
Microsoft Azure Setup

1 - Create Application

...

2. Under 'Manage', select App registrations → +New registration.

...

Redirect URL (optional): Web → https://cloudaware.com

...

4. Click Register.

2 - Configure Permissions

1. Select the application that you have just created.

2. Select API permissions → +Add a permission.

...

3. Select the tab 'Microsoft APIs'. Select Azure Service Management.

...

4. Select 'Delegated permissions' and check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'.

...

Click Add permissions.

5. Select Microsoft Graph.

...

a. In APPLICATION Permissions select:
Directory → Directory.Read.All

Click Add permissions.

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]

Click Add permissions.

Ensure that all necessary permissions are assigned as below:

...

You should have two APIs added in total: Azure Service Management and Microsoft Graph.

...

Note

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.

8. To grant permissions to Cloudaware for auto-discovery of Azure subscriptions at the tenant level, follow these steps:

a) Select Management Groups in Azure Portal:

...

b) Select the management group in question (the one from which subscriptions are to be collected, or the Tenant Root Group for Cloudaware to discover all available subscriptions as in the example below):

...

c) Go to Access Control (IAM) on the left → click +Add → Add role assignment:

...

d) Grant the Cloudaware application access to the management group in question:

Under the tab 'Job function roles' select Reader.

Under the tab 'Members' select the following settings:

a. Role: Reader

b. Assign access to: User, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Review + assign.

3 - Configure Certificates & Secrets

Cloudaware supports both methods of Azure Application authentication:

a) Client secret (key)

1. Select 'Certificates & secrets' → the tab 'Client secrets' → +New client secret.

2. Type the description: ca-api-key

3. Set EXPIRES to: 24 months

4. Click Add.

5. Save the secret value in a secure location.

...

Once the secret is created and saved, skip part b) below and continue with the remaining configuration.

b) Certificate

1. Select 'Certificates & secrets' → the tab 'Certificates' → Upload certificate.

2. Click Select a file → choose the certificate file*.

Note

*Get the certificate generated by Cloudaware - see step 2 in Adding Azure Active Directory to Cloudaware below.

...

3. Click Add.

Once the certificate is uploaded, continue the configuration following the steps below.

4 - Getting The Active Directory ID (Tenant ID)

Navigate to Azure Active Directory, click Properties and locate Tenant ID. Click Copy to clipboard to save the Tenant ID; it is required for the integration setup in Cloudaware.

...

5 - Assigning Role to Subscriptions

...

2. Select the subscription that will be added to Cloudaware:

...

3. Select Access control (IAM):

...

5. In 'Add role assignment' select:

a. Role: Reader

b. Assign Access to: User, group, or service principal

...

Note

Steps 1-5 are required for each subscription that will be integrated into Cloudaware.

6 - Grant Access To Key Vaults

...

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.

1. Navigate to Key Vaults in Azure Portal.

...

2. Select Access Policies +Add Access Policy.

...

3. Select the following settings:

a. Key permissions: List

b. Secret permissions: List

c. Certificate permissions: List

d. Select principal: cloudaware-api-access (start typing the application name to choose it from the list → Select)

...

Click Add.

...

4. Repeat steps 2-3 for each Key Vault.
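An added check, not part of the Cloudaware guide, that audits the access policies from step 3 against the List-only grant: it reads vault definitions in the shape `az keyvault show` returns (`properties.accessPolicies`) and flags any vault where the Cloudaware principal is missing or holds more than List. The object id and vault definitions are constructed sample values.

```python
"""Audit Key Vault access policies granted to the Cloudaware principal.

Added example, not Cloudaware or Microsoft code. Input follows the shape of
`az keyvault show` output (properties.accessPolicies); the object id and
vault definitions below are constructed sample values.
"""

# Step 3 of the guide grants List only, on keys, secrets and certificates.
EXPECTED = {"keys": {"list"}, "secrets": {"list"}, "certificates": {"list"}}

CLOUDAWARE_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real id


def audit_vault(vault: dict, principal_object_id: str) -> list:
    """Return findings for one vault; an empty list means the policy matches the guide."""
    name = vault["name"]
    policies = [p for p in vault["properties"].get("accessPolicies", [])
                if p["objectId"].lower() == principal_object_id.lower()]
    if not policies:
        return [f"{name}: no access policy for the Cloudaware principal (step 3 not done)"]
    findings = []
    for policy in policies:
        perms = policy.get("permissions", {})
        for category, expected in EXPECTED.items():
            granted = {x.lower() for x in (perms.get(category) or [])}
            if granted - expected:
                findings.append(f"{name}: {category} exceed List: {sorted(granted - expected)}")
            if not expected <= granted:
                findings.append(f"{name}: {category} lack List")
        if perms.get("storage"):  # never requested by the guide
            findings.append(f"{name}: unneeded storage permissions granted")
    return findings


def audit_all(vaults: list, principal_object_id: str) -> dict:
    """Map each vault name to its findings."""
    return {v["name"]: audit_vault(v, principal_object_id) for v in vaults}


# Constructed sample: one compliant vault, one over-granted (Get), one without a policy.
SAMPLE_VAULTS = [
    {"name": "kv-prod-01", "properties": {"accessPolicies": [
        {"objectId": CLOUDAWARE_OBJECT_ID,
         "permissions": {"keys": ["list"], "secrets": ["list"], "certificates": ["list"]}}]}},
    {"name": "kv-prod-02", "properties": {"accessPolicies": [
        {"objectId": CLOUDAWARE_OBJECT_ID,
         "permissions": {"keys": ["list", "get"], "secrets": ["get", "list"],
                         "certificates": ["list"]}}]}},
    {"name": "kv-dev-03", "properties": {"accessPolicies": []}},
]

if __name__ == "__main__":
    for vault, findings in audit_all(SAMPLE_VAULTS, CLOUDAWARE_OBJECT_ID).items():
        print(vault, "OK" if not findings else "; ".join(findings))
```

Vaults that use the Azure RBAC permission model have no access policies and are covered by role assignments instead, so this check applies only to vaults on the access-policy model the guide describes.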

7 - Azure Reservations Discovery in Cloudaware (optional)

...

2. Select the tab 'Role Assignment'.

...

3. Click +Add → Add role assignment.

...

4. Under the tab 'Job function roles' select Reservations Reader.

Under the tab 'Members' select the following settings:

a. Role: Reservations Reader

b. Assign access to: User, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Review + assign.

Note

Please allow up to 24 hours for Azure reservations to be displayed in Cloudaware CMDB.

5. To view your Azure Reservations and related data, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → RESERVATIONS.

...

8 - Azure Kubernetes Discovery in Cloudaware (optional)

...

Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Replica Set
Azure AKS Cluster Resource Quota
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set

1. Log in to your Azure Portal. Navigate to Subscriptions.

2. Select the subscription in question → Access Control (IAM).

...

a. Role: Azure Kubernetes Service Cluster User Role

b. Assign access to: Azure AD user, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

...

Click Save.

...

If the AKS cluster is Azure AD-managed, check this guide to set up the cluster role binding and grant the required permissions to Cloudaware.

9 - Microsoft Devices Discovery (Intune) (optional)

Microsoft Intune is a cloud-based endpoint management solution that helps manage user access and simplifies app and device management across Microsoft infrastructure.

Cloudaware requires the following permissions to be assigned to the Azure Active Directory application:

DeviceManagementManagedDevices.Read.All

DeviceManagementConfiguration.Read.All

Add them as 'Application' permissions.

The following objects are supported:

  • Azure Active Directory Devices

  • Azure Active Directory Compliance Policies

  • Azure Active Directory Device Config

10 - Tagging Permissions for Cloudaware (optional)

Use the Tag Contributor role or create a custom role to define the scope of provided permissions on tagging (see 'Custom Role For Tagging').

To assign the Tag Contributor role to the Cloudaware application, follow the steps below:

1. Log in to your Azure Portal. Navigate to Subscriptions.

2. Select the subscription in question → Access Control (IAM).

...

a. Role: Tag Contributor

b. Assign access to: Azure AD user, group, or service principal

c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)

Click Save.

The Tag Contributor role relies on a recently released Azure API method.
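The role assignments made in sections 2, 5, 7, 8 and 10 all go to the same principal, so their sum can be audited in one pass. As an added example that is not Cloudaware's or Microsoft's code, the script below reads assignments in the shape `az role assignment list --all` returns, lists any role beyond the four the guide asks for, and checks that Reader is held at subscription or management group scope; the subscription id and the assignments are constructed.

```python
"""Audit Azure role assignments held by the Cloudaware service principal.

Added example, not Cloudaware or Microsoft code. Input is in the shape of
`az role assignment list --all` output; the sample assignments and the
subscription id are constructed.
"""
import re

PRINCIPAL = "cloudaware-api-access"  # application name used throughout the guide

# The only roles the guide asks for; anything else is over-privilege.
EXPECTED_ROLES = {
    "Reader",                                      # sections 2 and 5
    "Reservations Reader",                         # section 7
    "Azure Kubernetes Service Cluster User Role",  # section 8
    "Tag Contributor",                             # section 10
}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
MGMT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def audit_assignments(assignments: list, principal: str = PRINCIPAL) -> dict:
    """Summarise unexpected roles and Reader scopes for one principal."""
    mine = [a for a in assignments if a.get("principalName") == principal]
    unexpected = sorted({a["roleDefinitionName"] for a in mine} - EXPECTED_ROLES)
    reader_scopes = [a["scope"] for a in mine if a["roleDefinitionName"] == "Reader"]
    # Reader below subscription scope is not enough for collection (see 'Untracked Subscriptions').
    odd_reader = [s for s in reader_scopes
                  if not (SUBSCRIPTION_SCOPE.match(s) or MGMT_GROUP_SCOPE.match(s))]
    return {"unexpected_roles": unexpected, "reader_scopes": reader_scopes,
            "reader_missing": not reader_scopes, "reader_odd_scope": odd_reader}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed id
SAMPLE = [  # constructed assignments: two expected, one over-privileged, one foreign principal
    {"principalName": PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Tag Contributor", "scope": SUB},
    {"principalName": PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "someone@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    for key, value in audit_assignments(SAMPLE).items():
        print(f"{key}: {value}")
```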

Cloudaware Setup

...

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

...

2. Fill out the form:

a. Name: Azure Active Directory name

...

c. Check the box 'Automatically Discover Subscriptions' to allow Cloudaware to automatically discover and add all the subscriptions to which it has been granted access in Azure Active Directory. Leave it unchecked if you would like to add your Azure subscriptions manually.

d. Environment: select Azure environment (Azure, Azure China, Azure Government, Azure Germany)

e. Under 'Select Application', click +CREATE NEW.

a) If you selected Client Secret (key) in Configure Certificates & Secrets:

  • Check the radio button Using Client Secret.

  • Provide Application ID (Client ID) and Client Secret that you saved in a secure location - see a) in Configure Certificates & Secrets.

b) If you selected Certificate in Configure Certificates & Secrets:

  • Check the radio button Using Certificate.

  • Provide Application ID (Client ID).

  • Click Generate Certificate to download the file.

...

Once the certificate is uploaded, click Save and continue the configuration from the step Getting The Active Directory ID (Tenant ID).

3. The green light in 'Status' means that the Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.

...

2 - Adding Azure Subscription to Cloudaware

If you haven't checked the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to add subscriptions manually.

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

2. Select the tab 'Subscriptions'. Click +Add Azure Subscription.

3. Fill out the form:

  • Name: Azure subscription name

  • Subscription ID: Azure subscription ID [to locate it, log in to Azure portal → Subscriptions → select the subscription in question → copy 'Subscription ID']

  • Active Directory: select an Active Directory from the list

...

Click Save.

4. Review all subscriptions under the tab 'Subscriptions'. The green light in 'Status' means that the Azure Subscription has been successfully added. If there is a red light, please contact support@cloudaware.com.

...

5. If the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions that Cloudaware has discovered in your Active Directory but cannot collect because of insufficient access caused by an incorrect role assignment (check step 5 in Assigning Role to Subscriptions: Reader by default, or higher).

3 - Understanding Azure Application in Cloudaware

Credentials such as the Azure Active Directory Application ID (Client ID) and Client Secret are stored within the Azure Application entity in Cloudaware. Please note that an Azure Application can only be created when adding Azure AD.

...

Info

This guide explains how to add Microsoft Azure inventory data to Cloudaware. Note that Cloudaware requires read-only permissions to collect metadata from cloud providers.

For new customers

Check the Starting Cloudaware Trial guide to register a trial account with Cloudaware. Once logged in to the Cloudaware Launcher, you can add cloud accounts.

For existing customers

If you already have a Cloudaware account, use these guides: