Add missing onboarding steps for Azure BYOC

jhlodin · jhlodin · commit 8c4b559c9487 · 2026-04-09T22:10:15.000-04:00
diff --git a/src/current/cockroachcloud/byoc-deployment.md b/src/current/cockroachcloud/byoc-deployment.md
@@ -49,36 +49,157 @@ Once this Azure subscription has been created and configured to host CockroachDB
 
 {{ site.data.alerts.end }}
 
-## Step 2. Grant IAM permissions to Cockroach Labs
-
-When BYOC is enabled for your account, Cockroach Labs provisions a multi-tenant App Registration associated with your CockroachDB {{ site.data.products.cloud }} organization and provides you with a URL to grant tenant-wide admin consent to the application. Visit this URL with a user account that is [authorized to consent on behalf of your organization](https://learn.microsoft.com/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#prerequisites).
-
-Once the Cockroach Labs App Registration has been granted admin consent in the tenant, grant the following set of roles to the app:
-
-- `Role Based Access Control Administrator`
-- `Azure Kubernetes Service Cluster User Role`
-- `Azure Kubernetes Service Contributor Role`
-- `Azure Kubernetes Service RBAC Cluster Admin`
-- `Managed Identity Contributor`
-- `Network Contributor`
-- `Storage Account Contributor`
-- `Storage Blob Data Contributor`
-- `Virtual Machine Contributor`
-- A custom role, `Resource Group Manager`, with the following permissions:
-  - `Microsoft.Resources/subscriptions/resourceGroups/read`
-  - `Microsoft.Resources/subscriptions/resourceGroups/write`
-  - `Microsoft.Resources/subscriptions/resourceGroups/delete`
-  - `Microsoft.Resources/subscriptions/resourceGroups/moveResources/action`
-  - `Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action`
-  - `Microsoft.Resources/subscriptions/resourcegroups/deployments/read`
-  - `Microsoft.Resources/subscriptions/resourcegroups/deployments/write`
-  - `Microsoft.Resources/subscriptions/resourcegroups/resources/read`
-  - `Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read`
-  - `Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read`
-
-The custom `Resource Group Manager` role is required to create and manage resource groups in the subscription. This role is used instead of requesting the more broad `Contributor` role.
-
-## Step 3. Register resource providers
+## Step 2. Grant admin consent to Cockroach Labs support
+
+The CockroachDB {{ site.data.products.cloud }} BYOC Reader is an enterprise application in Azure that is used
+by Cockroach Labs support. Granting admin consent to this application gives **read-only** permissions to allow
+Cockroach Labs support engineers to securely view your Azure resources if needed.
+
+Follow these steps to grant admin consent to the reader application and assign the necessary permissions:
+
+1. Log in to the Azure portal as a user with Global Administrator or Privileged Role Administrator permissions.
+2. Open the following URL in your browser:
+    {% include_cached copy-clipboard.html %}
+    ~~~ text
+    https://login.microsoftonline.com/adminconsent?client_id=7f6538cb-f687-4411-9bbe-2f96bfbce028
+    ~~~
+    
+    If you have multiple tenants, replace `customer-tenant-id` in the following URL with the tenant containing your newly-created Azure subscription:
+    
+    {% include_cached copy-clipboard.html %}
+    ~~~ text
+    https://login.microsoftonline.com/<customer-tenant-id>/adminconsent?client_id=7f6538cb-f687-4411-9bbe-2f96bfbce028
+    ~~~
+3. Review the requested permissions and click **Accept**.
+4. A service principal for the CockroachDB {{ site.data.products.cloud }} BYOC reader is created. Grant the following set of roles to the app:
+   - `Role Based Access Control Administrator`
+   - `Azure Kubernetes Service Cluster User Role`
+   - `Azure Kubernetes Service Contributor Role`
+   - `Azure Kubernetes Service RBAC Cluster Admin`
+   - `Managed Identity Contributor`
+   - `Network Contributor`
+   - `Storage Account Contributor`
+   - `Storage Blob Data Contributor`
+   - `Virtual Machine Contributor`
+   - A custom role, `Resource Group Manager`, with the following permissions:
+    
+     - `Microsoft.Resources/subscriptions/resourceGroups/read`
+     - `Microsoft.Resources/subscriptions/resourceGroups/write`
+     - `Microsoft.Resources/subscriptions/resourceGroups/delete`
+     - `Microsoft.Resources/subscriptions/resourceGroups/moveResources/action`
+     - `Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action`
+     - `Microsoft.Resources/subscriptions/resourcegroups/deployments/read`
+     - `Microsoft.Resources/subscriptions/resourcegroups/deployments/write`
+     - `Microsoft.Resources/subscriptions/resourcegroups/resources/read`
+     - `Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read`
+     - `Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read`
+    
+    The custom `Resource Group Manager` role is required to create and manage resource groups in the subscription. This role is used instead of requesting the more broad `Contributor` role.
