The Microsoft Azure cloud platform comprises more than 200 products and cloud services designed by Microsoft to meet computing needs, including virtual machines, database instances, storage, web applications, and more.
UW Azure allows UW units or individuals to manage their own Azure subscription using a UW identity.
An Azure subscription is a logical unit of Azure services that’s linked to an identity. The identity is in Microsoft Entra ID or a directory that’s trusted by Microsoft Entra ID, such as a work or school account. Subscriptions help you organize access to Azure cloud service resources, and help you control how resource usage is reported, billed, and paid. You can think of them as a container for the Azure services and resources you want to deploy. Your UW identity can own or have access to multiple Azure subscriptions.
All subscriptions in UW Azure are in the uw.edu Entra ID tenant, with a subscription owner that has an @uw.edu account. Should the owner of a UW Azure subscription leave the university without transferring ownership to another UW employee, UW-IT can assist in re-assigning ownership. The UW-IT Office of Information Security also has the ability to quickly get audit logs and vulnerability information from any UW Azure subscription. For UW Azure subscriptions which are in the enterprise agreement, there is paid Unified Enterprise Support coverage to get Microsoft support for issues. Software Assurance cost benefits can also only be used with a UW Azure subscription.
Azure subscriptions with an owner that is not an @uw.edu account do not have:
- UW-IT assistance with ownership re-assignment
- UW-IT access to security logs and vulnerability information
- Paid Unified Enterprise Support coverage to get Microsoft support for issues
- Software Assurance cost benefits
There are four types of subscriptions within UW Azure:
- Enterprise agreement: Azure subscriptions covered under the UW contract with Microsoft, with charges to a UW Workday worktag. The UW contract includes HIPAA BAA coverage as well as other protections. See Azure Subscription – Service Portal (service-now.com) for more about this option and to request an enterprise agreement UW Azure subscription. Enterprise agreement subscriptions are also eligible for Unified Enterprise Support coverage to get Microsoft support for issues. Support cases that customers open from their Azure subscription should result in a case with the broadest set of support Microsoft provides. Customers who do not have Unified Enterprise Support get minimal assistance from Microsoft and must pay for this type of support.
- UW-IT managed: These are Enterprise agreement subscriptions which are operated by a UW-IT team. UW-IT provides labor & expertise to help operate the core services in these subscriptions, while you may provide the expertise for specific service or application workloads. See Windows Managed Servers – Service Portal (service-now.com) for more about this option and to request a UW-IT managed UW Azure subscription.
- Generic pay-as-you-go or free offer subscriptions: Azure subscriptions which either have free credits from Microsoft and/or are funded by a credit card. These subscriptions do not have Unified Enterprise Support coverage to get Microsoft support for issues. See the link for offers below to get one of these types of subscription. These generally are not recommended if you are eligible for one of the other types of subscriptions, but the free credit offers are a great way to explore and get experience, before committing to one of the other types. Do note that some of the free subscription offers require a credit card. The Azure for Students offer does not require a credit card, but these subscriptions do expire after 12 months.
- Grant funded subscriptions: Azure subscriptions which are funded by a Microsoft grant or an NIH grant. There tend to be special details for these types of subscriptions. See Azure Subscription – Service Portal (service-now.com) for more about this option and to request a UW Azure subscription funded via a grant. A UW Azure STRIDES subscription enrollment option is available for NIH grants.
If you want to check which kind of Azure subscription you have, you can review the “Offer” information on the overview page of your Azure subscription. See https://azure.microsoft.com/en-us/support/legal/offer-details/ for all the possible active offers from Microsoft. We use offers to help organize the Azure Management Group structure at the UW.
There are ways to shift between the types of offers, so if you start with a free or pay-as-you-go subscription, you can later switch to an enterprise agreement subscription. You’ll need to talk to UW-IT for help doing this.
Ensure your Azure subscription has an @uw.edu account as owner so that the UW-IT Office of Information Security has visibility into your cloud-based computing resources. This will improve vulnerability awareness and shorten the timeline for any data breach that might occur.
Review which accounts have access to your subscription, particularly Owner or Contributor roles. Reviewing and removing unnecessary access is recommended. We strongly recommend always using a group when assigning an Azure RBAC role and never assigning a role directly to a user account. We also recommend assigning Owner or Contributor roles to admin UW NetIDs.
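One way to carry out this review, as an added example (not UW-IT's own tooling): the script below parses output in the shape produced by `az role assignment list --all --output json`, flags roles assigned directly to user accounts, and lists every Owner or Contributor assignment for confirmation. The sample records, account and group names, and the subscription ID are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az role assignment list --all --output json`.
# Account names, group names and the subscription ID are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_JSON = json.dumps([
    {"principalName": "jdoe@uw.edu", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dept-azure-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "asmith@uw.edu", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "dept-backup-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-data"},
    {"principalName": "dept-azure-readers", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB},
])

PRIVILEGED_ROLES = {"Owner", "Contributor"}
SEVERITY_ORDER = {"high": 0, "review": 1, "low": 2}


def review_assignments(raw_json):
    """Return (severity, principal, role, scope, reason) tuples, worst first."""
    findings = []
    for a in json.loads(raw_json):
        role = a.get("roleDefinitionName", "")
        ptype = a.get("principalType", "")
        who = a.get("principalName") or a.get("principalId", "<unknown>")
        scope = a.get("scope", "")
        privileged = role in PRIVILEGED_ROLES
        if ptype == "User":
            # Direct user assignments bypass group-based access management.
            sev = "high" if privileged else "low"
            findings.append((sev, who, role, scope,
                             "assigned directly to a user; use a group"))
        elif privileged:
            # Groups and workload identities with broad rights still need review.
            findings.append(("review", who, role, scope,
                             f"{ptype} holds a privileged role; confirm need"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for sev, who, role, scope, reason in review_assignments(SAMPLE_JSON):
        print(f"[{sev:6}] {role:12} {who:24} {scope}\n         {reason}")
```

To review a real subscription, pass the saved JSON output of the command to `review_assignments` in place of `SAMPLE_JSON`.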
For interactive sign-in use cases, starting 10/15/2024, Microsoft will require 2FA for any access via the Azure Portal. In early 2025, Microsoft will also require 2FA for access via other interfaces such as the Azure command-line interface (Azure CLI), Azure PowerShell, Azure mobile app, or Infrastructure as Code (IaC) tools. Your use of these other interfaces may not be interactive (see below for more on those), but for interactive use cases, you will need 2FA.
You will not be able to use Shared UW NetIDs to access the Azure Portal or the various Azure command-line interfaces noted above. Shared UW NetIDs are not eligible for Duo, so they are unable to meet Microsoft’s 2FA requirement.
If your personal UW NetID is not eligible for Duo, you can open a help request to seek an exception. If you have a guest account that needs to access one of these interfaces, that guest account can enable Azure MFA in order to meet the Microsoft requirement.
For non-interactive sign-in use cases, you should be using an Azure workload identity. In general, you should choose among the 3 options as follows:
| Use case | Recommended workload identity |
| --- | --- |
| You have one Azure resource that is inherently linked to another Azure resource, e.g. an Azure VM needs to access its Azure storage | System-assigned Managed Identity |
| You are writing code, i.e. programmatically accessing a resource (Azure or otherwise) | User-assigned Managed Identity |
| You are writing code and need OAuth permissions outside those available via Azure RBAC roles | Use an Entra application |
Microsoft has best practice recommendations for Azure managed identities that are recommended reading.
If you have a need that requires heightened security, please reach out to UW-IT for consulting and advice.
There are multiple ways to reduce your costs in Azure. In addition to leveraging the UW enterprise agreement to ensure costs are paid by a UW Workday worktag, you can:
- Make use of reservations. By making a commitment to run a resource for 1 year or 3 years, you can get a large discount on the costs.
- Azure hybrid benefits. If you are in UW Azure, you can apply the Software Assurance benefits from the UW campus agreement to your Windows Server or SQL Server license costs in Azure. There’s an Azure Hybrid Benefit Savings Calculator to help you determine the overall savings.
- The Pricing Calculator provides estimates in all areas of Azure, including compute, networking, storage, web, and databases.
- Leverage the budgeting features in Microsoft Cost Management to help plan and drive organizational accountability. With budgets, you can account for the Azure services you consume or subscribe to during a specific period. Monitor spending over time and inform others about their spending to proactively manage costs. Use budgets to compare and track spending as you analyze costs.
- If you are eligible for an Azure subscription with free credits, you may want to consider whether some of your Azure resources are eligible to run under those subscriptions to leverage the value of those credits.