Skip to main content
Skip table of contents

Additional permissions in Azure

The article explains how to grant Cloudaware access to Key Vaults, Azure Reservations, Kubernetes, Azure AD (Intune) devices, and tagging resources. Ensure you have the necessary permissions in the Azure portal.

Key Vaults

 

Cloudaware needs access to Azure Key Vault* to check the expiration date of keys and secrets. Set up the access policy for the Cloudaware application (in this guide, cloudaware-api-access) on the Key Vault level.

 

  1. Log in to the Azure portal. Select Key Vaults.

  2. Select the key vault. Go to 'Access Policies' on the left +Add Access Policy.

  3. Set up the key vault:
    Key permissions: List
    Secret permissions: List
    Certificate permissions: List
    Click Next.

    Select principal: cloudaware-api-access Click Add.
    Select the application → NextCreate.

  4. Repeat steps 1-3 for each key vault.

*Cloudaware retrieves metadata only ('Azure Key Vault Key' and 'Azure Key Vault Secret' objects). No keys or secrets are accessible to Cloudaware.

Azure Reservations

Cloudaware supports auto-discovery of Azure Reservations. To grant Cloudaware access to Azure reservations:

  1. Log in to the Azure portal. Select Reservations.

  2. Select the tab 'Role Assignment'. Click +AddAdd role assignments.

    a. Under the tab 'Job function roles' select Reservations Reader → Next.

    b. Under the tab 'Members' select the following settings:
    Role: Reservations Reader
    Assign access to: User, group, or service principal
    Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) Select.

    Click Review + assign.

Please allow up to 24 hours for Cloudaware to collect Azure reservations data.

  1. To view Azure Reservations and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → RESERVATIONS.

    Azure start guide - additional permissions - reservations - reservations in CMDB.png

Azure Kubernetes

Cloudaware supports auto-discovery of AKS Clusters and AKS Cluster Agent Pool Profiles by default. Grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read to enable the discovery and collection of AKS Cluster objects.

  1. Log in to the Azure portal. Select Subscriptions.

  2. Select the subscription. Go to 'Access Control (IAM)' on the left. Click +AddAdd role assignment:

    a. Under the tab 'Role': in 'Job function roles' select Azure Kubernetes Service Cluster User Role → Next.

    b. Under the tab 'Members':
    Assign access to: User, group, or service principal
    Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) Select.

    Click Review + assign.

  3. To view Azure AKS resources, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → COMPUTE → AKS.

    Azure start guide - additional permissions - AKS - AKS in CMDB.png

If AKS cluster is Active Directory-managed, check this guide to set up the cluster role binding and grant required permissions to Cloudaware.

Microsoft Devices (Intune)

Cloudaware supports discovery of Azure Active Directory Devices managed by Intune. Microsoft Intune is a cloud-based endpoint management solution helping to manage user access and simplify app and device management across Microsoft infrastructure. Learn more

To grant Cloudaware access to Azure Active Directory Devices:

 

  1. Log in to the Azure portal. Select App registrations.

  2. Select the Azure application created for Cloudaware access. Go to API permissions → Add a permission.

  3. Select Microsoft Graph → Application permissions:

    In DeviceManagementManagedDevices: select DeviceManagementManagedDevices.Read.All → check the box → click Add permissions.
    In DeviceManagementConfiguration: select DeviceManagementConfiguration.Read.All → check the box → click Add permissions.

  4. Click Grant admin consent for <Directory Name> to populate permissions.

  5. To view Azure Active Directory Devices and related data, go to Cloudaware CMDB Navigator. Select MICROSOFT AZURE → SECURITY, IDENTITY, COMPLIANCE → Active Directory → Azure Active Directory Devices.

    Azure start guide - additional permissions - Intune - AD devices in CMDB.png



    The following Azure Active Directory objects managed by Intune* are supported:

    Azure Active Directory Device
    Azure Active Directory Device Config
    Azure Active Directory Device Fact
    Azure Active Directory Device MountPoint

Tagging permissions

 

To tag Azure resources directly from Cloudaware using Tag Analyzer, assign the Tag Contributor* role:

 

  1. Log in to the Azure portal. Select Subscriptions.

  2. Select the subscription → go to 'Access Control (IAM)' on the left. Click +AddAdd role assignment.

    a. Under the tab 'Job function roles' select Tag Contributor** → Next.

    b. Under the tab 'Members' select the following settings:
    Assign access to: User, group, or service principal
    Members: click +Select members → start typing the name of the Azure application created for Cloudaware access (in this guide, cloudaware-api-access) Select.

    Click Review + assign.

*You can also create a custom role to define the scope of permissions for tagging.

**The role Tag Contributor uses a recently released Azure API method. Learn more about the role

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close