Microsoft Azure and CSP

UPD: This post is outdated. Use the Azure CSP documentation to get the latest updates about the limitations. Fewer and fewer remain :)

In my previous post I mentioned that there are currently significant feature differences between Microsoft Azure purchased via traditional channels (Direct, Open, EA) and Azure CSP. In this post I'll continue my CSP story and describe Azure CSP in detail.

I've already written about the 2 different Azure models, ASM and ARM, which use different portals and APIs for management. Some services are available only on the "current portal" (ASM-based services); some services, especially new ones, appear only on the "new portal" (ARM-based services). Additionally, some ASM services (like "classic" VMs) are available on the new portal, which confuses customers.

The Azure CSP approach simplifies the experience for end customers, because only ARM-based services are available in it. More than 95% of revenue-generating services are already available in CSP, so don't worry about VMs, vNets, Web Sites, SQL Azure etc. Azure CSP is great and can be used by most customers. But you need to understand the limitations.

Here are the limitations of Azure CSP subscriptions:

1. Only the new portal is available for management. If an end user with Azure CSP subscription admin rights tries to log on to the current portal, he'll receive an error.

2. Only ARM services, ARP APIs and ARM PowerShell cmdlets are available. Services that are managed only on the current portal are not available in Azure CSP.

3. No "classic" deployment method is available. Compare New VM creation UI in traditional and CSP subscriptions.

4. 3rd party solutions in Azure Marketplace are limited to those that support the "Bring your own license" model. You need to purchase the license for 3rd party Marketplace software somewhere else, and then use it for the 3rd party service deployed in Azure.

Services, not available in Azure CSP

To get the most recent details about which services are available in Azure CSP and which are not, go to the "Sales" page in the Partner Center portal and download the "Release Notes" document for Azure Services in CSP. The current version was updated on 29th of February, less than a week ago.

Here is the high-level view:

*Portal UI is available for Site-to-Site VPN Gateway configurations
**Now it is available.

Azure Backup

Azure Backup is available in CSP via Azure PowerShell and ARM API. It is not available in the portal, but this will be changed soon. Currently Azure Backup management via UI is in Private Preview, which you can join. Instructions are available in the "Release Notes" document.

UPDATE: Azure Backup is now available via CSP. Details are here.

Azure Site Recovery

ASR management is available only via Azure PowerShell and ARP APIs. You can also configure ASR via the ASR Agent and VMM. ASR management will be added to the portal during the next months.

UPDATE: Azure Site Recovery is now available via CSP. Details are here.

Azure Log Analytics

Azure Log Analytics (also called Operational Insights) is not available in Azure CSP yet. So customers need to purchase it as a part of OMS Suite, which is sold as an add-on to System Center licenses.

UPDATE: Azure Log Analytics is now available via CSP.

Azure RemoteApp

Azure RemoteApp is not available in Azure CSP yet. If a customer wishes to have similar functionality from Azure, the service provider can deploy a Windows Server 2012 R2 RDS farm on Azure VMs.

Azure Active Directory

Full Azure AD management is not available for tenants directly on the portal. Check here for details. But Office 365 and Azure CSP use Azure AD as an identity provider inside. When a CSP Direct partner or CSP Distributor creates a new customer on the Partner Center portal, a primary domain should be specified (*.onmicrosoft.com). For every new customer an Azure AD directory is created automatically, named <primarydomain>.onmicrosoft.com.

The only sad thing: there is no Azure AD management UI available on the new portal, and you can't access the current portal to manage this directory. On the new portal you'll see this picture:

Of course, you can manage this Azure AD through the Office 365 admin portal: create new users, manage permissions, configure the integration with on-premises AD. This will be enough for most customers.

If you need full Azure AD management capabilities, there is a workaround. First, you can try to use this link to access the old Azure portal for Azure AD management purposes only. But sometimes it doesn't work. In such cases use the following workaround.

1. Log on to the current Azure portal using an account with a traditional Azure subscription. It can be a free Azure trial subscription, an MSDN subscription (which is available to all Silver/Gold Microsoft Partners) or any paid subscription.

2. Click +New -> App Services -> Active Directory -> Directory.

3. Choose "Use existing directory" and click "I am ready to be signed out now."

4. You will be logged out. Log in as any user that has Global Administrator rights to the Azure AD directory that you want to add. In my case it can be admin@kotlyarenko.onmicrosoft.com (the user that was created during New Customer creation on Partner Center) or kirill@kotlyarenko.com (a user that I created on the Office 365 admin portal and assigned Global Admin rights).

5. After that your Azure subscription admin will be added to this directory with Global Admin rights.

6. That's all. Log back on with your Azure subscription admin credentials and you'll be able to fully manage this directory.

Important: all paid Azure AD features will be charged to your traditional Azure subscription, not to Azure CSP. So if your customer wishes to use multi-factor authentication, rich reports, advanced self-service features or other Azure AD Premium features, they must buy an Azure AD Premium per-user subscription via CSP. It is available as a standalone license or as part of Enterprise Mobility Suite (EMS). Don't forget to assign these licenses to users:

BTW, all main Azure services and features will be migrated to the new portal during the next year, so don't worry about these issues and challenges in long-term.

Management of Azure services in CSP Direct

CSP Direct partners can use Partner Center portal to manage customer service subscriptions.

By default, the CSP Direct partner is the only owner of the customer's Azure subscription. He can add other users as owners, readers, contributors etc. to the tenant's subscription.

For example, he can specify customer's Microsoft ID or another account, such as Office 365 e-mail.

Service Provider can offer fully managed Azure-based services (e.g. service provider creates VMs and configures everything), or he can delegate Azure management responsibilities to customer's IT guys or even to an outsourcing organization.

I've recently posted a full list of Azure services, currently available in CSP.

Management of Azure services in CSP Indirect

In CSP Indirect model it depends on the used management panel and process automation, which is unique for every CSP Distributor.

By default, the CSP Distributor creates a new customer on the Partner Center portal and assigns him a Microsoft Azure subscription. After that, the CSP Distributor can assign other users with Owner rights to this subscription on the new Azure portal. The procedure is the same as described above for CSP Direct. It can be the customer's account or a CSP Indirect partner account.
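
An added example (not from the original post) of reviewing the Owner and Contributor delegations described above for both CSP Direct and CSP Indirect. It flags privileged role assignments held by groups, service principals or accounts outside the customer's own domains. The subscription ID, domains and principals are constructed placeholders, and Get-AzRoleAssignment is the current Az module cmdlet, which is newer than the cmdlets available when this post was written.

```powershell
# Added example with constructed sample data. In a live session, replace $sample with:
#   Get-AzRoleAssignment -Scope "/subscriptions/<subscription-id>"
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder ID
$sample = @(
    [pscustomobject]@{ DisplayName='Partner admin agents'; SignInName=$null; ObjectType='Group'; RoleDefinitionName='Owner'; Scope=$sub }
    [pscustomobject]@{ DisplayName='Customer IT lead'; SignInName='it.lead@customer.example'; ObjectType='User'; RoleDefinitionName='Owner'; Scope=$sub }
    [pscustomobject]@{ DisplayName='Outsourcer engineer'; SignInName='eng_outsourcer.example#EXT#@customer.onmicrosoft.com'; ObjectType='User'; RoleDefinitionName='Contributor'; Scope="$sub/resourceGroups/rg-web" }
    [pscustomobject]@{ DisplayName='Auditor'; SignInName='auditor@customer.example'; ObjectType='User'; RoleDefinitionName='Reader'; Scope=$sub }
)

function Get-RoleAssignmentReview {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string[]] $CustomerDomains,   # domains the customer owns
        [string[]] $PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    foreach ($a in $Assignments) {
        $name = [string]$a.SignInName
        # Guest accounts carry "#EXT#" in the sign-in name and must not be
        # mistaken for customer accounts because of the trailing tenant domain.
        $isGuest  = $name -like '*#EXT#*'
        $domain   = if ($name -like '*@*') { $name.Split('@')[-1] } else { $null }
        $internal = (-not $isGuest) -and $domain -and ($domain -in $CustomerDomains)

        if ($a.RoleDefinitionName -notin $PrivilegedRoles) {
            $finding = 'ok'
        } elseif ($internal) {
            $finding = 'ok (privileged customer account)'
        } elseif ($a.ObjectType -ne 'User') {
            $finding = 'review: privileged group or service principal'
        } else {
            $finding = 'review: privileged account outside the customer domains'
        }

        [pscustomobject]@{
            Principal = $a.DisplayName
            Role      = $a.RoleDefinitionName
            Scope     = $a.Scope
            Finding   = $finding
        }
    }
}

Get-RoleAssignmentReview -Assignments $sample -CustomerDomains 'customer.example', 'customer.onmicrosoft.com' |
    Format-Table -AutoSize
```

With the sample data, the partner group and the guest engineer are marked for review, while the customer's own Owner and the Reader are not.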

If you need more information about Azure in CSP, look at "Azure CSP in a Box". It covers technical aspects (API, pre-sales, administration) and business scenarios. It is a very valuable resource regarding Azure in CSP.

Comments

  • Anonymous
    March 07, 2016
    Is it possible to use this method for accessing the classic portal for CSP customers to create classic storage to be used by the Import/Export Service?
  • Anonymous
    March 10, 2016
    Chris,
    no, this won't work for classic non-ARM services.
  • Anonymous
    March 28, 2016
    Can CSP customers be moved to EA subscription?
  • Anonymous
    March 29, 2016
    Hi Srinivas!
    There is no simple "switch to another subscription" button in Azure CSP. So the only way is to move resources from one subscription to another.
    E.g. you can use methods like async blob copy to copy VM VHDs from a CSP subscription to an Azure subscription.
    Here are some details: http://gauravmantri.com/2012/07/04/how-to-move-windows-azure-virtual-machines-from-one-subscription-to-another/
  • Anonymous
    May 05, 2016
    Hi - is it possible for a CSP client, with an existing Office 365 subscription, to use the directory for the 365 subscription with the CSP Azure instance?

    Thanks!
  • Anonymous
    May 05, 2016
    Hi Lee!
    Office 365 via CSP includes Azure AD directory, which can be managed on old Azure portal using the trick described above. In fact - additional Azure CSP subscription is not needed for that.
  • Anonymous
    May 12, 2016
    Hi Kirill,
    we are a CSP T2 disti and our customer has the following problem, which cannot be solved:

    MFA itself is working (we used the workaround you described), but only for Azure itself, not for external providers.

    The customer's problem is to get it to work with external auth providers, in this case via the Radius protocol.

    In a "credit card Azure" sandbox it is working.
    The Azure portal shows the external providers.

    Using CSP Azure, the Azure portal does not show the external providers.
    Again, MFA itself is working in CSP, but not for the external providers ….

    So this seems to be a CSP related problem.

    The question is: How to get MFA in CSP working using external providers (Radius) !


    Thanks,
    Guido
  • Anonymous
    May 12, 2016
    Hi Guido!
    I don't understand what you want to achieve. Are you talking about Azure MFA server? Or about Azure AD itself?
    Also I recommend that you reach out to the Azure Mentor Program or Global Partner Support to help you with that issue.
  • Anonymous
    June 13, 2016
    Can you follow the below steps and check if that works:
    1. Login to partner center
    2. Select customer then add subscription
    3. Select License (Microsoft Azure Multi factor Authentication) click OK.
    4. Now manage the Azure AD (login to MSDN or other paid account and add directory)
    4. Now select the directory >> configure >> Multi factor Authentication (open Manage service settings)
    5. Multi factor authentication setting page will open (at the bottom select Go to portal)
    5. Download the Multi factor server and generate the keys.
    6. Install this on-premise server to manage Radius (like for normal paid Azure subscription)
    Now the process will remain same for as of other Azure Subscription. Like configure MFA on-premise server/Import user/enable user etc.
  • Anonymous
    December 16, 2016
    I have a customer that has an existing O365 subscription - it's a direct bill. We just added them on as an Azure CSP customer. I would like their Azure subscription to be able to leverage the accounts they have in O365 (which are synchronized to on-prem using Azure AD Connect). Is this possible, and if so, how do you go about switching the Azure CSP subscription over to their O365 directory?
    • Anonymous
      December 18, 2016
      You need to use "Request a reseller relationship" to add an existing tenant to Partner Center and create an Azure subscription there.
  • Anonymous
    March 17, 2017
    How can third party Azure solution vendors make their solutions to be ARM-based so they are made available for procurement through CSPs?