54,820 --> 00:06:57,920
but in the case of Microsoft, yeah.

112
00:06:58,180 --> 00:07:03,080
Direct contributor to the
resource provider in Terraform

113
00:07:03,260 --> 00:07:06,320
for ARM resources. And
there's some kind of, there,

114
00:07:06,320 --> 00:07:07,760
there's some logic behind that, right?

115
00:07:07,760 --> 00:07:12,400
If you think about companies
like HashiCorp with Terraform or

116
00:07:12,620 --> 00:07:15,960
Puppet and Chef and some of these
other orchestration engines. Yep.

117
00:07:16,070 --> 00:07:20,240
They don't necessarily always know like
what's coming next, right? Like, hey,

118
00:07:20,240 --> 00:07:23,240
when's that next new feature
going to come in that service?

119
00:07:23,460 --> 00:07:24,960
Or there's a new service lighting up.

120
00:07:24,980 --> 00:07:28,080
So sometimes like at least in
the case of the hyperscalers,

121
00:07:28,190 --> 00:07:32,800
like we're more well positioned to
own that stuff and kind of push out

122
00:07:32,800 --> 00:07:35,800
updates down downstream. And to do that,

123
00:07:35,870 --> 00:07:37,880
it's gotta be a back and
forth relationship, right?

124
00:07:37,880 --> 00:07:42,400
Like we need to know what's coming in
Terraform and folks at HashiCorp need to

125
00:07:42,400 --> 00:07:45,440
know what's coming on our side. So
that needs to be a little bit of a,

126
00:07:45,640 --> 00:07:46,473
a dialogue.

127
00:07:46,480 --> 00:07:51,360
'cause like Terraform for Azure
used to move a lot slower until

128
00:07:51,470 --> 00:07:56,120
kind of Microsoft stepped in and took
on some of that dev effort upfront

129
00:07:56,580 --> 00:07:59,560
to get those things
moving. So I don't know,

130
00:07:59,590 --> 00:08:02,360
like if HashiCorp came
back and they said, oh,

131
00:08:02,860 --> 00:08:06,000
we want to build all of
our own providers now,

132
00:08:06,100 --> 00:08:10,520
and those are core to the Terraform
experience, like for the hyperscalers,

133
00:08:10,710 --> 00:08:14,200
like what does that mean for the
hyperscalers, right? Like I, I don't,

134
00:08:14,200 --> 00:08:15,120
I don't think it would get there,

135
00:08:15,460 --> 00:08:20,240
but the kind of meta point is
HashiCorp is in full control of that

136
00:08:20,260 --> 00:08:22,520
now. So back to that whole like eh,

137
00:08:22,580 --> 00:08:26,200
what's open source thing and is
somebody gonna be like a little bit more

138
00:08:26,430 --> 00:08:28,920
evangelical or a purist about it?

139
00:08:29,350 --> 00:08:33,360
It's a little bit of a different
place to be right when the enterprise

140
00:08:34,010 --> 00:08:36,600
steps back in and takes
that on for themselves.

141
00:08:37,120 --> 00:08:37,520
Interesting.

142
00:08:37,520 --> 00:08:39,080
I thought it was a fun
one And, and like I said,

143
00:08:39,080 --> 00:08:42,800
like no major impact to customers I don't
think unless you're using a competitor

144
00:08:42,800 --> 00:08:45,120
product that somehow runs
afoul of this thing.

145
00:08:45,540 --> 00:08:49,360
And that's when it becomes interesting
in like six to 12 months because you

146
00:08:49,360 --> 00:08:49,440
know,

147
00:08:49,440 --> 00:08:53,160
as new features come out on the HashiCorp
side or in the core of Terraform,

148
00:08:53,160 --> 00:08:57,680
like can they keep up with it? Like
eh, I don't know, we shall see.

149
00:08:57,940 --> 00:09:00,640
But if you're just a regular customer
and you're out there and like, Hey,

150
00:09:00,880 --> 00:09:05,680
I use Terraform and I deploy it and
I use these things like, you're fine.

151
00:09:05,860 --> 00:09:07,120
No major impact for you there.

152
00:09:07,940 --> 00:09:10,520
If you wanted to go out and build a
competitor business though, you're like,

153
00:09:10,540 --> 00:09:10,880
Ooh,

154
00:09:10,880 --> 00:09:14,440
I just became a Terraform expert and now
I wanna build a competitive business on

155
00:09:14,440 --> 00:09:16,960
top of it. Like depending on what you
wanna build that could be rougher.

156
00:09:16,960 --> 00:09:18,160
Right? 'cause that's what I'm gonna say.

157
00:09:18,160 --> 00:09:22,040
As long as it sounds like you're not
actually building anything that competes

158
00:09:22,040 --> 00:09:26,000
with Terraform, you're still not,
there still isn't any impact for you.

159
00:09:26,030 --> 00:09:30,400
It's only if you use their
stuff to build other stuff that

160
00:09:30,560 --> 00:09:32,400
competes with their stuff.

161
00:09:32,620 --> 00:09:33,020
Yes.

162
00:09:33,020 --> 00:09:37,440
That's my reading of their BSL and kind
of reading between the lines and their

163
00:09:37,520 --> 00:09:39,240
FAQ. But you know,

164
00:09:39,370 --> 00:09:42,760
folks gotta go out and and read that
for themselves and take it in. Yeah.

165
00:09:42,760 --> 00:09:44,840
And I should, I am not a lawyer. <laugh>.

166
00:09:44,990 --> 00:09:49,280
Yeah. Or a licensing
expert. So yes, I agree.

167
00:09:49,500 --> 00:09:50,720
Go figure it out.

168
00:09:50,720 --> 00:09:53,320
Have your lawyers figure it out
if you think it might impact you.

169
00:09:53,420 --> 00:09:57,360
But to your point, if you're out there
just building stuff, deploying stuff,

170
00:09:57,800 --> 00:10:01,640
managing state with Terraform and all
that, really nothing changes. Correct.

171
00:10:02,420 --> 00:10:05,880
All right, so, so since we've been talking
about Terraform and deploying stuff,

172
00:10:05,940 --> 00:10:07,280
you wanna talk about deploying stuff?

173
00:10:07,370 --> 00:10:08,680
Let's talk about deploying stuff.

174
00:10:09,660 --> 00:10:14,400
So I had a client come to me and they

175
00:10:14,510 --> 00:10:17,280
said we want to deploy,

176
00:10:17,300 --> 00:10:20,640
and this is this for anybody listening
or those of you in the Discord anxiously

177
00:10:20,640 --> 00:10:21,150
waiting,

178
00:10:21,150 --> 00:10:25,040
this is the discussion Scott and I were
having right before we jumped on live

179
00:10:25,040 --> 00:10:28,400
today. I had a customer
come to me and they said,

180
00:10:28,640 --> 00:10:31,440
I want to deploy Microsoft
Defender for Cloud,

181
00:10:32,180 --> 00:10:35,560
but I'm not gonna give you
access to the subscription.

182
00:10:36,200 --> 00:10:40,520
I will only give you access to the three
resource groups that we want to push

183
00:10:40,840 --> 00:10:42,040
Microsoft Defender for Cloud to.

184
00:10:42,620 --> 00:10:46,680
And we don't necessarily
want to turn it on for

185
00:10:46,970 --> 00:10:47,803
everything.

186
00:10:47,820 --> 00:10:52,480
We are a small business segment
focused on a particular app

187
00:10:52,550 --> 00:10:56,120
that it's three resource groups,
same subscription, dev test, qa.

