Articles in this section

See more

Create Azure AD Application for the SkyFormation Azure Connector

Avatar
Nadav Lavy
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Preface

The goal of this guide is to show you how to add an Azure AD application that could be used by the SkyFormation's Azure Cloud App Connector in your SkyFormation Platform.

You could use one of the following two processes to create the needed Azure AD application:

- Automated process (PowerShell based)

  This option is based on a PowerShell script provided by SkyFormation that would automatically
  create the needed Azure AD application in your Office Azure AD with its needed permissions.
 

- Manual process

  The entire app creation process is based on manual steps done by the Azure AD administrator.

 

Automated Process Steps

1. Download the PowerShell script attached in this post.

2. Review the PowerShell content before executing and make sure the script procedure is
      understood and accepted by your Azure admin.

3 Run the PowerShell script in a PowerShell shell.

4 Commit the permissions added to the new Azure AD app added 

- Log into your Azure account (https://portal.azure.com).

- Open: "Azure Active Directory" service page

- Open: "App registrations" and press "View all application"

- Open: "SkyFormationApp4AzureConnector" app page

- Press on the "Settings" button

- Open: "Required permissions" page

    -  In the "Required Permissions" click on the "Grant Permissions" button. and press "Yes
       If the entire permissions added and granted correctly you should see a screen says:

      

Azure AD app creation is DONE ! 

You could close this guide

 

Manual Process Steps

1. Log into your Azure account (https://portal.azure.com).

2. Open Azure Active Directory

00-open-aad.png

3. Navigate to Properties , keep aside the value of Directory ID , a.k.a Tenant ID

0001-save-tenant-id.png

4. Navigate to App registrations , create a new app by clicking + New application registration

01-create-app.png 

5. Fill application details:
    Name: SkyFormationApp;
    Application type: Choose "Web app/API"
    Sign-on URL: Type "https://www.skyformation.com"

6. Click "Create"

7. From the page of the just created app keep aside the value of Application ID, a.k.a Client ID

04-client-id-to-keep.png

8. Choose "Settings" from the just created app page

9. Create a Key (a.k.a Secret) by navigating to Keys, insert a name for the key, and select 
    duration of Never expires , click Save (only than will the key/secret be generated)

10. Keep aside the generated key (a.k.a Secret)

06-keep-generated-secret.png

11. Add permissions for the application by navigating to Required permissions link in the app page

12. In the Required Permissions:
      - Click Add
      - Click Select an API you need to add the app permissions to according to the below table.
        (e.g. Microsoft Graph API)
      - Check the needed permissions to the API according to the below table 
        (e.g. In the Application permissions check the "read all users full profiles" permission)
      - Repeat this for each permission needed in the API page
      - Click "Select"
      - Click "Done"

        You should now see in the "Required permissions" table the just added permissions to
       the specific API you added permissions to.

      Repeat the above step in section 12 for each API you need to add permissions to
      according to the table below.
 

      NOTE: Do not click the Select All checkbox. Azure has a UI glitch where this button does not                   really check the permissions (only checks them visually) 

API Permissions needed table:

API name Category (Application/Delegated) Permissions needed
Microsoft Graph API Application read all users full profiles
    read all groups
Windows Azure Service Management API Delegated Access Azure Service Management as organization users
Windows Azure Active Directory Application read directory data

 

13. Click Grant Permissions to really save all the permissions added above

Make sure you see a message that verify the permissions were successfully granted as

14. Navigate to Subscriptions in the Main Azure services menu by searching for "Subscriptions"
      in the "All Services" page  

15. Select a subscription you wish to monitor (you need to repeat the below process for each subscription you would like the SkyFormation Azure connector to monitor).

16. Click Access control (IAM) and  

NOTE: If the UI shows an error where it states the user does not have permission to set permissions, it could be caused by either:
a. The user is not an administrator of the Subscription
b. The subscription was generated by Office365. This is a bug with Office365. To overcome it create a new Subscription. A Free or Pay-As-You-Go are sufficient.

12-start-add-app-to-subscription.png

17. For each of the following Roles:

() Log Analytics Reader 
() Network Contributor  
() Storage Account Contributor

      Repeat the below steps:

      a. Press the + Add link
      b. In the "Add permissions" page put the following values:
          () "Role": Choose from the list role we are adding permissions to
              (e.g. Log Analytics Reader)
          () "Assign access to": Choose "Azure AD user, group, or application
          () "Select": Put the name of the added Azure app name 
              (e.g. AzureAuditSK4)

          Press "Save"

          After adding the Roles to the Azure app you should see a screen as below:

Make sure you see the new Role assigned to the Azure app in the IAM window.

    
 NOTE: The application will only have the permissions granted to it in step 11.

18. (Optional) Log Analytics (used to be Operational Insights)

Note: This step, although described as required by MS in order to access this data source, was found to be optional as long as the role Log Analytics Reader role was assigned in step #15.

In Mid 2017 Microsoft introduced a new API for Log Analytics. As per MS docs, these are the steps required to authenticate with it (though see note above). (From Microsoft guide here).

1. Using a Windows machine Powershell, create an Azure application with appId ca7f3f0b-7d91-482c-8e09-c5d840d0eac5 : 

  1. If you do not have the Connect-AzureAD cmdlet installed in Powershell, install it first by running Install-Module AzureAD in a new Powershell session
  2. Connect-AzureAD -TenantId <tenantId>
  3. New-AzureADServicePrincipal -AppId ca7f3f0b-7d91-482c-8e09-c5d840d0eac5 -DisplayName "Log Analytics API"

2. Repeat step #10, but choose the "Log Analytics API" application just created, grant the permission Read log analytics data and Read log analytics data as user , select and click Grant Permissions

search-log-analytics-app.png

 

 log-analytics-app-select-permissions.png

 

Your are done !

Next Steps

Now you are ready to add a SkyFormation Azure Connector to your SkyFormation Platform.

Please make sure you keep your:
- client ID of your new created Azure app
- Your tenant ID and generated secret ID 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk