Setup in Azure

Owned by Daria Lebedeva
Last updated: Dec 19, 2024
3 min read

This article explains how to set up a Cloudaware application in Microsoft Azure. Ensure you have the necessary permissions in the Azure portal.

Summary

 

To integrate Microsoft Azure with Cloudaware:

  1. Create a new Azure application for Cloudaware.

  2. Assign API permissions:

    • Azure Service Management

      • Delegated permissions: user_impersonation

    • Microsoft Graph

      • Application permissions: Directory.Read.All

      • Delegated permissions: Directory.Read.All

  3. Add role assignments:

    • Choose the scope by assigning roles

      • Under Tenant Root Group for subscription auto-discovery

      • Under a specific subscription

    • Roles: Reader

    • Members: Application created in point 1

  4. Upload a certificate from Cloudaware.

For detailed setup instructions, refer to the in-depth guidelines below.

 

Create Azure application for Cloudaware

 

  1. Log in to the Azure portal. Select Microsoft Entra ID.

  2. Under 'Manage', go to 'App registrations' → +New registration.

  3. Set up the application as follows:

    Name: cloudaware-api-access
    Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant) OR Accounts in any organizational directory (Any Azure AD directory - Multitenant)
    Redirect URI (optional): Web - https://cloudaware.com/

    Click Register.

Configure API permissions

 

  1. Select the created Azure application (in this guide, cloudaware-api-access).

  2. Go to 'API permissions' → +Add a permission.

  3. Select the tab 'Microsoft APIs'.

    For Azure Service Management:
    Select the tile 'Delegated permissions' → check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'. Click Add permissions.

    For Microsoft Graph:
    Select the tile 'Delegated Permissions'* → Directory → check the box Directory.Read.All. Click Add permissions.
    Select the tile 'Application Permissions' → Directory → check the box Directory.Read.All. Click Add permissions.

*Note that User → User.Read (Sign in and read user profile) permission is added by default when the application is created.

Ensure that all necessary permissions are assigned as below:

Azure start guide - setup in Azure - API permissions - check.png

  1. Click Grant admin consent for <Directory Name> to populate permissions.

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.

 

Add role assignments

 

Grant permissions at tenant or subscription level:

Tenant level

Tenant level

Assign permissions to the Tenant Root Group to allow Cloudaware to discover all subscriptions within the group automatically:

  1. Select Management Groups in Azure Portal.

  2. Select the Tenant Root Group.

  3. Go to 'Access Control (IAM)' → click +Add → Add role assignment.

  4. Grant access to the management group for Cloudaware application (in this guide, cloudaware-api-access):
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members:
    Assign access to: User, group, or service principal
    Members: click +Select members → cloudaware-api-access → Select

    Click Review + assign.

Subscription level

Assign permissions to the specific subscription(s) for Cloudaware to access and discover only those:

  1. Select Subscriptions in Azure Portal.

  2. Select the subscription.

  3. Go to 'Access Control (IAM)' → click +Add → Add role assignment.

  4. In 'Add role assignment' select:
    a. Under the tab 'Role': in 'Job function roles' select Reader → Next
    b. Under the tab 'Members':
    Assign access to: User, group, or service principal
    Members: click +Select members → cloudaware-api-access → Select

    Click Review + assign.

Configure certificates & secrets

Certificate (recommended)

 

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Certificates' → Upload certificate. 

  2. Click Select a file → choose the certificate file*.

Click Add.

Once the certificate is uploaded, continue the configuration.

 

Client secret

 

Select the application (in this guide, cloudaware-api-access).

  1. Go to 'Certificates & secrets' → the tab 'Client secrets' → +New client secret. 

  2. Set up the client secret:
    Description: ca-api-key
    EXPIRES: 730 days (24 months)

    Click Add.

  3. Click Copy to clipboard to save the secret value.

Once the key is created and saved, continue the configuration.

 

! Next step - Azure setup in Cloudaware

Â