188
00:10:56,230 --> 00:11:00,200
Frankly I don't even know what other
resource groups are in there or

189
00:11:01,100 --> 00:11:05,880
how many they have. What are the
resources they have? And I was like,

190
00:11:05,990 --> 00:11:08,560
okay, let's go turn this
sunlight up for the VMs.

191
00:11:08,860 --> 00:11:13,120
And I knew I was gonna have to go into
the subscription you turn on Microsoft

192
00:11:13,320 --> 00:11:14,680
Defender for Cloud at the subscription.

193
00:11:15,160 --> 00:11:18,640
I don't know that I ever put two and
two together until I went to try to do

194
00:11:18,640 --> 00:11:23,000
this. That you cannot only

195
00:11:23,890 --> 00:11:28,720
light this up for a subset of

196
00:11:29,640 --> 00:11:30,430
resources,

197
00:11:30,430 --> 00:11:35,040
whether they be on a resource
by resource basis ish.

198
00:11:35,090 --> 00:11:38,160
There are some exceptions
to this, but just a couple,

199
00:11:38,940 --> 00:11:43,040
or even at a resource group level,

200
00:11:43,390 --> 00:11:47,800
like all of the defender for Cloud is
published with pricing of like servers

201
00:11:47,800 --> 00:11:52,280
$15 per server per month for
Defender for Cloud plan two,

202
00:11:53,020 --> 00:11:56,280
so much for Azure SQL, so much
for storage accounts, all of this.

203
00:11:56,860 --> 00:12:00,360
But you go turn this on at
your subscription and you
can pick and choose which

204
00:12:00,800 --> 00:12:01,680
resources you want on.

205
00:12:01,700 --> 00:12:05,240
So you could only turn it on for
servers or only turn it on for storage

206
00:12:05,240 --> 00:12:05,870
accounts.

207
00:12:05,870 --> 00:12:08,120
Yeah. Uh, pick which
resource types, which.

208
00:12:08,320 --> 00:12:10,440
Resource types. Yes. Good. Yes.

209
00:12:10,550 --> 00:12:15,240
Clarify that: resource types.
Only turn it on for SQL, but it

210
00:12:15,350 --> 00:12:20,200
will get turned on for all of that
particular resource type at the

211
00:12:20,200 --> 00:12:25,080
entire subscription level. So in this
case, this small business segment,

212
00:12:25,080 --> 00:12:28,640
because they just did resource groups
in a much larger subscription that

213
00:12:29,150 --> 00:12:33,720
realistically could have
300 other resource groups
in it for all I know cannot

214
00:12:34,320 --> 00:12:39,080
leverage Microsoft Defender for
Cloud without impacting the other 297

215
00:12:39,220 --> 00:12:43,480
or 506 or whatever number
it happens to be without

216
00:12:43,710 --> 00:12:48,400
impacting and conversely paying for that

217
00:12:49,080 --> 00:12:52,480
resource type protection
across the entire subscription.

218
00:12:52,900 --> 00:12:57,760
And I was complaining about that because
I wanted to have more granularity

219
00:12:58,500 --> 00:13:02,200
in which resources this gets deployed
to. I said there are some exceptions.

220
00:13:02,200 --> 00:13:04,600
There's a couple of 'em. Like
I noticed storage accounts.

221
00:13:04,700 --> 00:13:06,080
You can go into a storage account,

222
00:13:06,140 --> 00:13:10,680
go into Defender for Cloud and essentially
say don't inherit the settings from

223
00:13:10,680 --> 00:13:15,000
the subscription and just disable
Defender for Cloud on the storage account.

224
00:13:15,620 --> 00:13:20,560
But that does not hold true for every
resource nor is there any way to

225
00:13:20,560 --> 00:13:25,440
do that with like policy
or exclusions of a

226
00:13:25,440 --> 00:13:26,360
certain resource group.

227
00:13:26,430 --> 00:13:31,080
It's like a manual
resource by resource toggle

228
00:13:31,670 --> 00:13:34,360
that you could probably script it out.

229
00:13:34,860 --> 00:13:38,440
But I was annoyed and I
was complaining to Scott.

230
00:13:38,960 --> 00:13:43,600
I love this as a good lesson in

231
00:13:43,830 --> 00:13:48,360
potentially how you approach deploying

232
00:13:48,720 --> 00:13:53,280
a new service in the
cloud. So it sounds like,

233
00:13:53,660 --> 00:13:55,600
and it's kind of an unfortunate situation,

234
00:13:56,100 --> 00:14:00,680
but it sounds like that customer
that you're working with didn't take

235
00:14:00,950 --> 00:14:01,783
step one,

236
00:14:01,930 --> 00:14:06,000
which was go read the
pricing docs like the,

237
00:14:06,000 --> 00:14:07,000
like that is the,

238
00:14:07,460 --> 00:14:12,400
the most important piece of documentation
that you could sit down and kind

239
00:14:12,400 --> 00:14:14,400
of start to consume and touch.

240
00:14:14,860 --> 00:14:19,480
And I don't know that the
Defender team has done a great job

241
00:14:19,750 --> 00:14:23,840
with kind of disambiguating
what is an individual resource

242
00:14:24,410 --> 00:14:28,920
constraint within their service
and then what's just the broader

243
00:14:29,440 --> 00:14:32,880
Defender for Cloud thing.
So step one would be, hey,

244
00:14:33,450 --> 00:14:36,120
let's go read the pricing docs. Step two.

245
00:14:36,500 --> 00:14:40,240
And we kind of do this on all the do
the cloud streams we do, right? Yep.

246
00:14:40,240 --> 00:14:43,040
Like when we wanna start
playing with this stuff is, hey,

247
00:14:43,050 --> 00:14:46,280
let's go read the overview docs. I've
never touched this service before.

248
00:14:46,690 --> 00:14:50,720
Let's just see what's going on with
it. What are you kicking around?

249
00:14:50,860 --> 00:14:53,520
So you know, you and I were
chatting earlier about it.

250
00:14:53,580 --> 00:14:55,680
So I started going down that
path. I'm like, all right,

251
00:14:55,680 --> 00:14:58,000
lemme go look at the pricing
docs. Lemme see what's happening.

252
00:14:58,130 --> 00:15:02,240
Lemme go look at the overview. And if
you go look at the overview for Defender,

253
00:15:02,460 --> 00:15:07,400
it very quickly points you to a place
which says how do you enable paid

254
00:15:07,400 --> 00:15:09,960
plans on your subscriptions? And I,

255
00:15:10,080 --> 00:15:14,280
I absolutely love the way this is done
is if you go to that link that I just put

256
00:15:14,280 --> 00:15:19,200
in, uh, Discord, it'll be in the show notes
there, that is the, it has a note,

257
00:15:19,220 --> 00:15:22,960
you know like one of those like
purple boxes in the Microsoft Docs.

258
00:15:23,380 --> 00:15:28,320
And that is the one place where I
have found so far that it calls out

259
00:15:28,590 --> 00:15:32,960
here is the specific set of resource types

260
00:15:33,630 --> 00:15:38,400
that are going to be available
for individual like resource level

261
00:15:38,400 --> 00:15:43,240
enablement, like you mentioned storage
accounts. There's Defender for SQL,

262
00:15:43,410 --> 00:15:46,240
which you gotta be careful with
'cause there's Defender for SQL,

263
00:15:46,510 --> 00:15:50,760
like Defender for <laugh> like
SQL services like Azure SQL. Yep.

