Summary


If you’re a business that has access to a Microsoft Enterprise Agreement, you won’t be surprised that, to transition to an enterprise operating at scale, you need to innovate and embrace the empowerment of your engineers

When you operate at scale, every cost saving, every time saving and every service desk ticket not raised turns into a real difference for the business

We only have to look back 150 years to see the benefits and progress that industrialization delivered

Measuring on the traditional scale of the day, horsepower, it’s safe to assume that creating an automated and well-thought-out self-service platform will ensure that you never have to employ any horses again… and finally we will take back the planet!

tl;dr


Objectives

  • Familiarize the reader with operating under an EA Agreement

  • Educate through hands-on manual and automated delivery

  • Deliver documentation and example code for a rapid lighthouse delivery into customer solutions

  • Demonstrate moving from a manual process, through scripting, to full IaC delivery

  • Demonstrate extending the capability of the de project

  • Demonstrate the extensibility of the user interfaces to the process


Session Format

This topic - end to end - is quite the beast



Benefits

Taking a traditional business operating under an Enterprise Agreement, we make some assumptions to ensure we cover as many scenarios as possible

  • EA Agreement Pricing and Dev/Test subscriptions

  • Standardization of development environments, ensuring the inclusion of business-rule-compliant resources and therefore compliance and supportability

  • Automation removes manual processes and the feedback loops they require

    • reducing time to delivery for improved engineer experience

    • reducing operational time and effort

I would always recommend ensuring that, from the top down and via tangible business objectives, we plan and deliver this project so that it feeds into those objectives and ultimately the business' success

tl;dr

Design

High Level Design


Components


Detailed Design



Planning

iteration 1 - a simple start

With access to an EA Account, you want to

  • add a new Tenant 
  • add a new local admin account for EA Management
  • create the EA Account setup
  • validate
    • add a new subscription in the tenant via portal
    • add a new subscription in the tenant via CLI

In this simple configuration, your users will be provided with a new account in the tenant and log in to access their subscription

Azure

Preparing your account with permissions

az login

Creating a new Azure Tenant

There is currently no public API, so I would recommend following the Microsoft Learn documentation via https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

az login -t YourTenantName.onmicrosoft.com --use-device-code

Creating a new Admin user under your new tenant

az

Enterprise Billing

Enrolling the Tenant to your EA Agreement via the partner portal

az

Summary

#!/bin/bash

iteration 2 - adding cross-tenant complexity

Building on the initial simple config, where, as an Administrator in the new Tenant, we can create a new EA Subscription either via the portal or a simple CLI call, using the Azure Billing Enrolment Account.

Originally we used a single tenant; to add to the complexity:

  • use the new Squad0 Tenant as an additional dev/test tenant
  • authenticate via the original home tenant as a Guest User invited into the Development Tenant
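The guest-invite step of this configuration as a script, added here and not the page's own code. It assumes the caller has already run `az login` against the Development Tenant with rights to invite and read users, and that HOME_DOMAIN (a hypothetical variable) holds the home tenant's verified domain:

```shell
#!/bin/sh
# Added example, not the page's own script: invite a home-tenant user into the
# dev/test tenant as a guest through Microsoft Graph, then look the guest up.
# Assumed: the caller has already run `az login` against the Development Tenant
# with rights to invite and read users, and HOME_DOMAIN is the home tenant's
# verified domain (e.g. contoso.com).
set -eu
GRAPH=https://graph.microsoft.com/v1.0

# Only identities from the home tenant may be invited; the check is an exact
# domain match, so "alice@contoso.com.evil.net" is rejected.
allowed_invitee() {  # $1 email address, $2 home domain
  case "$1" in
    *"@$2") return 0 ;;
  esac
  return 1
}

# Body for POST /invitations. sendInvitationMessage=false: the user is onboarded
# by our own process, not by an unexpected email they might treat as phishing.
invitation_body() {  # $1 email address, $2 redirect URL
  printf '{"invitedUserEmailAddress":"%s","inviteRedirectUrl":"%s","sendInvitationMessage":false}' "$1" "$2"
}

invite_guest() {  # $1 email address; prints the new guest's object id
  allowed_invitee "$1" "$HOME_DOMAIN" || { echo "refusing to invite $1: not in $HOME_DOMAIN" >&2; return 1; }
  az rest -m POST -u "$GRAPH/invitations" --headers 'Content-Type=application/json' \
    --body "$(invitation_body "$1" https://portal.azure.com)" --query invitedUser.id -o tsv
}

# A guest's userPrincipalName is rewritten (alice_contoso.com#EXT#@dev.onmicrosoft.com),
# so filter on the mail attribute rather than on the UPN the user knows.
find_guest() {  # $1 email address; prints the object id or nothing
  az rest -m GET -u "$GRAPH/users?\$filter=mail eq '$1'" --query 'value[0].id' -o tsv
}

case "${1:-}" in
  invite) invite_guest "$2" ;;
  find)   find_guest "$2" ;;
esac
```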

Summary

#!/bin/bash

iteration 3 - graduating to IaC - Service Principals

Now that we have 

  • 2 tenants - one home and one dev/test

  • ability to create subscriptions 

we essentially have a way for an admin user to create subscriptions, or to script that automation via az-cli

Now that we have the process and permissions, we will switch from using a manual user to a service principal

  • Configure the Home Tenant
    • under your home tenant, create an app registration
    • create an Enterprise App Service Principal
### Define app registration name, etc.
appregname=myappregtest1
clientid=$(az ad app create --display-name "$appregname" --query appId --output tsv)
### On Microsoft Graph backed az CLI versions the object id is returned as "id" rather than "objectId"
objectid=$(az ad app show --id "$clientid" --query objectId --output tsv)

### Disable and then remove the default user_impersonation scope: this registration is for automation, not delegated user access
### (oauth2Permissions is the legacy property name; Graph backed CLI versions expose it as api.oauth2PermissionScopes)
default_scope=$(az ad app show --id "$clientid" | jq '.oauth2Permissions[0].isEnabled = false' | jq -r '.oauth2Permissions')
az ad app update --id "$clientid" --set oauth2Permissions="$default_scope"
az ad app update --id "$clientid" --set oauth2Permissions="[]"

### Create the Enterprise App (service principal) for the registration
az ad sp create --id "$clientid"

### Alternative: create the registration directly via Microsoft Graph, using --query to obtain the client app id
clientid=$(az rest -m post -u https://graph.microsoft.com/v1.0/applications --headers 'Content-Type=application/json' --body '{"displayName": "myappregtest1"}' --query appId --output tsv)
  • Configure the Development Tenant
    • App Registration
    • Service Principal
    • Assign Subscription Owner role to the SP
as above
  • Billing API
    • identify Billing Account number
    • Obtain Enrolment Account Number
    • Obtain Enrolment Account Role Identifier
    • Obtain Enrolment Account Subscription Creator role
      • Add Enrolment Account Role to Service Principal
      • Add Enrolment Account Subscription Creator Role to Service Principal
  • Verify Role Assignments by logging in as the Service Principal and creating a subscription
### List the enrollment accounts visible to the signed-in identity (legacy EA API). Note that the enrollment account
### object id (GUID) used by this API is not the numeric enrollment account number used by the billing API below
az rest -m GET -u "https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview"

### Legacy route: make the principal an Owner of the enrollment account (more than subscription creation needs)
az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>

### Preferred route: assign only the Enrolment Account Subscription Creator billing role.
### principalTenantId is the tenant the service principal lives in (the Home Tenant), which is what makes this cross-tenant
REQUEST_BODY=$(cat <<EOF
{
  "properties": {
    "principalId": "99a1a759-30dd-42c2-828c-db398826bb67",
    "principalTenantId": "7ca289b9-c32d-4f01-8566-7ff93261d76f",
    "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/7898901/enrollmentAccounts/225314/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
  }
}
EOF
)

### This endpoint is a PUT; {billingRoleAssignmentName} is a new GUID you generate for the assignment
az rest -m PUT -u "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}/billingRoleAssignments/{billingRoleAssignmentName}?api-version=2019-10-01-preview" --body "${REQUEST_BODY}"

Summary

#!/bin/bash

iteration 4 - Hands-off non-interactive

We now have 

  • Understanding of each process step to add a new user and then provide them a subscription in the new tenant - accessed via their Home Tenant Login

  • Understanding of how to auth across tenants

  • The requirements of each stage

  • Service Principals with permissions to operate autonomously

We can start to build the process in Terraform, taking each manual or scripted stage and identifying which Terraform resources we will need to read and create. For each step of the process, you can verify your code as you work, running terraform plan after each new resource is added to the Terraform

  • create boilerplate terraform files
    • .gitignore
    • terraform standard files
      • provider.tf
      • variables.tf
      • main.tf
      • output.tf

Summary

#!/bin/bash
### List users in the tenant, then pick one out by userPrincipalName client-side with jq
az rest --method GET --url https://graph.microsoft.com/v1.0/users
az rest --method GET --url https://graph.microsoft.com/v1.0/users | jq '.value | .[] | select(.userPrincipalName == "paul.kelleher@contino.io")'

Welcome to MVP world - population you!

iteration 5 - Feature Development

Summary

iteration 6

Summary


Conclusions


References



To be removed before publication

@startmindmap
* Structure
** Simple
***: **Description**
    with access to an EA Account, you want to 
    - add a new Tenant 
    - add a new local admin account for EA Management
    - create the EA Account setup
    - validate
    - add a new subscription in the tenant via portal
    - add a new subscription in the tenant via CLI
    in this simple configuration, your users will be provided a new account to the tenant and login to access their subscription
;
*** Process
**** Azure Tenant
***** New Tenant
***** New local EA User
**** EA Subscription
***** Add Tenant
***** Setup Billing
****** Setup Departments
****** Setup Enrolment Acct
******* verify EA Account
** advanced
***: **Description**
Building on the initial simple config where 

as an Administrator in the new Tenant, we can create a new EA Subscription either via portal or simple CLI, while using the Azure Billing Enrolment Account

originally we use a single tenant, but to add to the complexity:
use the new Squad0 Tenant as an additional dev/test tenant
Authenticate via the original home tenant as a Guest User invited into the Development Tenant
;
*** Process
**** Home Tenant
***** AD Read Get User Account
**** Dev Tenant
***** ADRead: Check User
***** ADWrite: create guest account via invite
****** enable auto-accept
** Hand-Off
*** Description
*** Process 
** IaC
*** Description
*** Process Analysis
**** Users
**** Resources
*** Parameterising
** Feature Development
** CI/CD
*** Traditional Workflows
** Variables
*** passing input data
*** unpacking json data
**** Validate
***** create local config file
*** read inputs and select workflow
**** processing scripts
***** webhook
** Interfaces


@endmindmap
planning diagram