FAQs on the Managed Data Platform permissions

As an authorised Microsoft Direct Bill Partner, and an Azure Expert MSP, Macquarie Cloud Services require access to your Microsoft Data Platform services in order to provide managed services for your business or organisation. On this page you will find answers to FAQs regarding the access we require for services, and the measures that you may take to protect that access.

We request that the User Access Administrator or Global Administrator provision two Entra ID security groups in your directory.
  1. Create the following Entra ID security groups in the Entra ID tenancy. (NOTE: the group names can be changed to conform to your corporate naming conventions):
    1. MCS_Fabric_Automation_SPs
    2. MCS_Fabric_Workspace_Admins
  2. Add the Enterprise App as a member of the “MCS_Fabric_Automation_SPs” security group.
The Fabric Administrator is requested to grant the privileges below:
  1. Under the Fabric Portal Tenant settings, please grant the “MCS_Fabric_Automation_SPs” security group the following Fabric privileges:
    1. Service principals can access read-only admin APIs.
    2. Service principals can access admin APIs used for updates.
    3. Service principals can create workspaces, connections, and deployment pipelines.
    4. Service principals can call Fabric public APIs.
    5. Allow service principals to create and use profiles.
  2. In the Azure portal, please grant the Enterprise App the capacity administrator role:
    • Log in to the Azure portal
    • Type “Fabric” into the search bar
    • Select Microsoft Fabric, then Access Control
    • Add role assignment: capacity administrator
    • Member: the Enterprise App
    • Select, then Save and close
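The Entra ID steps above (the two security groups and the Enterprise App membership), scripted with the Microsoft Graph PowerShell SDK as an added example that is not Macquarie Cloud Services' own tooling, with a review function for the periodic membership check and a revoke function for the removal option described on this page; the Fabric tenant settings and the capacity administrator assignment remain portal steps. It assumes the Graph SDK is installed and the caller holds the administrator rights described above; `$EnterpriseAppName` is a placeholder for the Enterprise App's display name in your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Applications
# Added example (hypothetical script, not MCS tooling). Group names follow the
# page but can be changed to match your naming convention.
param(
    [string]$EnterpriseAppName = '<MCS Enterprise App display name>',  # placeholder
    [string]$AutomationGroupName = 'MCS_Fabric_Automation_SPs',
    [string]$WorkspaceAdminsGroupName = 'MCS_Fabric_Workspace_Admins'
)

# Least-privilege scopes: write groups, read service principals only.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

function Get-OrCreateSecurityGroup {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Idempotent: reuse an existing group of that name rather than creating a duplicate.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing[0] }
    New-MgGroup -DisplayName $DisplayName -MailEnabled:$false `
        -MailNickname $DisplayName -SecurityEnabled
}

function Show-GroupMembers {
    # Periodic review: list every member of each group so unexpected principals stand out.
    param([Parameter(Mandatory)][object[]]$Groups)
    foreach ($g in $Groups) {
        Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
            [pscustomobject]@{
                Group    = $g.DisplayName
                MemberId = $_.Id
                Type     = $_.AdditionalProperties['@odata.type']
            }
        }
    }
}

function Revoke-PartnerAccess {
    # Removal option from the page: drop the Enterprise App from the automation group.
    param([Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][string]$ServicePrincipalId)
    Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $ServicePrincipalId
}

$automationGroup = Get-OrCreateSecurityGroup -DisplayName $AutomationGroupName
$workspaceAdmins = Get-OrCreateSecurityGroup -DisplayName $WorkspaceAdminsGroupName

# The Enterprise App exists in Entra ID as a service principal; add it as a group member.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$EnterpriseAppName'"
if (-not $sp) { throw "Enterprise App '$EnterpriseAppName' not found in this tenant." }
New-MgGroupMember -GroupId $automationGroup.Id -DirectoryObjectId $sp.Id

Show-GroupMembers -Groups @($automationGroup, $workspaceAdmins) | Format-Table
```

Run `Revoke-PartnerAccess -GroupId $automationGroup.Id -ServicePrincipalId $sp.Id` to remove the membership again; the Fabric tenant settings and the Azure role assignment still need to be reviewed separately.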

Without the requested privileges, we are unable to deliver our managed services. The privileges requested are based on the just-enough-access and least-privilege principles.

Since the security groups and the enterprise application are in your tenant directory, your existing security measures apply. As part of the managed service, our actions are logged and audited.

We recommend a regular review of service principal and enterprise app permissions.

Once enabled, we are able to continue our on-boarding. You may remove our access at any time by:
  • removing the security groups, or
  • removing members from the security groups, or
  • removing the permissions from the enterprise app, or
  • removing the enterprise app.

In this context, we are not requesting Administer on Behalf Of (AOBO) or Granular Delegated Administrative Privileges (GDAP). The permissions we do request are granular, platform-level Azure and Entra ID roles and privileges that provide just enough access to execute the managed services.

If relevant, you may receive other requests from us that nominate these privileges.