264
00:15:50,820 --> 00:15:54,000
And then there's Defender
for SQL like IaaS VMs.

265
00:15:54,140 --> 00:15:57,680
So that one's a little bit weird.
You have open source relations,

266
00:15:57,680 --> 00:16:02,120
relational databases, so like my
relational databases, so like
MySQL, MariaDB, things like that.

267
00:16:02,820 --> 00:16:07,600
And then you can also do
workspace level Defender

268
00:16:07,650 --> 00:16:12,240
plans for servers and Defender for
SQL servers on virtual machines.

269
00:16:12,550 --> 00:16:15,480
That being said, Defender
is like a slew of things.

270
00:16:15,680 --> 00:16:17,000
I forget how many they have there.

271
00:16:17,000 --> 00:16:20,120
There's gotta be at least 10 different
workload types that they cover if not

272
00:16:20,150 --> 00:16:23,360
more within there today and they
keep adding more of them on.

273
00:16:23,620 --> 00:16:28,240
So the way I like to think about Defender
in the back of my head is Defender

274
00:16:29,060 --> 00:16:32,920
is fundamentally a subscription
scoped thing, right?

275
00:16:32,920 --> 00:16:36,800
Like I'm gonna light this up and
it's gonna protect everything in my

276
00:16:37,080 --> 00:16:39,480
subscription for a workload that I enable.

277
00:16:39,540 --> 00:16:42,840
So I go enable Defender for Servers, great.

278
00:16:42,940 --> 00:16:45,560
Or let's pick one that it like
can only cover everything.

279
00:16:45,700 --> 00:16:47,600
So I go to Defender for App Service,

280
00:16:47,930 --> 00:16:52,440
every single app service regardless
of scope within that subscription.

281
00:16:52,440 --> 00:16:55,000
Like if it lives, you know, in
this resource group over here,

282
00:16:55,000 --> 00:16:55,680
this resource group,

283
00:16:55,680 --> 00:16:59,680
like all of them are just now protected
versus that Defender for Storage thing,

284
00:16:59,680 --> 00:17:04,680
which then I go light it up one piece
at a time and and turn it on that way.

285
00:17:05,100 --> 00:17:07,440
The other thing that I've
seen that's very con uh.

286
00:17:07,440 --> 00:17:09,160
Storage accounts, it's the opposite way.

287
00:17:09,160 --> 00:17:11,120
You go turn it on and it
lights it up for everything.

288
00:17:11,310 --> 00:17:15,640
It's on by default for everything You
have to go disable it. Yes, yes. It's not,

289
00:17:15,640 --> 00:17:18,160
you can light it up and then
go enable it one by one.

290
00:17:18,190 --> 00:17:22,160
It's you light it up and then you
have to go through. So in my case,

291
00:17:22,190 --> 00:17:24,200
like let's say they
have 300 subscriptions,

292
00:17:24,420 --> 00:17:28,560
I'd have to go into the other 297
subscriptions and turn off every storage

293
00:17:28,560 --> 00:17:32,440
account across, across all those
subscriptions after I enabled it. Yes.

294
00:17:32,600 --> 00:17:36,400
I can't just enable it and then say go
just let's go manually turn it out on

295
00:17:36,400 --> 00:17:37,180
these two or three.

296
00:17:37,180 --> 00:17:40,440
You want me to give you like another
little bit of nuance here that's probably

297
00:17:40,440 --> 00:17:41,880
gonna annoy you even more. Sure.

298
00:17:42,220 --> 00:17:46,680
You don't enable Defender for
Cloud for resources like that

299
00:17:47,300 --> 00:17:50,280
in the actual resource
provider of the owning service.

300
00:17:50,700 --> 00:17:52,080
So like for a storage account,

301
00:17:52,260 --> 00:17:55,880
if you want to manipulate Defender
for Cloud for storage accounts,

302
00:17:56,380 --> 00:18:00,520
you use the Defender for Cloud RP,
their resource provider to do that.

303
00:18:00,520 --> 00:18:03,080
Which makes sense, right? 'cause it's
a defender piece of functionality.

304
00:18:03,420 --> 00:18:06,040
But I have seen like customer
asks come in where they go,

305
00:18:06,300 --> 00:18:10,840
Hey you don't have a cmdlet in storage
or I can't do this through your

306
00:18:10,840 --> 00:18:13,680
API. And it's like well 'cause
it's not us that did it, right?

307
00:18:13,750 --> 00:18:16,080
It's the Defender team that
did it right? They own it.

308
00:18:16,080 --> 00:18:19,240
We give you the storage account and now
you wanted to do something else with an

309
00:18:19,440 --> 00:18:23,040
additive service that was technically
outside of storage. Like alright,

310
00:18:23,060 --> 00:18:28,040
you've gotta go potentially solve
for that one and figure it out.

311
00:18:28,340 --> 00:18:30,160
So, so Defender becomes kind of a,

312
00:18:30,400 --> 00:18:35,280
a wonky service in that way
'cause it's really like a

313
00:18:35,280 --> 00:18:39,400
big bundle and then a bunch of attributes
that are applied to it for workloads

314
00:18:39,540 --> 00:18:42,240
and then you can potentially
get really granular, uh,

315
00:18:42,240 --> 00:18:43,520
and go down to the resource level.

316
00:18:44,060 --> 00:18:48,920
But that's all dependent upon the Defender
resource provider and their billing

317
00:18:49,010 --> 00:18:51,800
model and and all the
things that they do there.

318
00:18:52,140 --> 00:18:55,240
But I think another interesting thing
that came outta the conversation we were

319
00:18:55,240 --> 00:18:59,720
having was I'm starting
to talk to more and more

320
00:19:00,080 --> 00:19:04,760
customers where there's this inherent just

321
00:19:04,990 --> 00:19:09,880
fear of additional
operational complexity around

322
00:19:09,880 --> 00:19:13,960
having multiple subscriptions
in Azure. I totally get it.

323
00:19:13,990 --> 00:19:18,960
Like if you've been doing Azure
since the ASM days or I'll say pre

324
00:19:18,960 --> 00:19:22,760
management groups in Azure
AD and id, all that stuff,

325
00:19:22,950 --> 00:19:26,000
like if that's the mindset you're
coming from and you've never played with

326
00:19:26,000 --> 00:19:30,840
management groups, then I think multi
subscription gets a little bit scary.

327
00:19:31,070 --> 00:19:33,320
Like it's tough. How do you
have insights into things?

328
00:19:33,420 --> 00:19:36,680
How do you deploy policy at scale,
all that good kind of stuff.

329
00:19:37,260 --> 00:19:40,920
The other thing that I run into is

330
00:19:42,000 --> 00:19:46,560
customers get scared of multiple
subscriptions because they think

331
00:19:47,160 --> 00:19:51,640
multiple subscriptions means a bunch
of manual process. Like oh you know,

332
00:19:51,660 --> 00:19:54,600
I'm a customer on an MCA, like I,

333
00:19:54,720 --> 00:19:58,000
I transitioned from an EA, an enterprise
agreement, over to Microsoft customer

334
00:19:58,120 --> 00:20:03,120
agreement and because I made that
transition, now I'm just like,

335
00:20:03,140 --> 00:20:06,200
uh, I'm on some kind of different plan.
I don't know what I'm doing over here.

336
00:20:06,200 --> 00:20:07,600
If I wanna create a new subscription,

337
00:20:07,740 --> 00:20:11,120
I'm gonna go out to my licensing portal
and spin it up that way. And the one,

338
00:20:11,140 --> 00:20:14,360
the portal that I still remember and
is near and dear to my heart is the EA

339
00:20:14,360 --> 00:20:14,830
portal.

