Mapping Azure Groups to Customer Tenant

Role-Based Access Control enables large conglomerate organizations to deploy a single Azure tenant and map it to multiple Azure Security groups defined on the same tenant. The groups may logically represent organization Active Directory attributes of an affiliated subsidiary of the conglomerate entity, for example, the R&D group. New customers are onboarded to represent each managed group.

Live Platform access permissions can be assigned to each group on Azure. For example, the Customer operator permission is assigned to the R&D group. All members that are defined in the R&D group as 'Direct Members' inherit the 'operator' permission. Upon logging in to Live Platform, these users log in as customer operators and only view data (alarms, statistics and calls) associated with the M365 users that are managed by this Security group in the organization Active Directory. When they log in to the Customer portal, M365 user data is filtered by a GetCsOnlineUser filter query matching the Active Directory attribute of the Security group. For example, Department -eq "R&D" is the matching query for the R&D Security group.

This feature may be implemented using the following topologies:

Service provider manages multiple channel groups
Service provider manages multiple customer groups
Channels manage multiple customer groups

The following diagram illustrates an example topology:

The managed tier hierarchy is Service Provider > Channel > Customers.
Three groups are created on the Channels' Azure tenant: 
'Channel_Admin' group with 'Admin' member 'Lee Gu'
'Admin_R&D' group with customer operator 'Adele Vance'
'Admin_Executive Management' group with customer operator 'Alex Wilber'
Database query filters are defined for each of the departments "R&D" and "Executive Management".
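
The group-to-role mapping and per-group filters of this example topology can be checked offline before they are configured. The Python sketch below is an added example, not Live Platform code; the M365 user records, the exact-match evaluation of the filter, and the function names `matches`, `scope_for` and `audit` are assumptions made for illustration.

```python
import re

# Constructed data modelled on the example topology above:
# group -> (Live Platform role, direct members, data filter or None).
GROUPS = {
    "Channel_Admin": ("Admin", {"Lee Gu"}, None),
    "Admin_R&D": ("Customer operator", {"Adele Vance"}, 'Department -eq "R&D"'),
    "Admin_Executive Management": ("Customer operator", {"Alex Wilber"},
                                   'Department -eq "Executive Management"'),
}
# Constructed M365 users carrying the attribute the filters match on.
M365_USERS = [
    {"name": "User A", "Department": "R&D"},
    {"name": "User B", "Department": "R&D"},
    {"name": "User C", "Department": "Executive Management"},
    {"name": "User D", "Department": "Sales"},
]
FILTER_RE = re.compile(r'^\s*(\w+)\s+-eq\s+"([^"]*)"\s*$')

def matches(flt, user):
    """Evaluate one '<Attribute> -eq "<value>"' filter (exact match assumed)."""
    m = FILTER_RE.match(flt)
    if m is None:
        raise ValueError(f"unsupported filter: {flt!r}")
    return user.get(m.group(1)) == m.group(2)

def scope_for(person, groups=GROUPS, users=M365_USERS):
    """Return (role, visible M365 user names) for a direct member, else None.
    Names is None when the group has no filter (scope not modelled here)."""
    for role, members, flt in groups.values():
        if person in members:
            names = None if flt is None else [u["name"] for u in users if matches(flt, u)]
            return role, names
    return None

def audit(groups=GROUPS, users=M365_USERS):
    """List mapping problems that would blur the per-group data boundary."""
    findings = []
    people = {}
    for name, (_, members, _) in groups.items():
        for p in members:
            people.setdefault(p, []).append(name)
    findings += [f"{p} is a direct member of {sorted(g)}"
                 for p, g in sorted(people.items()) if len(g) > 1]
    for u in users:
        hit = sorted(n for n, (_, _, f) in groups.items() if f and matches(f, u))
        if len(hit) > 1:
            findings.append(f"{u['name']} matches filters of {hit}")
    return findings
```

An empty result from `audit()` means no person is a direct member of two mapped groups and no M365 user falls under two filters, so each customer operator sees one department's data only.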

The setup below implements the above scenario:

Creating Azure Groups
Setting Up on Portal