
Nerdio for Azure Fundamentals: The Nerdio Admin Portal

May 07, 2019

Joseph Landes:
In this session, we will introduce you to the Nerdio Admin Portal, otherwise known as the NAP. The NAP is the one single pane of glass MSPs use to interact with Nerdio for Azure, including managing all customer accounts, and Azure resources. With the Nerdio Admin Portal, we have simplified the way MSPs interact with Azure, as most every task can be accomplished in three clicks or less, truly a breakthrough and simplified way to manage your customer accounts in Microsoft Azure. Enjoy the session.

Vadim Vladimirskiy:
From a terminology perspective, when we talk about an account, an account is a single line item here. So this is an account, account number 1006. It’s also sometimes referred to as a tenant, as opposed to a user, is a login into the admin portal that has different varying levels of access and visibility. So you know, when we’re talking about an account, it’s a specific sort of customer or specific deployment or specific tenant, and then when we talk about users and user logins, those are the objects that you log in with into the admin portal to then see different visibility and different scope. So I guess let’s start at the highest level.

Vadim Vladimirskiy:
So we talked about Adar admin users. We also have something called the distributor admin. A distributor admin is meant for our partners who are two-tier distributors, meaning that they have resellers and then those resellers have end customers. So we have Adar at the very high level, then you have a distributor, a distributor has a reseller, and then the reseller has end customers. And those end customers are basically accounts, okay? So a distributor can have either resellers who have accounts, or they can have their own direct accounts. Same way as Adar can have a distributor, we can have a reseller, or we can have a direct customer, okay? If we look at the users that are in the system here.

Vadim Vladimirskiy:
So right now I’m logged in as a reseller or a partner administrator, which means that I can see all of my accounts that are associated with this particular reseller and I cannot see the accounts associated with any other reseller or distributor or Adar user or anything else. A yellow flag on the left-hand side here indicates that it’s an indirect account, meaning it’s an account of a reseller, and if you mouse over it will actually tell you who the reseller is. And this view is available from either Adar admin or tier two admin or whatever login access you have, this little flag is handy. You can mouse over it and see who the reseller is and you can also search, when you search in this field, you can search by the reseller name and it will filter by that particular reseller, okay?

Vadim Vladimirskiy:
As a reseller administrator, there are a few things I can do. I can provision individual accounts and any accounts I provision will be associated to my reseller account. So anyone with an access higher than mine looks at it, they will see a yellow flag with my name associated there. Again, that applies to both NFA and NBC account. And I can also add additional users who can log in and manage my customers’ accounts and there are different roles that can be used. So there is another partner admin. So I can add someone who has the same level of access as I do, meaning they can provision new accounts. I can add someone who is a billing admin and a billing admin can view invoices and manage payment details, but cannot manage the accounts from an IT perspective. They can just sort of be doing billing stuff. I can add a tier one support. A tier one support can log in and manage these individual accounts, but only see everything that’s in their home, users, groups, and shared mailboxes and nothing below. So they cannot get into servers, they cannot get into networking, they cannot make any of those changes.

Vadim Vladimirskiy:
And then finally there is a user role called tier two admin, or I’m sorry, tier two support. And tier two support can manage individual accounts with full access, but has no access to the billing information and no ability to purchase new things. Let’s go look at what levels of access are available within accounts. So if I click to manage … So right now I’m a partner admin. I’m going to click to manage your particular account and what I can do is you can see I have no way of adding additional special management users, but I can take any of the existing Nerdio users that are in the Active Directory and I can make them administrators or support users inside of the NAP. All I do is I check this box and I have two access levels. I have IT admin and tier one support. So let’s see, we call it IT admin, which is full access. They can do everything, but only within this one particular account. So if I make Andy the IT admin an IT … An account IT admin off this account, Andy will be able to go to app.nerdio.net, log in with aitadmin5009.nerdio.net, and be immediately placed inside of this account. So he won’t see any other accounts that are associated with the reseller, the partner or the distributor or Adar, but will see everything that’s within this account.

