All subscriptions in UW Azure are in the uw.edu Entra ID tenant, with a subscription owner that has an @uw.edu account. Should the owner of a UW Azure subscription leave the university without transferring ownership to another UW employee, UW-IT can assist in re-assigning ownership. The UW-IT Office of Information Security also has the ability to quickly get audit logs and vulnerability information from any UW Azure subscription. For UW Azure subscriptions which are in the enterprise agreement, there is paid Unified Enterprise Support coverage to get Microsoft support for issues. Software Assurance cost benefits are also available only with a UW Azure subscription. Azure subscriptions with an owner that is not an @uw.edu account do not have:
- UW-IT assistance with ownership re-assignment
- UW-IT access to security logs and vulnerability information
- Paid Unified Enterprise Support coverage to get Microsoft support for issues
- Software Assurance cost benefits
There are three types of subscriptions within UW Azure:
- Enterprise agreement: These Azure subscriptions are covered under the UW contract with Microsoft, with charges to a UW Workday worktag. The UW contract includes HIPAA BAA coverage as well as other protections. Enterprise agreement subscriptions are also eligible for Unified Enterprise Support coverage to get Microsoft support for issues. Support cases that customers open from their Azure subscription should result in a case with the broadest set of support Microsoft provides. Customers who do not have Unified Enterprise Support get minimal assistance from Microsoft and must pay for this type of support. There are two sub-classes of this type of subscription:
  - UW-IT managed service: These are fully operated by a UW-IT service team to provide services advertised in the UW-IT service catalog:
  - Self-managed: These are also Enterprise Agreement subscriptions, but you own and manage the entire subscription. See Azure Subscription - Service Portal (service-now.com) for more about this option and to request a self-managed UW Azure subscription.
- Generic pay-as-you-go subscriptions: Azure subscriptions which are funded by a credit card. These are heavily discouraged because neither UW contractual protections nor discounts are available. If you have one of these subscriptions, UW-IT can assist in converting it to an Enterprise Agreement subscription.
- Azure sponsorship subscriptions: Azure subscriptions which are funded by someone else. There are special details for all of these types of subscriptions. There are 3 sub-classes of these types of subscriptions:
  - A Microsoft sponsorship award -- these are generally awarded to researchers, with a fixed term of use, and thousands of credits. Open a request to UW-IT for assistance with getting sponsorship credits awarded by Microsoft connected to a UW Azure subscription.
  - A grant awarded by NIH which is eligible for the STRIDES program -- these subscriptions are paid by NIH without you as the middle man. An additional 10% discount is applied as part of this program. Open a request to UW-IT for assistance with this option.
  - Microsoft offers. See the link below for Microsoft offers to get one of these types of subscription. These generally are not recommended if you are eligible for one of the other types of subscriptions, but the free credit offers are a great way to explore and get experience before committing to one of the other types. Do note that some of the free subscription offers require a credit card. The Azure for Students offer does not require a credit card, but these subscriptions do expire after 12 months.
If you want to check the Microsoft offer for the Azure subscription you have, you can review the "Offer" information on the overview page of your Azure subscription. See https://azure.microsoft.com/en-us/support/legal/offer-details/ for all the possible active offers from Microsoft. In some cases, we use offers to help organize the Azure Management Group structure at the UW. There are ways to shift between the types of offers, so if you start with a free or pay-as-you-go subscription, you can later switch to an enterprise agreement subscription. You'll need to talk to UW-IT for help doing this.
The best security step you can take is to ensure your subscription is UW-IT managed. UW-IT managed subscriptions adhere to a higher standard of security.
- Ensure your Azure subscription has an @uw.edu account as owner so that the UW-IT Office of Information Security has visibility into your cloud-based computing resources. This will improve vulnerability awareness and shorten the timeline for any data breach that might occur.
- Review which accounts have access to your subscription, particularly Owner or Contributor roles. Reviewing and removing unnecessary access is recommended.
- We strongly recommend always using a group when assigning an Azure RBAC role and never assigning a role directly to a user account.
- We also recommend only assigning Owner or Contributor roles to admin UW NetIDs.
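One way to carry out the access review recommended above, as an added example that is not UW-IT's or Microsoft's code: it reads role assignments in the JSON shape printed by `az role assignment list --all --output json` and flags Owner or Contributor roles assigned directly to user accounts. The sample records, names and scope placeholder are constructed, and the @uw.edu check assumes `principalName` carries the account's sign-in name.

```python
import json

PRIVILEGED_ROLES = {"Owner", "Contributor"}
UW_SUFFIX = "@uw.edu"

# Constructed sample (not real data), limited to the fields this check reads
# from `az role assignment list --all --output json`.
SAMPLE = json.loads("""
[
  {"principalName": "alice@uw.edu", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID-PLACEHOLDER"},
  {"principalName": "example-azure-admins", "principalType": "Group",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID-PLACEHOLDER"},
  {"principalName": "bob_example.com#EXT#@example.onmicrosoft.com",
   "principalType": "User", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-demo"},
  {"principalName": "carol@uw.edu", "principalType": "User",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID-PLACEHOLDER"}
]
""")


def audit_assignments(assignments):
    """Flag Owner/Contributor assignments made directly to user accounts."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role not in PRIVILEGED_ROLES or a.get("principalType") != "User":
            continue  # group and workload-identity assignments are not flagged here
        name = a.get("principalName") or a.get("principalId", "<unknown>")
        reasons = ["assigned directly to a user; assign the role to a group instead"]
        if not name.lower().endswith(UW_SUFFIX):
            reasons.append("principal is not an @uw.edu account")
        findings.append({"principal": name, "role": role,
                         "scope": a.get("scope", ""), "reasons": reasons})
    # Broadest scope first: a shorter scope path covers more resources.
    return sorted(findings, key=lambda f: f["scope"].count("/"))


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE):
        print(f'{f["role"]:<12} {f["principal"]}  {f["scope"]}')
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Group membership is not expanded by this check, so the members of any group holding Owner or Contributor still need their own review.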
For interactive sign in use cases, starting 10/15/2024, Microsoft will require 2FA for any access via the Azure Portal. In early 2025, Microsoft will also require 2FA for access via other interfaces such as the Azure command-line interface (Azure CLI), Azure PowerShell, Azure mobile app, or Infrastructure as Code (IaC) tools. Your use of these other interfaces may not be interactive (see below for more on those), but for interactive use cases, you will need 2FA.

You will not be able to use Shared UW NetIDs to access the Azure Portal or various Azure command line interfaces noted above. Shared UW NetIDs are not eligible for Duo, so are unable to meet Microsoft's 2FA requirement. If your personal UW NetID is not eligible for Duo, you can open a help request to seek an exception. If you have a guest account that needs to access one of these interfaces, that guest account can enable Azure MFA in order to meet the Microsoft requirement.

For non-interactive sign in use cases, you should be using an Azure workload identity. In general, you should choose among the 3 options as follows:

| Use case | Recommended workload identity |
| --- | --- |
| You have one Azure resource that is inherently linked to another Azure resource, e.g. an Azure VM needs to access its Azure storage | System-assigned Managed Identity |
| You are writing code, i.e. programmatically accessing a resource (Azure or otherwise) | User-assigned Managed Identity |
| You are writing code and need OAuth permissions outside those available via Azure RBAC roles | Use an Entra application |

Microsoft has best practice recommendations for Azure managed identities that are recommended reading. If you have a need that requires heightened security, please reach out to UW-IT for consulting and advice.
There are multiple ways to reduce your costs in Azure. In addition to leveraging the UW enterprise agreement to ensure costs are paid by a UW Workday worktag, you can:
- Make use of reservations. By making a commitment to run a resource for 1 year or 3 years, you can get a large discount on the costs.
- Azure hybrid benefits. If you are in UW Azure, you can apply the Software Assurance benefits from the UW campus agreement to your Windows Server or SQL Server license costs in Azure. There's an Azure Hybrid Benefit Savings Calculator to help you determine the overall savings.
- The Pricing Calculator provides estimates in all areas of Azure, including compute, networking, storage, web, and databases.
- Leverage the budgeting features in Microsoft Cost Management to help plan and drive organizational accountability. With budgets, you can account for the Azure services you consume during a specific period. Monitor spending over time and inform others about their spending to proactively manage costs. Use budgets to compare and track spending as you analyze costs. Alerts and email notifications can help improve awareness about spending.
- If you are eligible for an Azure subscription with free credits, you may want to consider whether some of your Azure resources are eligible to run under those subscriptions to leverage the value of those credits.