340
00:20:14,830 --> 00:20:19,720
Like I go in there many a time and
manually created a subscription

341
00:20:20,220 --> 00:20:23,280
but you don't need to do that.

342
00:20:23,470 --> 00:20:28,280
Like there are avenues to
programmatically create Azure

343
00:20:28,640 --> 00:20:32,920
subscriptions and it's not for everybody.
And when I say it's not for everybody,

344
00:20:33,110 --> 00:20:38,000
it's only available to certain classes
of subscriptions or certain types.

345
00:20:38,100 --> 00:20:43,080
So specifically EA, MCA
and MPA subscriptions but
and M P A subscriptions but

346
00:20:43,470 --> 00:20:46,800
totally doable. And then
once you go down that path,

347
00:20:46,830 --> 00:20:51,560
like so if I can programmatically
create a subscription and

348
00:20:52,360 --> 00:20:57,000
I can manage all of my
subscriptions at scale through

349
00:20:57,410 --> 00:21:01,040
management groups at least in the
lens of policy and getting that down,

350
00:21:01,220 --> 00:21:02,640
that's kind of two big buckets for me.

351
00:21:02,860 --> 00:21:07,560
And then I think the third leg of
that chair tends to be security.

352
00:21:07,940 --> 00:21:12,360
So I also see customers
that still don't necessarily

353
00:21:12,830 --> 00:21:17,560
grok the whole Azure AD /
Entra ID isn't actually Azure

354
00:21:17,570 --> 00:21:20,480
thing <laugh> like it's kind of like
this meta service sitting out over here.

355
00:21:20,820 --> 00:21:23,320
So they go, oh I have to
create another subscription.

356
00:21:23,320 --> 00:21:26,720
Well that means I need to redo all my
security and I'm gonna have another

357
00:21:27,080 --> 00:21:30,600
identity provider and I gotta go back
and I gotta do my security groups.

358
00:21:30,630 --> 00:21:32,040
It's like no, no, no, no,

359
00:21:32,040 --> 00:21:35,280
let's take a step back because now
you have an AAD tenant that holds your

360
00:21:35,520 --> 00:21:35,900
identity,

361
00:21:35,900 --> 00:21:39,200
you're gonna take that new subscription
and associate it with that existing

362
00:21:39,200 --> 00:21:43,960
tenant so it gets all the existing
security you can use the same

363
00:21:44,240 --> 00:21:47,040
security groups, same
enterprise app, same SPNs,

364
00:21:47,100 --> 00:21:48,600
all that kinda stuff is available to you.

365
00:21:49,290 --> 00:21:54,200
Management groups are gonna
be the construct that lets
you come back and apply

366
00:21:54,380 --> 00:21:58,760
policy consistently across one
or more subscriptions that you've

367
00:21:58,950 --> 00:22:02,920
grouped together. And you
can have, I forget how many,

368
00:22:03,100 --> 00:22:05,360
how many levels to the
hierarchy or management groups,

369
00:22:05,430 --> 00:22:07,800
like eight or nine levels,
something like that. Like it was.

370
00:22:07,960 --> 00:22:09,200
I can't remember. There's.

371
00:22:09,200 --> 00:22:12,880
A ton of flexibility there
that's available to you.

372
00:22:13,220 --> 00:22:17,840
But you need to shift your
mindset a little bit out of like,

373
00:22:17,980 --> 00:22:22,920
oh I'm doing everything
manually over to how do

374
00:22:22,920 --> 00:22:26,400
I automate that and start to
move things forward a little bit.

375
00:22:31,750 --> 00:22:35,410
Do you feel overwhelmed by trying to
manage your Office 365 environment?

376
00:22:35,510 --> 00:22:39,450
Are you facing unexpected issues that
disrupt your company's productivity?

377
00:22:39,450 --> 00:22:43,410
Intelligent is here to help much like you
take your car to the mechanic that has

378
00:22:43,410 --> 00:22:47,690
specialized knowledge on how to best keep
your car running intelligent helps you

379
00:22:47,690 --> 00:22:50,970
with your Microsoft cloud environment
because that's their expertise.

380
00:22:51,120 --> 00:22:54,810
Intelligent keeps up with
the latest updates in the
Microsoft cloud to help keep

381
00:22:54,810 --> 00:22:57,490
your business running smoothly
and ahead of the curve.

382
00:22:57,560 --> 00:23:01,930
Whether you are a small organization with
just a few users up to an organization

383
00:23:01,930 --> 00:23:03,530
of several thousand employees,

384
00:23:03,840 --> 00:23:08,050
they want to partner with you to implement
and administer your Microsoft Cloud

385
00:23:08,050 --> 00:23:12,530
technology, visit them at
intelligent.com/podcast,

386
00:23:12,950 --> 00:23:17,530
that's I N T L L I G I N

387
00:23:17,650 --> 00:23:22,610
k.com/podcast for more information
or to schedule a 30 minute

388
00:23:22,610 --> 00:23:24,210
call to get started with them today.

389
00:23:25,050 --> 00:23:29,210
Remember intelligent focuses on the
Microsoft cloud so you can focus on your

390
00:23:29,490 --> 00:23:32,650
business. So here you go.

391
00:23:33,030 --> 00:23:37,650
You can have 10,000 management groups
in a single AD tenant and six levels of

392
00:23:37,650 --> 00:23:41,090
depth not including the root
or the subscription. So Gotcha.

393
00:23:41,110 --> 00:23:43,490
You've got levels and
lots you can create. Yeah.

394
00:23:43,790 --> 00:23:46,240
And and then I think the other
thing to think about here is,

395
00:23:46,500 --> 00:23:50,440
and we got a couple folks mentioned
it in the chat is if you're an SMB,

396
00:23:50,670 --> 00:23:54,040
like you're just a a
small business really,

397
00:23:54,270 --> 00:23:56,160
like I get that there's friction,

398
00:23:56,340 --> 00:24:00,080
but how much friction is it for you to
go to the Azure portal and just spin up a

399
00:24:00,080 --> 00:24:02,920
new subscription, like next, next,
next your way through it.

400
00:24:02,920 --> 00:24:06,480
Even if you're a PayGo customer and
you have to put a credit card on there,

401
00:24:06,510 --> 00:24:08,440
like I do this as a PayGo customer.

402
00:24:08,440 --> 00:24:13,120
Like I have to keep some
Azure subscriptions around
as just PayGo subscriptions

403
00:24:13,120 --> 00:24:15,080
because like there's,

404
00:24:15,230 --> 00:24:18,360
there's only certain ways to get
into functionality that I need or,

405
00:24:18,380 --> 00:24:22,560
or I need visibility in the way customers
see things versus the way they are in

406
00:24:22,560 --> 00:24:27,040
like our preview portals and stuff
internally and I just need them in like a

407
00:24:27,380 --> 00:24:31,680
bog standard subscription. So
it's, it's easy enough to do. Yeah,

408
00:24:31,880 --> 00:24:34,560
I think for a lot of it,
and it's gonna sound harsh,

409
00:24:35,160 --> 00:24:37,480
I know it's gonna sound harsh
but I don't mean it to be harsh.

410
00:24:38,110 --> 00:24:43,040
It's not as hard or as much friction as a

411
00:24:43,040 --> 00:24:45,960
lot of folks are thinking about it to be.

