Security and Permissions

Macquarie Lens.

Overview.

This page details the permissions we request in the Macquarie Lens tool and how you can revoke these permissions at any time.

Permissions We Request.


To use our Macquarie Lens tool, you need to be a global admin of the Azure Active Directory associated with the Azure Subscriptions and Reservations you wish to optimise. When you first sign in to Macquarie Lens, we’ll request some permissions from you. This section describes the user-level permissions we request and why.

Access Azure Service Management as you

We do not store your credentials when you sign in. Microsoft provides our application with an ID token (via OAuth2), which we use to add our Service Principal and guest users to the subscriptions you select during the Macquarie Lens onboarding screens.

A precondition of use of this tool is that we automatically link Macquarie's CSP MPN ID to your Azure account (known as Partner Admin Link) so we can demonstrate to Microsoft we are driving business outcomes for you.

Maintain access to data you have given it access to

Once you provide us with the relevant information, we store your contact information (Name, Company, Email address) to get in contact with you once you've completed the Macquarie Lens onboarding process.

We also store the GUIDs (IDs) of the subscriptions and reservations you grant us access to for the purposes of completing the Azure Optimise engagement via the Macquarie Lens tool.

Sign you in and read your profile

The Macquarie Lens tool operates on your behalf. Once you have been signed in we extract your company, name and email address and prepopulate fields in our contact form so we can get in contact with you. See our privacy policy to understand what we do with this information.

Read and write applications

Macquarie Government use an analytics tool to survey your Azure Subscriptions and Reservations and provide insights. To do this, we automate the injection of our Macquarie Lens service principal into your Azure Subscriptions and Reservations with read-only role assignments.

You may remove these role assignments at any time. However, upon removal we will no longer have access to your Subscriptions or Reservations. This means we will be unable to complete the Azure Optimise assessment, show you any data in Macquarie Lens, and we will cease the professional services engagement. See the section below for information on how you can revoke these privileges should you need to do so.

Read and write directory data

We read the name of your AAD Tenant and use it to prepopulate the name of your company (you can change this during the onboarding wizard if it is not correct).

Additionally, we invite the relevant Macquarie Government Principal Consultants (chosen by you during the onboarding wizard) as guest users to your Microsoft tenancy and grant them read-only role assignments to your Azure Subscriptions and Reservations.

Revoking Access

Revoking access to our application is relatively straightforward as long as you are a global admin of your Azure Active Directory tenancy.

When you onboard to the Macquarie Lens tool, we leverage your user permissions to add our Service Principal and selected guest users to your nominated Azure Subscriptions and Reservations.

By following these steps, you’ll clean up any permissions Macquarie Government have configured for your Microsoft tenancy.

Revoking Access to Subscriptions

Go to Azure Portal > Subscriptions.

For every subscription you granted us access to, click the subscription, then click the Access Control (IAM) tab.

Go to the Role Assignments tab and remove the Service Principal "Macquarie Lens". Also remove any guest users.

Revoking Access to Reservation Orders

Go to Azure Portal > Reservations.

Cycle through your list of reservations.

Click on the Reservation order ID link to go to the Reservation Order view.

Navigate to Access Control > Role Assignments and remove the service principal "Macquarie Lens". Also remove any guest users.

Remove all Billing reader role assignments

If you have a Microsoft Customer Agreement (MCA), you need to navigate to each of your Billing accounts in Cost Management + Billing, and remove the Macquarie Lens Billing Account Reader role assignment from the IAM blade.

If you have an Enterprise Agreement, navigate to Cost Management + Billing > IAM and remove the Macquarie Lens Enrollment Reader role assignment.

Delete the Enterprise Application in Azure Active Directory

Navigate to Azure Portal > Azure Active Directory.

In AAD navigate to Enterprise Applications > All Applications.

Click on "Macquarie Lens" > Properties.

Click Delete to remove the "Macquarie Lens" Enterprise Application.

Delete Macquarie Guest Users in Azure Active Directory

Navigate to Azure Portal > Users.

In the All users pane, add a filter on User Type = Guest.

Check the checkbox next to all users with User principal name in the format flastname_id.macquariegovernment.com#EXT#@your-tenant.

Click Delete user to clean up the user.
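
To confirm the clean-up above left nothing behind, the following Python script (an added example, not part of Macquarie's documentation) scans an exported role-assignment list for anything still held by the "Macquarie Lens" service principal or a Macquarie guest user. It assumes the export has the shape of `Get-AzRoleAssignment | ConvertTo-Json` (fields `DisplayName`, `SignInName`, `ObjectType`, `RoleDefinitionName`, `Scope`); the sample data and the "ends in Reader" read-only heuristic are this example's own.

```python
import json
import re

# From the page: the service principal's display name and the guest UPN format
# (flastname_id.macquariegovernment.com#EXT#@your-tenant).
APP_NAME = "Macquarie Lens"
GUEST_UPN = re.compile(r"_(?:[\w-]+\.)*macquariegovernment\.com#EXT#@", re.I)

def scope_kind(scope):
    """Classify an ARM scope string by the resource types the steps above cover."""
    s = scope.lower()
    if s.startswith("/providers/microsoft.capacity/reservationorders/"):
        return "reservation order"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"

def leftover_assignments(exported_json):
    """Return assignments still held by the app or by Macquarie guest users."""
    rows = json.loads(exported_json)
    # ConvertTo-Json emits a bare object, not an array, when there is one row.
    rows = [rows] if isinstance(rows, dict) else rows
    hits = []
    for r in rows:
        is_app = r.get("ObjectType") == "ServicePrincipal" and r.get("DisplayName") == APP_NAME
        is_guest = r.get("ObjectType") == "User" and GUEST_UPN.search(r.get("SignInName") or "")
        if is_app or is_guest:
            role = r.get("RoleDefinitionName") or ""
            hits.append({
                "principal": r.get("SignInName") or r.get("DisplayName"),
                "role": role,
                "scope_kind": scope_kind(r.get("Scope") or ""),
                "scope": r.get("Scope"),
                "read_only": role.endswith("Reader"),  # heuristic (assumption)
            })
    return hits

# Constructed sample export; IDs, tenant and user names are made up.
SAMPLE = json.dumps([
    {"DisplayName": "Macquarie Lens", "SignInName": None, "ObjectType": "ServicePrincipal",
     "RoleDefinitionName": "Reader", "Scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"DisplayName": "J Citizen", "ObjectType": "User", "RoleDefinitionName": "Reservations Reader",
     "SignInName": "jcitizen_id.macquariegovernment.com#EXT#@contoso.onmicrosoft.com",
     "Scope": "/providers/Microsoft.Capacity/reservationOrders/00000000-0000-0000-0000-000000000002"},
    {"DisplayName": "Ops Admin", "SignInName": "ops@contoso.onmicrosoft.com", "ObjectType": "User",
     "RoleDefinitionName": "Owner", "Scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
])

if __name__ == "__main__":
    print(*leftover_assignments(SAMPLE), sep="\n")
```

An empty result for every exported scope means the role assignments described on this page are gone; any hit with `read_only` set to false deserves a closer look before removal.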

