Add Azure BYOC instructions for granting permissions#23110
jhlodin left a comment:

some wordsmithing with Ryan

Co-authored-by: Vishal Jaishankar <[email protected]>
rmloveland left a comment:

LGTM, just some small comments/suggestions/formatting things
> ## Step 2. Set up the admin App Registration
>
> When BYOC is enabled for your account, Cockroach Labs dynamically provisions a multi-tenant admin App Registration associated with your CockroachDB {{ site.data.products.cloud }} organization and provides you with a URL to grant tenant-wide admin consent to the application. Granting admin consent creates an admin Service Principal in your tenant, which is used by Cockroach Labs support to act on the Kubernetes cluster, running automation that initializes support infrastructure.
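Review bot: The Step 2 paragraph explains that granting admin consent creates an admin Service Principal that Cockroach Labs support uses to act on the Kubernetes cluster, but it does not tell the reader how to inspect or revoke that consent afterwards. Since this is the step that hands a third party tenant-wide access, suggest adding a sentence on where the consented application can be reviewed and the consent removed in the tenant, and advising the reader to confirm that the consent prompt opened from the provided URL names the expected Cockroach Labs application before accepting.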
suggest bolding 'Service Principal', 'App Registration', etc. if they are proper names from the Azure UI

I don't believe they're proper names specific to the UI. The actual UI term is Enterprise Application which is the tab in the UI that contains both App Registrations and Service Principals, but we're not (currently) documenting the specifics of a third party UI.
Bolding I think makes sense for the first mention of these terms to differentiate them, but not throughout this doc.
> Visit this URL with a user account that is [authorized to consent on behalf of your organization](https://learn.microsoft.com/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#prerequisites). Once the Cockroach Labs App Registration has been granted admin consent in the tenant, grant the following set of roles to the admin Service Principal:
same here and elsewhere re: bolding proper names of Azure things

See above, I think the first time on this page makes sense to bold but not the rest (they're entity types, not UI components)
> Use [Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/overview) to enable cross-tenant management that establishes the support infrastructure that allows Cockroach Labs to assist in the event of a support escalation. Permissions are granted least-privilege access and full visibility, allowing you to review and remove access at any time from the Azure portal.
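Review bot: "Permissions are granted least-privilege access and full visibility" in the Azure Lighthouse paragraph does not parse; suggest "Permissions are granted on a least-privilege basis with full visibility, so you can review and remove access at any time from the Azure portal." It would also help the reader to say where in the Azure portal the delegation shows up, since "review and remove access" is the control they are being offered.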
> This Azure Lighthouse deployment grants permissions to Cockroach Labs's managed tenant, which has a tenant ID of `a4611215-941c-4f86-b53b-348514e57b45`, by assigning the following roles to the reader and admin Entra groups within the tenant:
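Review bot: The tenant ID `a4611215-941c-4f86-b53b-348514e57b45` is the single value in this step that determines which tenant receives delegated access, and the sentence only states it. Suggest telling the reader to check that the managed-by tenant ID in the Lighthouse deployment they are about to accept matches this value before deploying, so that a mistyped or substituted ID does not delegate the subscription to a different tenant.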
I think this can be Cockroach Labs' managed tenant?

That's not the formal title of the tenant, just a descriptor. So plaintext should be correct.
https://cockroachlabs.atlassian.net/browse/DOC-16396
https://cockroachlabs.atlassian.net/browse/DOC-16141