< All Topics
Print

CSP setup for Teamwork Analytics

Overview

Teamwork Analytics can be deployed under a Cloud Solution Provider (CSP) arrangement – where the resources and data stay in a dedicated subscription under your Azure tenant, but access is delegated to Nasstar / Modality to deploy, update and support the solution.

Nasstar / Modality do not require or request delegated administration privileges on your Azure AD and Office 365 for Teamwork Analytics. This adds some setup steps below but limits access to the Azure subscription only. The customer retains control of the subscription and can change Nasstar / Modality’s access at a later date if necessary.

These steps are for customers to follow, if a CSP model has been discussed and agreed between the customer and Nasstar / Modality. They are not necessary for the standard SaaS model.

1. Agreement to the CSP relationship

Use this link to accept the CSP invitation, and authorise Nasstar / Modality Systems (CSP) to be your Microsoft Cloud Solutions Provider and accept the Microsoft Customer Agreement. You must be signed in with a user that has Global Admin permission on your tenant.

https://admin.microsoft.com/Adminportal/Home?invType=ResellerRelationship&partnerId=79d0925f-c43c-49d9-ba43-fc556c55104f&msppId=0&DAP=false#/BillingAccounts/partner-invitation

Please notify your Nasstar / Modality contact when this has been done, as the partner (Nasstar / Modality) also needs to accept the customer before proceeding.

2. Azure Application ID creation

Third-party applications that use protected APIs (reading user identifiable data, etc such as Teamwork Analytics) require Microsoft approval.

Two Azure applications need to be registered in your tenant, one for each Teamwork Analytics module. This will also need to be done by a user with Global Admin permission on your tenant.

Submit the tenant ID, plus Application ID, Application Secret for each to your Nasstar / Modality Systems contact, so that these can be sent for Microsoft approval. The approval process at Microsoft takes up to a week.

Usage & Governance: Registering Teamwork Analytics as an Azure Application

Calls & Meetings: Register Calls and Meetings app with Azure Active Directory

3. Teamwork Analytics Automation permission

Automation (sending relevant targeted messages to end users based on Teamwork Analytics data) uses a Modality hosted service, that needs permissions to send messages to end users.

Follow this link, sign in as a Global Admin, then review and accept the requested permissions: https://mod.qa/AutomationConsent 

Further information about the permissions requested and how to revoke (if necessary later) are here:
Teamwork Analytics Authorisation steps – Setup (modalitysystems.com)

4. Azure Lighthouse delegation to subscription

Once the CSP agreement from step 1 is in place, access needs to be delegated to Modality. This step will need to be done by a user with Global Admin permission on your tenant. 

Elevate access for a Global Administrator

The CSP subscription is hidden by default, so the administrator will need to temporarily elevate their account to manage it.

Follow the directions at:
Elevate access to manage all Azure subscriptions and management groups | Microsoft Docs  

Global admin account should now be able to see “Azure Subscription 1” under the Subscriptions view in Azure Portal.

Add self as owner to subscription

Follow directions at: Assign a user as an administrator of an Azure subscription – Azure RBAC | Microsoft Docs 

Grant the Global Admin account “Owner” privileges on the subscription.

Set up Resource Providers

Under Settings for the subscription, go to Resource Providers > Microsoft.ManagedServices and click Register.

Allow a few minutes for this change to take effect before proceeding

Delegate permissions to Nasstar / Modality

In the Azure Portal search bar, type “modality” and select the Managed Services : 30-Minute Implementation Marketplace result.

Under subscription select ‘Azure subscription 1’

Select your preferred Azure region

Leave the name as it is and select the Review + Create button. 

Select the “Give your partner access” link, or go to Service Providers in the Azure Portal, and follow these steps to delegate: 

https://docs.microsoft.com/en-us/azure/lighthouse/how-to/view-manage-service-providers#delegate-resources

  1. Check the box for the row containing the service provider, offer, and name. Then select Delegate resources at the top of the screen.
  2. In the Offer details section of the Delegate resources page, review the details about the service provider and offer. To review role assignments for the offer, select Click here to see the details of the selected offer.
  3. In the Delegate section, select Delegate subscriptions or Delegate resource groups.
  4. Choose the subscriptions and/or resource groups you’d like to delegate for this offer, then select Add.
  5. Select the checkbox at the bottom of the page to confirm that you want to grant this service provider access to the resources that you’ve selected, then select Delegate.

Advise your Modality contact once complete and we can verify that permissions have been delegated correctly. We can then deploy Teamwork Analytics into your tenant for you.

Table of Contents