Cloud Labs: Bring Your Own Azure Account – Advanced

A secure, robust process for connecting your Azure account to Vocareum.

Written by Mary Gordanier
Updated this week

For Admins

To provision Azure resources in Cloud Labs, you will need to grant Vocareum permission to manage relevant aspects of your Azure account.

This article provides step-by-step instructions on how to give Vocareum the required access.

Choosing between the Basic and Advanced Guides

We generally recommend the process detailed in this advanced guide for connecting your Azure account to Vocareum for use in Cloud Labs. However, if you would like a quicker setup option, you can refer to the basic guide here: Cloud Labs: Bring Your Own Azure Account.

The Basic Guide offers a less complex setup suitable for straightforward integrations, while the Advanced Guide provides a more in-depth, customizable, and secure approach for organizations with advanced requirements.

Select the Basic Guide if:

  • You have an Azure subscription and seek a straightforward integration process.

  • Your organization does not require extensive customization or granular access controls.

  • You prefer a quicker setup with minimal configuration steps.

Opt for the Advanced Guide if:

  • You need to manage multiple Azure subscriptions under a unified structure.

  • Your organization requires detailed access controls, custom roles, and specific security configurations.

  • You aim to implement centralized policies and compliance measures across various departments or projects.

Setting up a Microsoft Entra ID app

  1. Sign in to the Azure Portal

  2. From the Azure services select 'Microsoft Entra ID'

  3. Select '+ Add' and then 'App Registration'

  4. Give the app a name. Select a Supported account type to determine who can use the application. Under Redirect URI, select 'Web' as the type of application you want to create and enter the URI to which the access token is sent. You cannot create credentials for a native application. Once you have entered your values, select Register at the bottom.

  5. You will now be redirected to the Overview of the app you have just created

  6. Note down the 'Application (client) ID' and 'Tenant ID' to share with Vocareum. These credentials are required to pass with our authentication request for signing in programmatically.

  7. If you have not already, you will need to create an authentication credential for the app: either a certificate or a client secret

    1. Navigate to the App Registrations page in the Microsoft Entra admin center and select your App

    2. Next click on 'Certificates & secrets'

    3. Select 'Client secrets' and '+ New client secret'

    4. Include a description of the secret and set the duration. Select 'Add' when ready.

    5. The Value and Secret ID will now be displayed under Client secrets. Copy the Value now, because you won't be able to retrieve it later. You will need to provide this value together with the app ID to sign in as the application. Store the value where your application can retrieve it.
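What the Tenant ID, Application (client) ID and secret Value are used for, as an added example that is not Vocareum's code: the OAuth 2.0 client credentials request an application sends to the Microsoft identity platform to sign in programmatically, with the secret read from the environment rather than written into source. The scope (Azure Resource Manager) and the environment variable names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_SCOPE = "https://management.azure.com/.default"  # Azure Resource Manager; an assumption

def token_request(tenant_id: str, client_id: str, client_secret: str, scope: str = TOKEN_SCOPE):
    # OAuth 2.0 client credentials grant against the Microsoft identity platform v2.0 endpoint:
    # the Tenant ID selects the directory, the Application (client) ID and secret Value identify the app.
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return url, urllib.parse.urlencode(form).encode()

def redacted(form_body: bytes) -> dict:
    # The request body with the secret masked, so it can be logged or compared safely.
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(form_body.decode()).items()}
    fields["client_secret"] = "***"
    return fields

def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    # Sends the request; the secret travels only in the POST body over TLS.
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":
    # The two identifiers from the app's Overview page and the secret Value come from the
    # environment (variable names are assumptions); the secret is never hard-coded.
    tenant, client, secret = (os.environ[k] for k in
                              ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    print("requesting:", redacted(token_request(tenant, client, secret)[1]))
    print("token length:", len(fetch_token(tenant, client, secret)))
```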

Management Groups

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.

Create a Management Group

  1. Log in to the Azure Portal

  2. Under Azure services, select 'More services'

  3. Under the categories select 'Management and governance' and then use the search filter to find 'Management groups'. Hovering over Management groups will display a '+' symbol. Select this symbol to create a group.

  4. Fill in the required fields. You can name your management group whatever you want. When ready, select 'Save'

For Resource Level Labs

  1. Create one management group inside the management group that you have created for your organization. You can name this management group as you choose.

  2. Now move your new or existing subscriptions from your tenant root management group to the new management group you have created.

For Subscription Level Labs

  1. Create one management group inside the management group that you have created for your organization. You can name this management group as you choose.

  2. Next, you will create subscriptions programmatically in this subscription-level lab group. To allow subscriptions to be created, assign the following role to your app in 'Cost Management + Billing':

  3. Search for 'Cost Management' from your Azure portal.

  4. Select 'Access Control' and click '+ Add'.

  5. From the 'Add role assignment' menu choose the 'Billing account owner' role.

  6. Select your app from the search bar below and press 'Add' when you are finished.

Assigning A Role to Your App in a Management Group

  1. Navigate to Management Group and select Access Control from the left side menu

  2. Select '+ Add' and then 'Add Role Assignment'

  3. Under the Role tab, select the 'Owner' role. This role grants full access to manage all resources, including the ability to assign roles in Azure RBAC, and enables Vocareum to fetch invoices for the subscriptions linked with the management group

  4. Under the Members tab, assign access to 'User, group, or service principal'. Click '+ Select members' and select your app. If the app doesn't appear, search for its name first

  5. Under the Conditions tab, select 'Allow user to assign all roles (highly privileged)'

  6. When ready select 'Review + Assign'

Create a Custom Role within your management group

Next, create a custom role inside your organization's management group. Vocareum assigns this role to users within your organization so that they can access Azure services; through it, users can access the resources offered by the subscriptions linked with your organization's management group.

  1. Go to your organization's management group

  2. Click on Access Control (IAM)

  3. Select '+ Add' and then 'Custom Role'

  4. Assign the permissions you want users to have. These permissions can be modified as needed based on your organization's requirements. Here are sample permissions that can be defined for the "permissions" value in the JSON tab:

    "permissions": [
      {
        "actions": [
          "*",
          "*/read",
          "Microsoft.Support/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.Billing/*/read",
          "Microsoft.Commerce/*/read",
          "Microsoft.Consumption/*/read",
          "Microsoft.Management/managementGroups/read",
          "Microsoft.CostManagement/*/read"
        ],
        "notActions": [
          "Microsoft.Authorization/policyAssignments/delete",
          "Microsoft.Authorization/policyDefinitions/delete",
          "Microsoft.Authorization/policyDefinitions/write",
          "Microsoft.Authorization/policySetDefinitions/write",
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyExemptions/write",
          "Microsoft.Authorization/policyExemptions/delete",
          "Microsoft.Authorization/locks/write"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]

  5. Add a name for your custom role and when ready select 'Review + create'

  6. Share the Role ID of this custom role with Vocareum. To find it, locate the custom role under 'Access control (IAM)', then navigate to 'Details' and select 'View'.

  7. Select 'JSON'. The role ID is the final segment of the 'id' value on the second line.
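The custom role above, checked the way a practitioner would before creating it: an added example, not Vocareum's code, that applies Azure RBAC's wildcard matching to the guide's sample permissions, reports which 'actions' entries are already covered by a broader entry, probes whether a given operation ends up allowed or denied (so 'notActions' can be adjusted to your organization's requirements), and extracts the role ID from the 'id' path as step 7 describes. The management-group name, role name and GUID are constructed placeholders.

```python
import re

# Role definition in the shape of the portal's JSON view (Details > View > JSON). The "permissions"
# value is the guide's sample; the management-group name, role name and GUID are constructed placeholders.
ROLE = {
    "id": "/providers/Microsoft.Management/managementGroups/EXAMPLE-ORG-MG/providers/"
          "Microsoft.Authorization/roleDefinitions/00000000-1111-2222-3333-444444444444",
    "properties": {"roleName": "Example Lab User", "permissions": [{
        "actions": ["*", "*/read", "Microsoft.Support/*", "Microsoft.Authorization/*/read",
                    "Microsoft.Billing/*/read", "Microsoft.Commerce/*/read",
                    "Microsoft.Consumption/*/read", "Microsoft.Management/managementGroups/read",
                    "Microsoft.CostManagement/*/read"],
        "notActions": ["Microsoft.Authorization/policyAssignments/delete",
                       "Microsoft.Authorization/policyDefinitions/delete",
                       "Microsoft.Authorization/policyDefinitions/write",
                       "Microsoft.Authorization/policySetDefinitions/write",
                       "Microsoft.Authorization/policyAssignments/write",
                       "Microsoft.Authorization/policyExemptions/write",
                       "Microsoft.Authorization/policyExemptions/delete",
                       "Microsoft.Authorization/locks/write"],
        "dataActions": [], "notDataActions": []}]}}

def action_matches(pattern: str, operation: str) -> bool:
    # Azure RBAC wildcard: '*' matches any run of characters, '/' included; names are case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(operation: str, definition: dict) -> bool:
    # Effective control-plane permission: some 'actions' entry matches and no 'notActions' entry does.
    return any(any(action_matches(a, operation) for a in p["actions"])
               and not any(action_matches(n, operation) for n in p["notActions"])
               for p in definition["properties"]["permissions"])

def redundant_actions(definition: dict) -> list:
    # 'actions' entries already covered by a broader entry in the same list (everything once '*' is there).
    return [a for p in definition["properties"]["permissions"] for a in p["actions"]
            if any(b != a and action_matches(b, a) for b in p["actions"])]

def role_id(definition: dict) -> str:
    # The Role ID Vocareum asks for: the GUID at the end of the definition's 'id' path (step 7 above).
    match = re.search(r"/roleDefinitions/([0-9a-fA-F-]{36})$", definition["id"])
    if not match:
        raise ValueError("'id' does not end in a roleDefinitions GUID")
    return match.group(1)

if __name__ == "__main__":
    print("role id:", role_id(ROLE))
    print("covered by a broader entry:", redundant_actions(ROLE))
    print("roleAssignments/write allowed:", is_allowed("Microsoft.Authorization/roleAssignments/write", ROLE))
```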

API Permissions

For the app to access the resource APIs, we will have to grant it some API permissions.

Allocate Permissions to an App

  1. From the Azure portal select Microsoft Entra ID.

  2. Navigate to and open 'Manage' and select 'App Registrations'

  3. Select your app and navigate to 'API Permissions'

  4. Click 'Add a Permission' and in the API Permission panel that opens select 'Microsoft Graph' under the 'Microsoft APIs' tab

  5. When prompted for the type of permissions your application requires, select 'Application Permissions'

  6. Add the following minimum required API permissions:

    User-related:

    • User.ReadWrite.All

    • User.ReadBasic.All

    • User.Export.All

    Policy-related:

    • Policy.ReadWrite.ConditionalAccess

    • Policy.ReadWrite.ConsentRequest

    • Policy.ReadWrite.Authorization

    Role Management:

    • RoleManagement.ReadWrite.Directory

    Directory:

    • Directory.ReadWrite.All

    AppRoleAssignment:

    • AppRoleAssignment.ReadWrite.All

  7. Select 'Add Permissions' to complete the process. You should now see the selected permissions under 'Configured permissions'

  8. Click 'Grant admin consent' and confirm. The selected permissions should now all have the status of 'Granted'

API Permission Details

More information about the permissions granted to the Vocareum app can be found here.

Adding the New Tenant to Your Control Center Dashboard

  1. Navigate from the Vocareum Dashboard to the 'Azure' tab on the side menu

  2. Select 'Setup Tenant'

  3. Select '+ Setup Tenant', fill in the required details and save

    1. Customer key: A key used to identify your organization; it should not contain spaces (e.g. MyOrg-ResourceGroup-Lab)

    2. Username: Not necessary, can fill in '-'

    3. Password: Not necessary, can fill in '-'

    4. Tenant ID: Found under the Overview for your application or under 'Tenant properties'

    5. Domain: The domain for your tenant (ex: sampleorg.onmicrosoft.com)

    6. Client ID: Found under the Overview for your application as 'Application (client) ID'

    7. Secret ID: The Value of the client secret created for your application (the Value copied when the secret was created, not the secret's Secret ID)

    8. Root management group: ID for the first management group that you created

    9. Lab management group: ID for the second management group that you created under the root management group

    10. Customer Support Email: An email that Vocareum can use to contact you in case of any issues

  4. Select 'Subscription Details', '+ Add Subscription', fill in the required details and save

  5. Select 'Role Config', '+ Add Role Config', fill in the required details and save
