Azure for Students for University IT Admins
Azure for Students is a great offer from Microsoft, and requires no input from the University for students to setup. However, there’s a few steps you might want to consider if you’re an Azure administrator in Higher Education.
What is Azure for Students?
Azure for Students is a promotion from Microsoft that gives students free Azure credit and access to free services without the usual need for a credit card. This makes it a great, financially-risk-free, subscription for students to try out Azure. From the IT department perspective this provides a great space for student projects with no management overhead or expenditure from the institution.
Why am I seeing all these subscriptions titled “Azure for Students”?
If you have any top level permissions in the Tenant Root Management Group, either because you are logged in as a tenant owner or have specific Role-based Access Control assigned at that level, you might see a long list of subscriptions titled “Azure for Students”. If Azure for Students subscriptions aren’t created by the IT department, why do they show up in the Azure Portal for IT admins?
The students are registering for this Azure offer with their institutional credentials (student@example.ac.uk) and if this account is in your Azure AD Tenant (example.ac.uk) then the subscription will, by design, be created there. Because your IT account has a role assigned at the top level, this is inherited down the hierarchy. For example if your account has been assigned the Reader role on the Tenant Root Management Group this will be inherited by all the subscriptions beneath it, so the “Azure for Students” subscriptions will not only be visible but you will have Read access to the resources inside as well.
Additionally, if you have assigned any Azure Policies at the top level (and the recommendation is that you limit this anyway) then they will be applied to the student subscriptions.
What steps should I take to manage these subscriptions?
Microsoft don’t expect the University to perform any explicit management or governance around these subscriptions, however for internal housekeeping purposes there are a couple of steps that make sense. These are my recommendations, but are in-line with those in the Microsoft Cloud Adoption Framework.
Firstly, create a new management group below the Tenant Root Group, and move existing Azure for Students subscriptions into this new Management Group.
Next there’s two useful settings found in the Settings
blade of Management Groups
in the Azure portal. See the Microsoft Learn page “How to protect your resource hierarchy” for more details.
- Set
Permissions for creating new management groups
toRequire write permissions for creating new management groups
– this prevents every user (including those students) from being able to create a management group structure. - Set the
Default management group for new subscriptions
to the management group you created above. This will ensure that future “Azure for Students” subscriptions (and any others) are dropped in there and don’t sit at the top of your tree.
Finally, move any general Policies and Role-Based Access Control (RBAC) assignments from your Root Management Group down to the lower management groups, leaving only your tenant owners with rights at the top level. Do not apply any additional permissions or policies to the “Default” management group created for Azure for Student subscriptions. If your IT Team (with the exception of the top-level admin accounts which “own” your Azure tenant) have no inherited roles on this new management group then these Student subscriptions won’t be visible, and any policy applied at the corporate level can be isolated from the student subscriptions. To conclude, here’s an example of what this Management Group structure with Role Assignments might look like at our imaginary University: