Dashboards for multiple tenants in Azure with SquaredUp
If you’re building applications and running services in Microsoft Azure, SquaredUp for Azure is a presentation layer that sits on top of the Azure APIs, enabling you to produce effective, informative and engaging dashboards.
But what if you are managing multiple tenants in Azure?
Managing applications and services across multiple tenants gets increasingly inefficient with each additional tenant, unless you have the right tools in place. This is a problem we often hear about from large enterprises that require independence within the organization for subsidiary, legal or geographical reasons, and from Cloud Service Providers (CSPs) who are managing multiple customer tenants.
But what if there was an easy way to manage all your tenants in a streamlined fashion, and bring everything together to achieve the holy grail of monitoring: the single pane of glass?
The dream team: Azure Lighthouse + SquaredUp
Introduced in July 2019, Azure Lighthouse was a breath of fresh air that provided a single view of all your tenants by using delegated resource access. It is integrated with Azure Resource Manager, Azure Monitor and Security Center, greatly simplifying cross-tenant management.
Add to the equation the powerful dashboarding tool, SquaredUp for Azure. With both tools tightly integrated into the Azure platform APIs, you can now create amazing dashboards that either zoom into one tenant, aggregate data together from multiple tenants, or even show side-by-side comparisons between different tenants. You’ve truly got yourself a single pane of glass for Azure!
Creating dashboards in a multi-tenant scenario
So how exactly does this work? In version 4.7 of SquaredUp, we’ve implemented some cool features that significantly improve the experience for our multi-tenanted customers:
- Scope filtering by tenant
- Scoping tiles by resource group
- Labels with the tenant name
Let’s go over how they work one by one.
Scope filtering by tenant
By default, scoping a tile in SquaredUp covers all the tenants you have access to, so the search results in the tile configuration panel return everything, which could become overwhelming with multiple tenants and Azure Lighthouse.
Simply check the ‘filter by tenant’ checkbox and choose the tenant, or tenants, that the relevant resources reside in; the rest of the configuration panel will then only return information for the tenants chosen.
See How to scope tiles for more information.
Scoping tiles by resource group
When adding tiles to a dashboard it is very common to scope to one or more resource groups. Again, the number of resource groups from multiple tenants could be enormous, making it hard to find the one you need, especially when naming conventions are being used and each tenant has similarly named resource groups.
From version 4.7 onwards, you can now see the tenant name alongside the subscription name in the search results. Easy!
Labels with the tenant name
The last feature added in version 4.7 provides the ability to create custom labels and sublabels using the tenant name. In scenarios where you are scoping a dashboard to include data from different tenants, it’s extremely useful to include the name of the tenant of the resource.
When you are adding a tile to a dashboard, simply set the tile to use the custom label and choose the tenantName attribute from the mustache helper.
See How to use Custom Labels for more information on using custom labels and the mustache helper.
The Cost Management tile is a popular feature in SquaredUp for Azure and with multi-tenancy support, it is now possible to create cost comparison dashboards for different tenants in a matter of minutes!
Cloud Service Providers need to ensure that they are using the ‘modern’ Azure Plan in order to obtain Cost Management data from the Microsoft APIs. See the Microsoft Documentation for more details.
What about security, can users now see data they shouldn’t?
The first thing to remember when creating a dashboard in SquaredUp for Azure is that everything is governed by the permissions users have in Azure Active Directory; this is true both while you are creating a dashboard and while you are looking at a published dashboard. Azure Lighthouse is likely to make this more apparent than in, say, a single-tenant setup.
For example, suppose there are 10 tenants being managed. If you have permission to see all the tenants, and you create a dashboard that pulls data from all 10 tenants, then you will obviously see the data for all the tenants. However, when a user logs in who only has access to one tenant, their view of the dashboard will only contain data from that tenant.
SquaredUp's tight integration with the Azure APIs ensures that no logged-in user will ever be able to read data on dashboards for Azure resources that they are not allowed to see.
To learn more about managing users and delegating resource management, see Microsoft MVP Martin Ehrnst's blog here:
Finally, let’s talk about two great ways to share dashboards with your users and customers!
Open Access seems like the obvious choice here, as you can create a dashboard and simply share a read-only link.
An important point to note: Open Access configuration requires the enterprise application to be assigned the Reader role. In the case of Lighthouse, this means that the enterprise application in Azure will need read access to the resources across all tenants, so dashboards can display information from any tenant. To avoid accidental disclosure of data to the wrong person, ensure the dashboards you share are scoped correctly for the intended audience!
See Open Access documentation for full details and information on how to set up your enterprise application correctly.
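The scoping check described above can be run mechanically before an Open Access link is shared. The following Python is an added example, not SquaredUp code: the tile layout, tenant names and GUIDs are constructed, and the subscription-to-tenant map is assumed to be supplied by the operator. It flags every tile scope whose subscription lies outside the intended audience's tenant and fails closed on scopes it cannot attribute.

```python
import re

# An ARM resource ID begins with /subscriptions/<GUID>; IDs are case-insensitive.
_SUB_RE = re.compile(
    r"^/subscriptions/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})(?:/|$)",
    re.IGNORECASE,
)

def subscription_of(resource_id):
    """Return the lower-cased subscription GUID of an ARM resource ID, or None."""
    m = _SUB_RE.match(resource_id.strip())
    return m.group(1).lower() if m else None

def out_of_scope(tiles, sub_to_tenant, audience_tenant):
    """List (tile name, reason) for every scope entry that would expose data
    from outside audience_tenant. Unknown or unparseable scopes fail closed."""
    owners = {sub.lower(): tenant for sub, tenant in sub_to_tenant.items()}
    findings = []
    for tile in tiles:
        for rid in tile["scope"]:
            sub = subscription_of(rid)
            if sub is None:
                findings.append((tile["name"], "unparseable scope"))
            elif sub not in owners:
                findings.append((tile["name"], "unknown subscription " + sub))
            elif owners[sub] != audience_tenant:
                findings.append((tile["name"], "belongs to " + owners[sub]))
    return findings

# Constructed sample data: GUIDs, tenant names and the tile layout are made up.
SUB_TO_TENANT = {
    "11111111-1111-1111-1111-111111111111": "Contoso",
    "22222222-2222-2222-2222-222222222222": "Fabrikam",
}
TILES = [
    {"name": "VM health", "scope": [
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod"]},
    {"name": "Cost", "scope": [
        "/SUBSCRIPTIONS/22222222-2222-2222-2222-222222222222"]},
    {"name": "Storage", "scope": [
        "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-data"]},
]

if __name__ == "__main__":
    for name, reason in out_of_scope(TILES, SUB_TO_TENANT, "Contoso"):
        print(f"BLOCK {name}: {reason}")
```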
Team Folders is the most secure way to share dashboards, since logged-in users will only ever see the data for resources that they have permission to see, as discussed above. Consider creating team folders to contain specific tenant dashboards, and then inviting the relevant users as guests into your Azure AD. Those guests can then be added to the team folder that contains their dashboards.
See our Team Folders documentation to learn more about this feature, and learn about inviting guests into Azure AD on the Microsoft support pages.
How do I get started?
If you’re an existing SquaredUp for Azure user and want to start using these now, you simply need to upgrade to version 4.7 or later (see upgrade documentation for help). Head over to SquaredUp downloads to get the latest version.
To learn more about how best to use Azure Lighthouse, check out Microsoft MVP Martin Ehrnst's Azure Lighthouse jumpstart guide.
Thank you for reading this blog post about the great new functionality.
Please take time to read our other blogs about the other new features we’ve recently released!