Info

This article explains how to set up a Cloudaware application in Microsoft Azure. Ensure you have the necessary permissions in the Azure portal.

...

  1. Select the created Azure application (in this guide, cloudaware-api-access).

  2. Go to 'API permissions' → +Add a permission.

  3. Select the tab 'Microsoft APIs'.
    For Azure Service Management:
    Select the tile 'Delegated permissions' → check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'. Click Add permissions.

    For Microsoft Graph:
    Select the tile 'Delegated Permissions'* → Directory → check the box Directory.Read.All. Click Add permissions.
    Select the tile 'Application Permissions' → Directory → check the box Directory.Read.All. Click Add permissions.

*Note that User → User.Read (Sign in and read user profile) permission is added by default when the application is created.

...

Note

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.

Add role assignments

Grant permissions at tenant or subscription level:

Tenant level

Assign permissions to the Tenant Root Group to allow Cloudaware to discover all subscriptions within the group automatically:

  1. Select Management Groups in Azure Portal.

  2. Select the Tenant Root Group.

  3. Go to 'Access Control (IAM)' → click +Add → Add role assignment.

  4. Grant access to the management group for Cloudaware application (in this guide, cloudaware-api-access):
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members':
    Assign access to: User, group, or service principal
    Members: click +Select members → cloudaware-api-access → Select

    Click Review + assign.

Subscription level

Assign permissions to the specific subscription(s) for Cloudaware to access and discover only those:

  1. Select Subscriptions in Azure Portal.

  2. Select the subscription.

  3. Go to 'Access Control (IAM)' → click +Add → Add role assignment.

  4. In 'Add role assignment' select:
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members':
    Assign access to: User, group, or service principal
    Members: click +Select members → cloudaware-api-access → Select

    Click Review + assign.

The steps 1-5 are required for each subscription that will be integrated into Cloudaware.
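
To confirm the result of the role assignment steps above, the following added example (not Cloudaware's or Microsoft's code) audits the application's role assignments and reports anything other than Reader at the scopes you intended. It assumes the input is JSON exported with `az role assignment list --all --assignee <application-id> -o json`; the IDs and the resource group name in the sample are constructed placeholders.

```python
import json

# Constructed sample (placeholder IDs), shaped like the JSON printed by
#   az role assignment list --all --assignee <application-id> -o json
ROOT_MG = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "cloudaware-api-access", "roleDefinitionName": "Reader",
     "scope": ROOT_MG},
    {"principalName": "cloudaware-api-access", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "cloudaware-api-access", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-example"},
])


def norm(scope):
    """Azure scopes compare case-insensitively; drop any trailing slash as well."""
    return scope.rstrip("/").lower()


def audit_assignments(assignments_json, intended_scopes):
    """Return (finding, role, scope) tuples for anything beyond Reader at the intended scopes."""
    intended = {norm(s) for s in intended_scopes}
    seen_reader = set()
    findings = []
    for a in json.loads(assignments_json):
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        if role != "Reader":
            # The guide grants Reader only; any other role is excess privilege.
            findings.append(("unexpected-role", role, scope))
        elif norm(scope) not in intended:
            # Reader granted somewhere other than the scope chosen in the guide.
            findings.append(("unexpected-scope", role, scope))
        else:
            seen_reader.add(norm(scope))
    # Intended scopes with no Reader assignment (not yet created or not yet populated).
    for missing in sorted(intended - seen_reader):
        findings.append(("missing-reader", "Reader", missing))
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, [ROOT_MG]):
        print(*finding, sep="\t")
```

Pass the Tenant Root Group scope for a tenant-level setup, or the list of subscription scopes for a subscription-level setup; an empty result means the application holds Reader at exactly those scopes.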

Configure certificates & secrets

Certificate (recommended)

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Certificates' → Upload certificate. 

  2. Click Select a file → choose the certificate file*.

Note

*To get the certificate from Cloudaware, refer to Setup in Cloudaware Add Azure Active Directory → Certificate.

Click Add.

Once the certificate is uploaded, continue the configuration.

Client secret

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Client secrets' → +New client secret. 

  2. Set up the client secret:

Description: ca-api-key
EXPIRES: 730 days (24 months)

Click Add.

  3. Click Copy to clipboard to save the secret value.

Once the key is created and saved, continue the configuration.

 

Next step - Azure setup in Cloudaware