Azure Start Guide
Microsoft Azure Setup
1 - Create Application
1. Select Azure Active Directory in Azure Portal.
2. Under 'Manage' select App registrations → +New registration.
3. Insert the following information for your Azure Application:
Name: cloudaware-api-access
Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant) OR Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Redirect URL (optional): Web - https://cloudaware.com
4. Click Register.
2 - Configure Permissions
1. Select the application that you have just created.
2. Select API permissions → +Add a permission.
3. Select the tab 'Microsoft APIs'. Select Azure Service Management.
4. Select 'Delegated permissions' and check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'.
Click Add permissions.
5. Select Microsoft Graph.
a. In APPLICATION Permissions select:
Directory → Directory.Read.All
Click Add permissions.
b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]
Click Add permissions.
Ensure that all necessary permissions are assigned as below:
You should have two APIs added totally - Azure Service Management and Microsoft Graph.
7. Having added APIs, click Grant admin consent for <Directory Name> to populate them.
Microsoft takes up to 30 minutes to populate the permissions added in previous steps.
8. To grant permissions to Cloudaware for auto-discovery of Azure subscriptions at the tenant level, follow these steps:
a) Select Management Groups in Azure Portal:
b) Select the management group in question (the one from which subscriptions are to be collected, or the Tenant Root Group for Cloudaware to discover all available subscriptions as in the example below):
c) Go to Access Control (IAM) on the left → click +Add → Add role assignment:
d) Grant the Cloud application with access to the management group in question:
Under the tab 'Job function roles' select Reader.
Under the tab 'Members' select the following settings:
a. Role: Reader
b. Assign access to: User, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Review + assign.
3 - Configure Certificates & Secrets
Cloudaware supports both ways of Azure Application authentication:
a) Client secret (key)
1. Select 'Certificates & secrets' → the tab 'Client secrets' → +New client secret.
2. Type the description: ca-api-key
3. Set EXPIRES to: 24 months
4. Click Add.
5. Save the secret value in a secure location.
Once the key is created and saved, skip the part below and continue the further configuration.
b) Certificate
1. Select 'Certificates & secrets' → the tab 'Certificates' → Upload certificate.
2. Click Select a file → choose the certificate file*.
*Get the certificate generated by Cloudaware - see step 2 in Adding Azure Active Directory to Cloudaware.
3. Click Add.
Once the certificate is uploaded, continue the configuration following the steps below.
4 - Getting The Active Directory ID (Tenant ID)
Navigate to Azure Active Directory, click Properties and locate Tenant ID. Click Copy to clipboard to save Tenant ID as it is required for integration setup in Cloudaware.
5 - Assigning Role to Subscriptions
1. Navigate to Subscriptions in Azure Portal:
2. Select the subscription that will be added to Cloudaware:
3. Select Access control (IAM):
4. Click +Add → Add role assignment:
5. In 'Add role assignment' select:
a. Role: Reader
b. Assign Access to: User, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
The steps 1-5 are required for each subscription that will be integrated into Cloudaware.
6 - Grant Access To Key Vaults
Сloudaware has to be granted with the access to Key Vault* to be able to check the expiration date of keys and secrets. Set up the access policy for Cloudaware application on the Key Vault level.
*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.
1. Navigate to Key Vaults in Azure Portal.
2. Select Access Policies → +Add Access Policy.
3. Select the following settings:
a. Key permissions: List
b. Secret permissions: List
c. Certificate permissions: List
d. Select principal: cloudaware-api-access (start typing the application name to choose it from the list → Select)
Click Add.
4. Repeat steps 2-3 for each Key Vault.
7 - Azure Reservations Discovery in Cloudaware (optional)
Cloudaware is capable of discovering and collecting your Azure Reservations, provided that the appropriate permissions are granted in Azure.
1. Log in to your Azure Portal. Navigate to Reservations.
2. Select the tab 'Role Assignment'.
3. Click +Add → Add role assignments.
4. Under the tab 'Job function roles' select Reservations Reader.
Under the tab 'Members' select the following settings:
a. Role: Reservations Reader
b. Assign access to: User, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Review + assign.
Please allow up to 24 hours for Azure reservations to be displayed in Cloudaware CMDB.
