Why can’t I create an Azure subscription?

Under some circumstances, you may be prevented from creating an Azure subscription in Cloud Subscriptions. This article explains why that might be the case.

Symptoms

If you are an AzureSimple customer with SoftwareOne, you may encounter problems as you attempt to create a new Azure subscription within the Cloud Subscriptions feature of PyraCloud. The most common problem our customers encounter is that, during the Azure subscription creation process, the drop-down list for selecting a subscription owner remains empty. This occurs even though you have valid users in your Microsoft tenant.

Cause

As security becomes a growing concern, organizations are implementing additional security measures to protect their online estate. The implementation of either Conditional Access Policies (CAP) or Privileged Identity Management (PIM) within a Microsoft tenant may cause the symptoms described at the beginning of this article. Most often, the issues described are caused by Conditional Access Policies.

More Information

PyraCloud populates the Azure subscription owner drop-down list by requesting a list of users from your Microsoft tenant through the Microsoft Graph API. PyraCloud needs to authenticate to your Microsoft tenant to do this, and the authentication attempts are blocked by CAP or PIM.

Authentication to your Microsoft tenant by PyraCloud works differently when SoftwareOne has a reseller relationship with your organization through CSP. This makes it difficult (or impossible) to configure exceptions to policies configured under CAP.

Technical Detail

When you establish a reseller relationship with a CSP provider (in this case, SoftwareOne), the partner is granted permissions to your tenant such as those required to access the Microsoft Graph API. Authentication requests to your tenant from PyraCloud with these permissions use an approach called the Secure Application Model.

The Secure Application Model uses both user and enterprise application credentials to make the authentication request. While enterprise application requests are not affected by Conditional Access Policies, the user part of the authentication request is affected.
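
To confirm that Conditional Access is what blocks the user part of the request, an administrator can review the tenant's sign-in logs. The following is an added example, not PyraCloud or SoftwareOne code: it reads records shaped like Microsoft Graph sign-in log entries and reports which policies failed for one application. The application name, users, policy names and IP addresses are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample shaped like Microsoft Graph signIn records (trimmed to
# the fields used here). App, user, policy and IP values are placeholders.
SAMPLE = json.loads("""[
 {"appDisplayName": "EXAMPLE-PARTNER-APP", "ipAddress": "203.0.113.10",
  "userPrincipalName": "svc@partner.example",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require trusted location", "result": "failure"},
   {"displayName": "Require MFA", "result": "success"}]},
 {"appDisplayName": "EXAMPLE-PARTNER-APP", "ipAddress": "198.51.100.7",
  "userPrincipalName": "svc@partner.example",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require trusted location", "result": "failure"}]},
 {"appDisplayName": "EXAMPLE-PARTNER-APP", "ipAddress": "203.0.113.10",
  "userPrincipalName": "svc@partner.example",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": []},
 {"appDisplayName": "Other App", "ipAddress": "192.0.2.44",
  "userPrincipalName": "user@customer.example",
  "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Block legacy auth", "result": "failure"}]}
]""")

def ca_blocks(signins, app_name):
    """Return (failed-policy counts, source IPs) for CA-blocked sign-ins of one app."""
    policies, ips = Counter(), set()
    for s in signins:
        if s.get("appDisplayName") != app_name:
            continue
        # conditionalAccessStatus "failure" marks a sign-in that a policy blocked.
        if s.get("conditionalAccessStatus") != "failure":
            continue
        ips.add(s.get("ipAddress"))
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") == "failure":
                policies[p.get("displayName", "<unnamed>")] += 1
    return policies, ips

if __name__ == "__main__":
    policies, ips = ca_blocks(SAMPLE, "EXAMPLE-PARTNER-APP")
    for name, count in policies.most_common():
        print(f"{count} blocked sign-in(s) by policy: {name}")
    print("source IPs seen:", ", ".join(sorted(ips)))
```

Real records can be exported from the tenant's sign-in logs; the field names used above follow the Microsoft Graph signIn resource.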

Workarounds

Under the current PyraCloud infrastructure, there are no workarounds to this limitation that SoftwareOne would recommend. Conditional Access Policies are designed to increase the security of your Microsoft tenant using the least privilege principle, and SoftwareOne does not recommend relaxing the policies you have configured.

While it may be possible to exclude the IP ranges of PyraCloud from your Conditional Access policies, the source IP ranges of egress traffic from PyraCloud are subject to change as its infrastructure changes and the size of the IP range to exclude would be too large to satisfy the ideal of least privilege.

Future Roadmap

SoftwareOne is currently working toward allowing all users to create Azure subscriptions without specifying an Owner for the subscription. To take advantage of this approach, you would require at least one user in your organization to either:

  1. Be assigned the Owner or User Access Administrator role in Azure Management Groups within your Azure tenant, or
  2. Be a Global Administrator and elevate their access to manage access to all Azure subscriptions and management groups in your tenant.

Note that this is not yet complete. More information will be provided in this document when the feature becomes available.

Updated on October 19, 2022
