NewOrbit Cloud Management Platform BETA

NewOrbit’s Cloud Management Platform (CMP) is currently available in beta.

It gives you, your team and NewOrbit access to reports about your Azure setup and spend in a different way to what you can easily get in the Azure portal.

In the current version we provide a cost summary report to help identify key areas of spend along with a summary report of which users have access to what. We intend to add more features to the Cloud Management Platform over time.

Note that the CMP will not give NewOrbit access to any data you have in your systems, it only gives access to azure infrastructure and cost data.

Get access

In the beta version, there are a couple of steps you need to take - we do intend to simplify this.

The first person who sets this up for your organisation needs permissions to add “Enterprise Applications” to Azure Active Directory - it is easiest if you are a Global Administrator in Azure AD. If you are not sure if you have this, just try signing up and see what happens - there is no harm if it fails. For the final step, you also need at least User Access Administrator permissions to each Azure subscription you wish to add. Different people can carry out each step, if necessary.

We are currently in beta - we hope the sign-up process can be simplified in the future.

1. Go to https://cmp.neworbit.co.uk
2. When prompted, log in with your Azure portal login.
3. You will be asked to consent to single sign-on. You may accept this for yourself or for your whole organisation.
4. Once you are logged in to the Cloud Management Platform, you should see “1 consent is missing” in the top right-hand corner. Please click on this to give consent for the Cloud Management Platform to read the names of your users. This is required for the Access Report to work.
5. The final step is to give the Cloud Management Platform access to read data about your Azure resources and cost. This does not give access to read any data or configuration settings.
   1. Go the Azure Portal
   2. For each subscription, give the NewOrbit-CMP user Reader access as follows:
   3. Select the subscription you wish to give NewOrbit read-only access to
   4. Select "Access control (IAM)" from the menu on the left
   5. Select "Add" from the top of the IAM blade
   6. Select "Add role assignment" from the drop-down
   7. Select the Reader role and click Next
   8. Click "Select Members", search for and then select NewOrbit-CM
   9. Click "Select" at the bottom of the screen
   10. Proceed to review and assign
6. As an alternative to step 5, if you have multiple subscriptions, you can use Management Groups to just give the permission once.
   1. Go to Management Groups in the Azure Portal
   2. If you are told “No management groups to display”, click the “Start using management groups” button. This won’t affect any existing permissions - it will just create a default “root” group. Refresh after a minute or so.
   3. Select the Tenant Root Group.
   4. Select "Access control (IAM)" from the menu on the left
   5. Carry on as in step 5 above.

Security

When your users log in to the Cloud Management Platform, we use their access token to read data from Azure. This means they can never see any more data than they would be able to in the Azure portal. If they can’t see costs in the Azure portal, for example, they will not be able to see costs in the Cloud Management Platform.

For NewOrbit, it works a bit differently. In the steps above, we ask you to give the Enterprise Application “NewOrbit-CMP” the reader role in each of your Azure subscriptions. When a NewOrbit user accesses the CMP, they use the permissions from the NewOrbit-CMP Enterprise Application to read data about your Azure subscription. The reader role gives access to Azure information, such as which resources you have and costs. However, the reader role does not give access to data in databases or to configuration values or anything else that may contain secrets. You retain full control and can customise or revoke the access the NewOrbit-CMP Enterprise Application has to your Azure subscription at any time. If you want to completely block NewOrbit from access, just delete that Enterprise Application from your Azure AD.

Features

At present, we have the following features in NewOrbit’s Cloud Management Platform. We intend to add more features over time.

Cost report

The Cost Report provides a summary of your spend from the previous, full Calendar month. It uses the approach set out in our Spend less on Azure approach to help you - and us - identify the areas that you are spending most on in Azure.

Access report

Azure has comprehensive Role Based Access Control that can be applied at many different levels. However, it is difficult to get a consolidated view of who has which access to what across your Azure estate - which is important for compliance purposes. The Access Reports consolidates this into a single report.