Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article explains how to set up a Cloudaware application in Microsoft Azure. Ensure you have the necessary permissions in the Azure portal.

Table of Contents
stylenone

Summary

 

To integrate Microsoft Azure with Cloudaware:

  1. Create a new Azure application for Cloudaware.

  2. Assign API permissions:

    • Azure Service Management

      • Delegated permissions: user_impersonation

    • Microsoft Graph

      • Application permissions: Directory.Read.All

      • Delegated permissions: Directory.Read.All

  3. Add role assignments:

    • Choose the scope by assigning roles

      • Under Tenant Root Group for subscription auto-discovery

      • Under a specific subscription

    • Roles: Reader

    • Members: Application created in point 1

  4. Upload a certificate from Cloudaware.

For detailed setup instructions, refer to the in-depth guidelines below.

Create Azure application for Cloudaware

  1. Log in to the Azure portal. Select Microsoft Entra ID.

  2. Under 'Manage', go to 'App registrations' → +New registration.

  3. Set up the application as follows:

    Name: cloudaware-api-access
    Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant) OR Accounts in any organizational directory (Any Azure AD directory - Multitenant)
    Redirect URI (optional): Web - https://cloudaware.com/

    Click Register.

Configure API permissions

 

  1. Select the created Azure application (in this guide, cloudaware-api-access).

  2. Go to 'API permissions'→ +Add a permission.

  3. Select the tab 'Microsoft APIs'.

    For Azure Service Management:
    Select the tile 'Delegated permissions' → check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'. Click Add permissions.

    For Microsoft Graph:
    Select the tile 'Delegated Permissions'*Directory → check the box Directory.Read.All. Click Add permissions.
    Select the tile 'Application Permissions' → Directory → check the box Directory.Read.All. Click Add permissions.

*Note that User → User.Read (Sign in and read user profile) permission is added by default when the application is created.

Ensure that all necessary permissions are assigned as below:

...

  1. Click Grant admin consent for <Directory Name> to populate permissions.

Note

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.

Add role assignments

Grant permissions at tenant or subscription level:

Tenant level

Assign permissions to the Tenant Root Group to allow Cloudaware to discover all subscriptions within the group automatically:

  1. Select Management Groups in Azure Portal.

  2. Select the Tenant Root Group.

  3. Go to 'Access Control (IAM)' → click +AddAdd role assignment.

  4. Grant access to the management group for Cloudaware application (in this guide, cloudaware-api-access):
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members:
    Assign access to: User, group, or service principal
    Members: click +Select memberscloudaware-api-access → Select

    Click Review + assign.

Subscription level

Assign permissions to the specific subscription(s) for Cloudaware to access and discover only those:

  1. Select Subscriptions in Azure Portal.

  2. Select the subscription.

  3. Go to 'Access Control (IAM)' → click +AddAdd role assignment.

  4. In 'Add role assignment' select:
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members':
    Assign access to: User, group, or service principal
    Members:click +Select memberscloudaware-api-access → Select

    Click Review + assign.

The steps 1-5 are required for each subscription that will be integrated into Cloudaware.

Configure certificates & secrets

Certificate (recommended)

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Certificates' → Upload certificate. 

  2. Click Select a file → choose the certificate file*.

Note

*To get the certificate from Cloudaware, refer to Azure setup in Cloudaware Add Azure Active DirectoryCertificate.

Click Add.

Once the certificate is uploaded, continue the configuration.

Client secret

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Client secrets' → +New client secret. 

  2. Set up the client secret:
    Description: ca-api-key
    EXPIRES: 730 days (24 months)

    Click Add.

  3. Click Copy to clipboard to save the secret value.

Once the key is created and saved, continue the configuration.

 

! Next step - Azure setup in Cloudaware