...

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]

6. Go back to All APIs. Select Azure Active Directory Graph*.

a. In APPLICATION Permissions select:
Directory → Directory.Read.All

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile)

*NOTE: Azure Active Directory Graph will be deprecated in June 2022. If you are currently using Azure Active Directory Graph, Microsoft recommends migrating to Microsoft Graph.

Ensure that all necessary permissions are assigned as below:

...

6 - Grant Access To Key Vaults

Cloudaware must be granted access to Key Vault* to be able to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application at the Key Vault level.

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.
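The following is an added example, not part of the Cloudaware documentation, showing how the access policy above can be granted with metadata-only permissions and then verified with the Az PowerShell module. It assumes an authenticated Az session; the vault name and application (client) ID are placeholders.

```powershell
# Added example (not Cloudaware's own code): grant a metadata-only Key Vault
# access policy to the Cloudaware application and verify expiry data is readable.
# Assumptions: Az.KeyVault module installed and Connect-AzAccount already run.
$vaultName = 'MY-KEY-VAULT'                          # placeholder vault name
$appId     = '00000000-0000-0000-0000-000000000000'  # placeholder: application (client) ID
$warnDays  = 30                                      # warn when expiry is this close

# 'list' returns identifiers and attributes (Expires, Enabled, NotBefore) but never
# the key material or secret value, so 'get' is deliberately not granted.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToKeys list -PermissionsToSecrets list

# Check: enumerate metadata exactly as a read-only integration would and flag
# items that are expired, close to expiry, or have no expiry set at all.
$now   = (Get-Date).ToUniversalTime()
$items = @(Get-AzKeyVaultKey -VaultName $vaultName) + @(Get-AzKeyVaultSecret -VaultName $vaultName)

$report = foreach ($item in $items) {
    $state = if (-not $item.Expires)                         { 'NO EXPIRY SET' }
             elseif ($item.Expires -lt $now)                 { 'EXPIRED' }
             elseif ($item.Expires -lt $now.AddDays($warnDays)) { "EXPIRES WITHIN $warnDays DAYS" }
             else                                            { 'OK' }
    [pscustomobject]@{
        Name    = $item.Name
        Enabled = $item.Enabled
        Expires = $item.Expires
        State   = $state
    }
}
$report | Sort-Object Expires | Format-Table -AutoSize
```

If the vault uses the RBAC permission model instead of access policies, Set-AzKeyVaultAccessPolicy does not apply; assign the built-in Key Vault Reader role instead, which likewise exposes metadata only.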

...

If the AKS cluster is Azure AD-managed, check this guide to set up the cluster role binding and grant the required permissions to Cloudaware.

Cloudaware Setup

1 - Adding Azure Active Directory to Cloudaware

...

3. The green light in 'Status' means that Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.

...

2 - Adding Azure Subscription to Cloudaware

If you did not check the 'Automatically Discover Subscriptions' checkbox as described in the previous section, follow these steps to add subscriptions manually.

...

5. If the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions Cloudaware has discovered in your Active Directory but cannot collect because of insufficient access caused by an incorrectly assigned role (check step 5 in Assigning Role to Subscriptions: Reader by default, or higher).

3 - Understanding Azure Application in Cloudaware

Azure Active Directory credentials such as the Application ID (Client ID) and Client Secret are stored as an Azure Application entity in Cloudaware. Note that an Azure Application can be created only when adding Azure AD.

...