MicroStrategy on Azure


Contents

● Introduction
● Deployment Requirements
  ○ MicroStrategy Cloud Platform Account
  ○ Azure subscription
  ○ Azure Administrator
  ○ VNET
  ○ Data Source Connectivity
  ○ Subscription Prerequisites
● Workflow
  ○ High-level pictorial representation of the workflow
  ○ Step-by-step explanation of the workflow
  ○ Service Principal ID
  ○ Requested Permissions Explanation
  ○ Configuration Link
  ○ Azure Functions
    ■ Configure Function
    ■ Redirect Function
● Azure Architecture
  ○ Team
  ○ Department
  ○ Enterprise
● Azure Deployment
  ○ Resource Creation
  ○ Image Sharing
● Azure Services
  ○ Customer’s Azure subscription
  ○ MicroStrategy’s Azure subscription
● Resources


Introduction:

The MicroStrategy Cloud console was built for seamless and rapid deployments of the MicroStrategy Platform on Amazon Web Services and Microsoft Azure with a simple and secure architecture. The MicroStrategy Cloud console provides the breadth of all the MicroStrategy Platform’s offerings, configured and ready to go out of the box.

Deploying MicroStrategy on Azure is a 2-step process:

1. Configuring a customer’s Azure Subscription
2. Deploying the MicroStrategy Platform in the customer’s subscription

Before a new MicroStrategy Cloud customer can begin provisioning environments into their Azure subscription, there are a few prerequisites which must be configured in both MicroStrategy and the customer’s Azure subscription. Configuring these prerequisites allows our Cloud console to interact with the customer’s Azure subscription. This document outlines the processes to configure these prerequisites and then successfully deploy the MicroStrategy platform.

Deployment Requirements:

MicroStrategy Cloud Platform Account

● A MicroStrategy Cloud Platform account is needed to log in and deploy via the MCP interface. Note that though the deployment is triggered within the MicroStrategy Cloud console, the infrastructure will reside within a customer-owned and customer-managed Azure subscription.

Azure subscription

● An Azure Subscription is needed for the deployment process. The MicroStrategy Cloud Platform will be deployed into a customer-owned and customer-managed Azure subscription.

Azure Administrator

● An Azure administrator will need to be available for the deployment process. This administrator will need to have Global Administrator / Company Administrator privileges to provide the MicroStrategy Cloud Platform with the permissions it needs to deploy a MicroStrategy application into the customer’s Azure subscription. The specific details on the Global Administrator privilege can be seen here.

● This administrator must also have Owner-level access to the subscription into which the MicroStrategy Cloud Platform will deploy.

VNET

● A VNET is required to successfully complete the deployment process. All the MicroStrategy infrastructure and components are deployed into a customer VNET.

● The VNET must have a CIDR range that does not conflict with the data sources and systems that the MicroStrategy application needs to connect to.

● This VNET must include 5 subnets.

  ○ 2 Private Subnets, 2 Public Subnets and a NetAppSubnet (subnet to host the NetApp File System)

  ○ The CIDR ranges for the subnets don’t matter as long as they are within the range provided for the overall VNET.

  ○ The “Microsoft.Sql” service endpoint needs to be selected and enabled for all 5 subnets that are created in the VNET.

  ○ The NetApp subnet needs to be delegated to the “Microsoft.NetApp/Volumes” service.

● This VNET must allow certain ingress and egress to and from the domain *.cloud.microstrategy.com for the deployment to be successful:

  ○ Egress
    ■ HTTPS 443
    ■ TCP 3000

  ○ Ingress
    ■ HTTPS 443
    ■ TCP 3000

*Note on VNET: A new VNET may be provisioned in an automated fashion by the MicroStrategy Cloud Platform. This makes the deployment process easier and less prone to issues caused by an incorrect VNET architecture. However, it also means express routes or VPN connections must be established after the fact, as they depend on the existence of a VNET.
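As an added preflight check (not part of the original document or of MicroStrategy’s tooling), the Python below validates a VNET description against the subnet requirements above: five subnets inside the VNET range, the Microsoft.Sql endpoint on each, exactly one subnet delegated to NetApp volumes, and no overlap with the data-source ranges the Intelligence Server must reach. The VNET and data-source CIDRs are constructed samples shaped like the relevant fields of `az network vnet show` output.

```python
import ipaddress

# Constructed sample shaped like the relevant fields of `az network vnet show`
# output; not a real customer VNET. "public-2" deliberately lacks the endpoint.
SAMPLE_VNET = {
    "addressSpace": {"addressPrefixes": ["10.50.0.0/16"]},
    "subnets": [
        {"name": "private-1", "addressPrefix": "10.50.1.0/24",
         "serviceEndpoints": [{"service": "Microsoft.Sql"}], "delegations": []},
        {"name": "private-2", "addressPrefix": "10.50.2.0/24",
         "serviceEndpoints": [{"service": "Microsoft.Sql"}], "delegations": []},
        {"name": "public-1", "addressPrefix": "10.50.3.0/24",
         "serviceEndpoints": [{"service": "Microsoft.Sql"}], "delegations": []},
        {"name": "public-2", "addressPrefix": "10.50.4.0/24",
         "serviceEndpoints": [], "delegations": []},
        {"name": "netapp", "addressPrefix": "10.50.5.0/28",
         "serviceEndpoints": [{"service": "Microsoft.Sql"}],
         "delegations": [{"serviceName": "Microsoft.Netapp/volumes"}]},
    ],
}
# Constructed: CIDRs of data sources the Intelligence Server must reach.
# The first one overlaps the VNET range on purpose.
DATA_SOURCE_CIDRS = ["10.50.0.0/24", "192.168.10.0/24"]


def check_vnet(vnet, data_source_cidrs):
    """Return a list of findings; an empty list means the VNET meets the
    document's requirements (5 subnets inside the VNET range, Microsoft.Sql
    endpoint on all, one NetApp delegation, no data-source overlap)."""
    findings = []
    vnet_nets = [ipaddress.ip_network(p)
                 for p in vnet["addressSpace"]["addressPrefixes"]]
    subnets = vnet["subnets"]
    if len(subnets) != 5:
        findings.append(f"expected 5 subnets, found {len(subnets)}")
    for v in vnet_nets:
        for ds in data_source_cidrs:
            if v.overlaps(ipaddress.ip_network(ds)):
                findings.append(f"VNET range {v} overlaps data source {ds}")
    delegated = 0
    for s in subnets:
        net = ipaddress.ip_network(s["addressPrefix"])
        if not any(net.subnet_of(v) for v in vnet_nets):
            findings.append(f"subnet {s['name']} {net} is outside the VNET range")
        if not any(e["service"] == "Microsoft.Sql" for e in s.get("serviceEndpoints", [])):
            findings.append(f"subnet {s['name']} lacks the Microsoft.Sql service endpoint")
        # Azure spells the delegation "Microsoft.Netapp/volumes"; compare case-insensitively.
        if any(d["serviceName"].lower() == "microsoft.netapp/volumes"
               for d in s.get("delegations", [])):
            delegated += 1
    if delegated != 1:
        findings.append(f"expected exactly 1 subnet delegated to Microsoft.NetApp/volumes, found {delegated}")
    return findings
```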

Data Source Connectivity

Connectivity must be established between the Azure VNET and the data sources. This connectivity can be established in 3 ways.

1. VPN connection
   1. Site-to-site IPSec tunnel in the case that data sources are located on premises
   2. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

2. Express Route
   1. Dedicated line between the data center and Azure VNETs in the case that data sources are located on premises
   2. https://azure.microsoft.com/en-us/services/expressroute/

3. Peering Connection
   1. Connectivity that is established between Azure VNETs in the case that data sources are located in Azure
   2. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

○ The Intelligence Server will route traffic into the customer data center to retrieve data and use it within the MicroStrategy platform. This traffic uses the protocols and ports specific to the data source being connected.

Subscription Prerequisites

There are a few prerequisites that a subscription must meet before customers can start deploying MicroStrategy on Azure.

1. The resource providers below are required to be registered for the subscription using the Azure Portal:
   • Microsoft.Storage
   • Microsoft.Compute
   • Microsoft.ManagedIdentity
   • Microsoft.ManagedServices
   • Microsoft.DBforMySQL
   • Microsoft.DBforPostgreSQL
   • Microsoft.Authorization
   • Microsoft.Network
   • Microsoft.Sql
   • Microsoft.SqlVirtualMachine
   • Microsoft.Web
   • Microsoft.Portal
   • Microsoft.ResourceGraph
   • Microsoft.NetApp

The above resources can be registered by navigating to Subscription > Resource providers

2. Deploying Enterprise environments requires NetApp Files. In addition to registering the “Microsoft.NetApp” resource provider, the user has to whitelist the subscription by sending an email to “[email protected]”.

3. If the subscription is governed using Azure Policies, deployments require the policy definition to allow the resources below:
   • Linux (Red Hat 7.6): Standard E4s v3, Standard E8s v3, Standard E16s v3, Standard E20s v3, Standard E32s v3, Standard E64s v3
   • Windows (Windows Server 2016 Datacenter): Standard E2s v3

Workflow

Here is a high-level pictorial representation of the workflow:


Step-by-step explanation of the workflow:

1. The customer enters the Azure Subscription ID in the Cloud Console.

2. The Cloud Console validates the Subscription ID and displays a link/button: “Configuration”.

There are two ways customers can configure their subscription authentication:

   1. Resource Group level: For resource-group-level configuration, all the resources of new environments will be deployed in the given resource group. Create a new resource group during configuration by clicking on the ‘create new’ button, or select an existing resource group. Enter the Service Principal ID of MicroStrategyCloudConsole.

   2. Subscription level: For subscription-level access, the Service Principal is given access to the entire subscription and a new resource group with the name “env-XXXX” will be created for each deployment. The customer has to select the MicroStrategyOnAzure-<region> Resource Group on the page, which has already been created in step 8.


In subscription-level configuration, access for the Service Principal must be granted manually.
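As an added example (not part of the original document or of MicroStrategy’s tooling), the Python below audits the role assignments of the MicroStrategyCloudConsole service principal against the configuration level chosen above, so an administrator can confirm that a resource-group-level setup has not left the principal with subscription-wide rights. The assignment list and GUIDs are constructed placeholders shaped like `az role assignment list` output, and treating Owner as broader than needed is this example’s assumption, since the document does not name the role the principal is given.

```python
# Constructed sample shaped like a subset of `az role assignment list` output;
# the GUIDs are placeholders, not a real subscription or service principal.
SP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"          # placeholder
SUBSCRIPTION = "/subscriptions/11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": SUBSCRIPTION + "/resourceGroups/mstr-prod"},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Owner",
     "scope": SUBSCRIPTION},
    {"principalId": "00000000-0000-0000-0000-00000000bbbb",
     "roleDefinitionName": "Reader", "scope": SUBSCRIPTION},
]


def _in_resource_group(scope, resource_group):
    """True if scope is the resource group itself or a resource inside it."""
    marker = f"/resourcegroups/{resource_group.lower()}"
    lowered = scope.lower()
    idx = lowered.find(marker)
    if idx == -1:
        return False
    rest = lowered[idx + len(marker):]
    return rest == "" or rest.startswith("/")


def audit_sp_scope(assignments, sp_object_id, level, resource_group=None):
    """level is 'resourcegroup' or 'subscription', the two configuration
    options in the document. Returns findings for assignments of the
    service principal that reach beyond the chosen level. Flagging Owner
    is this example's assumption; the document does not name the role."""
    findings = []
    mine = [a for a in assignments
            if a["principalId"].lower() == sp_object_id.lower()]
    if not mine:
        # Subscription-level access has to be granted manually; nothing found yet.
        findings.append("no role assignment found for the service principal")
    for a in mine:
        role, scope = a["roleDefinitionName"], a["scope"]
        if level == "resourcegroup" and not _in_resource_group(scope, resource_group):
            findings.append(f"{role} at {scope} is outside resource group {resource_group}")
        if role.lower() == "owner":
            findings.append(f"Owner at {scope} is broader than the deployment needs")
    return findings
```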

3. The “Configuration” button is an HTTPS link that triggers MCP’s automation to configure and authorize customer accounts.

4. The configuration automation redirects the customer to the Microsoft OAuth login page, where the customer can log in to his/her Azure account.

5. After logging in, Microsoft further redirects the customer to the Authorization Grant page, which lists all the permissions that need to be granted to the MicroStrategy AD App. These permissions allow us to deploy and manage environments.

6. Once the customer accepts the permissions grant, Microsoft redirects the customer back to our authentication app with an authorization code. The authorization code is a GUID-like string; it is part of the OAuth protocol.

7. Using the authorization code, we assign the MicroStrategyCloudConsole Service Principal access to the tenant. We use the Service Principal authentication method to get access to the services deployed in the customer’s subscription.

8. Using the Service Principal, we immediately create a Resource Group in the customer’s subscription:

●MicroStrategyOnAzure-<region>


9. As the last step, we redirect the customer to the Deploy ARM Template page on Azure.

10. There are two ways customers can configure their subscription authentication:

11. Click on the ‘Purchase’ button, which deploys the ARM template. The customer can now go back to the Cloud Console and click on Validate, where the console verifies that the deployment has been successful.

12. The customer can also confirm the deployment succeeded in the Azure Subscription by going to the MicroStrategyOnAzure-<region> Resource Group.


Service Principal ID

Steps to find the Service Principal ID:

1. Navigate to Azure Active Directory.

2. Click on Enterprise Applications and select All Applications.

3. Search for MicroStrategyCloudConsole.

4. Click on the application and copy the Object ID, which is used for configuration.


Requested Permissions Explanation

1. Sign in and read user profile
   • Permission for allowing the user to sign in with their Active Directory credentials

2. Access Azure Storage
   • Permission to access the user’s storage account

3. Access Azure Service Management
   • Permission for querying REST APIs in the user’s account/subscription
   • This permission allows the MicroStrategy Cloud Console to manage the customer’s MicroStrategy deployments.
   • For example, to do a scheduled stop, the MicroStrategy Cloud Console uses the Azure Service Management APIs to stop the customer’s VMs.

4. Read directory data
   • Permission to read the user’s role in AD

Configuration Link

As discussed in Step 3 of the workflow, here is a sample configure link that the customer is redirected to:

https://customeradauth.azurewebsites.net/api/configure?email=[email protected]&region=<Region>&existingVNET=false&subscriptionId=1abc2a12-12a1-1ab1-12a1-a1a1b123abc1

It triggers an Azure function, which redirects the customer to the Microsoft login page so they can log in with their Active Directory credentials. Once the customer logs in, Microsoft further redirects the customer to the Authorization Grant page, which lists all the permissions that need to be granted to the MicroStrategy Cloud Console.

For the MicroStrategy on Azure deployment we need to obtain consent at the tenant level. We ask for this consent when a customer clicks on the “configuration” link on the console. They are redirected to a URL like the one below:

https://customeradauth.azurewebsites.net/api/configure?email=[email protected]&region=<Region>&existingVNET=false&subscriptionId=1abc2a12-12a1-1ab1-12a1-a1a1b123abc1

Only Global Admins of the tenant (AD) have the privilege to accept this “Consent”. Once consent is approved, anybody can deploy in the same subscription without elevated privileges at the subscription level.


Query parameters passed for configuration:

1. User email
   • Used only for logging purposes

2. Existing VNET flag
   • Used to signify whether the customer wants to deploy in an existing VNET or create a new VNET to deploy MicroStrategy environments.
   • Based on this flag, the ARM template to deploy the VNET, Subnets and Storage Accounts is determined.

3. Subscription ID
   • The customer’s subscription ID is passed to Microsoft, which determines the customer’s tenant; based on the tenant, Azure registers the “MicroStrategyCloudConsole” service principal as an enterprise application.
   • MicroStrategy uses the Service Principal access to make REST API calls to Azure to manage the customer’s MicroStrategy environments deployed on Azure.

Azure Functions

All the steps below run in the MicroStrategy Managed Account.

Configure Function
• HTTPS endpoint that the customer is redirected to from the Cloud Console.
• Gets the customer’s Tenant ID based on her/his Subscription ID.
• Redirects the customer to Microsoft for the login and permission grant page.
• Stores the Subscription ID and Tenant ID mapping in the database.
• Emails the team that the customer has initiated the configuration process.
• Production Endpoint: https://customeradauth.azurewebsites.net/api/configure?subscriptionId=<subscriptionId>&region=<<Region>>&email=<email>

Redirect Function
• HTTPS endpoint for Microsoft to redirect to after the customer has accepted the permissions grant.
• Gets access using service principal authentication.
• Emails the team that Resource Group creation has been initiated.
• Creates 2 Resource Groups in the customer’s subscription:
  • MicroStrategyOnAzure-<region>
• Gets the SAS URL of the MSTRonAzureInfrastructure.json ARM template.
• Redirects the customer to the Deploy ARM Template page. After the customer proceeds further, the ARM template deploys the VNET, Subnets, Storage Account, etc.
• https://customeradauth.azurewebsites.net/api/redirect


Azure Architecture

Team


Department


Enterprise


Azure Deployment

Clicking Create Environment triggers the MSTRCloudOrchestrator-<Region> Logic App. This Logic App accesses the image shared via the Azure Shared Image Gallery and starts deploying in the customer’s subscription.

Resource Creation

Subscription Level - If the subscription is configured at subscription level, a new resource group will be created with the name “Env-[Environment ID]”, and all the resources related to the environment being created are deployed in that resource group.

Resource Group Level - In this configuration, a resource group is either created during configuration or an existing resource group is selected during configuration, and all the deployments are created in it.

Image Sharing

MicroStrategy images are shared using the Shared Image Gallery from the MicroStrategy subscription.

Azure Services

Customer’s Azure subscription
a. Virtual Network (VNET)
b. Subnets
c. Application Load Balancers
d. Network Security Groups (NSG)
e. Network Interface (NIC)
f. Environment Instances
g. Images
h. Storage Account

MicroStrategy’s Azure subscription
a. Active Directory App Registration
b. Azure Functions
c. Azure Logic Apps
d. Base VMs
e. Snapshots


Resources

Azure Configuration Documentation
http://www2.microstrategy.com/producthelp/Current/Cloud/en-us/Content/azure_configuration_guide.htm

Azure Deployment Documentation
http://www2.microstrategy.com/producthelp/Current/Cloud/en-us/Content/create_new_environ.htm

MicroStrategy Cloud Platform Documentation
http://www2.microstrategy.com/producthelp/Current/Cloud/en-us/Content/manage_environs.htm