412
00:24:46,190 --> 00:24:50,520
Like once you sit down and and think
about it like it does not take more than

413
00:24:50,520 --> 00:24:53,440
five minutes to create a new subscription
if you just want to next, next,

414
00:24:53,440 --> 00:24:54,273
next your way through it.

415
00:24:54,430 --> 00:24:59,000
It's not like a three month project
to figure it out and get it going and

416
00:24:59,210 --> 00:25:00,680
start living your life that way.

417
00:25:00,790 --> 00:25:02,400
Yeah and even as a C S P,

418
00:25:02,460 --> 00:25:07,000
so I do indirect C S P stuff and
I have some clients that buy Azure

419
00:25:07,240 --> 00:25:09,640
subscriptions from me and
even from my side, same thing,

420
00:25:09,640 --> 00:25:12,480
they need a new subscription. It's
like sure, let me set one up for you.

421
00:25:12,480 --> 00:25:16,200
It takes me 30 seconds to go log into
the portal, click new subscription,

422
00:25:17,030 --> 00:25:17,960
they're good to go.

423
00:25:18,060 --> 00:25:22,440
And I agree like there was those
questions in the Discord chat of like

424
00:25:23,260 --> 00:25:27,200
to someone asked typical number of
subscription in a small business.

425
00:25:27,630 --> 00:25:32,520
Some people are saying at least two I
think like at least to your point in

426
00:25:32,520 --> 00:25:36,840
mine, some of it is because of my Azure
credits but I have like 12 subscript,

427
00:25:36,840 --> 00:25:41,640
12 Azure subscriptions and
there's me and Sean and

428
00:25:41,760 --> 00:25:44,120
I have JP doing it like
there's three or four of us.

429
00:25:44,620 --> 00:25:47,160
But it allows me to separate stuff out.

430
00:25:47,230 --> 00:25:51,160
Like I can go flip on Microsoft Defender
for cloud to see it and make sure I'm

431
00:25:51,160 --> 00:25:55,920
only hitting like one of each resource
type so I'm not using a bunch of money to

432
00:25:55,920 --> 00:25:56,960
test it. To your point,

433
00:25:57,120 --> 00:26:01,960
I think people way under create
the number of subscriptions

434
00:26:01,960 --> 00:26:06,400
they realistically should
and I don't know that people

435
00:26:06,980 --> 00:26:08,680
put a lot of thought into it. Again,

436
00:26:08,700 --> 00:26:12,280
I'm going through this with another client
right now where they have five or six

437
00:26:12,680 --> 00:26:15,600
subscriptions, we're going out to 11.

438
00:26:16,340 --> 00:26:20,880
We may even spin it out to even
more for reasons like this.

439
00:26:20,990 --> 00:26:23,080
Like there's a lot of stuff
at the subscription level.

440
00:26:23,600 --> 00:26:28,560
I think the other barrier I do see
people run into is subscriptions and

441
00:26:28,560 --> 00:26:33,000
it's something to think about is how do
you do your networking if you're gonna

442
00:26:33,000 --> 00:26:37,680
start spanning a bunch of subscriptions
because you do run into that a

443
00:26:37,870 --> 00:26:38,600
VNet,

444
00:26:38,600 --> 00:26:43,560
a network cannot span multiple
subscriptions so you end up having

445
00:26:43,660 --> 00:26:46,600
to do different things to
connect these together.

446
00:26:47,340 --> 00:26:51,160
One could also argue it's good because
it helps you separate out your networks

447
00:26:51,220 --> 00:26:55,040
and create maybe a true
hub and spoke type model,

448
00:26:55,680 --> 00:26:59,960
separate out those networks because maybe
you shouldn't actually have all those

449
00:27:00,240 --> 00:27:02,000
resources in the same network anyways.

450
00:27:02,270 --> 00:27:05,320
It's trade-offs and kind of
rationalizing your way through it.

451
00:27:05,420 --> 00:27:08,520
So I'll go back to the
docs thing again here.

452
00:27:08,620 --> 00:27:12,360
So Microsoft has a couple of frameworks.

453
00:27:12,660 --> 00:27:15,920
So there's the Well-Architected Framework
like when you're actually getting

454
00:27:15,920 --> 00:27:20,160
ready to like build things out like hey
what's the best way for me to build this

455
00:27:20,160 --> 00:27:23,480
application or design it with
services, things like that.

456
00:27:23,830 --> 00:27:28,280
There's another framework that's
called the Cloud Adoption Framework.

457
00:27:28,820 --> 00:27:33,520
And inside of the Cloud Adoption
Framework there's tons of guidance

458
00:27:33,580 --> 00:27:38,160
around things like how should you think
about organizing management groups

459
00:27:38,780 --> 00:27:40,560
and I'm specifically gonna
say management groups,

460
00:27:40,660 --> 00:27:44,920
not management group because you're
probably gonna have like multiple levels

461
00:27:44,950 --> 00:27:47,360
that hierarchy and multiple
groups within them.

462
00:27:47,860 --> 00:27:50,840
If you go out into the CAF,

463
00:27:50,990 --> 00:27:55,840
that Cloud Adoption Framework
and you start going into the

464
00:27:56,880 --> 00:28:00,880
resource organization stuff like you
just threw a link in the chat for like

465
00:28:01,050 --> 00:28:02,480
organizing subscriptions,

466
00:28:03,030 --> 00:28:06,880
just pay attention like
everything is pluralized <laugh>,

467
00:28:07,550 --> 00:28:12,120
like it's not organize subscription,
it's organize subscriptions.

468
00:28:12,780 --> 00:28:16,080
And even to the point where
you get down and you like,

469
00:28:16,110 --> 00:28:19,240
there's some use cases like
hey specific use cases.

470
00:28:19,900 --> 00:28:23,400
All the documentation is not
create your initial subscription,

471
00:28:23,910 --> 00:28:26,520
it's create your initial subscriptions,

472
00:28:27,050 --> 00:28:30,560
scale with multiple subscriptions,
organize your subscriptions.

473
00:28:30,940 --> 00:28:35,760
So the thing that folks need to get out
of their head and or potentially kind of

474
00:28:35,760 --> 00:28:40,080
just wrap their head around is if
you've been doing Azure for a long time,

475
00:28:40,460 --> 00:28:45,280
you were taught to treat your subscription

476
00:28:45,820 --> 00:28:50,480
and then your resource groups
inside that subscription as units of

477
00:28:50,530 --> 00:28:53,880
management that are aligned
with your business needs, right?

478
00:28:53,900 --> 00:28:58,800
So like I had one subscription and then
I had my business units like finance and

479
00:28:58,940 --> 00:29:02,240
HR and maybe I had a resource group
for each of them and then I went and

480
00:29:02,440 --> 00:29:05,440
deployed my things and and sprinkled
them out there and and did that.

481
00:29:05,860 --> 00:29:09,640
In today's world where
it is easier to create,

482
00:29:10,390 --> 00:29:13,160
operate, manage and maintain
multiple subscriptions,

483
00:29:13,700 --> 00:29:18,440
you can really uplevel that and think
about it at a higher scope and you can go

484
00:29:18,440 --> 00:29:22,360
from treating your resource groups as a
unit of management that are aligned with

485
00:29:22,360 --> 00:29:27,360
your business needs to treating
subscriptions as a unit of

486
00:29:27,360 --> 00:29:29,480
management that are aligned
with your business needs.

487
00:29:29,820 --> 00:29:34,600
And then once you do that you're
in a totally different place

488
00:29:34,670 --> 00:29:35,260
like it.

