
How do I provide access for Nodinite Logging and Monitoring agents to my Azure related services?

In this user guide, you will learn how to add an Application in the Azure Management Portal for use with Nodinite Monitoring and Logging Agents.

Nodinite's Azure-related Log and Monitor Agents send queries and commands to the Azure Service Management REST API and therefore need elevated access rights.

This page provides a step-by-step guide for creating and/or retrieving the required connectivity configuration values used by Nodinite.

The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Management Portal.

All API operations Nodinite performs are sent using SSL and are mutually authenticated using X.509 v3 certificates.

Nodinite is built to keep you secure

Use this guide to find the following set of fields that are usually part of the configuration for the Azure Log- and Monitor-Agents:

  1. SubscriptionId
  2. ResourceGroup
  3. TenantId
  4. ClientId and ClientSecret

Connection Properties

1. ResourceGroup

To acquire the ResourceGroup simply open up the Resource Group in the Azure portal:
Get the Name of the resource group

Resource groups provide a way to monitor, control access to, provision and manage billing for collections of assets that are required to run an Azure application/service/function.

2. SubscriptionId

A Microsoft Azure subscription is a unique user account in Azure. All resources available via the Service Management API are organized beneath the subscription. When you create an Azure subscription, it is uniquely identified by a subscription ID. The subscription ID forms part of the URI for every call that you make to the Service Management API.

  • The SubscriptionId is a GUID
  • An Azure subscription may have many storage accounts.
  • A storage account may have many containers.

To acquire the SubscriptionId, simply open the Resource Group that you want to give Nodinite access to in the Azure portal and copy the GUID value:
SubscriptionId GUID to copy

3. TenantId

The TenantId is the GUID uniquely identifying the Azure Active Directory instance.

There are at least two easy ways to acquire the TenantId:

  1. From Help | Diagnostics
  2. From the Old Portal

  • One or more Applications (ClientId) must be created for users to authenticate against your Active Directory and access the resource groups it contains
  • An Application is required to issue authentication tokens when authenticating users

See the next step for additional details on Applications.

4. ClientId and ClientSecret

To retrieve the 'ClientId' and the 'ClientSecret', an Application must first exist or be created.

The following steps are required to create a new Application (Client Id):

  1. Select Azure Active Directory
  2. From the Selected Active Directory instance, click on App registrations
  3. Click on the New registration button


  1. Enter the name of the Application
  2. Select Accounts in this organizational directory only - least privileges
  3. Select the Web option
  4. Enter the URL to your user management web site (can be changed later)

Note: The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org

  5. Click the Register button to begin the creation process

This operation may take some time.

Create Permissions

Click on the newly created Application to start creating permissions.

  • Click on the Add a Permission button

Request API Permissions

The next step is to select which API Permissions to assign to the Application:

  1. Click on the APIs my organization uses tab
  2. Click on the Windows Azure Service Management API

Type of Permissions

Another modal is now displayed and you need to specify the type of permissions required by the Application:

  1. Select Delegated permissions
  2. Check the user_impersonation checkbox
  3. Click on the Add permissions button

Steps to perform when specifying the type of permissions granted for the Application

You can safely skip this step.
Consent

Create Client Secret

  1. Select Certificates & secrets
  2. Click on the New client secret button

In the following dialog, enter:

  1. A user-friendly name for the client secret
  2. Select when the secret expires
  3. Click on the Add button

Next, the client secret will be presented (once - this time only).

REMEMBER TO COPY THE KEY and store it securely, where it is accessible to your colleagues, since it will only be displayed upon first save!

Add to Resource

Now you will add permissions to the Resource Group. It is possible to assign rights to everything within the Subscription(s), but we at Nodinite recommend that you assign permission for each resource group. Remember Least Privileges.

  1. Select Resource Groups
  2. Select the Resource Group to add the permission to
  3. Select Access Control (IAM)
  4. Click on the Add button
  5. Select Add role assignment


  1. Select the built-in Contributor Role
  2. Select Azure AD user, group, or service principal
  3. Select one or more members (Application Name from step 4 - ClientId and ClientSecret)

    You need to type characters to find the named Applications.


Note: Remember to click on the Save button

Click on the Save button to persist the role assignment

List of permissions

When finished, you will see all User (Application) permissions in the list for the Resource group(s) and/or subscriptions. The User (Application) will be listed as part of the Contributor role for the selected Resource Group.
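The same list can be checked offline against the least-privilege recommendation above. This is an added example, not part of the Nodinite guide: it assumes the assignments were exported with `az role assignment list --all -o json` and that you know the object ID of the Application's service principal; the sample data, the GUIDs and the resource group name `rg-integration` are constructed.

```python
import json
import uuid

# Constructed sample shaped like `az role assignment list --all -o json` output
# (only the fields used here). All GUIDs and names are made up.
SUB = "11111111-2222-3333-4444-555555555555"
APP_SP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # object ID of the app's service principal
SAMPLE = json.dumps([
    {"principalId": APP_SP, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-integration"},
    {"principalId": APP_SP, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": APP_SP, "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-integration"},
    {"principalId": "99999999-0000-0000-0000-000000000000",
     "roleDefinitionName": "Owner", "scope": "/"},
])

def classify_scope(scope):
    """Return (level, subscription_id, resource_group) for an Azure RBAC scope."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        return ("above-subscription", None, None)   # "/" or a management group
    try:
        sub = str(uuid.UUID(parts[1]))               # the SubscriptionId is a GUID
    except ValueError:
        return ("malformed", None, None)
    if len(parts) == 2:
        return ("subscription", sub, None)
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        return ("resource-group" if len(parts) == 4 else "resource", sub, parts[3])
    return ("resource", sub, None)

def audit(assignments, principal_id, expected_groups, expected_role="Contributor"):
    """List (role, scope, reason) for assignments that exceed what the guide sets up."""
    expected = {g.lower() for g in expected_groups}
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue                                 # another principal's assignment
        level, _, group = classify_scope(a["scope"])
        if level in ("subscription", "above-subscription"):
            reason = "scope is broader than a resource group"
        elif level == "malformed" or group is None or group.lower() not in expected:
            reason = "scope is not an expected resource group"
        elif a["roleDefinitionName"] != expected_role:
            reason = f"role is not {expected_role}"
        else:
            continue                                 # matches the guide: RG-scoped role
        findings.append((a["roleDefinitionName"], a["scope"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE), APP_SP, ["rg-integration"]):
        print(finding)
```

An empty result means every assignment held by the Application is the Contributor role on one of the resource groups you expected.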
