Commit f8667a5

Merge pull request #78577 from alkohli/graph
Resource access, prereqs for deployment
2 parents 1925a3b + 131f850 commit f8667a5

4 files changed

+101
-11
lines changed

articles/databox-online/data-box-edge-deploy-prep.md

Lines changed: 8 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -7,13 +7,12 @@ author: alkohli
77
ms.service: databox
88
ms.subservice: edge
99
ms.topic: tutorial
10-
ms.date: 04/23/2019
10+
ms.date: 06/03/2019
1111
ms.author: alkohli
1212
Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Data Box Edge so I can use it to transfer data to Azure.
1313
---
1414
# Tutorial: Prepare to deploy Azure Data Box Edge
1515

16-
1716
This is the first tutorial in the series of deployment tutorials that are required to completely deploy Azure Data Box Edge. This tutorial describes how to prepare the Azure portal to deploy a Data Box Edge resource.
1817

1918
You need administrator privileges to complete the setup and configuration process. The portal preparation takes less than 10 minutes.
@@ -26,7 +25,6 @@ In this tutorial, you learn how to:
2625
2726
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
2827

29-
3028
### Get started
3129

3230
To deploy Data Box Edge, refer to the following tutorials in the prescribed sequence.
@@ -37,7 +35,7 @@ To deploy Data Box Edge, refer to the following tutorials in the prescribed sequ
3735
| 2. |**[Install Data Box Edge](data-box-edge-deploy-install.md)**|Unpack, rack, and cable the Data Box Edge physical device. |
3836
| 3. |**[Connect, set up, and activate Data Box Edge](data-box-edge-deploy-connect-setup-activate.md)** |Connect to the local web UI, complete the device setup, and activate the device. The device is ready to set up SMB or NFS shares. |
3937
| 4. |**[Transfer data with Data Box Edge](data-box-edge-deploy-add-shares.md)** |Add shares and connect to shares via SMB or NFS. |
40-
| 5. |**[Transform data with Data Box Edge](data-box-edge-deploy-configure-compute.md)** |Configure Edge modules on the device to transform the data as it moves to Azure. |
38+
| 5. |**[Transform data with Data Box Edge](data-box-edge-deploy-configure-compute.md)** |Configure compute modules on the device to transform the data as it moves to Azure. |
4139

4240
You can now begin to set up the Azure portal.
4341

@@ -50,7 +48,11 @@ Following are the configuration prerequisites for your Data Box Edge resource, y
5048
Before you begin, make sure that:
5149

5250
- Your Microsoft Azure subscription is enabled for a Data Box Edge resource. Pay-as-you-go subscriptions are not supported.
53-
- You have owner or contributor access to your subscription.
51+
- You have owner or contributor access at resource group level for the Data Box Edge/Data Box Gateway, IoT Hub, and Azure Storage resources.
52+
53+
- To create any Data Box Edge/ Data Box Gateway resource, you should have permissions as a contributor (or higher) scoped at resource group level. You also need to make sure that the `Microsoft.DataBoxEdge` provider is registered. For information on how to register, go to [Register resource provider](data-box-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
54+
- To create any IoT Hub resource, make sure that Microsoft.Devices provider is registered. For information on how to register, go to [Register resource provider](data-box-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
55+
- To create a Storage account resource, again you need contributor or higher access scoped at the resource group level. Azure Storage is by default a registered resource provider.
5456
- You have admin or user access to Azure Active Directory Graph API. For more information, see [Azure Active Directory Graph API](https://docs.microsoft.com/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
5557
- You have your Microsoft Azure storage account with access credentials.
5658

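Review bot: The added provider bullets (new lines 53 and 54) tell the reader to make sure `Microsoft.DataBoxEdge` and Microsoft.Devices are registered, but the parent bullet now scopes access to the resource group, while the linked section added in this same commit says providers are registered at subscription level. Say here that a subscription admin may have to register the providers first, so a reader holding only resource-group contributor rights knows to ask before hitting the registration error. Smaller points in the same bullets: Microsoft.Devices is not in code formatting while `Microsoft.DataBoxEdge` is, "Data Box Edge/ Data Box Gateway" has a stray space after the slash, and the link text "Register resource provider" does not match the target heading "Register resource providers".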
@@ -59,7 +61,7 @@ Before you begin, make sure that:
5961
Before you deploy a physical device, make sure that:
6062

6163
- You've reviewed the safety information that was included in the shipment package.
62-
- You have a 1 U slot available in a standard 19” rack in your datacenter for rack mounting the device.
64+
- You have a 1U slot available in a standard 19” rack in your datacenter for rack mounting the device.
6365
- You have access to a flat, stable, and level work surface where the device can rest safely.
6466
- The site where you intend to set up the device has standard AC power from an independent source or a rack power distribution unit (PDU) with an uninterruptible power supply (UPS).
6567
- You have access to a physical device.

articles/databox-online/data-box-edge-manage-access-power-connectivity-mode.md

Lines changed: 43 additions & 1 deletion
@@ -7,7 +7,7 @@ author: alkohli
77
ms.service: databox
88
ms.subservice: edge
99
ms.topic: article
10-
ms.date: 03/25/2019
10+
ms.date: 06/03/2019
1111
ms.author: alkohli
1212
---
1313

@@ -51,6 +51,48 @@ The reset workflow does not require the user to recall the old password and is u
5151

5252
![Reset password](media/data-box-edge-manage-access-power-connectivity-mode/reset-password-2.png)
5353

54+
## Manage resource access
55+
56+
To create your Data Box Edge/Data Box Gateway, IoT Hub, and Azure Storage resource, you need permissions as a contributor or higher at a resource group level. You also need the corresponding resource providers to be registered. For any operations that involve activation key and credentials, permissions to Azure Active Directory Graph API are also required. These are described in the following sections.
57+
58+
### Manage Microsoft Azure Active Directory Graph API permissions
59+
60+
When generating the activation key for the Data Box Edge device, or performing any operations that require credentials, you need permissions to Azure Active Directory Graph API. The operations that need credentials could be:
61+
62+
- Creating a share with an associated storage account.
63+
- Creating a user who can access the shares on the device.
64+
65+
You should have a `User` access on Active Directory tenant as you need to be able to `Read all directory objects`. You can't be a Guest user as they don't have permissions to `Read all directory objects`. If you're a guest, then the operations such as generation of an activation key, creation of a share on your Data Box Edge device, creation of a user will all fail.
66+
67+
For more information on how to provide access to users to Azure Active Directory Graph API, see [Default access for administrators, users, and guest users](https://docs.microsoft.com/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
68+
69+
### Register resource providers
70+
71+
To provision a resource in Azure (in the Azure Resource Manager model), you need a resource provider that supports the creation of that resource. For example, to provision a virtual machine, you should have a ‘Microsoft.Compute’ resource provider available in the subscription.
72+
73+
Resource providers are registered on the level of the subscription. By default, any new Azure subscription is pre-registered with a list of commonly used resource providers. The resource provider for ‘Microsoft.DataBoxEdge' is not included in this list.
74+
75+
You don't need to grant access permissions to the subscription level for users to be able to create resources like ‘Microsoft.DataBoxEdge’ within their resource groups that they have owner rights on, as long as the resource providers for these resources is already registered.
76+
77+
Before you attempt to create any resource, make sure that the resource provider is registered in the subscription. If the resource provider is not registered, you'll need to make sure that the user creating the new resource has enough rights to register the required resource provider on the subscription level. If you haven't done this as well, then you'll see the following error:
78+
79+
*The subscription <Subscription name> doesn’t have permissions to register the resource provider(s): Microsoft.DataBoxEdge.*
80+
81+
82+
To get a list of registered resource providers in the current subscription, run the following command:
83+
84+
```PowerShell
85+
Get-AzResourceProvider -ListAvailable |where {$_.Registrationstate -eq "Registered"}
86+
```
87+
88+
For Data Box Edge device, `Microsoft.DataBoxEdge` should be registered. To register `Microsoft.DataBoxEdge`, subscription admin should run the following command:
89+
90+
```PowerShell
91+
Register-AzResourceProvider -ProviderNamespace Microsoft.DataBoxEdge
92+
```
93+
94+
For more information on how to register a resource provider, see [Resolve errors for resource provider registration](https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-register-provider-errors).
95+
5496
## Manage connectivity mode
5597

5698
Apart from the default fully connected mode, your device can also run in partially connected, or fully disconnected mode. Each of these modes is described as below:
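Review bot: The "Register resource providers" section (new lines 69 to 94) only gives the registration command for `Microsoft.DataBoxEdge`, yet the deploy-prep tutorials changed in this commit send readers to this anchor to register Microsoft.Devices as well; add the matching Register-AzResourceProvider line for Microsoft.Devices, or state that the same command applies with that namespace. In the error text on new line 79, <Subscription name> sits unescaped inside the emphasis markers and may be treated as an HTML tag when rendered, so escape it or put the whole message in a code span. Smaller points: the quotes around ‘Microsoft.DataBoxEdge' on new line 73 are mismatched and the namespace is in backticks elsewhere, "the resource providers for these resources is" should be "are", "If you haven't done this as well" does not say what "this" is, and the listing command would read better as Where-Object { $_.RegistrationState -eq "Registered" } with the property name in its usual casing.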

articles/databox-online/data-box-gateway-deploy-prep.md

Lines changed: 6 additions & 2 deletions
@@ -7,7 +7,7 @@ author: alkohli
77
ms.service: databox
88
ms.subservice: gateway
99
ms.topic: tutorial
10-
ms.date: 04/23/2019
10+
ms.date: 06/03/2019
1111
ms.author: alkohli
1212
#Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Data Box Gateway so I can use it to transfer data to Azure.
1313
---
@@ -48,7 +48,11 @@ Here you find the configuration prerequisites for your Data Box Gateway resource
4848
Before you begin, make sure that:
4949

5050
- Your Microsoft Azure subscription should be supported for Data Box Gateway resource. Pay-as-you-go subscriptions are not supported.
51-
- You have owner or contributor access to your subscription.
51+
- You have owner or contributor access at resource group level for the Data Box Edge/Data Box Gateway, IoT Hub, and Azure Storage resources.
52+
53+
- To create any Data Box Edge/ Data Box Gateway resource, you should have permissions as a contributor (or higher) scoped at resource group level. You also need to make sure that the `Microsoft.DataBoxEdge` provider is registered. For information on how to register, go to [Register resource provider](data-box-gateway-manage-access-power-connectivity-mode.md#register-resource-providers).
54+
- To create any IoT Hub resource, make sure that Microsoft.Devices provider is registered. For information on how to register, go to [Register resource provider](data-box-gateway-manage-access-power-connectivity-mode.md#register-resource-providers).
55+
- To create a Storage account resource, again you need contributor or higher access scoped at the resource group level. Azure Storage is by default a registered resource provider.
5256
- You have admin or user access to Azure Active Directory Graph API. For more information, see [Azure Active Directory Graph API](https://docs.microsoft.com/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
5357
- You have your Microsoft Azure storage account with access credentials.
5458

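Review bot: The IoT Hub bullet (new line 54) is the only one of the three nested bullets that does not say which role is required; the Data Box and Storage bullets both say contributor or higher at resource group level, so state the role for IoT Hub too or say the parent bullet covers it. These bullets are also a verbatim copy of the ones added to data-box-edge-deploy-prep.md apart from the link target, which leaves a Gateway tutorial telling the reader about "any Data Box Edge/ Data Box Gateway resource"; consider a shared include or tailoring the wording to Data Box Gateway so the two copies do not drift.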
articles/databox-online/data-box-gateway-manage-access-power-connectivity-mode.md

Lines changed: 44 additions & 2 deletions
@@ -7,7 +7,7 @@ author: alkohli
77
ms.service: databox
88
ms.subservice: gateway
99
ms.topic: article
10-
ms.date: 03/25/2019
10+
ms.date: 06/03/2019
1111
ms.author: alkohli
1212
---
1313

@@ -50,6 +50,48 @@ The reset workflow does not require the user to recall the old password and is u
5050

5151
![Reset password](media/data-box-gateway-manage-access-power-connectivity-mode/reset-password-2.png)
5252

53+
## Manage resource access
54+
55+
To create your Data Box Edge/Data Box Gateway, IoT Hub, and Azure Storage resource, you need permissions as a contributor or higher at a resource group level. You also need the corresponding resource providers to be registered. For any operations that involve activation key and credentials, permissions to Azure Active Directory Graph API are also required. These are described in the following sections.
56+
57+
### Manage Microsoft Azure Active Directory Graph API permissions
58+
59+
When generating the activation key for the Data Box Edge device, or performing any operations that require credentials, you need permissions to Azure Active Directory Graph API. The operations that need credentials could be:
60+
61+
- Creating a share with an associated storage account.
62+
- Creating a user who can access the shares on the device.
63+
64+
You should have a `User` access on Active Directory tenant as you need to be able to `Read all directory objects`. You can't be a Guest user as they don't have permissions to `Read all directory objects`. If you're a guest, then the operations such as generation of an activation key, creation of a share on your Data Box Edge device, creation of a user will all fail.
65+
66+
For more information on how to provide access to users to Azure Active Directory Graph API, see [Default access for administrators, users, and guest users](https://docs.microsoft.com/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
67+
68+
### Register resource providers
69+
70+
To provision a resource in Azure (in the Azure Resource Manager model), you need a resource provider that supports the creation of that resource. For example, to provision a virtual machine, you should have a ‘Microsoft.Compute’ resource provider available in the subscription.
71+
72+
Resource providers are registered on the level of the subscription. By default, any new Azure subscription is pre-registered with a list of commonly used resource providers. The resource provider for ‘Microsoft.DataBoxEdge' is not included in this list.
73+
74+
You don't need to grant access permissions to the subscription level for users to be able to create resources like ‘Microsoft.DataBoxEdge’ within their resource groups that they have owner rights on, as long as the resource providers for these resources is already registered.
75+
76+
Before you attempt to create any resource, make sure that the resource provider is registered in the subscription. If the resource provider is not registered, you'll need to make sure that the user creating the new resource has enough rights to register the required resource provider on the subscription level. If you haven't done this as well, then you'll see the following error:
77+
78+
*The subscription <Subscription name> doesn’t have permissions to register the resource provider(s): Microsoft.DataBoxEdge.*
79+
80+
81+
To get a list of registered resource providers in the current subscription, run the following command:
82+
83+
```PowerShell
84+
Get-AzResourceProvider -ListAvailable |where {$_.Registrationstate -eq "Registered"}
85+
```
86+
87+
For Data Box Edge device, `Microsoft.DataBoxEdge` should be registered. To register `Microsoft.DataBoxEdge`, subscription admin should run the following command:
88+
89+
```PowerShell
90+
Register-AzResourceProvider -ProviderNamespace Microsoft.DataBoxEdge
91+
```
92+
93+
For more information on how to register a resource provider, see [Resolve errors for resource provider registration](https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-register-provider-errors).
94+
5395
## Manage connectivity mode
5496

5597
Apart from the default normal mode, your device can also run in partially disconnected, or disconnected mode. Each of these modes is described as below:
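Review bot: The added section in this Data Box Gateway article still names the other product: "When generating the activation key for the Data Box Edge device" (new line 59), "creation of a share on your Data Box Edge device" (new line 64) and "For Data Box Edge device, `Microsoft.DataBoxEdge` should be registered" (new line 87) were carried over from the Edge article. Reword these for Data Box Gateway and say explicitly that the Gateway resource uses the `Microsoft.DataBoxEdge` namespace, as the deploy-prep bullets imply, so Gateway readers do not conclude the registration step is not meant for them. On new line 64, "You can't be a Guest user as they don't have permissions" switches from "you" to "they"; "Guest users can't perform these operations because they lack" is clearer.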
@@ -76,7 +118,7 @@ To change device mode, follow these steps:
76118

77119
## Manage power
78120

79-
You can shut down or restart your physical and virtual device using the local web UI. We recommend that before you restart, take the shares offline on the host and then the device. This action minimizes any possibility of data corruption.
121+
You can shut down or restart your virtual device using the local web UI. We recommend that before you restart, take the shares offline on the host and then the device. This action minimizes any possibility of data corruption.
80122

81123
1. In the local web UI, go to **Maintenance > Power settings**.
82124
2. Click **Shutdown** or **Restart** depending on what you intend to do.

0 commit comments
