Getting Started With Your Azure Subscription
Your subscription is ready when you receive the provisioning confirmation from the Cloud Team. Follow the steps below to get set up.
These steps also work as a checklist for an established subscription — revisit them any time, such as after your annual check-in, to verify your contacts, budget, and tags are still the way you want them.
- Step 1 — Sign In
- Step 2 — Find Your Subscription
- Step 3 — Review Your Roles
- Step 4 — Set Subscription Contacts
- Step 5 — Verify Defender for Cloud
- Step 6 — Configure Networking (Optional)
- Step 7 — Create a Resource Group
- Step 8 — Set Up or Verify a Budget Alert
- Getting Help
Step 1 — Sign In
- Go to portal.azure.com.
- Sign in with your UCSB email address (
yournetid@ucsb.edu).- If prompted, choose Work or school account.
- Authenticate with Duo MFA if required.
- In the top-right dropdown, verify you are in the UC Santa Barbara directory.
- If you see a personal directory instead, click your name → Switch directory → select UC Santa Barbara.
Always use the UCSB directory
Azure has both a UCSB tenant (ucsb.edu) and a personal Microsoft account option. Always confirm you are in the UC Santa Barbara directory before working to avoid creating resources in the wrong place.Step 2 — Find Your Subscription
- In the portal search bar, type Subscriptions.
- Locate your subscription in the list.
- Click it to view the subscription overview — note your Subscription ID for future support tickets.
If your subscription does not appear, verify that:
- You are in the UC Santa Barbara directory (step 1).
- Your role assignment is complete (ask the Cloud Team if unsure).
Step 3 — Review Your Roles
Four custom RBAC roles are assigned to your subscription:
| Role | Who Should Use It | Key Permissions |
|---|---|---|
| UCSB Subscription Owner | PI or department head (1–2 people max) | Manage all resources, assign roles |
| UCSB Application Owner | Developers, researchers, lab managers | Create/manage compute, storage, databases, deploy code |
| UCSB Network Operations | Networking staff | Manage VPN gateways, ExpressRoute, route tables |
| UCSB Security Operations | Security reviewers, compliance staff | Read all resources, view Defender alerts, manage Key Vault |
Most day-to-day work should use Application Owner. Use Subscription Owner only for initial setup and RBAC management. Changes to the role definitions themselves must be made by the Cloud Team — open a ServiceNow ticket if the available roles do not match your team’s needs.
Adding and Removing Users
Subscription Owners can manage role assignments in the Azure portal under
Access control (IAM). See
Assign Azure roles using the Azure portal
for step-by-step instructions. Only @ucsb.edu accounts can be assigned
roles — external collaborators need a sponsored UCSB account.
Step 4 — Set Subscription Contacts
Configure notification contacts so your team receives security, billing, and health alerts. See Account Contacts for general best practices.
The primary billing contact is managed by the Cloud Team. You configure:
Security alerts (Defender for Cloud):
- Navigate to Microsoft Defender for Cloud → Environment settings.
- Click your subscription → Email notifications.
- Set the email to your team’s functional security address.
- Alert severity: High as a minimum (All recommended).
- Save.
Budget alerts: Add your team’s billing email when you create a budget (see Step 8 below).
Service Health alerts:
- Navigate to Service Health → Health alerts → + Create service health alert.
- Scope to your subscription; choose the services and regions you use.
- Create an Action Group with an Email action pointing to your team’s address.
- Save.
Step 5 — Verify Defender for Cloud
Microsoft Defender for Cloud is enabled on all Campus Cloud subscriptions. Confirm it is active:
- Search for Microsoft Defender for Cloud in the portal.
- Under Environment settings, click your subscription.
- Verify Defender plans are showing as On for the resource types you use (VMs, Storage, SQL, Key Vault, etc.).
If Defender plans are showing as Off, contact the Cloud Team.
Step 6 — Configure Networking (Optional)
If your request included hub-spoke Virtual WAN peering for campus connectivity:
- Navigate to Virtual Networks in your subscription to confirm the VNet exists.
- Check Peerings — it should show a peering to the Campus Cloud hub VNet.
- If the VNet or peering is missing, open a ServiceNow ticket.
See Azure Networking for full details.
Step 7 — Create a Resource Group
All resources must be in a Resource Group. Azure Policy audits Resource Groups for the four required tags — groups missing tags will be flagged as non-compliant. (For the other policies applied to your subscription, see Guardrails.)
- Navigate to Resource Groups → + Create.
- Select your subscription and a region (West US 2 recommended).
- Fill in all four required tags:
ucsb:environmentucsb:missionucsb:protection-levelucsb:availability-level
- Click Review + Create.
See Tagging for allowed values.
Step 8 — Set Up or Verify a Budget Alert
Create a cost budget to alert you if spend approaches your expected amount:
- Navigate to Cost Management → Budgets → + Add.
- Set the budget amount, scope (subscription), and reset period (Monthly).
- Configure alert thresholds (e.g., 80% actual, 100% forecasted).
- Set the alert email to your team’s functional email address.
A budget only sends notifications — it does not stop resources. To automate a response when a threshold is hit, attach an action group to the budget alert. See Azure budget docs for details, and Costs & Billing for more on monitoring your spending.
Getting Help
For all the ways to get help, see the Support page. It covers:
- Contacting the Cloud Team — open a ServiceNow ticket for anything that needs tracking, or email info@cloud.ucsb.edu.
- Community and office hours — the Cloud Impact Hub chat space and weekly drop-in office hours.
- Microsoft support — technical support is included through the campus Microsoft Unified Support agreement; open a request from the Azure portal.
- Annual check-ins — schedule a check-in with the Cloud Team to review your subscription.