Azure Onboarding
Aspenware is using a security model based on Service Offerings through the Azure Lighthouse product. This model allows Aspenware staff to interact with Azure resources in your Subscription with well-known credentials, allowing for both more seamless AND improved security than we have previously implemented. When the Service Offering is accepted, key Aspenware staff are granted Read access to resources in your designated Azure Subscription. Staff are only granted Contributor access when they have need for that access and then their access is reduced back to Reader after they have completed their work.
Local Terminal
If you have used PowerShell on your local workstation it may be easiest to execute the onboarding package on your local workstation. In order to do so you must have already installed the AZ module and connected to your Azure account. Instructions for doing so are beyond the scope of this document but more information can be found here.
Unpack the zip file you received into a temporary folder on your local workstation.
Open a PowerShell, Windows Terminal, or other console window and change to the temporary folder created in the previous step.
Type the following commands:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
Registration-Helper.ps1 -OfferTemplate ./ServiceOfferingTemplate.json -ParameterFile ./your-resort.json
Cloud Shell
If you are not comfortable with PowerShell on your local workstation, or do not have it installed, Azure offers a command line interface directly in the browser that can make this process relatively simple. More information about using Azure Cloud Shell can be found here.
Open the Azure Portal in your browser.
Click the “Cloud Shell” icon just to the right of the Search bar near the top of the page.
Click the “Upload/Download Files” icon in the Cloud Shell bar.
Select “Upload” and then find and select the onboarding files that you received and unpacked earlier.
When the files are uploaded, type the following command at the Cloud Shell prompt:
Registration-Helper.ps1 -OfferTemplate ./ServiceOfferingTemplate.json -ParameterFile ./your-resort.json
Register Service Offering
This will process for several minutes.
If it completed successfully you will see a message directing you to open the Service Providers blade to continue.
If this is the first time that you have added or updated the Managed Services Offering you may see the following message. If so, a necessary operation has been started that may take up to 30 minutes to complete in the background. Retry the command again in 15 minutes
Registering the Managed Services provider... WARNING: Required provider registration may take up to 30 minutes to complete! WARNING: Please run this command again after 15 minutes. If you see this message again please contact support.
After seeing the previous message that a provider registration is in progress and retrying the command after a reasonable interval you may encounter the following message. If so, try the command again after another 15 minutes has passed.
WARNING: One or more ResourceTypes in the Managed Services provider is still being registerd. Please wait 15 minutes and try this command again.
If you continue to see the warning that a Resourcetype is still being registered after more than an hour has elapsed since the first command was run, please contact support.
Delegate Resources
Once you have opened the Service Providers blade you should see an entry for the new Managed Services Offering similar to the screenshot. Click the
+
icon near the end of the entry.Delegate Subscriptions
If the only resources in a Subscription will be Aspenware applications, the simplest model will be to delegate access to the entire Subscription.
On the Delegate Resources page, click the “+ Delegate Subscriptions” button.
A “Delegate Subscriptions” pane will appear on the right side of the page. Check the box next to the Azure Subscription that will be hosting the Aspenware Commerce instance(s). Then click the “Delegate Resources” button at the bottom of the pane.
Delegate Resource Groups
If you are hosting other applications or resources in a Subscription that will be hosting Aspenware resources then you will want to delegate access to only the Aspenware resource groups. You must have created the required Resource Groups prior to proceeding. Contact support to get the list of Resource Groups that need to be created.
On the Delegate Resources page, click the “+ Delegate resource groups” button.
A “Delegate Resource Groups” pane will appear on the right side of the page. Check the boxes next to each Resource Group that you were asked to create prior. Then click the “Delegate Resources button on the bottom of the pane.
The “Delegate Resources” page should now show the selected resources. Check the box near the bottom of the screen to accept the delegation as displayed, and then click the “Delegate” button.
After a minute or two you should see a notification that the delegation was successful!
At any time you can view the delegations you have granted from the Service Providers - Delegations page.
Common Troubleshooting Guide
Q: What is the default access granted?
By default most Aspenware staff are granted Reader access to the entire Subscription that you designate. This means that generally they can view resources in the subscription, their status, and some details about the resource configuration. Because we have often received questions about the cost for various resources we are also granting Billing Reader access which allows staff to see basic information about price and cost information about resources but NOT specific billing information.
Q: How do you control who can make changes?
When we set up the Service Offering we generate a set of Azure AD Groups in our directory. One group for the Reader/Billing reader access, one group for Contributor access, and one group for the limited Access Administration access. When someone on staff needs to make changes to resources in your Subscription that person’s account is added to the appropriate Contributor group. When they have completed their work their account is removed from that group.
Q: Why can’t we continue using the old ways that we granted access?
Previously access was granted to most client’s resources by either creating a specific account for Aspenware staff to use in your directory or by inviting a shared account from our directory into your directory. Use of shared accounts is by its nature a problematic practice because it involves multiple people using the same credential which is contra-indicated in almost all circumstances. By removing the use of shared credentials we are protecting both your and our assets in the cloud and on premise.
Q: Are there alternatives to this access model?
Yes, but it will require significantly more work and regular intervention from your IT staff. If that is something your organization is comfortable with and able to accommodate we would be glad to talk with you about an alternate configuration. Please note we will NOT be using any configurations that make use of shared credentials. We currently have a strong preference for re-using our existing Azure AD credentials in your directory but are open to conversations about per-user credentials created in your directory.
Q: Can we terminate Aspenware access to our resources through the service offering?
At any time you may terminate access by opening the Service Provider Offers in the Azure Portal and delete the Aspenware service offering.