How do I provide access for Nodinite Logging and Monitoring agents to my Azure related services?
This page provides a step-by-step guide for creating and/or retrieving the connectivity configuration values used by Nodinite.
The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Portal.
All API calls Nodinite makes are sent over HTTPS (TLS) and are authenticated with the Azure AD application identity (ClientId and ClientSecret) that you create in this guide; the access that identity has is limited by the role assignment you make on the Resource Group.
Nodinite is built to keep you secure
Use this guide to find the following set of fields, which are usually part of the configuration for the Azure Log- and Monitor-Agents:
1. SubscriptionId
2. ResourceGroup
3. TenantId
4. ClientId and ClientSecret
You must explicitly pinpoint which Resource Groups Nodinite may use. The value for the ResourceGroup field is the name of the Resource Group exactly as shown in the Azure Portal; to verify it, navigate to the Resource Group from the list of Resource Groups:
[Image: the name of the Resource Group]
Resource groups provide a way to monitor, control access to, provision and manage billing for the collection of assets required to run an Azure application, service or function.
The Microsoft Azure subscription is the top-level container that your Azure resources are organized under; everything available via the Service Management API belongs to a subscription. Each subscription is uniquely identified by a SubscriptionId, and that GUID is part of the URI of every request the Nodinite services send to the Azure Service Management API.
- The SubscriptionId is a GUID
- An Azure subscription may have multiple storage accounts.
- A storage account may have multiple containers.
To acquire the SubscriptionId, open the Resource Group you want to give Nodinite access to in the Azure Portal and copy the GUID shown as Subscription ID:
[Image: SubscriptionId GUID to copy]
The TenantId is the GUID that uniquely identifies your Azure Active Directory instance (tenant). It is also shown on the Overview page of the Azure Active Directory blade.
There are at least two easy ways to acquire the TenantId, see the example images below:
1. From Help | Diagnostics
2. From the Old Portal
- One or more Applications (each identified by a ClientId) must be created so that Nodinite can authenticate against your Active Directory and reach the Resource Groups containing your resources
- An Application is required for issuing the authentication tokens used when authenticating
See the next step for additional details on Applications.
To retrieve the 'ClientId' and the 'ClientSecret' an Application must first exist/be created.
The following steps are required to create a new Application (Client Id):
- Select Azure Active Directory
- From the Selected Active Directory instance, click on App registrations
- Click on the New registration button
- Enter the name of the Application
- Select Accounts in this organizational directory only (single tenant, least privilege)
- Under Redirect URI (optional), select the Web option
- Enter the URL of your user management web site (can be changed later)
Note: The redirect URI is not used by the Nodinite agents, so it can be any well-formed address, for example https://yournonexistinguserportal.nowhere.org
- Click the Register button to begin the creation process
This operation may take some time
Click on the newly created Application to start assigning permissions.
- Click on the Add a Permission button
Next step is to select which API Permissions to assign for the Application
- Click on the APIs my organization uses tab
- Click on the Windows Azure Service Management API
Another modal is now displayed, where you specify the type of permissions required by the Application:
- Select Delegated permissions
- Check the user_impersonation checkbox
- Click on the Add permissions button
[Image: steps to perform when specifying the type of permissions granted for the Application]
You can safely skip the API permissions step above. The Nodinite agents sign in with the client secret as the Application itself (there is no signed-in user), so the access they get is determined by the role assignment on the Resource Group made later in this guide, not by the delegated user_impersonation permission.
- Select Certificates & secrets
- Click on the New client secret button
In the following dialogue enter:
- A user-friendly name for the client secret
- Select when the secret expires
- Click on the Add button
Next, the client secret value is presented. It is shown only this once: copy it now and store it securely, because it cannot be retrieved later (you can only replace it with a new secret, which then has to be updated in the agent configuration).
Now you will grant the Application permissions on the Resource Group. It is possible to assign rights to everything within the Subscription(s), but we at Nodinite recommend that you assign the permission per Resource Group, remember Least Privilege: the Contributor role lets its holder create, change and delete resources within its scope, so keep that scope as small as possible.
- Select Resource Groups
- Select the Resource Group to add the permission to
- Select Access Control (IAM)
- Click on the Add button
- Select Add role assignment
- Select the built-in Contributor role
- Select User, group, or service principal
- Select one or more members (the Application name from step 4, ClientId and ClientSecret)
Service principals are not listed until you search: start typing the Application name to find it
Click on the Save button to persist the role assignment
When finished, you will see all user and Application permissions in the list for the Resource Group(s) and/or subscriptions, and the Application will be listed as part of the Contributor role for the selected Resource Group. Role assignments can take a few minutes to propagate before the agents can use them.
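The same procedure can be scripted with the Azure CLI, which is handy for repeatable setups and for checking the resulting values before pasting them into the agent configuration. The script below is an added example, not Nodinite's own code or tooling. It assumes the Azure CLI (`az`, version 2.37 or later) is installed and that you are already logged in with `az login` as someone allowed to create app registrations and role assignments; the application name, resource group name and redirect URI are placeholders you should change. Unlike the portal, the CLI does not create the service principal (enterprise application) together with the app registration, so the script creates it explicitly and assigns the Contributor role to its object id, which also avoids the "principal not found" error that can occur when a freshly created principal has not replicated yet. The `verify` mode signs in as the Application in a private CLI profile and lists what it can see, so your own login is not replaced.

```shell
#!/usr/bin/env bash
# Added example (not Nodinite's own code): create the Application, its client
# secret and the Contributor role assignment on one Resource Group with the
# Azure CLI, then print the four values the Nodinite Azure agents need.
# Assumptions: 'az' (>= 2.37) is installed and 'az login' has been done by an
# account that may create app registrations and role assignments.
set -eu

APP_NAME="${APP_NAME:-Nodinite-Azure-Agents}"          # assumed application name
RG="${RG:-my-nodinite-resource-group}"                 # assumed Resource Group name
REDIRECT_URI="https://yournonexistinguserportal.nowhere.org"   # unused by the agents

# --- pure helpers (no Azure calls), useful for sanity-checking config values ---

# SubscriptionId and TenantId must be GUIDs; reject anything else early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Role assignment scope for a single Resource Group (least privilege:
# the Resource Group, not the whole subscription).
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# --- the procedure from this page, as CLI calls ---

create_nodinite_app() {
  subscription_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  is_guid "$subscription_id" || { echo "bad SubscriptionId: $subscription_id" >&2; return 1; }
  is_guid "$tenant_id"       || { echo "bad TenantId: $tenant_id" >&2; return 1; }

  # App registration: single tenant ("this organizational directory only"),
  # Web platform with the placeholder redirect URI. appId is the ClientId.
  client_id=$(az ad app create \
      --display-name "$APP_NAME" \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris "$REDIRECT_URI" \
      --query appId -o tsv)

  # The portal creates the service principal implicitly; the CLI does not,
  # and the role assignment below needs its object id.
  sp_object_id=$(az ad sp create --id "$client_id" --query id -o tsv)

  # Client secret: the value is only ever returned here, so it is captured now.
  client_secret=$(az ad app credential reset --id "$client_id" \
      --display-name "nodinite-agents" --years 1 --query password -o tsv)

  # Contributor on the Resource Group only. Object id + principal type avoids
  # the lookup that fails while a brand-new principal is still replicating.
  az role assignment create \
      --assignee-object-id "$sp_object_id" \
      --assignee-principal-type ServicePrincipal \
      --role Contributor \
      --scope "$(rg_scope "$subscription_id" "$RG")" -o none

cat <<EOF
SubscriptionId=$subscription_id
ResourceGroup=$RG
TenantId=$tenant_id
ClientId=$client_id
ClientSecret=$client_secret
EOF
}

# Check: sign in as the Application (in a throw-away CLI profile so your own
# session is untouched) and list what it can reach. The group list should
# contain only the Resource Group you assigned.
# args: client_id client_secret tenant_id subscription_id resource_group
verify_access() {
  (
    AZURE_CONFIG_DIR=$(mktemp -d); export AZURE_CONFIG_DIR
    az login --service-principal -u "$1" -p "$2" --tenant "$3" -o none
    az resource list --resource-group "$5" --subscription "$4" -o table
    az group list --subscription "$4" --query '[].name' -o tsv
  )
}

case "${1:-}" in
  create) create_nodinite_app ;;
  verify) verify_access "$2" "$3" "$4" "$5" "$6" ;;
esac
```

Run it as `./nodinite-azure.sh create` to perform the setup and print the values, then `./nodinite-azure.sh verify <ClientId> <ClientSecret> <TenantId> <SubscriptionId> <ResourceGroup>` to confirm the Application can read the Resource Group. If `verify` lists more groups than the one you assigned, the role was granted at a wider scope than intended.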