Setup Azure for nOps

Content

  1. Prerequisites

  2. Ensure you have the required permissions in Azure Active Directory (AAD)

  3. Creating an Azure AD application

  4. Obtain the Tenant ID

  5. Create the application and obtain its ID

  6. Create and obtain the application secret

  7. Grant API access to your application

  8. Grant the Reader role to the application

Prerequisites

You must be able to register an Azure AD application in order to continue. Your account needs specific permissions to complete the steps, and there are two main paths to follow:

  • For Admin roles, you should already have access to register applications

  • For User roles, ensure that users are allowed to register applications, or that you have been assigned the Application administrator or Application developer role in Azure AD

Use the following process to check which roles and permissions have been assigned to you.

Ensure you have the required permissions in Azure Active Directory (AAD)

  1. Log in to the Azure portal

  2. Select Azure Active Directory in the left pane. (Or use the search bar at the top of the page.)

  3. Select the Overview pane to see your login information and your role.

    If you are an Administrator or Global Admin, you are all set – skip to the Creating an Azure AD application section.

  4. If you are a User, click on your email address to open your user page. Click on Assigned roles in the left pane to check if you have either Application administrator or Application developer roles. If either one is listed, you will be able to finish this process.

  5. If no additional roles are assigned, you will only be able to continue if non-admin users have the option of creating apps. To check that, use the following steps:

  1. Log in to the Azure portal if you are not already logged in.

  2. In the left pane, select Azure Active Directory. (Or use the search bar at the top of the page.)

  3. Click User Settings (1) in the left pane.

  4. In the right pane, review the App registrations settings (2)

    Yes - Allows any user in the Azure AD tenant to register AD apps.

    No - Only admin users can register AD apps.

  5. If the setting is Yes, continue to Creating an Azure AD application section.

  6. If App registrations for your account is set to No, you do not have the correct permissions to continue.

    In this case, please contact your administrator to allow access using one of the options listed below.

    Once the permissions are set, you can proceed to the next section and create the application.

    • Assign you the Application administrator or Application developer role

    • Assign you an administrator role for the entire tenant

    • Change the App registrations setting to Yes (simplest option)

      NOTE: Options are listed following the principle of least privilege, i.e., assigning Application developer is safer than allowing all users to create apps on the tenant.

For more information about checking the Azure Active Directory permissions, see Check Azure Active Directory permissions.

Creating an Azure AD application

Linking your account with nOps is a manual process: you create a customer application (an Azure AD app registration) in your Azure tenant. That application, together with the information you provide during the nOps onboarding process, gives nOps access to your Azure account through the REST APIs so it can read the necessary information about your resources.

Using these steps, you will:

  • Create and correctly configure the Azure AD application

  • Create an application secret

  • Assign correct permissions to the application

  • Link the application with the appropriate subscriptions within your tenant

Obtain the Tenant ID

  1. Log in to the Azure portal

  2. In the left pane, select Azure Active Directory. (Or use the search bar at the top of the page.)

  3. Select the Overview page from the left pane.

  4. Under Tenant information, find Tenant ID and note it. You will need this ID later.

Ensure that you have the required permissions in Azure Active Directory (AAD)

  1. Using the steps documented above in Ensure you have the required permissions in Azure Active Directory (AAD), check that your permissions are correctly set in order to continue.

For more information about checking the Azure Active Directory permissions, see Check Azure Active Directory permissions.

Create an AAD application to access the Azure resources

  1. Log in to the Azure portal

  2. In the left pane, select Azure Active Directory. (Or use the search bar at the top of the page.)

  3. In the left pane of Azure Active Directory, click App registrations, then click New registration.

  4. Specify the following details and click Register.

    • Enter a Name for your application.

    • Under Supported account types, leave the default setting: Accounts in this organizational directory only.

    • Under Redirect URI (optional), leave the default drop-down, Web, and in the blank text field, type https://localhost

Your AAD application is now created and added to Azure Active Directory.

For more information about creating the Azure Active Directory application, see Create an Azure Active Directory application.

Obtain the application ID and create the application secret

  1. Log in to the Azure portal

  2. In the left pane, select Azure Active Directory. (Or use the search bar at the top of the page.)

  3. In the left pane of Azure Active Directory, click App registrations, and in the right pane, select the application that you created in AAD.

  4. Note the Application (client) ID for the application. You will need to enter this later.

  5. To generate an authentication secret, click Certificates & secrets in the left pane.

  6. Under Client secrets, click + New client secret to create a new secret.

    Provide a basic description (which will be seen only by you) and an expiry duration (a longer expiry is advised so that nOps does not lose access when the secret expires), then click Add.

    Once that is complete, you will see the newly created entry. From there, note the content of the Value field.

    IMPORTANT: Pay close attention to this step and copy the Value field, not the Secret ID column. The Value is displayed only once, immediately after the secret is created.

For more information about obtaining the application ID and generating the authentication secret, see Get application ID and authentication key.

Grant API access to your application

  1. Log in to the Azure portal

  2. In the left pane, select Azure Active Directory. (Or use the search bar at the top of the page.) Then, in the left pane of Azure Active Directory, click App registrations, and in the right pane, select the application that you created in AAD.

  3. In the left pane, select API permissions, and in the right pane, select Add a permission.

  4. In the Select an API pane, search for Azure Service Management or Microsoft Graph and select it. The five permissions required for the nOps application to work properly with the minimum necessary access are listed below:

    • Microsoft Graph – Delegated permission

      a. User.Read

    • Microsoft Graph – Application permission

      a. AuditLog.Read.All

      b. Directory.Read.All

      c. Reports.Read.All

    • Azure Service Management

      a. user_impersonation

    For each API, after checking the required permissions, click Add permissions in the bottom left corner.

The final screen with correctly configured permissions should look as seen below.

Note that for all three Microsoft Graph Application permissions, you will need to click Grant admin consent.

Grant the Reader role to the application

Ensure that your account in the Azure subscription has the Owner or User Access Administrator role, which is required to manage access to Azure resources. If your account is assigned only the Contributor role, you cannot grant roles.

Only subscriptions that have the Reader role for the application will be displayed to you on nOps.

  1. Log in to the Azure portal

  2. In the left pane, select Subscriptions. (Or use the search bar at the top of the page.)

  3. Locate and select the required subscription from the list.

  4. In the left pane, choose Access control (IAM), click + Add, then Add role assignment.

  5. In the Add role assignment pane, select the Reader role and, under Assign access to, choose ‘User, group, or service principal’.

    NOTE: If you are a Global Admin and this button/menu is not enabled, check the Azure portal:
    navigate to Azure Active Directory > Properties > Access management for Azure resources and set the toggle to YES.

    Save the settings, sign out of the portal and sign back in to see this menu.

  6. Select your application and click Save.

For more information about granting the Reader role to the application, see Assign application to role.

The following information should be captured after successfully completing these steps:

  • Tenant ID

  • Application ID

  • Authentication secret

All values will be required for onboarding your Azure tenant to nOps.
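Before handing these values to nOps, it is worth confirming that they actually work together and that the Reader role assignment from the previous section is in effect. The script below is an added example (not part of the nOps documentation): it sanity-checks the Tenant ID, Application ID and secret, then obtains a client-credentials token for Azure Resource Manager and lists the enabled subscriptions the application can read. The environment variable names and the Enabled-state filter are assumptions of this example.

```python
"""Verify the captured Tenant ID, Application ID and secret against Azure."""
import json
import os
import re
import sys
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ARM = "https://management.azure.com"


def is_guid(value):
    """Tenant ID and Application (client) ID are GUIDs; a client secret Value is not."""
    return bool(GUID_RE.match(value or ""))


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request for an ARM access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM + "/.default",
    }).encode()
    return url, body


def readable_subscriptions(payload):
    """Return (subscriptionId, displayName) for enabled subscriptions in an ARM
    subscriptions list response; only subscriptions where the app holds a role
    (e.g. Reader) are present in that list."""
    return [(s["subscriptionId"], s["displayName"])
            for s in payload.get("value", []) if s.get("state") == "Enabled"]


def call_json(url, body=None, token=None):
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed variable names for this example.
    tenant, app, secret = (os.environ.get(k) for k in
                           ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    if not (is_guid(tenant) and is_guid(app)) or not secret or is_guid(secret):
        sys.exit("IDs must be GUIDs; the secret must be the Value field, not the Secret ID")
    token = call_json(*token_request(tenant, app, secret))["access_token"]
    subs = readable_subscriptions(call_json(ARM + "/subscriptions?api-version=2020-01-01", token=token))
    print(f"Application can read {len(subs)} subscription(s):")
    for sub_id, name in subs:
        print(" ", sub_id, name)
```

If the subscription you assigned the Reader role to is missing from the output, the role assignment did not take effect or was made on a different subscription.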
