Transcription
Microsoft Azure GovernmentOnboarding GuideUpdated March 2017
Agenda1
Microsoft Azure Government is a government-community cloud that offers hyperscale compute, storage,networking, and identity management services with world-class security.Provides a physical and network-isolated instance of Microsoft Azure.Offers a roadmap for meeting rigorous compliance demands (i.e. FedRAMP, CJIS, and HIPAA) of agovernment-only cloud.Provides rich infrastructure, storage, and identity management capabilities delivered through cloud,on-premises, and hybrid solutions.Stores data within the United States.Provides screened U.S. citizens and policies to help protect customer data and applications.2
Azure Government HierarchyEnrollment Enterprise Agreement Invoice Level Optional layer in the hierarchy Example: Department A IT Department B Finance Provision within Azure Gov AADExample: Account A PM of Project 1 Account B PM of Project 2 Service LayerExample: Subscription 1 Dev Subscription 2 ProdDepartment AAccount ASubscription 1Subscription 2Department BAccount BAccount CAccount DSubscription 3Subscription 4Subscription 53
Azure Government Portals OverviewEnterprise Portalea.azure.comFunction account.windowsazure.usportal.azure.us ScreenshotRoles *Note: The classic version of the Azure Management Portal is stillavailable at manage.windowsazure.us*4
Azure Government Roles & Azure Active Directory (AAD) AssociationsEnterprise PortalEnterprise AdminGOVAADO365AADDepartment AdminGOVAADO365AADGOVAADGOVAADGOVAADGOVAADNote: Additional Role Based Authentication Control (RBAC) roles can be found here5
Azure Government Account OverviewGovAADMicrosoft Account(Live.com, Outlook.com, Hotmail.com)O365AADEnterprise AdminDepartment AdminNot recommended for use in AzureGovernmentCan be used only in the Enterprise PortalCan be used in all roles in all portals6
Azure AAD ConsiderationsYou can connect your on premise ActiveDirectory to either O365 Azure ActiveDirectory or Azure Government Azure ActiveDirectory.On-Premises (Customer)In the cloudO365 AADAD on rosoft.comAzure Gov AADuser@AzureGovDomain.onmicrosoft.comNote: When adding a new account owner, the account must be within the Azure Active Directory domain within your Azure Governmentenvironment. See the section below on Adding Users to your Azure Active Directory for details on how to create additional accounts. Also note thatthe account will not become Active until that account owner logs in to the Enterprise Portal. Only active accounts can be used to create additionalsubscriptions.7
Common Order and Provisioning IssuesIssue: Submitting an order that has both Azure Government and Azure CommercialSolution: Azure Government and Azure Commercial must always be on a separate enrollmentsIssue: Submitting an order that has the reseller listed as the Online Notices ContactSolution: When completing the order ensure that the customer is listed as the Online Notices ContactIssue: Customers are not able to access their Azure Government instanceSolution: There are many reasons why this might happen, but the most common one is that when a customer is new to AzureGovernment we need to manually provision their tenant (example: cityofphiladelphia.onmicrosoft.com). Customerwill be notified of this process in the Welcome Email.Issue: When adding a Enterprise, Department or Account Owner the portal gives an error message “Invalid Account”.Solution: This is caused because the setting on the Enrollment Tab for “Auth Level” isn’t set to “Work or School Account CrossTenant”Issue: Adding an Enterprise Administrator that is already a Department Administrator (and vice versa).Solution: The Department Administrator needs to be different, find a backup and make the backup be the DepartmentAdministrator.Issue: Cannot create an Account OwnerSolution: Ensure your Account Owners are setup within an Azure Government AAD8
Enterprise Portal OverviewThe Enterprise Portal has many functions as seen in the screen shot below. It is where you will Manage access to the following key roles. It is also where you will see Reports forusage on the enrollment.Enrollment NumberThis number to the left under the Windows icon is the EnterpriseAgreement number from your Azure Government enrollmentManage PanelYou can move to Department, Account and Subscription level from here.You can also create and modify Enterprise Admins, Department Admins,Account Owners and subscriptionsReports PanelShows reports that outline consumption of services in your enrollment.The amount of details that are available to you are governed by if thePartner has enabled the option to Show Partner MarkupNotification PanelProvide updates based on service updates and other communicationsrelating to your Azure Government instanceHelp PanelProvides self-help tutorials on a variety of topics ranging from how toAdd a new Subscription to how to enable Partner Markup9
Enterprise PortalManage Tab10
