Using Managed Cloud Premium

Abstract

Learn about the permissions needed to use the Managed Cloud Premium service.

To use the Managed Cloud Premium service, you must have the necessary permissions. This topic describes the requirements and permissions needed for:

  • Subscription management

  • Owner/Contributor access

  • The Azure Active Directory service

  • Boarding Pass (the Azure Active Directory B2B SPN)

Sitecore Managed Cloud Premium support for Azure uses Rackspace, a trusted partner, to perform actions in your Azure environment. You must assign Rackspace the correct level of access and the necessary permissions, so that it can fulfill the role of your managed service provider.

To reduce the risk of these access rights being abused, Rackspace uses its own corporate identities for all access and relies on built-in security controls such as multi-factor authentication and regular password rotation.

To deliver Managed Cloud Premium support for Azure, Rackspace requires the Owner or Contributor role on every Azure subscription that Rackspace manages for Sitecore. The account that holds the Owner or Contributor role must be an organizational (work or school) account, not a personal Microsoft account. If you cannot provide Rackspace with an organizational account that has the Owner or Contributor role, some support services might not be available, or might only be available within a limited scope (for example, only on individual resource groups rather than the whole subscription).

Note

Rackspace stores the Owner/Contributor account credentials within a secure password repository, which Rackspace accesses during support, troubleshooting, deployment, and other such activities. Only Rackspace Support can access customer deployments.

Rackspace configures the service principals (SPNs) through which Sitecore management services access resources that are secured by your Azure Active Directory (AD) tenant. During onboarding, you receive a consent request from an Azure AD application, asking you to grant Rackspace access to resources within your tenant.

Rackspace then grants the SPNs permissions on a least-privilege basis (each SPN gets only the permissions its task requires), so that Sitecore can:

  • Define the access policy and permissions.

  • Authenticate and be authorized for programmatic access to resources within that subscription.

  • Run the automation services that deliver Managed Cloud Premium support for Azure.
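The two requirements above, an organizational (not personal) account holding Owner or Contributor at subscription scope and least-privilege service principals, can be audited from the output of the Azure CLI. The following script is an added example for this page, not Sitecore's or Rackspace's tooling. It parses the JSON shape produced by `az role assignment list --subscription <id> --all -o json` (only the principalName, principalType, roleDefinitionName and scope fields are used). The subscription ID, the provider domain rackspace.com, the list of consumer identity domains used to recognize personal Microsoft accounts, and the rule that an automation SPN should not hold Owner are all assumptions made for the example; the sample assignments are constructed, not captured from a real tenant.

```python
"""Audit Azure RBAC assignments on a subscription operated by a managed service provider.

Added example (not Sitecore's or Rackspace's code). Input is the JSON that
`az role assignment list --subscription <id> --all -o json` returns. Checks:
  1. the provider's organizational account holds Owner or Contributor at
     subscription scope (otherwise support is unavailable or limited in scope);
  2. no personal Microsoft account holds Owner or Contributor;
  3. no service principal holds Owner (assumed least-privilege cut-off: Owner
     also lets the principal grant roles to others, which automation does not need).
"""
import json
import re

# Assumed values for this example; replace with your own.
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"
PROVIDER_DOMAIN = "rackspace.com"                    # provider's organizational tenant
PERSONAL_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "gmail.com"}  # consumer domains
MANAGEMENT_ROLES = {"Owner", "Contributor"}

_SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")

# Constructed sample in the az CLI output shape (not from a real tenant).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "ops_rackspace.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalName": "jane_outlook.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalName": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # automation SPN (app id)
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalName": "eng_rackspace.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/sitecore-prod"},
])


def home_domain(principal_name: str) -> str:
    """Return the identity's home domain, lower-cased ('' if there is none).

    B2B guests appear as 'user_home.com#EXT#@tenant.onmicrosoft.com', members as
    'user@home.com'. For guests the home domain follows the last '_' before '#EXT#'.
    """
    if "@" not in principal_name:
        return ""                                   # e.g. an SPN shown by app id
    local, _, tenant = principal_name.partition("@")
    if "#EXT#" in local:
        return local.split("#EXT#", 1)[0].rsplit("_", 1)[-1].lower()
    return tenant.lower()


def is_subscription_scope(scope: str) -> bool:
    """True only for '/subscriptions/<guid>', not for any narrower scope."""
    return bool(_SUB_SCOPE.match(scope))


def audit(assignments_json: str, provider_domain: str = PROVIDER_DOMAIN) -> dict:
    """Return {'provider_has_management_access': bool, 'findings': [{'principal', 'issue'}]}."""
    findings = []
    provider_ok = False
    narrow_scope = []                               # provider management roles below subscription scope
    for a in json.loads(assignments_json):
        name, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        domain = home_domain(name)
        if ptype == "User" and role in MANAGEMENT_ROLES:
            if domain in PERSONAL_DOMAINS:
                findings.append({"principal": name, "issue": "personal-microsoft-account"})
            elif domain == provider_domain:
                if is_subscription_scope(scope):
                    provider_ok = True
                else:
                    narrow_scope.append(name)
        elif ptype == "ServicePrincipal" and role == "Owner":
            findings.append({"principal": name, "issue": "spn-owner-exceeds-least-privilege"})
    if not provider_ok:
        findings.append({"principal": ", ".join(narrow_scope) or provider_domain,
                         "issue": "provider-lacks-subscription-scope-management-access"})
    return {"provider_has_management_access": provider_ok, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS), indent=2))
```

On the constructed sample the provider account is found with Contributor at subscription scope, and two findings are reported: the personal outlook.com guest holding Owner, and the automation service principal holding Owner. To run it against a real subscription, pipe the az CLI output into `audit()` instead of `SAMPLE_ASSIGNMENTS`.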

Note

Rackspace stores the SPN credentials in a key vault within the Rackspace-managed Azure subscription; the credentials are encrypted both at rest and in transit.

Rackspace has developed a set of tools called Boarding Pass, designed to give Rackspace support engineers on-demand, time-bound, audited, and named access to customer subscriptions. Boarding Pass uses the Azure AD B2B invitation service/API, together with two-factor authentication, to bring existing corporate identities and users from the Rackspace Azure AD tenant into your tenant as guests. The feature consists of two discrete services:

  • Boarding Pass Enrollment – an on-boarding tool that prepares your subscription by configuring the automation account or SPN and setting up the predefined access groups.

  • Boarding Pass Access – a secure web application, located in the Rackspace operations portal, that grants time-bound access to a selected subscription.

Boarding Pass is limited to Azure-certified members of the Managed Cloud Premium Support Engineering team, and contains several security controls to manage access, including the following requirements:

  • Users must exist in the Rackspace corporate directory, which enforces RSA two-factor authentication.

  • To access the Managed Cloud Premium Support for Azure Operations Portal (a restricted group), users must be members of a specific Lightweight Directory Access Protocol (LDAP) group.

  • To access the Boarding Pass portal (which grants only the Reader or Contributor role), users must be members of a separate LDAP group.