5. To view your Azure Reservations and related data, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → RESERVATIONS.
8 - Azure Kubernetes Discovery in Cloudaware (optional)
Cloudaware supports auto-discovery of Azure AKS Clusters and Azure AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable discovery and collection of the following Azure AKS cluster objects:
Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Replica Set
Azure AKS Cluster Resource Quota
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set
1. Log in to your Azure Portal. Navigate to Subscriptions.
2. Select the subscription in question → Access Control (IAM).
3. Click +Add → Add role assignment. Select the following settings:
a. Role: Azure Kubernetes Service Cluster User Role
b. Assign access to: Azure AD user, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Save.
4. To view your Azure AKS resources, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → Compute → AKS.
If AKS cluster is AD managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware.
9 - Microsoft Devices Discovery (Intune) (optional)
Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more
Cloudaware requires the following permissions to be assigned to Azure Active Directory Application:
DeviceManagementManagedDevices.Read.All
DeviceManagementConfiguration.Read.All
The following objects are supported:
Azure Active Directory Devices
Azure Active Directory Compliance Policies
Azure Active Directory Device Config
10 - Tagging Permissions for Cloudaware (optional)
Use the Tag Contributor role or create a custom role to define the scope of provided permissions on tagging (see 'Custom Role For Tagging').
To assign the Tag Contributor role to Cloudaware application, follow the steps below:
1. Log in to your Azure Portal. Navigate to Subscriptions.
2. Select the subscription in question → Access Control (IAM).
3. Click +Add → Add role assignment. Select the following settings:
a. Role: Tag Contributor
b. Assign access to: Azure AD user, group, or service principal
c. Members: click +Select members → cloudaware-api-access (start typing the application name to choose it from the list)
Click Save.
The role Tag Contributor uses a recently released Azure API method. Learn more about the role
Cloudaware Setup
1 - Adding Azure Active Directory to Cloudaware
1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.
2. Fill out the form:
a. Name: Azure Active Directory name
b. Active Directory ID (Tenant ID): Tenant ID (to locate, log in Azure portal → Azure Active Directory → Overview → copy 'Tenant ID')
c. Check the box 'Automatically Discover Subscriptions' to allow Cloudaware automatically discover and add all the subscriptions it has been granted access to in Azure Active Directory. Leave it unchecked if you would like to add your Azure subscriptions manually.
d. Environment: select Azure environment (Azure, Azure China, Azure Government, Azure Germany)
e. Under 'Select Application' click +CREATE NEW.
a) If you selected Client Secret (key) in Configure Certificates & Secrets:
Check the radio button Using Client Secret.
Provide Application ID (Client ID) and Client Secret that you saved in a secure location﹣ see a) in Configure Certificates & Secrets.
b) If you selected Certificate in Configure Certificates & Secrets:
Check the radio button Using Certificate.
Provide Application ID (Client ID).
Click Generate Certificate to download the file.
Go back to the step Configure Certificates & Secrets to upload the certificate in your Azure environment.
Once the certificate is uploaded, click Save and continue the configuration from the step Getting The Active Directory ID (Tenant ID).
3. The green light in 'Status' means that Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.
2 - Adding Azure Subscription to Cloudaware
In case you haven't checked the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to manually add subscriptions.
1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.
2. Select the tab 'Subscriptions'. Click +Add Azure Subscription.
3. Fill out the form:
Name: Azure subscription name
Subscription ID: Azure subscription ID [to locate, log in to Azure portal → Subscriptions → select the subscription in question → copy 'Subscription ID']
Active Directory: select Active Directory from the list
Click Save.
4. Review all subscriptions under the tab 'Subscriptions'. The green light in 'Status' means that the Azure Subscription has been successfully added. If there is a red light, please contact support@cloudaware.com.
5. Given the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions Cloudaware has discovered in your Active Directory but is not able to collect due to insufficient access caused by an incorrect role assigned (check step 5 in Assigning Role to Subscriptions ﹣ Reader by default or higher).
3 - Understanding Azure Application in Cloudaware
Such Azure Active Directory credentials as Application ID (Client ID) and Client Secret are stored as Azure Application entity in Cloudaware. Please note that Azure Application can be created only when adding Azure AD.
Cloudaware supports updating the Azure Application credentials. In 'Azure Active Directories & Subscriptions' open the tab Applications, click three dots → Edit.
