Additional permissions in Azure
The article explains how to grant Cloudaware access to Key Vaults, Azure Reservations, Kubernetes, Azure AD (Intune) devices, and tagging resources. Ensure you have the necessary permissions in the Azure portal.
Key Vaults
Â
Cloudaware needs access to Azure Key Vault* to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application (in this guide, cloudaware-api-access) on the Key Vault level.
Â
Log in to the Azure portal. Select Key Vaults.
Select the key vault. Go to 'Access Policies' on the left → +Add Access Policy.
Set up the key vault:
Key permissions: List
Secret permissions: List
Certificate permissions: List
Click Next.
Select principal: cloudaware-api-access Click Add.
Select the application → Next → Create.Repeat steps 1-3 for each key vault.
*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.
Â
Azure Reservations
Â
Cloudaware supports auto-discovery of Azure Reservations. To grant Cloudaware access to Azure reservations:
Â
Log in to the Azure portal. Select Reservations.
Select the tab 'Role Assignment'. Click +Add → Add role assignments.
a. Under the tab 'Job function roles' select Reservations Reader → Next.
b. Under the tab 'Members' select the following settings:
Role: Reservations Reader
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) → Select.
Click Review + assign.
Please allow up to 24 hours for Cloudaware to collect Azure reservations data.
To view Azure Reservations and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → RESERVATIONS.
Azure Kubernetes
Â
Cloudaware supports auto-discovery of AKS Clusters and AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable the discovery and collection of AKS Cluster objects.
Â
Log in to the Azure portal. Select Subscriptions.
Select the subscription. Go to 'Access Control (IAM)' on the left. Click +Add → Add role assignment:
a. Under the tab 'Role': in 'Job function roles' select Azure Kubernetes Service Cluster User Role → Next.
b. Under the tab 'Members':
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) → Select.
Click Review + assign.To view Azure AKS resources, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → COMPUTE → AKS.
Â
Â
Microsoft Devices (Intune)
Â
Cloudaware supports discovery of Azure Active Directory Devices managed by Intune. Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more
Â
To grant Cloudaware access to Azure Active Directory Devices:
Â
Log in to the Azure portal. Select App registrations.
Select the Azure application created for Cloudaware access. Go to API permissions → Add a permission.
Select Microsoft Graph → Application permissions:
In DeviceManagementManagedDevices: select DeviceManagementManagedDevices.Read.All → check the box → click Add permissions.
In DeviceManagementConfiguration: select DeviceManagementConfiguration.Read.All → check the box → click Add permissions.Click Grant admin consent for
<Directory Name>
 to populate permissions.To view Azure Active Directory Devices and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → SECURITY, IDENTITY, COMPLIANCE → Active Directory → Azure Active Directory Devices.
The following Azure Active Directory objects managed by Intune* are supported:Azure Active Directory Device
Azure Active Directory Device Config
Azure Active Directory Device Fact
Azure Active Directory Device MountPoint
Tagging permissions
Â
To tag Azure resources directly from Cloudaware using Tag Analyzer, assign the Tag Contributor* role:
Â
Log in to the Azure portal. Select Subscriptions.
Select the subscription → go to 'Access Control (IAM)' on the left. Click +Add → Add role assignment.
a. Under the tab 'Job function roles' select Tag Contributor** → Next.
b. Under the tab 'Members' select the following settings:
Assign access to: User, group, or service principal
Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) → Select.
Click Review + assign.