489
00:29:35,260 --> 00:29:39,720
It is a different mindset and a
different way to think about it.

490
00:29:40,060 --> 00:29:43,920
And I tend to find as long as all your
subscriptions are in the same tenant,

491
00:29:44,230 --> 00:29:48,480
like you talked about having
12 subscriptions across
multiple tenancies and kind

492
00:29:48,480 --> 00:29:52,640
of the pain that comes along with that,
like I totally get that, that's a pain.

493
00:29:52,860 --> 00:29:57,360
But as long as I can do things
like az login once to my tenant

494
00:29:57,740 --> 00:30:00,760
and then have access to all the
subscriptions, set it like I,

495
00:30:00,920 --> 00:30:05,080
I really don't care if it's in sub A,
sub B, sub C, whatever it happens to be.

496
00:30:05,500 --> 00:30:07,080
A subscription's a subscription.

497
00:30:07,160 --> 00:30:11,720
I just want to get down to the
underlying resource that's available

498
00:30:12,350 --> 00:30:13,183
with it there.

499
00:30:13,200 --> 00:30:15,200
I agree a hundred percent that it,

500
00:30:15,420 --> 00:30:19,800
it absolutely was in the early days and
I think this is to your point why people

501
00:30:19,800 --> 00:30:22,800
are struggling with it. People were
doing stuff at the resource group level,

502
00:30:22,820 --> 00:30:26,280
it was resource groups for
departments, for business units,

503
00:30:26,380 --> 00:30:30,040
for applications for use,
tagging use, all of that.

504
00:30:30,300 --> 00:30:33,920
And I think it's very much transition
to subscriptions and if you wanna do a

505
00:30:33,920 --> 00:30:34,760
SharePoint analogy,

506
00:30:35,270 --> 00:30:38,320
it's kind of like the transition we've
seen there where it used to be let's

507
00:30:38,320 --> 00:30:41,680
create a SharePoint site collection
and create all the SharePoint sites

508
00:30:41,680 --> 00:30:45,320
underneath it and it has transitioned to
now let's just do site collections for

509
00:30:45,320 --> 00:30:48,920
everything and there's no
point in creating sub-sites
for those of you that are

510
00:30:48,920 --> 00:30:51,960
in the Office 365 space and
need an analogy to that. You.

511
00:30:51,960 --> 00:30:56,720
Go back to like even the SharePoint
analogy in SharePoint you never

512
00:30:56,720 --> 00:31:00,600
create just a single site collection.
No you are going to end up with.

513
00:31:00,880 --> 00:31:01,713
Multiple ones, you should.

514
00:31:01,840 --> 00:31:03,880
<Laugh> and I go back
to like that CAF thing,

515
00:31:03,880 --> 00:31:08,800
like if you go into the docs it just
keeps driving you this way saying like hey

516
00:31:08,800 --> 00:31:10,480
here's recommendations.

517
00:31:10,700 --> 00:31:14,440
And they're not even recommendations like
we're in like patterns and practices.

518
00:31:14,490 --> 00:31:18,920
These are things that have been proven
out across multiple customers over time

519
00:31:19,540 --> 00:31:23,600
and this is the way like
stuff is managed at scale.

520
00:31:23,630 --> 00:31:27,760
Like these are like direct learnings
from Microsoft having to do itself,

521
00:31:28,300 --> 00:31:33,240
you know their major customers,
even their internal services, right?

522
00:31:33,240 --> 00:31:35,560
If you think about like
you know Azure SQL,

523
00:31:35,930 --> 00:31:40,200
Azure SQL is an Azure service that
is built on top of Azure as well.

524
00:31:40,410 --> 00:31:44,040
Azure Storage is a service built
like we're all built on top of Azure.

525
00:31:44,300 --> 00:31:48,160
And so you have to get into that
mental model in that mindset.

526
00:31:48,540 --> 00:31:53,080
So like even if you go to the hey create
your first subscription guidance in the

527
00:31:53,080 --> 00:31:55,400
CAF, it's not create
your first subscription,

528
00:31:55,510 --> 00:31:57,560
it's create your first two subscriptions,

529
00:31:57,820 --> 00:32:01,720
here's how to create your production and
your non-prod subscription at the same

530
00:32:01,720 --> 00:32:06,720
time. Like just go ahead and
get this done from the start and

531
00:32:07,470 --> 00:32:11,080
then you gotta figure out the next
friction points like how do you deploy

532
00:32:11,080 --> 00:32:14,800
things, how do you move things
around, how do you secure them?

533
00:32:15,060 --> 00:32:19,160
And there's tons of great prescriptive,

534
00:32:19,310 --> 00:32:24,120
like really good really prescriptive
guidance out there for that with

535
00:32:24,120 --> 00:32:25,720
things like landing zones,

536
00:32:26,380 --> 00:32:31,360
you mentioned network topologies
like hey there's a ton of

537
00:32:31,480 --> 00:32:33,880
guidance out there for thinking
about like do I do hub and spoke?

538
00:32:34,180 --> 00:32:38,320
Do I need uh connectivity back
to my WAN? Do I do Virtual WAN?

539
00:32:38,700 --> 00:32:43,160
How do I think about IP addressing
across multiple subscriptions,

540
00:32:43,760 --> 00:32:47,440
multiple VNets, multiple subnets,
all those kinds of things.

541
00:32:47,540 --> 00:32:48,760
How do I think about security?

542
00:32:49,150 --> 00:32:54,080
Like it all just starts to kind
of tie back together once you have

543
00:32:54,080 --> 00:32:57,880
that initial mental
model in your head. Yeah.

544
00:32:57,880 --> 00:32:59,360
And Pirate is asking in the chat too,

545
00:32:59,360 --> 00:33:02,840
like do you think it's purely a conceptual
thing and I'm assuming you're meaning

546
00:33:02,870 --> 00:33:04,240
like getting over that barrier,

547
00:33:04,260 --> 00:33:09,160
having multiple subscriptions and
thinking through all those concepts

548
00:33:10,060 --> 00:33:13,760
and I would say a hundred
percent especially from

549
00:33:14,900 --> 00:33:18,320
people that have been doing Azure
for a long time and been listening to

550
00:33:18,560 --> 00:33:22,720
Microsoft talk about it for
a long time is that it's

551
00:33:23,430 --> 00:33:23,990
like you said,

552
00:33:23,990 --> 00:33:28,720
it's a step upwards in the architecture
that's as it's grown as people have used

553
00:33:28,770 --> 00:33:31,080
Azure, if we've learned more
as we've architected more,

554
00:33:31,140 --> 00:33:35,920
it is absolutely a step upwards in
the architecture and thinking through

555
00:33:36,660 --> 00:33:40,360
how you plan this out. And you even look
at like some of the Microsoft exam stuff

556
00:33:40,360 --> 00:33:45,240
around architecture and
going back to hammering home,

557
00:33:45,240 --> 00:33:50,120
this multiple subscription thing is
Microsoft more and more hammers through

558
00:33:50,120 --> 00:33:51,520
and it came through like Scott said,

559
00:33:51,520 --> 00:33:56,040
the landing zone through the cloud
architecture framework, all of that is,

560
00:33:57,150 --> 00:34:01,920
this is one of those things
that anybody that's standing

561
00:34:01,980 --> 00:34:05,840
up Azure now or looking at
uh moving forward with Azure

562
00:34:06,890 --> 00:34:11,400
needs to understand these concepts
and really put thought and planning

563
00:34:11,830 --> 00:34:13,400
into this ahead of time.