Department/Account Setup MethodologyChoosing the right set up methodology for your organization is an important first step in setting up your enrollment. How you set up your Departments/Accounts andSubscriptions will impact how they are administered and how they are reflected on your enterprise level reports. This is now done by adding the account with the Name youwant then creating a Department and associating the account with the Department11
Manage - Enrollment Panel OverviewWhen you login to the EA Portal you begin in an Enrollment view for enrollment level details. Here your main tasks are to add others in administrative roles and change anydesired enrollment level settings.Hovering over theheadshot icon will allowYou can move to Department,Feedback can be providedYou begin at the enrollment level.You can see and addyou to see your loginAccount and Subscription levelthrough the comment iconThe focus will be highlighted in blueEnterprise Adminscredentials and sign outYou canmove toreporting,notificationsand Helpviews on theleft handnavigationpanelEnablingMarketplacewill give youaccess to theAzureGovernmentMarketplaceYou can add anotificationcontact hereRelatedaccounts isthe same asthe accountview on topIf DA view charges is enabled then Department Admins will be able to see usage.If AO view charges is enabled then Account Owner will be able to see usage.Please note that this Support link will direct you toCommercial Support. Please submit support requestsdirectly within the Azure Portal (portal.azure.us)12
Add/Edit Enterprise Admins & Notification ContactsWhen creating a new Enterprise Admin ensure Auth Level is set to:“Work or School Account Cross Tenant”Read-only role flag for those who can see usage but cannot add/edit rolesNotification Contacts can added to provide billing/usageinformation to identities outside of Azure GovernmentTo focus on a specific Enterprise Admin hover over it. An edit pen and delete icon will appear. Selectingedit will open a screen to update notifications and selecting the x will open a screen to delete the adminClicking on the Add buttons will bring slideouts in from the right side of the screen.Fill in the action box with appropriate details13
Manage - Department Panel OverviewThe Department focus allows you to operate at the department level. The default iconic view uses color to show active departments in green and inactive departments in orange.If you prefer a list view you can toggle to that view. Clicking on a department brings you to the detail view where you can edit department detailsDefault view uses Icons. Youcan toggle to a list view hereYou can add Departments here. Clicking on add will bring a slide out from theright hand side of the screen with an action box to fill in details.Clicking on theDepartment willopen a Detailsview where youcan view andedit detailsYou can addDepartmentAdmins here.Related accountswill now showaccounts withthe departmentfocus setClicking on the edit penopens additional detailsFilter to showonly activestatus itemsClicking on addwill bring aslide out fromthe right handside of thescreen with anaction box tofill in details.14
Manage - Account Panel OverviewThe Account Panel is where you do all things related to Accounts. To manage account details hover over the account until it is highlighted then select from the icons on the rightYou can select accountsacross all departments orfilter by departmentAuth Type: Shows theAuthentication method requiredfor each accountStatus:Active - if account owner has logged in.Pending - if account owner has not logged in.Inactive - if the account owner has been deletedStart Date is the date the account owner firstlogged in.End Date is the end of EA contract periodFilter to remove deletedaccounts from view.Once deleted they showas Inactive but remain forhistoric billing info. Theycan be re-added as wellView My Account opensthe Account Detail screenwhere you can edit youraccount name forexampleYou can see and define Cost Centerat the Department, Account andSubscription LevelDepartment isUnassigned untilset by Enterprise orDepartment Admin15
Important information prior to adding Account Owners The first time you login to the EA Portal as an Account Owneryou will see this warning. It is important to read andunderstand because any existing subscriptions that are ownedby this Account Owner are about to be converted and benefitscould be lost A Trial Account that is added to an enrollment will lose theirindividual monthly Azure credit A Sponsored Account that is added to an enrollment will losetheir individual monthly Azure credit Azure Commercial Account Owners cannot use the sameidentity for Azure Government16
