Getting Started With Your Azure Subscription
Your subscription is ready when you receive the provisioning confirmation from the Cloud Team. Follow the steps below to get set up.
- Step 1 — Sign In
- Step 2 — Find Your Subscription
- Step 3 — Review Your Roles
- Step 4 — Set Subscription Contacts
- Step 5 — Verify Defender for Cloud
- Step 6 — Configure Networking (Optional)
- Step 7 — Create a Resource Group
- Step 8 — Set a Budget Alert
- Getting Help
Step 1 — Sign In
- Go to portal.azure.com.
- Sign in with your UCSB email address (
yournetid@ucsb.edu).- If prompted, choose Work or school account.
- Authenticate with Duo MFA if required.
- In the top-right dropdown, verify you are in the UC Santa Barbara directory.
- If you see a personal directory instead, click your name → Switch directory → select UC Santa Barbara.
Always use the UCSB directory
Azure has both a UCSB tenant (ucsb.edu) and a personal Microsoft account option. Always confirm you are in the UC Santa Barbara directory before working to avoid creating resources in the wrong place.Step 2 — Find Your Subscription
- In the portal search bar, type Subscriptions.
- Locate your subscription in the list.
- Click it to view the subscription overview — note your Subscription ID for future support tickets.
If your subscription does not appear, verify that:
- You are in the UC Santa Barbara directory (step 1).
- Your role assignment is complete (ask the Cloud Team if unsure).
Step 3 — Review Your Roles
Four custom RBAC roles are assigned to your subscription:
| Role | Who Should Use It | Key Permissions |
|---|---|---|
| UCSB Subscription Owner | PI or department head (1–2 people max) | Manage all resources, assign roles |
| UCSB Application Owner | Developers, researchers, lab managers | Create/manage compute, storage, databases, deploy code |
| UCSB Network Operations | Networking staff | Manage VPN gateways, ExpressRoute, route tables |
| UCSB Security Operations | Security reviewers, compliance staff | Read all resources, view Defender alerts, manage Key Vault |
Most day-to-day work should use Application Owner. Use Subscription Owner only for initial setup and RBAC management. Changes to the role definitions themselves must be made by the Cloud Team — open a ServiceNow ticket if the available roles do not match your team’s needs.
Adding and Removing Users
Subscription Owners can manage role assignments in the Azure portal under
Access control (IAM). See
Assign Azure roles using the Azure portal
for step-by-step instructions. Only @ucsb.edu accounts can be assigned
roles — external collaborators need a sponsored UCSB account.
Step 4 — Set Subscription Contacts
Configure notification contacts so your team receives security, billing, and health alerts. See Account Contacts for general best practices.
The primary billing contact is managed by the Cloud Team. You configure:
Security alerts (Defender for Cloud):
- Navigate to Microsoft Defender for Cloud → Environment settings.
- Click your subscription → Email notifications.
- Set the email to your team’s functional security address.
- Alert severity: High as a minimum (All recommended).
- Save.
Budget alerts: Add your team’s billing email when you create a budget (see Step 8 below).
Service Health alerts:
- Navigate to Service Health → Health alerts → + Create service health alert.
- Scope to your subscription; choose the services and regions you use.
- Create an Action Group with an Email action pointing to your team’s address.
- Save.
Step 5 — Verify Defender for Cloud
Microsoft Defender for Cloud is enabled on all Campus Cloud subscriptions. Confirm it is active:
- Search for Microsoft Defender for Cloud in the portal.
- Under Environment settings, click your subscription.
- Verify Defender plans are showing as On for the resource types you use (VMs, Storage, SQL, Key Vault, etc.).
If Defender plans are showing as Off, contact the Cloud Team.
Step 6 — Configure Networking (Optional)
If your request included hub-spoke Virtual WAN peering for campus connectivity:
- Navigate to Virtual Networks in your subscription to confirm the VNet exists.
- Check Peerings — it should show a peering to the Campus Cloud hub VNet.
- If the VNet or peering is missing, open a ServiceNow ticket.
Step 7 — Create a Resource Group
All resources must be in a Resource Group. Azure Policy audits Resource Groups for the four required tags — groups missing tags will be flagged as non-compliant.
- Navigate to Resource Groups → + Create.
- Select your subscription and a region (West US 2 recommended).
- Fill in all four required tags:
ucsb:environmentucsb:missionucsb:protection-levelucsb:availability-level
- Click Review + Create.
See Tagging for allowed values.
Step 8 — Set a Budget Alert
Create a cost budget to alert you if spend approaches your expected amount:
- Navigate to Cost Management → Budgets → + Add.
- Set the budget amount, scope (subscription), and reset period (Monthly).
- Configure alert thresholds (e.g., 80% actual, 100% forecasted).
- Set the alert email to your team’s functional email address.
Getting Help
| Issue | Where to go |
|---|---|
| Access problems (can’t sign in, wrong directory) | ServiceNow |
| Tag policy blocking resource group creation | Tagging |
| Missing VNet, networking issues | Networking |
| Policy violations | Guardrails |
| Billing questions | Cost Management |
| Everything else | ServiceNow |