Assessments guide for CSAMs
This page is a guide for CSAMs and will give you more information about On-Demand Assessment Technology for your Premier and Unified customers.
On-Demand Assessment Pre-Requisite Guide for CSAMs
Below are some of the steps you need to complete as a CSAM to enable any customer (Premier or Unified) to get started with one or more assessments through Services Hub:
Caution
If the following steps are not performed, expect significant delays in the assessment setup.
Note
There can be significant delays in the setup if the customer has their Microsoft Entra Directory setup in the wrong way. If users have their work and personal accounts both setup through the same email id, they need to be separated. Follow this guide to get this done if your customer runs into this scenario. If you need more information, you can read this article.
Steps to be performed by the CSAM for every Assessment customer
Important
During the delivery of the engagement, do NOT add the CE with Administrator role to the Customer's workspace. Adding a CE with Administrator role will prompt the system to remove the account from the workspace. The only accepted permissions for a CE during the delivery of an engagement are "Health," "Programs," and "Shared Files." Please use alias@microsoft.com when sending the invitation to the CE.
Sign in to Services Hub and navigate to your profile (top right) -> Workspaces and select your customer workspace from there
Go into agreement -> Manage Users to invite the customer users and CE. (Make sure to include access to Health and Programs while doing this)
Ensure/Confirm the customer user has successfully registered into Services Hub and are able to login into it
If the customer needs us to provide them an Azure subscription, you can request for one the registered email id on Services Hub by creating a support ticket. Refer to the Reporting Services Hub issues documentation for assistance.
Ensure the customer has a credential with necessary privileges to run the assessment and network firewall requirements met on the Server dedicated to collect data
For any Microsoft FTE to have access into customer's Azure subscription, ask the customer to provide Log Analytics Reader access to their Azure subscription. CEs and CSAMs can review the Assessment Setup delivery guide
Additional Considerations for Customers with multiple environments
With every Services Hub workspace, you will get your own set of survey data, reporting from log analytics, and programs. The recommended scenarios are configurations 1 and 3. Configuration 2 comes with an overhead of re-linking every time someone wants to switch context for linked log analytics workspace.
Caution
Reports will be generated per log analytics workspace. If multiple environments are reported into the same log analytics workspace, there will be a consolidated report. If you need separate reports, please have a separate log analytics workspace that follows one of the below configurations in the way it is linked to services hub.
Note
Evaluate the supported configurations below. If a separate Services Hub instance is needed, additional workspaces can be created by the agreement's CSAM or BAM in the Admin Center. If a ROSS was not dispatched on this workspace, refer to the Reporting Services Hub issues documentation for assistance enabling the necessary assessments under the newly created workspace. Please refer to the information on Admin Center for more details on how to use it.
Configuration 1
When all teams want to visualize assessment surveys, programs, and reports under the same Services Hub workspace, use configuration 1. All assessment data (even from multiple environments) would be aggregated in the same workspace.
Configuration 2
When different teams don't want each other to be able to see their data in Log Analytics, but are okay in sharing the same Azure subscription and Services Hub workspace, use configuration 2. Role-based permissions need to be managed in Azure. The customer will have to re-link every time they wish to see results from different Log Analytics workspace.
Configuration 3
When different teams don't want to share the Azure subscription and Services Hub workspace, customers should use configuration 3. CSAMs should review the Admin Center for more information on how to get additional Services Hub instances.
Additional Guidelines for PSfP Customers
PSfP agreements are exempted from running the assessments in Services Hub. To request the exception and to revert to legacy portal for assessments, please refer to the Reporting Services Hub issues documentation noting your PSfP agreement Info and ROSS details for assistance.
Assessment enablement in Azure Government Subscriptions
Services Hub is not supported in Azure Government. Hence the assessment enablement has to be done via a support ticket. To do this, please review the documentation on how to enable On-Demand Assessments for Azure Government.
For Azure Log Analytics firewall details for Gov cloud, review this link.
Need help in having the right conversations with the customer around Assessment Data Security?