Manage Accounts Panel – Add Account OwnersThe Account Panel is where you do all things related to Accounts. To manage account details hover over the account until it is highlighted then select from the icons on the right.Note: When adding a new account owner, the account must be within the Azure Active Directory domain within your Azure Government environment. See the section below onAdding Users to your Azure Active Directory for details on how to create additional accounts. Also note that the account will not become Active until that account owner logs in tothe Enterprise Portal. Only active accounts can be used to create additional subscriptions.You can add Accounts here.Clicking on add will bring a slideout from the right hand side ofthe screen with an action box tofill in details.17
Create or Associate an Account OwnerYou may create a new Account Owner or associate an existing Account Owner to your enrollment.Create a New Account – Enter the identity of a new user that you want to be able to createsubscriptions in both the “Email Address” and the “Confirm Email Address” sections. (Please note thatthe user must have first been created in the Azure Government Active Directory. For details on how todo this see the slides below that highlights “Adding Users in Azure Active Directory”)Associate an Account Owner to an enrollment (common when coming from a Trial of Sponsorship) enter the Account Owner email address that you want to associate from a Trial or Sponsorship in the“Email Address” and the “Confirm Email Address” sections.Creating a new Account Owner or associating an existing Account Owner requires confirmation ofaccount ownership. In order to confirm ownership the new Account Owner must sign into theEnterprise PortalIMPORTANT NOTICE: The association of an Account and its subscriptions happens on the day theAccount Owner signs into the enterprise portal and thereby confirms association of the account owneremail address. Existing subscriptions transferred to an Enterprise Enrollment will be immediatelytransitioned to billing on the Enterprise Enrollment on that day. The Account owner is responsible forpaying any outstanding charges on the payment instrument prior to the association date.All usage on transferred accounts will be billed based on terms of the Enterprise Enrollment.Subscriptions that were using a different offer type for payment like Pay As You Go on a credit card willbe converted to Enterprise Offers. The automated process will rename the subscription appending thewords (converted to EA) to the end of the subscription name so that you know it has made thattransition. If an account has subscriptions with special pricing (including no charge services), oncetransferred, the account will begin incurring costs based on the terms of the Azure Amendment to theEnterprise Enrollment18
Manage Accounts Panel – Edit Account OwnersSelecting the edit icon brings a pop over where you can change the account name, associate the account with a specific department and set a Cost CenterHovering over the account revealsthe Action Icons. Options are EditAccount, Delete Account, ChangeAccount Owner and TransferSubscriptionsClicking on the edit pen opensthis overlaid view.19
Manage Accounts Panel – Change Account OwnerThis process will allow you to transfer subscriptions from one account owner to anotherClicking on this icon begins theprocess of the changing theAccount OwnerThe Selection box will highlighteligible transfer candidates in darkbold text.Candidates are made eligible bybeing active and having created atleast one subscription.Please note limitations.Status will appear at the top of thewindow after submission. Transfersare not instant. If the transfer hasnot completed in an hour pleasecontact support.20
Manage Accounts Panel – Transfer SubscriptionsTransfer individual subscriptions from one account owner to another. So if Account A has three subscriptions the Enterprise Admin could transfer one to Account B, one toAccount C and one to Account D.Clicking on this icon begins theprocess of the changing theAccount OwnerThe Selection box willshow a subscriptionlist to select from.Select the targetfrom the bold darkeligible destinationaccounts.Continue on totransfer thesubscription in thefinal window.Status will appear atthe top of the panel.21
Manage Accounts Panel – Transfer SubscriptionsWhether doing an ownership change (transferring all subscriptions) or individual subscription transfers, to see the transfer status you will have to first deselect the Active filter toshow subscriptions in non-active statuses. You will also notice that the subscription is in Active Transferring status until the transfer is completed.Remove the checknext to the Active box22
Subscription Setup MethodologyOnly the Account Owner has the ability to create a subscription. Subscriptions may have any combination of services associated to them.An Account Owner can have one or multiple subscriptions.Example: Joe has two subscriptions and John has oneCreating different subscriptions for each environment (e.g. Production andDev/Test) within your applications and assigning a different Service Administratorand Co-Administrators to each subscription can be used to help control access todevelopment projects and environments within your organization.23
