Subscription Enrollment

Subscription Enrollment

Introduction

myDRE is designed to work with one or more Microsoft Azure subscriptions of the Tenant (=client); all the Workspaces and related resources of the Tenant are deployed in those Subscriptions.

This document describes the full process, which is in part an interaction between the Tenant and anDREa BV and will take about one (1) hour. Other than stipulated in the requirements, there is no other preparation needed from the client. 

Duration:
  1. 1st time (new client): approximately 1 hour
  2. Additional subscriptions: 10-20 minutes

  1. Offboarding and Exit Strategy
  2. Multi-Region Implementation

Requirements

  1. Client has a Microsoft Azure contract
  2. Online meeting planned of about 1 hour
    1. Client side: person/people with privileges /roles:
      1. AAD Membership
      2. Subscription Owner
      3. At least one person who will be in the role Support Team
        1. Name, email address
        2. See also (Core) Support Team Profile
    2. anDREa side: person with role:
      1. global admin

Process

Subscription Placement

For Subscription enrolment for Tenants with already existing Support Team, please jump to Add Subscription section.


When a new tenant needs to be onboarded a new management group should be created under the path Dre Workspaces -> Production Stage Workspaces
To add a new management group, follow the below steps:

  1. Navigate to the desired parent management group. In this case Production Stage Workspaces
  2. Create a new management group by clicking on the Add Management Group button as shown below
  3. Complete the form presented to create a new management group.
    1. Management Group ID: This should be of the form mg-andrea-<tenant_abbreviation
    2. Management Group Display Name: This can be any display name of your choice. It is recommended to use complete tenant name e.g. OrganizationX University Medical Center

Create Security Group

When a new tenant is onboarded an Azure Active Directory security group needs to be created. To add a new security group follow the below steps

  1. Navigate to the group sections of Azure Active Directory by clicking here 
  2. Create a new group by clicking on New group as shown below

  3. Complete the form presented
    Field
    Value
    Group Type
    Security
    Group Type
    A name of the form: ST-<tenant_abbreviation> The name of the security group should match the exact tenant_abbreviation used in the previous step while creating the management group.
    Group description
    A
    Azure AD roles can be assigned to the group (Preview)
    		No
    Membership type
    Assigned
    Owners
    One or more owners for the group. These are users who can add or remove members of the support team. You can add or remove members later as well.
    Members
    One or more members of the group. These are the support team members of the tenant. You can add or remove members later as well.


Configure Management Group

Ensure the correct roles and permissions are set on the management group.

  1. Open Management Groups in Azure Portal by searching for it in the top search bar. Alternatively, you can click here  if you are already logged into your tenant.

  2. Navigate to the details section of the desired management group by clicking on the link as shown below

  3. In the details pane, click on Access Control (IAM) as shown below

  4. Under Check Access section on the right check if correct access has been set.
    1. Ensure Digital Research Environment (Andrea) - Self-Service has Owner rights on the Inherited Management Group scope.

    2. Ensure Digital Research Environment - DevOps has Owner rights on the Inherited Management Group scope.

    3. Ensure CST has Reader rights on the Inherited Management Group Scope.

    4. Ensure Andrea Policy Worker AAD Group has DRE Workspace Policy Worker rights on the inherited Management Group scope.

    5. Ensure ST-<tenant_abbreviation> has Reader rights on the Tenant Management Group Scope.

    6. Ensure ST-<tenant_abbreviation> has Policy Insights Data Writer (Preview) rights on the Tenant Management Group Scope.

    7. Ensure anDREa Ops Support AAD Group has DRE-Ops VM Maintainer rights on the inherited Management Group scope. 


Add Subscription

This part, till the 'green' section takes between 10-20 minutes. If a subscription was already created, it might be done quicker.

