Microsoft Azure Setup

1 - Create Application


1. Select Azure Active Directory in Azure Portal.

2. Under 'Manage' select App registrations +New registration.


3. Insert the following information for your Azure Application:

Name: cloudaware-api-access

Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant) OR Accounts in any organizational directory (Any Azure AD directory - Multitenant)

Redirect URL (optional): Webhttps://cloudaware.com

4. Click Register.

2 - Configure Permissions

1. Select the application that you have just created.

2. Select API permissions → +Add a permission.

3. Select the tab 'Microsoft APIs'. Select Azure Service Management.

4. Select 'Delegated permissions' and check the box 'user_impersonation. Access Azure Service Management as organization users (preview)'.

Click Add permissions.

5. Select Microsoft Graph.

a. In APPLICATION Permissions select:
Directory → Directory.Read.All

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile) [this permission is added by default when the application is created]

6. Go back to All APIs. Select Azure Active Directory Graph.

a. In APPLICATION Permissions select:
Directory → Directory.Read.All

b. In DELEGATED Permissions select:
Directory → Directory.Read.All
User → User.Read (Sign in and read user profile)

Ensure that all necessary permissions are assigned as below:

You should have three APIs added totally - Azure Service Management API, Microsoft Graph and Azure Active Directory Graph.


7. Having added APIs, click Grant admin consent for <Directory Name> to populate them.

Microsoft takes up to 30 minutes to populate the permissions added in previous steps.


3 - Configure Certificates & Secrets

Cloudaware supports both ways of Azure Application authentication:

a) Client secret (key)

1. Select 'Certificates & secrets' → under 'Client secrets' click +New client secret. 

2. Type the description: ca-api-key

3. Set EXPIRES to: Never

4. Click Add.

5. Save the secret value in a secure location.

Once the key is created and saved, skip the part below and continue the further configuration.

b) Certificate

1. Select 'Certificates & secrets' → under 'Certificates' click Upload certificate. 

2. Click Select a file → choose the certificate file*.

*Get the certificate generated by Cloudaware - see step 2 in Adding Azure Active Directory to Cloudaware.

3. Click Add.

Once the certificate is uploaded, continue the configuration following the steps below.

4 - Getting The Active Directory ID (Tenant ID)

Navigate to Azure Active Directory, click Properties and locate Tenant ID. Click Copy to clipboard to save Tenant ID as it is required for integration setup in Cloudaware.

5 - Assigning Role to Subscriptions


1. Navigate to Subscriptions in Azure Portal:

2. Select the subscription that will be added to Cloudaware:

3. Select Access control (IAM):


4. Click +Add Add role assignment:

5. In 'Add role assignment' select:

a. Role: Reader

b. Assign Access to: User, group, or service principal

c. Select: cloudaware-api-access (start typing the application name to choose it from the list)

The steps 1-5 are required for each subscription that will be integrated into Cloudaware.

6 - Grant Access To Key Vaults


СloudAware has to be granted with the access to Key Vault* to be able to check the expiration date of keys and secrets. Set up the access policy for Cloudaware application on the Key Vault level.

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.

1. Navigate to Key Vaults in Azure Portal.

2. Select Access Policies +Add Access Policy.

3. Select the following settings:

a. Key permissions: List

b. Secret permissions: List

c. Certificate permissions: List

d. Select principal: cloudaware-api-access (start typing the application name to choose it from the list → Select)

Click Add.

4. Repeat steps 2-3 for each Key Vault.

7 - Azure Reservations Discovery in Cloudaware (optional)


Cloudaware is capable of discovering and collecting your Azure Reservations, provided that the appropriate permissions are granted in Azure.


1. Log in to your Azure Portal. Navigate to Reservations.

2. Select the reserved Azure resource (in this example, a virtual machine).

3. Click Reservation order ID link.

4. Select Access control (IAM). Click +AddAdd role assignments. Select the following settings:

a. Role: Reader 

b. Assign access to: Azure AD user, group, or service principal

c. Select: cloudaware-api-access (start typing the application name to choose it from the list)

Click Save.

