For Admins
To provision Azure resources in Cloud Labs, you will need to grant Vocareum permission to manage relevant aspects of your Azure account.
This article provides step-by-step instructions on how to give Vocareum the required access.
Choosing between the Basic and Advanced Guides
We generally recommend the process detailed in this advanced guide for connecting your Azure account to Vocareum for use in Cloud Labs. However, if you would like a quicker setup option, you can refer to the basic guide here: Cloud Labs: Bring Your Own Azure Account.
The Basic Guide offers a less complex setup suitable for straightforward integrations, while the Advanced Guide provides a more in-depth, customizable, and secure approach for organizations with advanced requirements.
Select the Basic Guide if:
You have an Azure subscription and seek a straightforward integration process.
Your organization does not require extensive customization or granular access controls.
You prefer a quicker setup with minimal configuration steps.
Opt for the Advanced Guide if:
You need to manage multiple Azure subscriptions under a unified structure.
Your organization requires detailed access controls, custom roles, and specific security configurations.
You aim to implement centralized policies and compliance measures across various departments or projects.
Setting up a Microsoft Entra ID app
Sign in to the Azure Portal
From the Azure services select 'Microsoft Entra ID'
Select '+ Add' and then 'App Registration'
Give the app a name. Select a Supported account type to determine who can use the application. Under Redirect URI select 'Web' as the type of application you want to create and enter the URI where the access token is sent. You cannot create credentials for a native application. Once you have entered your values, select Register at the bottom.
You will now be redirected to the Overview of the app you have just created
Note down the 'Application (client) ID' and 'Tenant ID' to share with Vocareum. Vocareum passes these values with its authentication request to sign in programmatically.
If you have not already, you will need to create a certificate for an authentication key, or a client secret, for the app
Navigate to the App Registrations page in the Microsoft Entra admin center and select your App
Next click on 'Certificates & secrets'
Select 'Client secrets' and '+ New client secret'
Include a description of the secret and set the duration. Select 'Add' when ready.
The Value and Secret ID will now be displayed under the Client secrets. Copy the value because you won't be able to retrieve the key later. You will need to provide the key value with the app ID to sign in as the application. Store the key value where your application can retrieve it.
Management Groups
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.
Create a Management Group
Log in to the Azure Portal
Navigate to Azure services and select 'More services'
Under the categories select 'Management and governance' and then use the search filter to find 'Management groups'. Hovering over Management groups will display a '+' symbol. Select this symbol to create a group.
Fill in the required fields. You can name your management group whatever you want. When ready select 'Save'
For Resource Level Labs
You will have to create one management group inside the management group that you have created for your org. You can name this management group as per your choice.
Now move your new or existing subscriptions from your tenant root management group to the new management group you have created.
For Subscription Level Labs
You will have to create one management group inside the management group that you have created for your org. You can name this management group as per your choice.
Next you will create subscriptions programmatically in this subscription level lab group. To create subscriptions, assign the following role to your app in 'Cost Management + Billing':
Search for 'Cost Management' from your Azure portal.
Select 'Access Control' and click '+ Add'.
From the 'Add role assignment' menu choose the 'Billing account owner' role.
Select your app from the search bar below and press 'Add' when you are finished.
Assigning A Role to Your App in a Management Group
Navigate to the management group and select 'Access Control (IAM)' from the left-side menu
Select '+ Add' and then 'Add Role Assignment'
Under the Role tab, select the 'Owner' role. This role grants full access to manage all resources, including the ability to assign roles in Azure RBAC, and enables Vocareum to fetch the invoices of subscriptions linked with the management group
Under the Members tab, assign access to 'User, group, or service principal'. Click '+ Select members' and select your app. If the app doesn't appear, search for its name first
Under the Conditions tab, select 'Allow user to assign all roles (highly privileged)'
When ready select 'Review + Assign'
Create a Custom Role within your management group
Next you will need to create a custom role inside your organization's management group. Vocareum assigns this role to users within your organization, which enables them to access Azure services. Through this role, users will be able to access the resources offered by the subscriptions linked with your organization's management group.
Go to your organization's management group
Click on Access Control (IAM)
Select '+ Add' and then 'Custom Role'
Assign the permissions you want users to have. These permissions can be modified as needed based on your organization's requirements. Here are sample permissions that can be defined for the "permissions" value in the JSON tab:

    "permissions": [
        {
            "actions": [
                "*",
                "*/read",
                "Microsoft.Support/*",
                "Microsoft.Authorization/*/read",
                "Microsoft.Billing/*/read",
                "Microsoft.Commerce/*/read",
                "Microsoft.Consumption/*/read",
                "Microsoft.Management/managementGroups/read",
                "Microsoft.CostManagement/*/read"
            ],
            "notActions": [
                "Microsoft.Authorization/policyAssignments/delete",
                "Microsoft.Authorization/policyDefinitions/delete",
                "Microsoft.Authorization/policyDefinitions/write",
                "Microsoft.Authorization/policySetDefinitions/write",
                "Microsoft.Authorization/policyAssignments/write",
                "Microsoft.Authorization/policyExemptions/write",
                "Microsoft.Authorization/policyExemptions/delete",
                "Microsoft.Authorization/locks/write"
            ],
            "dataActions": [],
            "notDataActions": []
        }
    ]

Add a name for your custom role and when ready select 'Review + create'
Share the Role ID of this custom role with Vocareum. Find the custom role under 'Access Control (IAM)', then navigate to 'Details' and select 'View'.
Select 'JSON'. The value of 'id' on the second line is a path string; the role ID is the last segment of that string
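To sanity-check the custom role before creating it, and to pull the role ID out of the JSON view described above, here is an added Python example (not Vocareum's or Azure's own code). It embeds the guide's "permissions" block in a constructed full role definition, with a placeholder management group name and role GUID, and implements the Azure RBAC control-plane rule: an operation is allowed when some 'actions' wildcard matches it and no 'notActions' pattern does.

```python
from fnmatch import fnmatchcase

# Constructed role definition for illustration: the "permissions" block from this
# guide, wrapped in the extra fields a full Azure custom role carries. The
# management group name and role GUID are placeholders, not real tenant values.
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/MyOrg-MG"
ROLE_DEFINITION = {
    "id": MG_SCOPE + "/providers/Microsoft.Authorization/roleDefinitions/"
          "11111111-2222-3333-4444-555555555555",
    "properties": {
        "roleName": "CloudLabsUser",
        "type": "CustomRole",
        "assignableScopes": [MG_SCOPE],
        "permissions": [{
            "actions": ["*", "*/read", "Microsoft.Support/*",
                        "Microsoft.Authorization/*/read", "Microsoft.Billing/*/read",
                        "Microsoft.Commerce/*/read", "Microsoft.Consumption/*/read",
                        "Microsoft.Management/managementGroups/read",
                        "Microsoft.CostManagement/*/read"],
            "notActions": ["Microsoft.Authorization/policyAssignments/delete",
                           "Microsoft.Authorization/policyDefinitions/delete",
                           "Microsoft.Authorization/policyDefinitions/write",
                           "Microsoft.Authorization/policySetDefinitions/write",
                           "Microsoft.Authorization/policyAssignments/write",
                           "Microsoft.Authorization/policyExemptions/write",
                           "Microsoft.Authorization/policyExemptions/delete",
                           "Microsoft.Authorization/locks/write"],
            "dataActions": [],
            "notDataActions": [],
        }],
    },
}

def _matches(patterns, operation):
    # Azure RBAC wildcards: '*' matches any run of characters, slashes included,
    # and operation names are compared case-insensitively.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_allows(role, operation):
    """Control-plane check: some 'actions' pattern must match the operation and
    no 'notActions' pattern may (notActions subtract; they are not deny rules)."""
    perms = role["properties"]["permissions"]
    actions = [a for p in perms for a in p["actions"]]
    not_actions = [a for p in perms for a in p["notActions"]]
    return _matches(actions, operation) and not _matches(not_actions, operation)

def role_guid(role):
    """The ID to share with Vocareum is the last segment of the role's 'id'."""
    return role["id"].rsplit("/", 1)[-1]
```

Because 'actions' contains '*', this role is effectively Owner minus the listed policy and lock operations; the checker makes that scope explicit before the role is handed to lab users.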
API Permissions
For the app to access the resources API, we will have to give it some API permissions.
Allocate Permissions to an App
From the Azure portal select Microsoft Entra ID.
Navigate to and open 'Manage' and select 'App Registrations'
Select your app and navigate to 'API Permissions'
Click 'Add a Permission' and in the API Permission panel that opens select 'Microsoft Graph' under the 'Microsoft APIs' tab
When prompted for the type of permissions your application requires, select 'Application Permissions'
Add the following minimum required API permissions:
User-related:
User.ReadWrite.All
User.ReadBasic.All
User.Export.All
Policy-related:
Policy.ReadWrite.ConditionalAccess
Policy.ReadWrite.ConsentRequest
Policy.ReadWrite.Authorization
Role Management:
RoleManagement.ReadWrite.Directory
Directory:
Directory.ReadWrite.All
AppRoleAssignment:
AppRoleAssignment.ReadWrite.All
Select 'Add Permissions' to complete the process. You should now see the selected permissions under 'Configured permissions'
Click 'Grant admin consent' and confirm. The selected permissions should now all have the status 'Granted'
API Permission Details
More information about the permissions granted to the Vocareum app can be found here
Adding the New Tenant to Your Control Center Dashboard
Navigate from the Vocareum Dashboard to the 'Azure' tab on the side menu
Select 'Setup Tenant'
Select '+ Setup Tenant', fill in the required details and save
Customer key: A key used to identify your organization, should not contain spaces (ex: MyOrg-ResourceGroup-Lab)
Username: Not necessary, can fill in '-'
Password: Not necessary, can fill in '-'
Tenant ID: Found under the Overview for your application or under 'Tenant properties'
Domain: The domain for your tenant (ex: sampleorg.onmicrosoft.com)
Client ID: Found under the Overview for your application as 'Application (client) ID'
Secret ID: The Value for the Client secret created for your application
Root management group: ID for the first management group that you created
Lab management group: ID for the second management group that you created under the root management group
Customer Support Email: An email that Vocareum can use to contact you in case of any issues
Select 'Subscription Details', '+ Add Subscription', fill in the required details and save
Select 'Role Config', '+ Add Role Config', fill in the required details and save