  1. Decide on Microsoft Azure region
    1. All storing and processing of data takes place in the chosen region
    2. See: Multi-Region Implementation
  2. Check requirements
    1. Subscription must be Pay-As-You-Go (not free tier subscription like Microsoft Partner Network)
    2. Subscription cannot be of the type:
      MS-AZR-0015P
      MS-AZR-0144P
      MS-AZR-0145P
      MS-AZR-0146P
      MS-AZR-0159P
  3. Create subscription and add Owner role
    1. Create a Subscription in the EA Portal of your tenant or request a subscription via the CSP Vendor.
    2. Select the Subscription from Azure Portal.
    3. Go to IAM -> Role Assignments
    4. Add role assignment (good practice: is to have 2 Owners)
    5. Role: Owner
    6. Assign access to Azure AD user, group, or service principle
    7. Select: <(Core) Support Team member>
    8. Click: Save
      If the (Core) Support Team member(s) already have an anDREa account go to step 3, otherwise:
      1. Email the email addresses of (Core) Support Team Members to support@mydre.org
      2. Inform (Core) Support Team Members they will receive an email with instructions from anDREa

        A. anDREa adds the user to anDREa AAD
        User will be added to anDREa AAD
        The User will get in anDREa the Owner role of the target Subscription(s)-
        B. Add Subscription Owners to anDREa AAD (only needed when they don't have an anDREa account already)
        The Subscription Owners get a personalized message from anDREa
        Click: Accept

        Sign up for MFA when asked (MFA is always required)
        Best to do this non on your phone for then you can use the QR-code to register in Microsoft Authenticator
  4. Prepare Subscription
    1. Click on Subscription
    2. Press: Change Directory
    3. Select: mydre.org 
    4. Rename the Subscription: PX<xxxxx>-DRE-<tenant>-WORKSPACES (will be provided by anDREa)
    5. Be patient, this might take a while
    6. Change directory to: mydre.org 
    7. Be patient, the move can take up to 25 minutes to be complete
      Based on experience, this is a good point to stop the online meeting.
      The additional steps can be dealt with by anDREa, once completed we'll contact the Support Team member and do a Workspace creation test to verify everything went okay.
  5. Associate Subscription
    1. Click on the Subscription
    2. Click on: IAM
    3. Click on: Add, Role Assignments
    4. Role: Owner
    5. Assign access to: Azure AD user, group, or service principle
    6. Select: licenseadmin@mydre.org
    7. Click: Save

Workspace Subscription Configuration

It is now time to configure the subscription for workspace creation. Please contact the DevOps team with the below details. After the below details are received by the DevOps team a new configuration is created in Azure DevOps Library for this subscription and the Andrea.Environment pipeline is executed that prepares your subscription for workspace provisioning.

Field
Value
Subscription Id
This is the GUID of the subscription you added to the tenant management group.
Subscription Name
This is the name of the subscription you added to the tenant management group.


TBD

  1. Ensure Azure AD Security group for Everyone is added as a Management Group Reader to root workspace management group. This should happen automatically when the subscription is placed under the correct management group.
  2. Ensure that that Azure AD Security group Everyone-<Tenant> to the Everyone Security group as a member.
  3. Image Gallery:
    1. Ensure that ST-<Tenant> has read permissions on the gallery image(s) for the tenant or the common images.


    • Related Articles

    • Additional Subscription Enrolment

      Introduction This procedure describes the process for existing Tenants to add additional Azure Subscriptions. Typical use cases: Current Azure Subscription(s) have only room for a couple more Workspace (max 100 Workspaces per Azure Subscription) An ...

    • myDRE as a SaaS

      Introduction myDRE is a product developed and maintained by anDREa BV that allows a Service Provider to offer services to Tenants. Each Tenant is able to self-service create Workspaces for storing and processing data. The Service Provider operates ...

    • Terms & Definitions

      Accountable The person who is fully accountable for a Workspace, including but not limited to: costs, access, data, software licenses. Accountable is role used in the myDRE in the context of a specific Workspace; i.e. the role is Person-Workspace ...

    • Available Microsoft Regions

      Introduction As an organization you might want to store and process data in a region other than the current default West Europe. This might be needed because regulation and collaboration requirements. Or that certain services you need can only run in ...

    • Multi-Region Implementation

      Introduction As an organization you might want to store and process data in a region other than the current default West Europe. This might be needed because regulation and collaboration requirements. Or that certain services you need can only run in ...