Onboarding Stage 1: Configuring Access to Azure
The first thing we need to do is obtain least-privileged access to your environment for our engineers and tooling.
This page gives you a view of how our secure access solution works. During onboarding we will discuss this in detail and answer any questions you may have.
When you're comfortable with how our Access Solution works, we will share a link with you that you can simply click to automate the access configuration in your environment.
Some admin privileges are granted automatically when we establish a reseller relationship with you. However, this is not enough to manage or support your tenant or resources. Other types of access must be granted to us by you.
There are two levels of admin privileges for Azure in CSP: (1) Tenant-level admin privileges and (2) Subscription-level admin privileges.
There will be an additional cost billed if the required administrator privileges are removed. Refer to your contract and catalog for the specifics.
Tenant-level admin privileges
Tenant-level admin privileges give us access to your tenant with the least privilege needed, following Zero Trust principles. As your Partner managing Azure, we no longer receive the Global Administrator role on your tenant; by default we receive lower-privileged roles that allow us to read your directory.
A Reseller Relationship is a record of you as a customer, created in Microsoft Partner Center, that allows SoftwareOne to manage subscriptions, billing, or provide support.
Granular Delegated Admin Privileges (GDAP): the billing partner is granted owner access by default by Microsoft. This access is assigned to the SoftwareOne Spend Management and Cost Optimization Platform, used by the SoftwareOne operations team for cost management (billing) and provisioning of Cloud Accounts, and to the administrative accounts of SoftwareOne support engineers so they can open tickets with Microsoft on your behalf. The GDAP roles requested are (1) Directory Readers, (2) Service Support Administrator, (3) Global Reader and (4) Billing Administrator.
Consequences of not having GDAP
SoftwareOne won't be able to raise a Microsoft support request on your behalf.
SoftwareOne won't be able to support you on tenant-level issues.
The Cloud Application Administrator role is initially required in GDAP to onboard you to Lighthouse. This role can be removed afterwards so that tenant-level access stays at the least privilege required.
You can also onboard yourself to Lighthouse if you do not want to add this role due to security concerns.
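As an added example (not SoftwareOne's own tooling), the following script requests a GDAP relationship that carries exactly the four roles listed above and nothing more, using Microsoft Graph v1.0 from the partner tenant. The customer tenant ID, the relationship name and the two-year duration are assumed placeholders; the roleDefinitionId values are the Microsoft Entra role template IDs for those roles.

```powershell
# Added example (not SoftwareOne's tooling): request a GDAP relationship limited to the
# four roles named on this page, via Microsoft Graph from the partner tenant.
# Assumed placeholders: the customer tenant ID, the display name and the duration.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Authentication).
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.ReadWrite.All'

# Microsoft Entra role template IDs for the roles the page lists.
$roles = @{
    'Directory Readers'             = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'
    'Service Support Administrator' = 'f023fd81-a637-4b56-95fd-791ac0226033'
    'Global Reader'                 = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
    'Billing Administrator'         = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'
}
$globalAdmin = '62e90394-69f5-4237-9190-012177145e10'   # must NOT appear in the request

$body = @{
    displayName   = 'SoftwareOne GDAP (least privilege)'          # assumed name
    duration      = 'P730D'                                        # ISO 8601; two years is the maximum
    customer      = @{ tenantId = '00000000-0000-0000-0000-000000000000' }   # assumed placeholder
    accessDetails = @{
        unifiedRoles = @($roles.Values | ForEach-Object { @{ roleDefinitionId = $_ } })
    }
}

# Create the relationship; it starts in 'created' status and grants nothing yet.
$rel = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships' `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Lock it and send it for approval. Access exists only after a Global Administrator
# in the customer tenant approves the relationship.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($rel.id)/requests" `
    -Body (@{ action = 'lockForApproval' } | ConvertTo-Json) -ContentType 'application/json'

# Check on either side: the role list should be exactly the four above, never Global Administrator.
$granted = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($rel.id)").accessDetails.unifiedRoles
if ($granted.roleDefinitionId -contains $globalAdmin) { throw 'Global Administrator found in GDAP request' }
$granted.roleDefinitionId
```

The customer-side check is the one that matters: before approving in the Microsoft 365 admin center, compare the roles shown in the approval request against this list. The relationship only carries roles; which partner security groups actually receive them is a separate access assignment step in Partner Center, so the Cloud Application Administrator role mentioned above, if you agree to it for Lighthouse onboarding, would be a fifth entry here that you can later ask to have removed.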
Subscription-level admin privileges
Subscription-level admin privileges give us complete access to your Azure CSP subscriptions. This access allows us to provision and manage your Azure resources. As your Partner, we receive subscription-level admin privileges by default on subscriptions that we create for you.
Lighthouse enables authorized SoftwareOne support engineers to perform management operations or provide support on your Cloud Accounts. SoftwareOne support engineers have Read Only access by default. Privileged access (the Contributor, Log Analytics Contributor, Managed Services Registration assignment Delete Role and User Access Administrator roles) is granted temporarily in case of an Incident or Service Request, with approval of their SoftwareOne supervisor and of you, the Customer. All activities are logged in the Azure Activity Log, which is retained for ninety (90) days by default.
Consequences of not having Lighthouse
It is inefficient for a Services Provider like SoftwareOne to manage thousands of tenants without it.
No group/lifecycle management, constantly switching between Azure Active Directory tenants, no aggregated view or reports, and automated tools require manual effort for each tenant.
The Foreign Principal allows us to interact with your subscriptions through federated access and provide the necessary support within the scope of Azure. It provides subscription-level privileges. This access is important when our Support team needs to open a Microsoft ticket on your behalf. The roles requested are (1) Reader and (2) Support Request Contributor.
Consequences of not having Foreign Principal
SoftwareOne will not be able to open Microsoft Tickets on a customer’s behalf.
Conditional Access Policies
If any of your Conditional Access policies would block this access, an appropriate exception for SoftwareOne access must be configured on your side.
Architectural Overview
The following diagram shows the Azure Lighthouse based implementation utilised by SoftwareOne to access your environment.

Lighthouse uses your Azure subscription's native "Microsoft.ManagedServices" resource provider to create a delegation to our Lighthouse directory (our Azure Active Directory tenant).
The delegation allows members of specific groups in our directory to access your subscription. Following the principle of least privilege, we add our engineers and tools (via Enterprise Apps) to those groups.
The groups have Read-Only access by default, which allows our engineers to troubleshoot without making changes.
If a change is required, our engineers need a ticket from you. The engineer uses that ticket ID to gain privileged access. This ensures both you and SoftwareOne know why the access was requested.
Azure Privileged Identity Management
To gain write access to your environment, an engineer must go through a privileged access process that grants write access temporarily.
The process includes documenting the Ticket number and giving a summary reason for the access.
The access is temporary and is automatically removed after four hours.
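The delegation described in the Architectural Overview and the four-hour time-boxed write access described under Azure Privileged Identity Management can be expressed in a single Azure Lighthouse registration: permanent Reader authorizations for the partner groups, and an eligible (just-in-time) Contributor authorization whose activation requires MFA and an approver and expires after PT4H. The script below is an added example, not SoftwareOne's onboarding template; the managing tenant ID, group object IDs, approver ID, display names, offer name and deployment region are assumed placeholders. It is run by a customer user who holds Owner on the subscription being delegated.

```powershell
# Added example (not SoftwareOne's template): Lighthouse delegation that is read-only by
# default and allows Contributor only through a 4-hour, MFA-gated, approved JIT activation.
# Assumed placeholders: tenant/group/approver IDs, display names, offer name and region.
$managedByTenantId = '11111111-1111-1111-1111-111111111111'   # partner (managing) tenant
$readersGroup      = '22222222-2222-2222-2222-222222222222'   # partner group with permanent Reader
$engineersGroup    = '33333333-3333-3333-3333-333333333333'   # partner group eligible for Contributor
$approver          = '44444444-4444-4444-4444-444444444444'   # partner supervisor who approves activations
$offerName         = 'SoftwareOne managed services'           # assumed offer name

# Azure built-in role definition IDs (the same in every subscription).
$Reader                  = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
$Contributor             = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
$LogAnalyticsContributor = '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
$DelegationDeleteRole    = '91c1777a-f3dc-4fae-b103-61d183457e46'  # Managed Services Registration assignment Delete Role

$jit = @{
    multiFactorAuthProvider   = 'Azure'   # MFA in the managing tenant is required to activate
    maximumActivationDuration = 'PT4H'    # access is removed automatically after four hours
    managedByTenantApprovers  = @(@{ principalId = $approver; principalIdDisplayName = 'SWO Supervisor' })
}

$definitionId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', guid('$offerName'))]"
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2022-10-01'
            name       = "[guid('$offerName')]"
            properties = @{
                registrationDefinitionName = $offerName
                description       = 'Read-only by default; write access only via JIT activation against a ticket'
                managedByTenantId = $managedByTenantId
                # Permanent authorizations: read-only, plus the role that lets the partner remove its own delegation.
                authorizations = @(
                    @{ principalId = $readersGroup;   principalIdDisplayName = 'SWO Readers';   roleDefinitionId = $Reader }
                    @{ principalId = $engineersGroup; principalIdDisplayName = 'SWO Engineers'; roleDefinitionId = $Reader }
                    @{ principalId = $engineersGroup; principalIdDisplayName = 'SWO Engineers'; roleDefinitionId = $DelegationDeleteRole }
                )
                # Eligible authorizations: held only after activation, never standing.
                eligibleAuthorizations = @(
                    @{ principalId = $engineersGroup; principalIdDisplayName = 'SWO Engineers'; roleDefinitionId = $Contributor;             justInTimeAccessPolicy = $jit }
                    @{ principalId = $engineersGroup; principalIdDisplayName = 'SWO Engineers'; roleDefinitionId = $LogAnalyticsContributor; justInTimeAccessPolicy = $jit }
                )
            }
        }
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2022-10-01'
            name       = "[guid('$offerName')]"
            dependsOn  = @($definitionId)
            properties = @{ registrationDefinitionId = $definitionId }
        }
    )
}

# Run from the customer tenant, in the subscription being delegated (Owner required).
Connect-AzAccount
Set-AzContext -Subscription '55555555-5555-5555-5555-555555555555'   # assumed placeholder
New-AzSubscriptionDeployment -Name 'lighthouse-onboarding' -Location 'westeurope' -TemplateObject $template

# Customer-side check: what is delegated, and to whom.
Get-AzManagedServicesDefinition
Get-AzManagedServicesAssignment
```

Two points worth checking against your own policy. First, the approvers in a Lighthouse eligible authorization live in the managing tenant (here the SoftwareOne supervisor); the customer-side approval described above is carried by the ticket ID the engineer quotes as activation justification, not by an approver in your tenant. Second, User Access Administrator is listed on this page among the privileged roles but is not in this example: in Lighthouse it is only supported for the limited purpose of assigning roles to managed identities, so if it is requested, expect it to appear as a permanent authorization with an explicit list of delegatable role IDs rather than as a JIT role.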
Logging & Tracing
All SoftwareOne activity in your environment is logged and stored in your own environment, and each entry shows the SoftwareOne user doing the work by their unique email address.
Your Azure Activity Log operates at the subscription level and provides insight into the operations performed on each Azure resource.
There is a single Activity Log per Azure subscription. By default it is retained for 90 days; its entries are generated by the platform and cannot be changed or deleted.
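Because the Activity Log is per subscription, immutable, and dropped after 90 days, the check a customer wants is a periodic pull of the partner's entries from the delegated subscription, reviewed against the tickets that justified any write. The script below is an added example, not SoftwareOne's tooling; the partner sign-in domain and the subscription ID are assumed placeholders.

```powershell
# Added example (not SoftwareOne's tooling): list what the delegated partner did in your
# subscription and keep a copy before the entries age out of the Activity Log.
# Assumed placeholders: the partner's sign-in (UPN) domain and the subscription ID.
$partnerDomain = 'partner.example'

# One Activity Log per subscription: select the delegated subscription first.
Set-AzContext -Subscription '55555555-5555-5555-5555-555555555555'

# Retention is 90 days; stay just inside it so the query is not rejected.
$since  = (Get-Date).AddDays(-89)
$events = Get-AzActivityLog -StartTime $since -MaxRecord 100000 |
    Where-Object { $_.Caller -like "*@$partnerDomain" }

# Each operation produces Started/Succeeded/Failed entries; keep the completed ones.
# Every write here should map to a ticket ID quoted in the JIT activation.
$events |
    Where-Object { $_.Status -eq 'Succeeded' } |
    Sort-Object EventTimestamp |
    Select-Object EventTimestamp, Caller, OperationName, ResourceId |
    Format-Table -AutoSize

# Entries cannot be edited, but they disappear after 90 days: export your own copy.
$events | Export-Csv -Path ".\partner-activity-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Callers are shown by the partner user's sign-in name, which is what the page means by "unique email address"; if you need the record for longer than 90 days, a diagnostic setting that sends the subscription's Activity Log to a Log Analytics workspace or storage account in your own tenant removes the need for manual exports.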
Further Reference
What is Azure delegated resource management?
Role support for Azure Lighthouse
Enhanced services and scenarios
Azure Lighthouse and the Cloud Solution Provider program