2i2c-org / infrastructure

Infrastructure for configuring and deploying our community JupyterHubs.
https://infrastructure.2i2c.org
BSD 3-Clause "New" or "Revised" License

Give access to Erik and Pris to UToronto #2381

Closed yuvipanda closed 1 year ago

yuvipanda commented 1 year ago

[Damián] See below for the description and latest status.

yuvipanda commented 1 year ago

I've started an email thread with Jeremy from UToronto, along with @pnasrat and @consideRatio to get them access.

Traditionally, this has involved getting everyone a utoronto.ca account. I am hoping instead we can use Microsoft accounts directly.

yuvipanda commented 1 year ago

Now that I've started this, can you both take this forward @pnasrat and @consideRatio?

pnasrat commented 1 year ago

Are there docs re the process/MS accounts for context? Do we have a 2i2c Azure org setup already so that we can have a consolidated view for additional Azure clusters?

yuvipanda commented 1 year ago

Unfortunately we basically have nothing at this point :( We have historically just emailed them, and they have set us up with specific utoronto.ca accounts for each engineer. I am hoping that maybe some systematization can happen this time. But there isn't any prior art here for us.

pnasrat commented 1 year ago

I think we might want to mirror as close as possible what we have learned from GCP for Azure to future proof for shared clusters

I need to read the docs but imagine this might look like

consideRatio commented 1 year ago

A big :+1: for already assuming we want to have an Azure organization or what that may be called to handle Azure identities.

I think what we need is Azure Active Directory setup for 2i2c in some way. I understand that this is a feature that can be enabled in different levels described here called Free, Office 365 Apps, Premium 1, Premium 2, costing a few dollars per user and month.

In practice, I think what we need first is an "Azure subscription".

@yuvipanda @pnasrat should we get this set up? I bet it would incur a running cost, but I guess it's on the scale of 100 USD a month which I figure is worth it.


There is this guide available, that may be relevant. I'm very confused about terminology, but I see "tenant", "organization", and "subscription" mentioned: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant.

pnasrat commented 1 year ago

@consideRatio I'm not sure how approval for the additional expense would work - I'm guessing it's via central funds and I'm not sure who might need to approve or set up

https://compass.2i2c.org/en/latest/finance/cloud.html

pnasrat commented 1 year ago

@choldgraf will provide CC details when at that stage.

I imagine we want the account created through an aliased 2i2c address to prevent tying to individuals - I'm not a Google Workspace admin so can't see the org settings for there to compare.

AWS is choldgraf@ and receipts@ for billing with a California address (not sure if there is a registered business address that should be used)

https://azure.microsoft.com/en-us/pricing/purchase-options/pay-as-you-go/

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant

jsg-uoft commented 1 year ago

Hi 2i2c friends... Looking into this from the UofT end. Pretty sure there was openness in the past to doing some sort of AAD federation (or similar arrangement) to let you manage credentials at your end rather than having to wait for us at UofT to set things up. Will update as soon as I know more. Thanks!

yuvipanda commented 1 year ago

Thanks a lot, @jsg-uoft!

I wanted to flag that https://github.com/2i2c-org/infrastructure/issues/2316 is happening in a few weeks, and I'd love for both these folks to have access to the infrastructure before that, so they can work on the infrastructure if necessary. Thoughts on whether that is possible? If not, we should find alternate arrangements for those exams.

damianavila commented 1 year ago

Sent an email to Nathan (it was ack'ed already) about the time-sensitive nature of this request (included @consideRatio @pnasrat and cc'ed @2i2c-org/partnerships-and-community-guidance).

pnasrat commented 1 year ago

Status update (as separate email threads to issue) I now can log in to UToronto email, and Azure via UTorID login, but I believe per email thread that access is waiting for Azure admins to get added to the subscription following a request.

damianavila commented 1 year ago

Yesterday I pinged UoT folks again, today we received ack and they told us they requested an ETA for this process to finally land.

pnasrat commented 1 year ago

I've had no further update in my UTor o365 mailbox

pnasrat commented 1 year ago

I have set a password with UToronto IIS, have Duo enabled for both my regular and csadmin utor accounts and can access Azure portal and CLI for utoronto.

damianavila commented 1 year ago

Both @pnasrat and @consideRatio confirmed access via email, so closing here.