564
00:34:14,160 --> 00:34:18,160
I do feel for companies that maybe have
been on the same Azure subscription for

565
00:34:18,810 --> 00:34:21,520
eight, nine years, they got on
Azure when it first came out,

566
00:34:21,950 --> 00:34:24,840
when it absolutely was do
everything in one subscription.

567
00:34:24,840 --> 00:34:28,240
They put it all all out in resource
groups and now they're running into

568
00:34:28,520 --> 00:34:29,260
challenges.

569
00:34:29,260 --> 00:34:33,840
It is not easy to go take one subscription
and break it up into a whole bunch of

570
00:34:33,840 --> 00:34:38,800
different things because you can't
just pick up resources or pick up

571
00:34:38,800 --> 00:34:43,160
networks and move them from one
subscription to another subscription.

572
00:34:43,160 --> 00:34:48,160
There is absolutely some rebuilding
that is involved in that. I think.

573
00:34:48,470 --> 00:34:53,080
It's getting better the number
of things that kind of tend to

574
00:34:53,570 --> 00:34:57,040
cause friction or pain like that list,

575
00:34:57,110 --> 00:34:59,400
like if you thought like hey
that's my shopping list of stuff.

576
00:34:59,400 --> 00:35:00,840
Yep I gotta go grab off the shelf.

577
00:35:00,910 --> 00:35:05,120
Like it's getting smaller
and smaller by the day.

578
00:35:05,620 --> 00:35:10,280
So that could be things
like honestly moving

579
00:35:11,040 --> 00:35:14,920
resources between subscriptions
these days isn't really that bad.

580
00:35:15,610 --> 00:35:19,320
Where it becomes painful is typically
when you're trying to move resources

581
00:35:19,320 --> 00:35:21,400
between subscriptions that
are in different tenants.

582
00:35:21,550 --> 00:35:26,480
Like back to that wrap your head around
like how your tenant model is gonna tie

583
00:35:26,630 --> 00:35:31,520
into your subscription just about
everything else. Like not too bad.

584
00:35:31,700 --> 00:35:35,840
The other big pain point with resource
stuff is just being able to like move

585
00:35:35,840 --> 00:35:37,400
your resources between regions.

586
00:35:37,400 --> 00:35:39,640
Like sometimes companies
choose to go down that path,

587
00:35:39,870 --> 00:35:43,360
it's a little orthogonal but you know
that's another consideration for you and

588
00:35:43,360 --> 00:35:48,240
that's where stuff like Resource Mover
comes into play and and keeps you kind

589
00:35:48,240 --> 00:35:53,040
of where you need to be.
Networking is a sticky one.

590
00:35:53,380 --> 00:35:55,680
The thing that I see and
I I'd be curious Ben,

591
00:35:55,680 --> 00:36:00,320
like what you see with your customers is
I still run into folks who are thinking

592
00:36:00,320 --> 00:36:05,040
about networking and VNetting as
really little itty bitty VNets,

593
00:36:05,400 --> 00:36:08,720
<laugh> like /24s
versus /16 kinds of things.

594
00:36:09,060 --> 00:36:09,640
So you know they're,

595
00:36:09,640 --> 00:36:14,640
they're running out there
with like 254 IPs for 250

596
00:36:14,790 --> 00:36:17,480
IPs 'cause of all the reservation like
for this thing and then they're running

597
00:36:17,480 --> 00:36:20,360
for 250 for this thing and for this
thing and then they're trying to tie it

598
00:36:20,360 --> 00:36:23,440
all together and they're trying to figure
out how to get a firewall in there and

599
00:36:23,440 --> 00:36:25,600
get a subnet for their Bastion
thing and they're like,

600
00:36:25,880 --> 00:36:28,560
I just don't have enough and I can't
figure it out and now it's gonna overlap

601
00:36:28,560 --> 00:36:31,360
with this other thing. It's like
alright so we gotta take a step back,

602
00:36:31,580 --> 00:36:34,400
we need to maybe plan things a little bit.

603
00:36:34,550 --> 00:36:39,400
Like I think like a lot of this stuff
like it is super helpful to go back to

604
00:36:39,500 --> 00:36:43,960
the prescriptive guidance. Like I know
not everybody learns from documentation.

605
00:36:44,440 --> 00:36:46,720
I get it. Like I am sympathetic to that.

606
00:36:47,140 --> 00:36:51,320
You're not always gonna find a video for
this stuff and you're gonna have to go

607
00:36:51,390 --> 00:36:53,520
read some things though just to,

608
00:36:53,700 --> 00:36:58,600
to move them forward and if you
find the Microsoft documentation a

609
00:36:58,600 --> 00:37:01,920
little squirrely, like it's
just like obtuse to you,

610
00:37:02,480 --> 00:37:06,360
I get it but you still gotta like
lean in and and go down that way.

611
00:37:06,650 --> 00:37:10,080
Maybe there's some YouTube videos or some
Pluralsight things but I think like the

612
00:37:10,080 --> 00:37:14,960
definitive resource for this
stuff is gonna be the Microsoft

613
00:37:15,150 --> 00:37:15,440
docs.

614
00:37:15,440 --> 00:37:20,320
Like once you start to get into it and
you know get hands on with it I think I

615
00:37:20,320 --> 00:37:21,720
think it helps a lot too.

616
00:37:21,910 --> 00:37:22,600
Yeah,

617
00:37:22,600 --> 00:37:27,000
I do see a lot of still those smaller
networks like you said. I did just post a

618
00:37:27,000 --> 00:37:31,240
link to in the chat that gives you some
guidance around moving networks because

619
00:37:31,390 --> 00:37:35,640
like people are asking in the chat
networks is probably the biggest one,

620
00:37:35,640 --> 00:37:39,280
especially if you have peering like
you're gonna have some downtime 'cause at

621
00:37:39,280 --> 00:37:43,160
least if you're moving a VNet with peering
you need to remove the peerings then

622
00:37:43,160 --> 00:37:44,920
you can move it, then you
can reenable the peerings.

623
00:37:45,140 --> 00:37:49,680
But thinking about overlapping
address spaces and networking

624
00:37:50,100 --> 00:37:54,680
is, I would say by and large probably
the stickiest part of moving resources.

625
00:37:55,440 --> 00:37:58,880
VPN gateways are another one
if you do have VPN gateways,

626
00:37:59,190 --> 00:38:03,080
hopefully you don't have too many of
those depending on how everything is

627
00:38:03,480 --> 00:38:07,560
configured. But yeah, it's,
it's interesting <laugh>.

628
00:38:07,760 --> 00:38:09,520
I get it. It's hard. Change is hard.

629
00:38:09,830 --> 00:38:13,960
Like I struggle with that stuff
all the time but I think a lot of,

630
00:38:14,280 --> 00:38:18,360
I know it sounds harsh and I
don't want it to be a harsh thing.

631
00:38:18,400 --> 00:38:20,080
I want it to be a a realistic thing.

632
00:38:20,420 --> 00:38:24,360
If you're looking at this and you're
going like wow, that's a lot of friction.

633
00:38:24,470 --> 00:38:29,240
It's like I get it but
there is tangible ROI

634
00:38:29,240 --> 00:38:33,520
there for you should you choose to go
in another direction, right? And I,

635
00:38:33,520 --> 00:38:38,080
I'll take it like let's circle back
around to Defender for Cloud customer,

636
00:38:38,080 --> 00:38:38,320
right?

