Azure Stack multi-tenant setup for service providers

It is fair to say Microsoft have been working hard to allow Cloud Service Providers (CSPs) to enable multi-tenancy within Azure Stack. When we first started the process we had to email a list of users we wished to register against our Azure Stack which took approximately 8 hours. This occurred every time we wanted to onboard a new customer, not very ‘cloudy’! Things have improved greatly and there is now a service endpoint we can call to enable this linking immediately.

I thought it would be useful to capture the entire flow so our customers can understand how we will on-board our customers to UKCloud’s Azure Stack.

Note: This article only discusses the process for a connected  Azure Active Directory integrated deployment.

The diagram above shows the entire process and the high level steps discussed below. The steps in green require our customers to actually undertake some actions.

Azure Stack deployment

Whilst the Azure Stack registration is not something our customers need to know about, it provides some useful context about the rest of the flow defined here.

When Azure Stack is built it needs to target an Azure Active Directory (AAD) domain, the account you provide will become the default administrator for the entire stack.

Once the stack is deployed the CSP then needs to register it against an Azure Subscription ID. To do this the CSP does two things:

  1. Creates a shared subscription via the CSP portal following the guide here. This actually creates a new domain!
  2. Registers Azure stack with the new shared services admin account created above following the guide here.

This is important as it creates the default subscription that ALL Azure Stack consumption will be charged against. The CSP is accountable for paying this bill.

At this point the stack is ready for tenant on-boarding.

Tenant on-boarding

There are a few steps to the user on-boarding and they differ slightly dependent on whether the customer already has an AAD they wish to use, or whether they need a new one.

Customer setup by CSP in CSP portal

Customer has AAD

If this is the case the CSP will create a reseller request which is sent to the customer Azure admin, following the steps here. This will give administrator privileges for the CSP to manage the subscription for the customer. A more detailed explanation is available here.

Once the user has accepted the request, the CSP can see a new customer record via the CSP portal, they amend the billing details and then add the “Microsoft Azure” subscription, following this guide.

User has no AAD

In this case the CSP can create a new customer via the CSP portal which will create a new AAD domain for the customer. This can be done following this guide, during this process the CSP adds a “Microsoft Azure” subscription.

CSP and customer billing configuration

Once the CSP has a record of the customer in their CSP portal they must link the customers unique Azure subscription ID created above with the CSP’s subscription that was used in the registration. This allows the CSP portal to split out the billing information for each customer. This is done by making a call to the registration endpoint, e.g.

subscriptions/{registrationSubscriptionId}/resourceGroups/{resourceGroup}
/providers/Microsoft.AzureStack/registrations/{registrationName}
/customerSubscriptions/{customerSubscriptionId}?api-version=2017-06-01 HTTP/1.1

  • registrationSubscriptionID is the Azure subscription that was used by the CSP for the initial registration.
  • customerSubscriptionID is the Azure subscription(not Azure Stack) added to the customer record by the CSP when they created their account in the CSP portal
  • resourceGroup is the resource group in Azure in which Azure Stack is registered.
  • registrationName is the name of the registration of the Azure Stack. It is an object stored in Azure if you login with the CSP registration account.

This basically tags the customer account account with the CSP’s subscription ID so that the usage is reported against the customers subscription but still linked to the CSP who is responsible for paying Microsoft and for recouping the amount from the customer.

Azure Stack access

The CSP now configures Azure Stack to allow the new customer to authenticate against the stack. This is done following this guide and requires changes to be made by both the CSP and the customer.

At this point the customer can only authenticate, they don’t actually have access to any resources like compute, storage, networking etc.

Enable Azure Stack Resources

The final stage is for the CSP to enable the customer to consume resources in Azure Stack. There are different ways this can be achieved but in the case of UKCloud the following items are created.

  • Quotas, dedicated quotas are created for each customer and each resource provider, e.g. compute, storage, network etc
  • Plans, group the resources we allow access to in Azure Stack and link them to the quotas above
  • Offers, group the plans above into a subscription which is assigned to the customer. In the case of UKCloud we also give ownership of the subscription to the customers admin user so they can manage who in their directory has access to Azure Stack.

Once this process is complete the customer can start using Azure Stack!