5. To view your Azure Reservations and related data, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → RESERVATIONS.

8 - Azure Kubernetes Discovery in Cloudaware (optional)


Cloudaware supports auto-discovery of Azure AKS Clusters and Azure AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable discovery and collection of the following Azure AKS cluster objects:

Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Replica Set
Azure AKS Cluster Resource Quota
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set

1. Log in to your Azure Portal. Navigate to Subscriptions.

2. Select the subscription in question → Access Control (IAM).

3. Click +AddAdd role assignment. Select the following settings:

a. Role: Azure Kubernetes Service Cluster User Role.

b. Assign access to: Azure AD user, group, or service principal

c. Select: cloudaware-api-access (start typing the application name to choose it from the list)

Click Save.


4. To view your Azure AKS resources, log in to your Cloudaware account → Navigator. Select MICROSOFT AZURE → Compute → AKS.

If AKS cluster is AD managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware.

Cloudaware Setup

1 - Adding Azure Active Directory to Cloudaware

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

2. Fill out the form:

a. Name: Azure Active Directory name

b. Active Directory ID (Tenant ID): Tenant ID [to locate, log in Azure portal → Azure Active Directory → Overview → copy 'Tenant ID']

c. Check the box 'Automatically Discover Subscriptions' to allow Cloudaware automatically discover and add all the subscriptions it has been granted access to in Azure Active Directory. Leave it unchecked if you would like to add your Azure subscriptions manually.

d. Environment: select Azure environment (Azure, Azure China, Azure Government, Azure Germany)

e. Under 'Select Application' click +CREATE NEW.

a) If you selected Client Secret (key) in Configure Certificates & Secrets:

  • Check the radio button Using Client Secret.

  • Provide Application ID (Client ID) and Client Secret that you saved in a secure location﹣ see a) in Configure Certificates & Secrets.

b) If you selected Certificate in Configure Certificates & Secrets:

  • Check the radio button Using Certificate.

  • Provide Application ID (Client ID).

  • Click Generate Certificate to download the file.

Once the certificate is uploaded, click Save and continue the configuration from the step Getting The Active Directory ID (Tenant ID).

3. The green light in 'Status' means that Azure Active Directory has been successfully added. If there is a red light, please contact support@cloudaware.com.

2 - Adding Azure Subscription to Cloudaware

In case you haven't checked the checkbox 'Automatically Discover Subscriptions' as described in the previous section, follow these steps to manually add subscriptions.

1. Log in to your Cloudaware account. Select Admin in the main menu under your username → Azure Active Directories & Subscriptions. Click +Add.

2. Select the tab 'Subscriptions'. Click +Add Azure Subscription.

3. Fill out the form

  • Name: Azure subscription name

  • Subscription ID: Azure subscription ID [to locate, log in to Azure portal → Subscriptions → select the subscription in question → copy 'Subscription ID']

  • Active Directory: select Active Directory from the list

Click Save.

4. Review all subscriptions under the tab 'Subscriptions'. The green light in 'Status' means that the Azure Subscription has been successfully added. If there is a red light, please contact support@cloudaware.com.

5. Given the checkbox 'Automatically Discover Subscriptions' is checked, the tab 'Untracked Subscriptions' shows all Azure subscriptions Cloudaware has discovered in your Active Directory but is not able to collect due to insufficient access caused by an incorrect role assigned (check step 5 in Assigning Role to SubscriptionsReader by default or higher).

3 - Understanding Azure Application in Cloudaware

Such Azure Active Directory credentials as Application ID (Client ID) and Client Secret are stored as Azure Application entity in Cloudaware. Please note that Azure Application can be created only when adding Azure AD.


Cloudaware supports updating the Azure Application credentials. In 'Azure Active Directories & Subscriptions' open the tab Applications, click three dots → Edit.