Deploy the management environment
These instructions will deploy a new Safe Haven Management Environment (SHM). This is required to manage your Secure Research Environments (SREs).
Important
The SHM must be set up before any SREs can be deployed.
Note
A single SHM can manage all your SREs. However, you may choose to use multiple SHMs if, for example, you want to separate production and development environments.
Requirements
A Microsoft Entra tenant for managing your users
An account with Global Administrator privileges on this tenant
An Azure subscription where you will deploy your infrastructure
An account with at least Contributor permissions on this subscription
Deployment
Ensure you are using a hatch shell
You must use a hatch shell to run any dsh commands.
From the project base directory run:
$ hatch shell
This ensures that you are using the intended version of Data Safe Haven with the correct set of dependencies.
Before deploying the Safe Haven Management (SHM) infrastructure you need to decide on a few parameters:
- entra_tenant_id
Tenant ID for the Entra ID used to manage TRE users
How to find your Microsoft Entra Tenant ID
Go to the Microsoft Entra admin centre
Click on your username / profile icon in the top right
Click Switch directory in the dropdown menu
Ensure that you have selected the directory you chose above
Browse to from the menu on the left side.
Take note of the Tenant ID
- fqdn
Domain name that your TRE users will belong to.
Hint
Use a domain that you own! If you use e.g. example.org here, your users will be given usernames like ada.lovelace@example.org
- location
Azure location where you want your resources deployed.
Hint
Use the short name without spaces, e.g. uksouth not UK South
Once you’ve decided on these, run the following command [approx 5 minutes]:
$ dsh shm deploy --entra-tenant-id YOUR_ENTRA_TENANT_ID \
--fqdn YOUR_DOMAIN_NAME \
--location YOUR_LOCATION
Note
You will be prompted to log in to the Azure CLI and to the Graph API.
- Azure CLI: use your infrastructure user credentials
- Graph API: use your Entra tenant administrator credentials
Important
You may be asked to delegate your domain name to Azure. To do this, you’ll need to know details about the parent domain. For example, if you are deploying to dsh.example.com then the parent name is example.com.
Follow this tutorial if the parent domain is hosted outside Azure
Follow this tutorial if the parent domain is hosted in Azure
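A pre-flight check for the three parameters before running dsh shm deploy, added here as an example and not part of the Data Safe Haven project. It assumes the Entra tenant ID is a GUID, the Azure location is the lowercase short name (uksouth, not UK South), the FQDN has at least two DNS labels, and the parent domain is everything after the first label (dsh.example.com becomes example.com); the sample values are constructed, not real identifiers.

```shell
#!/usr/bin/env sh
# Pre-flight checks for `dsh shm deploy` parameters (added example, not project code).
# Each check returns 0 when the value is well-formed and non-zero otherwise.

is_tenant_id() {
  # Entra tenant IDs are GUIDs: 8-4-4-4-12 hexadecimal digits.
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

is_location() {
  # Assumed pattern for Azure short location names: lowercase letters and
  # digits only, no spaces ("uksouth", not "UK South").
  printf '%s' "$1" | grep -Eq '^[a-z0-9]+$'
}

is_fqdn() {
  # At least two DNS labels; letters, digits and hyphens; no label may
  # start or end with a hyphen; the top-level label is alphabetic.
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

parent_domain() {
  # dsh.example.com -> example.com: the zone you may be asked to delegate from.
  printf '%s\n' "${1#*.}"
}

check_shm_params() {
  tenant="$1"; fqdn="$2"; location="$3"; ok=0
  is_tenant_id "$tenant"  || { echo "entra_tenant_id '$tenant' is not a GUID" >&2; ok=1; }
  is_fqdn "$fqdn"         || { echo "fqdn '$fqdn' is not a valid domain name" >&2; ok=1; }
  is_location "$location" || { echo "location '$location' must be the short name, e.g. uksouth" >&2; ok=1; }
  [ "$ok" -eq 0 ] && echo "parent domain to delegate from: $(parent_domain "$fqdn")"
  return "$ok"
}

# Usage with constructed sample values (hypothetical, not real identifiers):
# check_shm_params 12345678-1234-1234-1234-123456789abc dsh.example.com uksouth \
#   && dsh shm deploy --entra-tenant-id 12345678-1234-1234-1234-123456789abc \
#        --fqdn dsh.example.com --location uksouth
```

Run the check first and chain the deploy behind it with &&, so a typo in the tenant ID or a "UK South" style location is caught before the Azure CLI and Graph API login prompts appear.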