File: articles/lighthouse/how-to/publish-managed-services-offers.md
Lines changed: 11 additions & 58 deletions
@@ -4,7 +4,7 @@ description: Learn how to publish a managed service offer that onboards customer
4
4
author: JnHs
5
5
ms.author: jenhayes
6
6
ms.service: lighthouse
7
-
ms.date: 10/17/2019
7
+
ms.date: 11/11/2019
8
8
ms.topic: overview
9
9
manager: carmonm
10
10
---
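Review bot: the ms.date bump to 11/11/2019 is consistent with the content rewrite further down in this commit, so nothing to change here; one style point visible in the surrounding context is that the file lives under how-to/ yet keeps ms.topic: overview, which may be worth aligning with the article type if the docs template distinguishes the two.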
@@ -76,10 +76,10 @@ Finally, add one or more **Authorization** entries to your plan. Authorizations
76
76
77
77
For each **Authorization**, you'll need to provide the following. You can then select **New authorization** as many times as needed to add more users and role definitions.
78
78
79
-
-**Azure AD Object ID**: The Azure AD identifier of a user, user group, or application which will be granted certain permissions (as described by the Role Definition) to your customers' resources.
80
-
-**Azure AD Object Display Name**: A friendly name to help the customer understand the purpose of this authorization. The customer will see this name when delegating resources.
81
-
-**Role Definition**: Select one of the available Azure AD built-in roles from the list. This role will determine the permissions that the user in the **Azure AD Object ID** field will have on your customers' resources. For descriptions of these roles, see [Built-in roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) and [Role support for Azure delegated resource management](../concepts/tenants-users-roles.md#role-support-for-azure-delegated-resource-management)
82
-
-**Assignable Roles**: This is required only if you have selected User Access Administrator in the **Role Definition** for this authorization. If so, you must add one or more assignable roles here. The user in the **Azure AD Object ID** field will be able to assign these **Assignable Roles** to [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview), which is required in order to [deploy policies that can be remediated](deploy-policy-remediation.md). Note that no other permissions normally associated with the User Access Administrator role will apply to this user. If you do not select one or more roles here, your submission will not pass certification. (If you did not select User Access Administrator for this user’s Role Definition, this field has no effect.)
79
+
-**Azure AD Object ID**: The Azure AD identifier of a user, user group, or application which will be granted certain permissions (as described by the Role Definition) to your customers' resources.
80
+
-**Azure AD Object Display Name**: A friendly name to help the customer understand the purpose of this authorization. The customer will see this name when delegating resources.
81
+
-**Role Definition**: Select one of the available Azure AD built-in roles from the list. This role will determine the permissions that the user in the **Azure AD Object ID** field will have on your customers' resources. For descriptions of these roles, see [Built-in roles](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) and [Role support for Azure delegated resource management](../concepts/tenants-users-roles.md#role-support-for-azure-delegated-resource-management)
82
+
-**Assignable Roles**: This is required only if you have selected User Access Administrator in the **Role Definition** for this authorization. If so, you must add one or more assignable roles here. The user in the **Azure AD Object ID** field will be able to assign these **Assignable Roles** to [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview), which is required in order to [deploy policies that can be remediated](deploy-policy-remediation.md). Note that no other permissions normally associated with the User Access Administrator role will apply to this user. If you do not select one or more roles here, your submission will not pass certification. (If you did not select User Access Administrator for this user’s Role Definition, this field has no effect.)
83
83
84
84
> [!TIP]
85
85
> In most cases, you'll want to assign permissions to an Azure AD user group or service principal, rather than to a series of individual user accounts. This lets you add or remove access for individual users without having to update and republish the plan when your access requirements change. For additional recommendations, see [Tenants, roles, and users in Azure Lighthouse scenarios](../concepts/tenants-users-roles.md).
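Review bot: the four replaced lines read identically before and after in this view, so the change appears to be whitespace or line-ending only; while these lines are being touched, note that a hyphen immediately followed by bold text (`-**Azure AD Object ID**: ...`) is not treated as a list item by CommonMark-style renderers, which require a space after the marker, so `- **Azure AD Object ID**: ...` would be safer for all four entries, and the **Role Definition** entry is missing a period after its second link.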
@@ -138,62 +138,15 @@ Once you've completed all of the sections, your next step is to publish the offe
138
138
139
139
## The customer onboarding process
140
140
141
-
When a customer adds your offer, they will be able to [delegate one or more specific subscriptions or resource groups](view-manage-service-providers.md#delegate-resources) which will then be onboarded for Azure delegated resource management. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Provider offers** section of the [**Service providers**](view-manage-service-providers.md) page in the Azure portal. If a user in the customer's tenant is unable to perform this delegation, it's probably because they don't have the Owner role for the subscription. To find users who can delegate the subscription, the user can select the subscription in the Azure portal, open **Access control (IAM)**, and [view all users with the Owner role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#view-roles-and-permissions).
141
+
After a customer adds your offer, they'll be able to [delegate one or more specific subscriptions or resource groups](view-manage-service-providers.md#delegate-resources), which will then be onboarded for Azure delegated resource management. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Provider offers** section of the [**Service providers**](view-manage-service-providers.md) page in the Azure portal.
142
142
143
-
Before a subscription (or resource groups within a subscription) can be onboarded, the subscription must be authorized for onboarding by manually registering the **Microsoft.ManagedServices** resource provider. A user in the customer's tenant with the Contributor or Owner role can do this by following the steps outlined in [Azure resource providers and types](../../azure-resource-manager/resource-manager-supported-services.md).
144
-
145
-
The customer can then confirm that the subscription is ready for onboarding in one of the following ways.
146
-
147
-
### Azure portal
148
-
149
-
1. In the Azure portal, select the subscription.
150
-
1. Select **Resource providers**.
151
-
1. Confirm that **Microsoft.ManagedServices** shows as **Registered**.
152
-
153
-
### PowerShell
154
-
155
-
```azurepowershell-interactive
156
-
# Log in first with Connect-AzAccount if you're not using Cloud Shell
This should return results similar to the following:
163
-
164
-
```output
165
-
ProviderNamespace : Microsoft.ManagedServices
166
-
RegistrationState : Registered
167
-
ResourceTypes : {registrationDefinitions}
168
-
Locations : {}
169
-
170
-
ProviderNamespace : Microsoft.ManagedServices
171
-
RegistrationState : Registered
172
-
ResourceTypes : {registrationAssignments}
173
-
Locations : {}
174
-
175
-
ProviderNamespace : Microsoft.ManagedServices
176
-
RegistrationState : Registered
177
-
ResourceTypes : {operations}
178
-
Locations : {}
179
-
```
180
-
181
-
### Azure CLI
182
-
183
-
```azurecli-interactive
184
-
# Log in first with az login if you're not using Cloud Shell
185
-
186
-
az account set –subscription <subscriptionId>
187
-
az provider show --namespace "Microsoft.ManagedServices" --output table
188
-
```
143
+
> [!IMPORTANT]
144
+
> Delegation must be done by a non-guest account in the customer’s tenant which has the [Owner built-in role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#owner) for the subscription being onboarded (or which contains the resource groups that are being onboarded). To see all users who can delegate the subscription, a user in the customer's tenant can select the subscription in the Azure portal, open **Access control (IAM)**, and [view all users with the Owner role](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#view-roles-and-permissions).
189
145
190
-
This should return results similar to the following:
146
+
After the customer delegates a subscription (or one or more resource groups within a subscription), the **Microsoft.ManagedServices** resource provider will be registered for that subscription, and users in your tenant will be able to access the delegated resources according to the authorizations in your offer.
191
147
192
-
```output
193
-
Namespace RegistrationState
194
-
------------------------- -------------------
195
-
Microsoft.ManagedServices Registered
196
-
```
148
+
> [!NOTE]
149
+
> At this time, subscriptions (or resource groups within a subscription) can't be delegated if the subscription uses Azure Databricks. Similarly, if a subscription (or resource groups within a subscription) has already been delegated, it currently isn't possible to create Databricks workspaces in that subscription.
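Review bot: the replacement removes every way for the customer to verify the Microsoft.ManagedServices registration state (the portal steps, the PowerShell block and the `az provider show` table) without saying that manual registration is no longer required, so readers of the previous revision may still register the provider by hand or be unsure why a delegation failed; suggest adding a sentence to the new paragraph such as "You no longer need to register this resource provider manually" and keeping one short verification command. The IMPORTANT note correctly narrows the requirement from "Contributor or Owner" to a non-guest account holding the Owner role on the subscription, which is the right least-privilege statement for an operation that grants a third-party tenant access to the customer's resources. The new NOTE on Azure Databricks uses "at this time" and "currently" with no pointer to where the limitation is tracked, so it will be hard to know when to retire it.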