...
1. Select Azure Active Directory in Azure Portal.
...
2. Under 'Manage', select App registrations → +New registration.
...
Redirect URL (optional): Web - https://cloudaware.com/
...
4. Click Register.
2 - Configure Permissions
...
5. Select Microsoft Graph.
...
a. In APPLICATION Permissions select:
Directory → Directory.Read.All
Click Add permissions.
b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]
Click Add permissions.
Ensure that all necessary permissions are assigned as below:
...
In total, you should have two APIs added: Azure Service Management and Microsoft Graph.
...
Note: Microsoft takes up to 30 minutes to populate the permissions added in the previous steps.
8. To grant permissions to Cloudaware for auto-discovery of Azure subscriptions at the tenant level, follow these steps:
a) Select Management Groups in Azure Portal:
...
b) Select the management group in question (the one from which subscriptions are to be collected, or the Tenant Root Group for Cloudaware to discover all available subscriptions as in the example below):
...
c) Go to Access Control (IAM) on the left → click +Add → Add role assignment:
...
d) Grant the Cloudaware application access to the management group in question:
Under the tab 'Job function roles' select Reader.
Under the tab 'Members' select the following settings:
a. Role: Reader
b. Assign access to: User, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Review + assign.
3 - Configure Certificates & Secrets
...
2. Type the description: ca-api-key
3. Set EXPIRES to: 730 days (24 months)
4. Click Add.
5. Save the secret value in a secure location.
...
Note: *Get the certificate generated by Cloudaware - see step 2 in Adding Azure Active Directory to Cloudaware below.
...
3. Click Add.
Once the certificate is uploaded, continue the configuration following the steps below.
...
6 - Grant Access To Key Vaults
Cloudaware must be granted access to Key Vault* to be able to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application at the Key Vault level.
*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No key or secret values are accessible to Cloudaware.
...
7 - Azure Reservations Discovery in Cloudaware (optional)
Cloudaware can discover and collect your Azure Reservations, provided that the appropriate permissions are granted in Azure.
1. Log in to your Azure Portal. Navigate to Reservations.
...
2. Select the reserved Azure resource (in this example, a virtual machine).
...
tab 'Role Assignment'.
...
3. Click Reservation order ID link.
...
4. Select Access control (IAM). Click +Add → Add role assignments. Select .
...
4. Under the tab 'Job function roles' select Reservations Reader.
Under the tab 'Members' select the following settings:
a. Role: Reservations Reader*
b. Assign access to: User, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
...
Click Save.
...
Review + assign.
Note: Please allow up to 24 hours for Azure reservations to be displayed in Cloudaware CMDB.
5. To view your Azure Reservations and related data, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → RESERVATIONS.
...
...
8 - Azure Kubernetes Discovery in Cloudaware (optional)
Cloudaware supports auto-discovery of Azure AKS Clusters and Azure AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable the discovery and collection of the following Azure AKS cluster objects:
...
If the AKS cluster is Azure AD managed, check this guide to set up the cluster role binding and grant the required permissions to Cloudaware.
9 - Microsoft Devices Discovery (Intune) (optional)
Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more
Cloudaware requires the following permissions to be assigned to the Azure Active Directory application:
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.Read.All
Select 'Application' permissions.
The following objects are supported:
Azure Active Directory Devices
Azure Active Directory Compliance Policies
Azure Active Directory Device Config
10 - Tagging Permissions for Cloudaware (optional)
Use the Tag Contributor role or create a custom role to define the scope of provided permissions on tagging (see 'Custom Role For Tagging').
To assign the Tag Contributor role to Cloudaware application, follow the steps below:
1. Log in to your Azure Portal. Navigate to Subscriptions.
2. Select the subscription in question → Access Control (IAM).
3. Click +Add → Add role assignment. Select the following settings:
a. Role: Tag Contributor
b. Assign access to: Azure AD user, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Save.
The role Tag Contributor uses a recently released Azure API method. Learn more about the role
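As an added check that is not part of the Cloudaware guide, the script below audits the configuration built in the sections above: it flags role assignments held by the cloudaware-api-access principal beyond the Reader, Reservations Reader and Tag Contributor roles the guide grants (and a missing management-group Reader, which breaks subscription auto-discovery), and lists client secrets approaching the expiry set under Configure Certificates & Secrets. The record shapes are assumed to mirror the JSON output of `az role assignment list` and `az ad app credential list`; the sample records are constructed.

```python
from datetime import datetime, timedelta
# Roles this guide grants the Cloudaware service principal, keyed by scope prefix.
# Any other role (e.g. Owner or Contributor) at these scopes is over-privileged.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
EXPECTED_ROLES = {
    MG_PREFIX: {"Reader"},
    "/providers/Microsoft.Capacity/reservationOrders/": {"Reservations Reader"},
    "/subscriptions/": {"Reader", "Tag Contributor"},
}
def audit_role_assignments(assignments, principal="cloudaware-api-access"):
    """Findings for `principal`: roles beyond the allow-list, plus a missing
    management-group Reader (which breaks subscription auto-discovery).
    Record shape is assumed to mirror `az role assignment list -o json`."""
    findings, has_mg_reader = [], False
    for a in assignments:
        if a.get("principalName") != principal:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        allowed = next((r for p, r in EXPECTED_ROLES.items() if scope.startswith(p)), set())
        if role not in allowed:
            findings.append(f"unexpected role '{role}' at scope {scope}")
        has_mg_reader |= role == "Reader" and scope.startswith(MG_PREFIX)
    if not has_mg_reader:
        findings.append("missing Reader at management group scope")
    return findings

def _ts(iso):  # Azure returns ISO 8601 UTC timestamps with a trailing 'Z'
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def secrets_expiring(credentials, now_iso, within_days=30):
    """displayName of each client secret expiring within `within_days` of `now_iso`.
    Record shape is assumed to mirror `az ad app credential list -o json`."""
    horizon = _ts(now_iso) + timedelta(days=within_days)
    return [c["displayName"] for c in credentials if _ts(c["endDateTime"]) <= horizon]

# Constructed sample records (not real tenant data); IDs are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "cloudaware-api-access", "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + "TENANT-ROOT-GROUP-ID"},
    {"principalName": "cloudaware-api-access", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "other-app", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
]
SAMPLE_CREDENTIALS = [{"displayName": "ca-api-key", "endDateTime": "2024-03-01T00:00:00Z"},
                      {"displayName": "old-key", "endDateTime": "2024-01-10T00:00:00Z"}]
if __name__ == "__main__":
    print(audit_role_assignments(SAMPLE_ASSIGNMENTS))
    print(secrets_expiring(SAMPLE_CREDENTIALS, "2024-01-01T00:00:00Z"))
```

Feed it the real CLI output of the two commands named in the lead-in to run the same checks against your tenant.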
Cloudaware Setup
1 - Adding Azure Active Directory to Cloudaware
...
c. Check the box 'Automatically Discover Subscriptions' to allow Cloudaware to automatically discover and add all the subscriptions to which it has been granted access in Azure Active Directory. Leave it unchecked if you would like to add your Azure subscriptions manually.
...
e. Under 'Select Application', click +CREATE NEW.
a) If you selected Client Secret (key) in Configure Certificates & Secrets:
...
3. The green light in 'Status' means that the Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.
...
2 - Adding Azure Subscription to Cloudaware
If you did not check the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to add subscriptions manually.
1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.
...
Name: Azure subscription name
Subscription ID: Azure subscription ID [to locate it, log in to Azure portal → Subscriptions → select the subscription in question → copy 'Subscription ID']
Active Directory: select an Active Directory from the list
...
5. If the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions that Cloudaware has discovered in your Active Directory but is not able to collect due to insufficient access caused by an incorrect role assignment (check step 5 in Assigning Role to Subscriptions: Reader by default, or higher).
3 - Understanding Azure Application in Cloudaware
Azure Active Directory credentials such as the Application ID (Client ID) and Client Secret are stored within the Azure Application entity in Cloudaware. Please note that an Azure Application can only be created when adding Azure AD.
Cloudaware supports updating the Azure Application credentials. In 'Azure Active Directories & Subscriptions' open the tab Applications, and click three dots → Edit.
...