+
+## Step 3. Configure Azure Lighthouse
+
+[Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) enables cross-tenant management to Cockroach Labs with least-privilege access and full customer visibility. You can review or remove this access at any time from the Azure portal.
+
+This Azure Lighthouse deployment grants the following permissions to Cockroach Labs:
+
+- Access to the CockroachDB {{ site.data.products.cloud }} BYOC reader application for observability.
+- Kubernetes read access for cluster inspection.
+- Administrative access for managed operations.
+
+These permissions are granted to Cockroach Labs's managed tenant, which has a tenant ID of `a4611215-941c-4f86-b53b-348514e57b45`
+
+Follow these steps to enable secure, scoped access for Cockroach Labs to your subscription using Azure Lighthouse:
+
+1. Save the following ARM template to a file named `byoc-lighthouse.json`:
+    {% include_cached copy-clipboard.html %}
+    ~~~ json
+    {
+      "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
+      "contentVersion": "1.0.0.0",
+      "parameters": {
+        "mspOfferName": {
+        "type": "string",
+        "metadata": {
+          "description": "Specify a unique name for your offer"
+        },
+        "defaultValue": "CockroachDB Cloud BYOC"
+        },
+        "mspOfferDescription": {
+        "type": "string",
+        "metadata": {
+          "description": "Name of the Managed Service Provider offering"
+        },
+        "defaultValue": "Template to onboard to CockroachDB Cloud BYOC via Lighthouse"
+        }
+      },
+      "variables": {
+        "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
+        "mspAssignmentName": "[guid(parameters('mspOfferName'))]",
+        "managedByTenantId": "a4611215-941c-4f86-b53b-348514e57b45",
+        "authorizations": [
+        {
+          "principalId": "c4139366-960c-431d-afad-29c65fd68087",
+          "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
+          "principalIdDisplayName": "CockroachDB Cloud BYOC Reader Entra Group"
+        },
+        {
+          "principalId": "c4139366-960c-431d-afad-29c65fd68087",
+          "roleDefinitionId": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
+          "principalIdDisplayName": "CockroachDB Cloud BYOC Reader Entra Group"
+        },
+        {
+          "principalId": "6532a4f2-3fa1-4b10-a4c2-05368c87c89a",
+          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+          "principalIdDisplayName": "CockroachDB Cloud BYOC Admin Entra Group"
+        }
+        ]
+      },
+      "resources": [
+        {
+        "type": "Microsoft.ManagedServices/registrationDefinitions",
+        "apiVersion": "2020-02-01-preview",
+        "name": "[variables('mspRegistrationName')]",
+        "properties": {
+          "registrationDefinitionName": "[parameters('mspOfferName')]",
+          "description": "[parameters('mspOfferDescription')]",
+          "managedByTenantId": "[variables('managedByTenantId')]",
+          "authorizations": "[variables('authorizations')]"
+        }
+        },
+        {
+        "type": "Microsoft.ManagedServices/registrationAssignments",
+        "apiVersion": "2020-02-01-preview",
+        "name": "[variables('mspAssignmentName')]",
+        "dependsOn": [
+          "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
+        ],
+        "properties": {
+          "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
+        }
+        }
+      ],
+      "outputs": {
+        "mspOfferName": {
+        "type": "string",
+        "value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
+        },
+        "authorizations": {
+        "type": "array",
+        "value": "[variables('authorizations')]"
+        }
+      }
+      }
+    ~~~
+2. Deploy the template at the subscription scope using Azure CLI, Azure PowerShell, or Azure Portal. The following example command uses the Azure CLI:
+    {% include_cached copy-clipboard.html %}
+    ~~~ shell
+    az deployment sub create \
+      --name cockroach-byoc-lighthouse \
+      --location <region> \
+      --template-file byoc-lighthouse.json
+    ~~~
+
+## Step 4. Register resource providers
 
 Register the following [resource providers](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) in the Azure subscription:
 
@@ -88,7 +209,7 @@ Register the following [resource providers](https://learn.microsoft.com/azure/az
 - `Microsoft.Quota`
 - `Microsoft.Storage`
 
-## Step 4. Create the CockroachDB {{ site.data.products.cloud }} cluster
+## Step 5. Create the CockroachDB {{ site.data.products.cloud }} cluster
 
 In BYOC deployments, CockroachDB clusters are deployed with the {{ site.data.products.cloud }} API and must use the {{ site.data.products.advanced }} plan. Follow the API documentation to [create a CockroachDB {{ site.data.products.cloud }} {{ site.data.products.advanced }} cluster]({% link cockroachcloud/cloud-api.md %}#create-an-advanced-cluster).
 