Manage - Subscriptions Panel OverviewThis view allows you to view or refresh all subscriptions available to you and if you are an account owner add new subscriptions.Filter by Department and AccountUnchecking this box will show allinactive subscriptionsOnly an Account Owner willhave an add subscription linkClicking on ViewManagedSubscriptions willallow you to see allthe subscriptions thatyou have accessSetting a Cost Centervalue at thesubscription level canonly be done afterthe subscription iscreated. To do so,hover over thesubscription to revealthe edit icon andthen click on it.Within the popoverbox you can set oredit the subscriptionlevel Cost Center24
Add a New SubscriptionWhen you add a new subscription to yourenrollment from the enterprise portal, you willbe defaulted to the US Government AzureEnterprise Offer.When you add an additional subscription youwill need to check the box denoting “Thissubscription is governed by your EnterpriseAgreement” then click on Purchase.Each new subscription will default to the nameUS Government Azure Enterprise Offer. It isbest practice to rename to something uniqueafter it is created so you can identify eachsubscription. This renaming is done via theAccount Portal (Please see slide in this decktitled “Edit Subscription Details”)25
Add a New SubscriptionWhen it is ready you will see a link to take you to the ManagementPortal. You will need to come back to the Account Portal tocustomize the subscription name.Subscription creation is completed through the Account Portal andcan take a few minutes.26
Edit Subscription DetailsSelect the desired subscription from the Subscriptions List.You can edit both the subscription name and ServiceAdministrator. Subscription name should be representative of thesubscription and differentiate it from other subscriptions. The Account Owner will be the default Service Administratoron new subscriptions. Any other identity from within yourAzure Gov AAD tenant can be set as the ServiceAdministrator. Next, select Edit Subscription Details from the right handnavigation menu.27
Enterprise PortalReports Tab28
Reports – Two Key Usage ReportsThese reports will show consumption of services in your enrollment. The amount of details that are available to you varies based on if partner markup is showUsage SummaryReportThis report will onlyshow if yourPartner hasenabled showPartner Markup foryour enrollment. Itwill showconsumption byunit as well asusage charges ( ).Service Usage ReportThis report shows consumption by unit but itdoes not include actual usage charges ( ). If youwould like to see usage charges ( ) then you willneed to reach out to your Partner and requestthat they publish markup for your AzureGovernment enrollment.29
Reports – Published Markup PricingThe reports you will see depends on whether your partner is using the Publish Markup feature available to them. You will be able to tell if you Partner is the using the markupfeature by the absence or presence of the Price Sheet and Usage Summary menu itemsThe presence ofthese two itemsdenote that yourPartner haspublishedmarkup pricingfor yourenrollment30
Reports – Usage Summary – Monthly ViewThis default monthly view is where you can see a historic graph with the current month or selected month’s data highlighted on the right. If you scroll down you will get a monthlydetail where you can filter by Department, Account and SubscriptionYour view focus will be highlightedin blue.Graphical summaryshows MonetaryCommitment as ablue line. Hoveringat the data pointshows the amountmonth by monthHover over the month you want tofocus on for detailsYou can edit the PO number when youreceive an overage notificationM is the Monthly view and Q is theQuarterly view. Click to toggleCharges aresummarized onthe side and colorcoded. Green isspend against amonetarycommitment, Redis Overage,Yellow is chargesbilled separatelyby invoice.31
Reports – Usage Detail – Monthly ViewService – Each of the Microsoft Azureservices that have been utilized by one ormore subscriptions during the calendarmonthUnit of Measure – The Unit of Measureused to calculate charges each monthConsumed Units – The amount of serviceconsumed (hours, GB, etc.), during theselected monthIncluded Units – The Units consumed thatare included at no costCharged Units – The Units consumed thatare billableUnit Price – The commitment pricing perunit used to calculate monthly chargesScrolling down will show usage and charges by categories incolor coded and labelled sections for: charges against monetarycommitment, charges in overage, charges billed separatelyNote: To learn more about pricing, billingand metering, click here.Usage Charge – The amount of moneyapplied against your monetarycommitment32
Reports – Usage Summary – Quarterly ViewThis quarterly view shows the contr
Azure Government Portals Overview Enterprise Portal ea.azure.com 4 account.windowsazure.us portal.azure.us F u n c t i o n S c r e e n s h o t R o l e s *Note: The classic version of the Azure Management Port