Vadim Vladimirskiy:
Everyone sees the same kind of stuff when they’re logged in as an administrator. They see a list of accounts, they see a list of users, and then they see logs and settings and then they may or may not see billing, depending on what their role is. But the list of accounts is where they spend 95% of their time and then the list of accounts is simply a filtered list that belongs in the scope of that particular user login. So for instance, for a partner admin itself [inaudible 00:07:21], you’ve got any account that you or your peer, partner admin users created. If you log in as a distributor admin, you’ll see two types of accounts. You’ll see accounts that have a yellow flag like this, which is going to be accounts of your resellers/partners, and you’ll also see any accounts that have a blue flag that are your direct accounts, okay? If you want to manage your users, meaning the partner admin users, you do that in this section, because a user is not necessarily tied to any specific account. But the list of accounts is basically customers and then depending on what role you’re logged in with, this flag will point out what partner those customers belong to.

Vadim Vladimirskiy:
Where the user information is stored. So if we look again at this list, all of this information is stored in the NAP’s SQL database, meaning there are accounts that get authenticated directly and securely against that database, whereas any of these roles are associated with Active Directory users. As I showed you, if we go here and we log in to a particular account and we go to users and we check that box for any of these users to have access into NAP either as an account IT admin or account tier one support, this role would be tagged down to this existing user object. So when the user goes to log into the NAP, their credentials are going to be authenticated against the domain controller that is within this account. How does it know? Because when the user logs in, they’re going to use a domain and that domain is globally unique, because it’s an email address, so it’s obviously a unique username with a unique domain. And that will get authenticated against the correct Active Directory domain controller. And if that domain controller happens to be down, let’s say someone shut it off, they turn off DCR1 and it’s not available, then that user will not be able to log in because that’s where the authentication needs to be done. And if that server is down, then they will not be able to authenticate.

Vadim Vladimirskiy:
On the other hand, any of these accounts, the ones that are partner and distributor admins or any of these support users, they can authenticate without Active Directory access because they’re not tied to any Active Directory credentials. Okay?

Vadim Vladimirskiy:
One other thing that I want to mention as far as architecture of the product goes, almost everything that is done in the NAP is a task-based or task queue-based system. So as you probably have noticed as you work with the product, anything you do creates a task, which currently has either a pending state, meaning it’s been submitted and it’s waiting to be picked up. Once it gets picked up by the system it goes into in progress and once it completes its in progress stage, it either goes into complete, which means it succeeded, or it generates an error and then the error, there’s some logging that can show you what the error is. But pretty much everything. There are probably some exceptions, but for the most part anything you do in the system gets submitted into a queue and then executed asynchronously. So what that means is that, for instance, there is a way to pause task processing in a particular account. There’s like a checkbox that allows to pause that. So things will go into queue and they will stay in their pending state and will not transition into a progress state until that queue is un-paused.

Vadim Vladimirskiy:
There are also two types of tasks. There are blocking and non-blocking ones. So for instance, there may be a task such as refreshing the AD cache and we’ll talk about that in more detail next time. But every screen that has a date stamp at the top means that this is a cache list and this is the date of when it was cached. And let’s say I’m now updating this cache … Let’s say I click this button, so I’ve now updated the cache and there’s going to be a corresponding task that’s going to say “in progress” or maybe still pending. See, okay, so right now I just submitted this task. In a few seconds it’s going to go in progress, and then if I were to go, while that task is happening, if I were to go and make a change to one of these users, that would also get submitted as a task, but it would be pending the completion of the cache refresh.

Vadim Vladimirskiy:
So it’s just important to keep in mind that things don’t get always or usually don’t get executed in real time. They get executed in a queue type of a fashion and there is a log both at the bottom of each screen or each module that shows you the last three days’ worth of tasks and you can see over here it says three days. And then you can go on their logs and go to management tasks and this is where you would see a complete listing of all the tasks that have been executed and there’s no way to remove them from this list. So you can go as far back as the age of this particular account.
