Our Azure quickstart guide can be found here.
Setting up a Microsoft Entra ID app
Sign in to the Azure Portal
From the Azure services select 'Microsoft Entra ID'
Select '+ Add' and then 'App Registration'
Give the app a name. Select a Supported account type to determine who can use the application. Under Redirect URI select 'Web' for the type of application you want to create, and enter the URI where the access token is sent. You cannot create credentials for a native application. Once you have entered your values, select 'Register' at the bottom.
You will now be redirected to the Overview of the app you have just created
Note down the 'Application (client) ID' and 'Tenant ID' to share with Vocareum. These credentials must be passed with our authentication request when signing in programmatically.
If you have not already, you will need to create a credential for the app: either a certificate or a client secret.
Navigate to the App Registrations page in the Microsoft Entra admin center and select your App
Next click on 'Certificates & secrets'
Select 'Client secrets' and '+ New client secret'
Include a description of the secret and set the duration. Select 'Add' when ready.
The Value and Secret ID will now be displayed under 'Client secrets'. Copy the Value immediately, because it cannot be retrieved later. You will need to provide this key value together with the app ID to sign in as the application. Store the key value where your application can retrieve it (a secret store or environment variable, not source code).
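The three values collected so far (Tenant ID, Application (client) ID and the secret Value) are exactly the inputs of the OAuth 2.0 client credentials grant, which is how an application signs in as itself. The following is an added example, not Vocareum's code: it reads the values from environment variables whose names are assumed here, builds the request to the Microsoft identity platform v2.0 token endpoint, and parses the reply so that a wrong or expired secret fails loudly instead of silently. The Azure Resource Manager scope is used as the example audience.

```python
import json
import os
import re
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed environment variable names (chosen for this example, not mandated by the guide).
TENANT_ID_ENV = "AZURE_TENANT_ID"
CLIENT_ID_ENV = "AZURE_CLIENT_ID"
CLIENT_SECRET_ENV = "AZURE_CLIENT_SECRET"

# Scope for calling Azure Resource Manager as the application itself.
ARM_SCOPE = "https://management.azure.com/.default"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def build_client_credentials_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form_body) for the client credentials grant.

    Validates that the IDs look like the GUIDs shown on the app Overview page,
    which catches the common mistake of pasting the Secret ID or a display name.
    """
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Tenant ID GUID from the app Overview page")
    if not GUID_RE.match(client_id):
        raise ValueError("client_id must be the Application (client) ID GUID")
    if not client_secret:
        raise ValueError("client_secret is empty; copy the Value column when the secret is created")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    })
    return url, body


def load_credentials_from_env(environ=None):
    """Read tenant ID, client ID and secret from the environment, never from source."""
    environ = os.environ if environ is None else environ
    try:
        return environ[TENANT_ID_ENV], environ[CLIENT_ID_ENV], environ[CLIENT_SECRET_ENV]
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing.args[0]}") from None


def request_token(url, body, timeout=10):
    """POST the form to the token endpoint and return the raw JSON reply (network call).

    A 4xx reply still carries a JSON body with 'error'/'error_description',
    so it is returned for parse_token_response to report rather than swallowed.
    """
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def parse_token_response(response_text, now=None):
    """Return (access_token, expires_at_epoch_seconds) or raise on an error reply."""
    data = json.loads(response_text)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])


if __name__ == "__main__":
    # Offline demonstration with constructed placeholder values. For a live sign-in,
    # set the three environment variables and pass request_token(url, body) to
    # parse_token_response instead of the constructed reply below.
    url, body = build_client_credentials_request(
        "00000000-0000-0000-0000-000000000000",   # placeholder Tenant ID
        "11111111-1111-1111-1111-111111111111",   # placeholder Application (client) ID
        "<client-secret-placeholder>", ARM_SCOPE)
    print(url)
    print(body)
    constructed_reply = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "<constructed>"}'
    token, expires_at = parse_token_response(constructed_reply)
    print(f"token expires in {int(expires_at - time.time())} s")
```

The secret is sent only in the POST body over TLS to login.microsoftonline.com; it never belongs in a URL, a log line or a repository. When the secret's duration set in the portal runs out, the endpoint answers with an `invalid_client` error, which `parse_token_response` surfaces as the failure reason.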
Management Groups
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.
Create a Management Group
Log in to the Azure Portal
Navigate to Azure Service and Select 'more services'
Under the categories select 'Management and governance' and then use the search filter to find 'Management groups'. Hovering over Management groups will display a '+' symbol. Select this symbol to create a group.
Fill in the required fields. You can name your management group whatever you want. When ready, select 'Save'.
For Resource Level Labs
You will have to create one management group inside the management group that you have created for your org. You can name this management group as per your choice.
Now move your new or existing subscriptions from your tenant root management group to the new management group you have created.
For Subscription Level Labs
You will have to create one management group inside the management group that you have created for your org. You can name this management group as per your choice.
Next you will create subscriptions programmatically inside this subscription level lab group. To create subscriptions, assign the following role to your app in 'Cost Management + Billing':
Search for 'Cost Management' from your Azure portal.
Select 'Access Control' and click '+ add'.
From the 'Add role assignment' menu choose the 'Billing account owner' role.
Select your app from the search bar below and press 'Add' when you are finished.
Assigning A Role to Your App in a Management Group
Navigate to Management Group and select Access Control from the left side menu
Assign the Owner role to your app. This role grants full access to manage all resources, including the ability to assign roles in Azure RBAC, and enables Vocareum to fetch the invoices of subscriptions linked with the management group. Note that a role assigned at a management group is inherited by every subscription and resource beneath it.
When ready select 'Review + Assign'
Create a Custom Role within your management group
Next you will need to create a custom role inside your organization's management group. Vocareum assigns this role to the users within your organization, and it is what enables them to access Azure services: through this role, users can access the resources offered by the subscriptions linked with your organization's management group.
Go to your organization's management group
Click on Access Control (IAM)
Select '+ Add' and then 'Custom Role'
Add a name for your custom role and when ready select 'Review + create'
Share the Role ID of this custom role with Vocareum. To find it, open the custom role from 'Access Control (IAM)', navigate to 'Details' and select 'View'.
Select 'JSON'. The value of 'id' on the second line ends with the role ID.
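The role ID can be pulled out of that JSON mechanically, and the same document is worth a quick least-privilege review before it is shared: a lab-user role should be assignable only at your organization's management group and should not contain wildcard actions or the ability to assign roles. The following is an added example, not Vocareum's code. The sample JSON is constructed in the shape the portal's JSON view uses; the management group name, role name and GUID are placeholders.

```python
import json
import re

# The role definition id ends with the role's GUID, after 'roleDefinitions/'.
ROLE_DEF_ID_RE = re.compile(
    r"/providers/Microsoft\.Authorization/roleDefinitions/([0-9a-fA-F-]{36})$")

# Constructed sample resembling 'Details' -> 'View' -> 'JSON' for a custom role
# created at a management group. All names and GUIDs are placeholders.
SAMPLE_ROLE_JSON = """{
  "id": "/providers/Microsoft.Management/managementGroups/org-mg/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-0000-0000-0000-000000000001",
  "properties": {
    "roleName": "Lab User (placeholder)",
    "description": "Lets lab users work with resources in linked subscriptions",
    "assignableScopes": ["/providers/Microsoft.Management/managementGroups/org-mg"],
    "permissions": [{
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}"""


def role_id_from_definition(role_json):
    """Return the role definition GUID found at the end of the 'id' value."""
    data = json.loads(role_json)
    match = ROLE_DEF_ID_RE.search(data["id"])
    if not match:
        raise ValueError(f"'id' does not look like a role definition path: {data['id']!r}")
    return match.group(1)


def review_role_definition(role_json, expected_scope):
    """Return a list of findings; an empty list means the role passed the checks.

    Checks: every assignable scope is the organization's management group,
    no wildcard actions, and no ability to create role assignments.
    """
    props = json.loads(role_json)["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        if scope != expected_scope:
            findings.append(f"assignable scope {scope!r} is outside the organization's management group")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []) + perm.get("dataActions", []):
            if action == "*" or action.endswith("/*"):
                findings.append(f"wildcard action {action!r} grants more than lab users need")
            if action.lower().startswith("microsoft.authorization/roleassignments/"):
                findings.append(f"{action!r} lets lab users grant roles to others")
    return findings


if __name__ == "__main__":
    mg_scope = "/providers/Microsoft.Management/managementGroups/org-mg"
    print("Role ID to share:", role_id_from_definition(SAMPLE_ROLE_JSON))
    for finding in review_role_definition(SAMPLE_ROLE_JSON, mg_scope) or ["no findings"]:
        print(" -", finding)
```

Paste the JSON from the portal in place of `SAMPLE_ROLE_JSON` to run the same checks on the real role; the findings are informational and the role definition itself is unchanged.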
API Permissions
For the app to access the resources API, we will have to give it some API permissions.
Allocate Permissions to an App
From the Azure portal select Microsoft Entra ID.
Navigate to and open 'Manage' and select 'App Registrations'
Select your app and navigate to 'API Permissions'
Click 'Add a permission'. In the panel that opens, select 'My APIs' and then the API you registered as part of the prerequisites.
Delegated permissions are selected by default. Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step. Leave 'Delegated permissions' selected for this example.
Application permissions are for service or daemon type applications that need to access a web API as themselves, without user interaction for sign in or consent. Unless you have defined application roles for your web API, this option is disabled.
Under 'Select Permissions' expand the resource whose scopes you defined for your web API, and select what permissions the client app should have on behalf of the signed-in user.
If you used the example scope names specified in the previous quickstart, you should see 'Employees.Read.All' and 'Employees.Write.All'. Select 'Employees.Read.All' or another permission you might have created when completing the prerequisites.
Select 'Add permissions' to complete the process. You should now see the selected permissions under 'Configured permissions'.
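The delegated-versus-application distinction above is visible in the access token the web API eventually receives: a delegated permission such as 'Employees.Read.All' arrives as a space-separated list in the `scp` claim, while an application permission arrives in the `roles` claim, and the `azp` claim (v2.0 tokens; `appid` in v1.0 tokens) names the client app it was issued to. The following is an added example, not Vocareum's code. It builds a constructed, unsigned sample token for local inspection and reports which kind of permission it carries; it does not verify signatures, which the receiving API must do before trusting any claim.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode base64url text, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build an UNSIGNED JWT from constructed claims for inspection only.

    This is not a token issued by Microsoft Entra ID; it exists so the
    functions below can be exercised offline.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token):
    """Return the payload claims WITHOUT verifying the signature.

    Suitable for inspecting a token you already hold; authorization decisions
    must only follow full validation (signature, issuer, audience, expiry).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def permission_kind(claims):
    """'delegated' for scp (user signed in), 'application' for roles (app as itself)."""
    has_scp = bool(claims.get("scp"))
    has_roles = bool(claims.get("roles"))
    if has_scp and has_roles:
        return "mixed"
    if has_scp:
        return "delegated"
    if has_roles:
        return "application"
    return "none"


def check_expected_permissions(claims, client_id, expected_scopes):
    """Return findings when the token was not issued to our app or lacks a configured scope."""
    findings = []
    issued_to = claims.get("azp") or claims.get("appid")  # v2.0 uses azp, v1.0 uses appid
    if issued_to != client_id:
        findings.append(f"token issued to {issued_to!r}, not our Application (client) ID")
    granted = set(claims.get("scp", "").split())
    for scope in expected_scopes:
        if scope not in granted:
            findings.append(f"delegated permission {scope!r} is not in scp")
    return findings


if __name__ == "__main__":
    client_id = "22222222-2222-2222-2222-222222222222"   # placeholder Application (client) ID
    # Constructed claims mirroring a delegated token for the example scope names.
    delegated = make_sample_token({
        "aud": "api://constructed-example", "azp": client_id, "ver": "2.0",
        "scp": "Employees.Read.All",
    })
    claims = token_claims(delegated)
    print(permission_kind(claims))                                   # delegated
    print(check_expected_permissions(claims, client_id, ["Employees.Read.All"]))
    print(check_expected_permissions(claims, client_id, ["Employees.Write.All"]))
```

If a token shows up as `application` when you configured delegated permissions, the client obtained it without a signed-in user (client credentials flow), which is the case the guide says to avoid for this example; the API should reject it if it expects `scp`.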
API Permission Details
More information about the permissions granted to the Vocareum app can be found here
Setup Tenant in Microsoft Entra admin center
Open the Microsoft Entra admin center
Under 'Identity' select 'Overview' and click 'Manage Tenants'
Select '+ Create'
Select '+ Setup Tenant', fill in the required details and save
Select 'Subscription Details', 'Add Subscription', fill in the required details and save
Select 'Role Config', '+ add Role Config', fill in the required details and save
After this Vocareum will set up the account on behalf of the client.