Traditional RAP as a Service data was stored in an Azure Subscription in the West US Datacenter. With the On-Demand Assessments, your customer data will be stored in an Azure Subscription that is owned by the customer and in a region that the customer chooses to store their data. In On-Demand Assessments, only findings with affected objects are uploaded to the customer's Azure subscription. For a full list of data collection methods and types, please review the appendix section of each of the assessment pre-requisites documents.
Assessments run as a native instance within Azure Log Analytics and is compliant with the Azure Log Analytics GDPR Guidance.
Exact IP Addresses for Azure datacenters are listed in the Azure Monitor section of the below IP ranges. They are also categorized per Azure region. Azure IP Ranges
Note
If your customers are looking for the assessment data that gets uploaded to Azure Log Analytics for each of our assessments, you can [Download the data that gets uploaded to Azure Log Analytics](./work-with-results/Assessment Data Uploaded to Azure Log Analytics.zip) and pass it along to them. The files in here are samples from a demo environment and is the exact data that would be ingested into Azure Log Analytics.
Support Guidance to follow for Assessments
To expedite the response and address any concern you may have related to the Services Hub support, please refer the QRC (Quick Reference Card) regarding Services Hub Support Matrix QRC.
Note
Purpose of this DL “Services Hub Support Escalation SHSEsc@microsoft.com” is to use ONLY for reporting Services Hub Support related concerns or dissatisfactory support experience from our support after you have a support ticket.
- Delay in responses or no updates on ticket
- Not satisfied with the response from support
- Customer impact
| Issue | Support Contact |
|---|---|
| Microsoft Entra | Azure Support |
| Services Hub Registration | Refer to the Reporting Services Hub issues documentation for assistance. |
| Linking | Refer to the Reporting Services Hub issues documentation for assistance. |
| Add Assessment in Services Hub | Refer to the Reporting Services Hub issues documentation for assistance. |
| Installation and configuration of the Microsoft Monitoring Agent including connectivity to the Azure Log Analytics workspace. | Azure Support |
| Push of assessment configurations to applicable agent computers through Microsoft Monitoring Agent. | Azure Support |
| Push of assessment bits to applicable agent computers through Microsoft Monitoring Agent. | Azure Support |
| Capture of results data including upload and ingestion into Azure Log Analytics. | Azure Support |
| PowerShell Cmdlets to Setup Assessment | Refer to the Reporting Services Hub issues documentation for assistance. |
| Installation and configuration of prerequisite software and policies as part of the assessment. | Refer to the Reporting Services Hub issues documentation for assistance. |
| Operations of assessments including collection and analysis of logging along with execution issues with assessment application(s). | Refer to the Reporting Services Hub issues documentation for assistance. |
| Data Upload in Azure & Network firewall connectivity | Azure Support |
| Services Hub Assessment Landing Page | Refer to the Reporting Services Hub issues documentation for assistance. |
| Assessment Reports in Services Hub | Refer to the Reporting Services Hub issues documentation for assistance. |
| Sponsored Azure Subscriptions (Manage Activation/Expiration/Extension) | AIRS Support |
Service SKUs to sell to Customers
The below table will explain the services that you can request from the Phoenix catalog for your customers belonging to a specified support agreement. Please dispatch a RAP as a Service/Plus for Premier Customers. They will be provisioned in Services Hub and delivered via On-Demand Technology. The On-Demand SKUs in the catalog are only for Unified agreements. The difference in pricing exists because Unified Customers pay more upfront to include assessments in their base agreement and that's the reason why RAP SKUs are priced higher than On-Demand SKUs.
| Service | Unified agreement | Premier agreement |
|---|---|---|
| Setup and Configuration | Included in Base agreement | Included in RAP/RAP Plus dispatch |
| Remote CE Review | On-Demand Assessment: "Technology" Remote Engineer | RAP as a Service for "Technology" |
| Onsite CE Review | On-Demand Assessment: "Technology" Onsite Engineer | RAP as a Service Plus for "Technology" |
| Offline Engagement | Offline Assessment for "Technology" | Offline Assessment for "Technology" |
Assessment Documentation for Customers
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for