637
00:38:38,320 --> 00:38:41,600
Like they want to be able to enable this
and restrict it to a set of resources

638
00:38:41,600 --> 00:38:44,560
like with the current billing
model for Defender for Cloud.

639
00:38:44,560 --> 00:38:48,560
Like the reality is like you're gonna
need multiple subscriptions to make that

640
00:38:48,560 --> 00:38:52,440
happen and some of that friction
comes in if you don't already have

641
00:38:53,600 --> 00:38:54,280
multiple subscriptions.

642
00:38:54,280 --> 00:38:57,720
Like you don't have that mental model so
now you gotta go step back and do what

643
00:38:57,720 --> 00:39:01,880
for some people was foundational work
but for you could not be like it's you

644
00:39:02,160 --> 00:39:06,320
circling back around to it and having to
rethink things and then maybe that has

645
00:39:06,560 --> 00:39:07,000
a a,

646
00:39:07,000 --> 00:39:11,840
a knock on effect but if you had
already had one or you already had two

647
00:39:12,120 --> 00:39:14,400
subscriptions or maybe three
like you had like prod,

648
00:39:14,480 --> 00:39:19,160
non-prod in your sandbox or like your
dev like your real like dev playbook

649
00:39:19,590 --> 00:39:20,423
test area,

650
00:39:20,750 --> 00:39:25,520
like spinning up another one of those
should be pretty common at some point and

651
00:39:25,900 --> 00:39:29,240
you'll just kind of get yourself
to to where you need to be.

652
00:39:30,000 --> 00:39:32,200
Absolutely. So I don't know,

653
00:39:32,920 --> 00:39:35,080
I don't know that I have
anything else on that topic.

654
00:39:35,760 --> 00:39:39,640
I think we covered it pretty
well other than to summarize,

655
00:39:40,540 --> 00:39:44,480
go create more subscriptions
than you think you need <laugh>.

656
00:39:45,660 --> 00:39:49,000
Uh, yes there is. Are we at peace?

657
00:39:49,110 --> 00:39:53,600
Like it helps to have at least
two when you're starting out.

658
00:39:53,750 --> 00:39:58,400
Well thanks Scott, that was
an interesting discussion.

659
00:39:58,400 --> 00:40:00,920
Always good to talk about structure.

660
00:40:01,640 --> 00:40:06,040
I know we have some videos too out
there that I think we talked about

661
00:40:06,250 --> 00:40:09,760
management groups a little bit. That was
in the to the cloud membership stuff.

662
00:40:09,920 --> 00:40:10,200
I gotta.

663
00:40:10,200 --> 00:40:12,480
Get you to post those
videos. I did those, those,

664
00:40:12,480 --> 00:40:15,280
yeah we do have a video where we
did management groups created 'em,

665
00:40:15,280 --> 00:40:19,080
kind of talked about some of the nuance
of putting that hierarchy together,

666
00:40:19,100 --> 00:40:22,040
moving things around and management
groups, all that stuff. I just gotta, I,

667
00:40:22,040 --> 00:40:23,840
I gotta get my editor
to post 'em something.

668
00:40:23,840 --> 00:40:27,400
To do this weekend I can go edit that
video and get it posted for everybody so

669
00:40:27,510 --> 00:40:31,360
they can watch where we were playing
around with management groups. Awesome.

670
00:40:31,670 --> 00:40:34,800
Well thanks Scott. I think we'll wrap
it up. Go and enjoy your weekend.

671
00:40:35,020 --> 00:40:38,320
Try not to melt. It is way too hot.

672
00:40:38,820 --> 00:40:40,120
I'm gonna go sweat it out.

673
00:40:40,400 --> 00:40:45,080
I apologize if anybody heard my
AC running at a million percent or

674
00:40:45,580 --> 00:40:48,880
my fan that's spinning above me
at, at a million miles an hour.

675
00:40:48,940 --> 00:40:52,240
But it is currently, oh what is it? Uh,

676
00:40:52,410 --> 00:40:56,320
feels like it's currently 113 as
the sun just streams in behind the sun.

677
00:40:56,380 --> 00:41:01,280
Sun hits me more. No, go away. Yeah,
it's hot outside. Yeah, I'm gonna,

678
00:41:01,280 --> 00:41:03,800
I'm gonna sit here and have
my ice tea and <laugh>.

679
00:41:04,380 --> 00:41:07,800
My kids went out to the pool today and
lasted like 45 minutes. They're like,

680
00:41:07,800 --> 00:41:12,280
it's too hot out the pool is like
88 degrees, said the same thing.

681
00:41:12,280 --> 00:41:15,320
It feels like 115 or whatever And.

682
00:41:15,470 --> 00:41:16,060
Yeah,

683
00:41:16,060 --> 00:41:20,040
my dogs go outside and I know it's hot
when they don't even wanna like play with

684
00:41:20,040 --> 00:41:21,760
a ball or do anything,
they just go outside.

685
00:41:21,760 --> 00:41:24,440
They do whatever they need to do and
they turn right back around and come in.

686
00:41:25,160 --> 00:41:27,120
I don't even have to say
like, hey come inside.

687
00:41:27,230 --> 00:41:29,680
It's like normally I have to like
go out and herd 'em and nope,

688
00:41:29,680 --> 00:41:31,400
they're all ready for AC so.

689
00:41:31,420 --> 00:41:34,560
You know what that means, Scott, you
should have ice cream for dinner tonight.

690
00:41:34,780 --> 00:41:37,640
We used to do that when it was
too hot. When I lived in Michigan,

691
00:41:38,100 --> 00:41:42,120
in Florida it's too hot too often to
do that but every once in a while I.

692
00:41:42,120 --> 00:41:43,480
Had ice cream for lunch. Oh.

693
00:41:44,110 --> 00:41:44,400
That.

694
00:41:44,400 --> 00:41:46,760
Works. I had a pint of Ben and
Jerry's for lunch. So <laugh>,

695
00:41:46,880 --> 00:41:48,880
I don't know if I should watch
my figure going in the wrong way,

696
00:41:48,890 --> 00:41:51,040
wrong direction like that. Well just.

697
00:41:51,060 --> 00:41:55,400
Get on the treadmill for a little bit.
Now that's if you eat ice cream while

698
00:41:55,400 --> 00:41:57,760
you're on the treadmill,
that's okay, right?

699
00:41:58,280 --> 00:41:58,840
Absolutely.

700
00:41:58,840 --> 00:42:02,400
<laugh> like everything I
know about exercise I learned
from Peggy Bundy. Right?

701
00:42:02,400 --> 00:42:04,960
Like gimme a bon bon and a
couch and I'm all good <laugh>.

702
00:42:05,030 --> 00:42:08,360
Perfect. Alright, so now we literally
will wrap it up. Go enjoy your weekend,

703
00:42:08,610 --> 00:42:11,840
enjoy your ice cream and we
will talk to you next week.

704
00:42:12,020 --> 00:42:12,853
All right, thanks Ben.

705
00:42:15,100 --> 00:42:18,800
If you enjoyed the podcast, go leave
us a five star rating in iTunes.

706
00:42:19,020 --> 00:42:23,480
It helps to get the word out so more
IT pros can learn about Office 365 and

707
00:42:23,480 --> 00:42:24,313
Azure.

708
00:42:24,380 --> 00:42:28,320
If you have any questions you want us
to address on the show or feedback about

709
00:42:28,440 --> 00:42:32,880
the show, feel free to reach out via
our website, Twitter, or Facebook.

710
00:42:33,140 --> 00:42:35,240
Thanks again for listening
and have a great day.

