
How do I provide access for Nodinite Logging and Monitoring agents to my Azure related services?

In this user guide, you will learn how to register an Application (ClientId) in the Azure Management Portal so that the Nodinite Monitoring and Logging Agents can access the Azure REST API.

The Nodinite Azure related Log- and Monitor-Agents execute queries and commands against the Azure Service Management REST API. You must register one or more Applications using the App registrations page in the Azure portal and give them membership in some built-in roles. The specific roles are listed in the Least privileges section on this page.

The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Management Portal.

All API operations Nodinite performs use SSL, and authentication uses X.509 v3 certificates.

The Nodinite design helps you keep access as secure as possible.

To configure the Nodinite Log- and Monitor-Agents, use this guide to find the following required properties:

1. TenantId
2. SubscriptionId
3. ResourceGroup
4. ClientId and ClientSecret

Connection Properties

1. TenantId

The TenantId is the GUID uniquely identifying the Azure Active Directory instance.

In the Azure Portal, enter tenant properties in the search box and navigate to Properties for the Azure Active Directory. The TenantId is shown on that page.


2. SubscriptionId

The Microsoft Azure subscription is the unique user account in Azure. All Azure resources and services in it are available through the REST-based Service Management API.

When you create an Azure subscription, it is uniquely identified by a SubscriptionId. The SubscriptionId is part of every call to the Azure Service Management API.

  • The SubscriptionId is a GUID.

To acquire the SubscriptionId, enter Subscriptions in the search box and navigate to the Subscriptions page. Copy and use the GUID value:

Copy the SubscriptionId GUID to use.

3. Resource Group

For each Nodinite Log- and Monitor-Agent, you must specify the Resource Groups to monitor and manage. There are different ways to manage these lists from within Nodinite, depending on the type of agent.

One way to get the value is to view the available Resource Groups in the Azure Portal.

Copy and use the Name of the Resource Group.

4. ClientId and ClientSecret

To retrieve the ClientId and the ClientSecret, an Application must first exist (or be created).

The following steps are required to create a new Application (Client Id):

  1. Select Azure Active Directory
  2. From the Selected Active Directory instance, click on App registrations
  3. Click on the New registration button


  1. Enter the name of the Application
  2. Select Accounts in this organizational directory only - least privileges
  3. Select the Web option
  4. Enter the URL to your user management website (can be changed later)

NOTE: The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org

  5. Click the Register button to begin the creation process

This operation may take some time.

Create Permissions

Click on the newly created Application to start creating permissions.

  • Click on the Add a permission button.

Request API Permissions

Next, select which API permissions to assign to the Application:

  1. Click on the APIs my organization uses tab
  2. Click on the Windows Azure Service Management API

Type of Permissions

Another modal is now displayed, and you need to specify the type of permissions required by the Application:

  1. Select Delegated permissions
  2. Check the user_impersonation checkbox
  3. Click on the Add permissions button

Steps to perform when specifying the type of permissions granted for Application

Consent: you can safely skip this step.

Create Client Secret

  1. Select Certificates & secrets
  2. Click on the New client secret button

In the following dialog, enter:

  1. A user-friendly name for the client secret
  2. Select when the secret expires
  3. Click on the Add button


Next, the client secret is displayed (once, this time only).

REMEMBER TO COPY THE KEY and store it securely where your colleagues can access it, since it is only displayed upon first save!

Add permission to monitor and manage the Resource Group

You can fine-tune permissions at three levels:

  • Subscription (highest level)
  • Resource Group (recommended)
  • Object (lowest level)

Least Privileges

Our recommendation is to assign roles as listed in the Roles with least privileges section on this page.

To assign the role-membership on Resource Group level:

  1. Search and navigate to the list of Resource Groups.
  2. Select the Resource Group to add the permission to.
  3. Select Access Control (IAM).
  4. Click on the Add button.
  5. Select Add role assignment.


  1. Select the built-in Contributor role, or use the table in the Roles with least privileges section on this page.
  2. Select Azure AD user, group, or service principal.
  3. Select one or more members (the Application name from step 4, ClientId and ClientSecret).

    To find the named Application(s), you need to type some characters to activate the filter.


Note: Remember to click on the Save button.

Click on the Save button to persist the role assignment.

List of permissions

When finished, you will see all User (Application) permissions in the list for the Resource Group(s) and/or Subscriptions. The User (Application) is listed as a member of the Contributor role.

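The portal steps from "ClientId and ClientSecret" through "Add permission to monitor and manage the Resource Group", as an added Azure CLI script (example code, not Nodinite's own tooling). The az commands and options are real Azure CLI syntax; APP_NAME, the subscription GUID, the resource group name and the three resource-group roles are placeholders and assumptions you replace with your own values. Without APPLY=1 the script only prints the role assignments it would create, so the plan can be reviewed before anything changes.

```shell
#!/bin/sh
# Added example, not part of the Nodinite guide or product: register the application,
# create a client secret and assign least-privilege roles with the Azure CLI.
# Requires an existing "az login" session when run with APPLY=1.

set -u

APP_NAME="${APP_NAME:-Nodinite-Azure-Agents}"                               # placeholder name
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder GUID
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-integration}"                         # placeholder name
SECRET_YEARS="${SECRET_YEARS:-1}"                                           # bounded secret lifetime

# Scope strings for the two assignment levels the guide uses.
sub_scope() { printf '/subscriptions/%s' "$1"; }
rg_scope()  { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Roles from the least-privilege table that are assigned at resource-group level.
# Assumption: a Logic Apps + Event Hubs + Service Bus setup; adjust to the resource
# types your agents actually monitor. Reader goes on the subscription itself.
rg_roles() {
  printf '%s\n' \
    'Logic App Operator' \
    'Azure Event Hubs Data Sender' \
    'Azure Service Bus Data Owner'
}

# Plan: one "role<TAB>scope" line per assignment that apply_plan would create.
plan() {
  sub="$1"; rg="$2"
  printf 'Reader\t%s\n' "$(sub_scope "$sub")"
  rg_roles | while IFS= read -r role; do
    printf '%s\t%s\n' "$role" "$(rg_scope "$sub" "$rg")"
  done
}

# Apply: single-tenant app registration ("Accounts in this organizational directory only"),
# its service principal, a client secret, and the planned role assignments.
apply_plan() {
  sub="$1"; rg="$2"
  client_id=$(az ad app create --display-name "$APP_NAME" \
                --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$client_id" >/dev/null
  # The secret is returned once; hand it to your secret store right away.
  az ad app credential reset --id "$client_id" --years "$SECRET_YEARS" --query password -o tsv
  plan "$sub" "$rg" | while IFS="$(printf '\t')" read -r role scope; do
    az role assignment create --assignee "$client_id" --role "$role" --scope "$scope" >/dev/null
  done
  printf 'ClientId: %s\n' "$client_id"
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_plan "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
else
  plan "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
fi
```

The API permissions step of the guide (Windows Azure Service Management API, user_impersonation) is not reproduced here and remains a portal step. A newly created service principal can take a short while to replicate, so a role assignment that fails right after az ad sp create with a principal-not-found error is normally fixed by retrying.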

Least privileges

If you opt to allow the Client/Application the Contributor role on each Subscription to monitor and manage, then you do not have to fine-tune the Role Assignments, with one exception: the Nodinite Azure Monitoring Agent requires the Azure Event Hubs Data Sender role in order to send messages to the Event Hub.

Below is the list of specific permissions required by the Nodinite Azure Logging and Monitoring Agents:

The Nodinite Pickup Service does not use the Azure REST API. Instead, it uses information from the Shared access policies.


Keep in mind that updating Azure role assignments may take up to five minutes to propagate. Then, you need to restart the necessary Nodinite agents.

| Resource | Role | Agent Purpose |
|---|---|---|
| Subscription | Reader | Show details and match/validate the SubscriptionId with the current configuration. NOTE: this right is inherited by all other resources in the selected Subscription. |
| API Management Service | API Management Service Contributor | List resources, create and delete EventHub Logger, invoke APIs |
| App Services | Website Contributor | View Web Jobs history |
| Data Factory | Data Factory Contributor | List Data Factories and pipelines, read details, read performance |
| Function App | Website Contributor | List resources, including the associated Application Insights |
| Event Hubs | Azure Event Hubs Data Sender | Send messages to the Event Hub entity |
| Service Bus Namespace | Azure Service Bus Data Owner | List namespaces and resources, read and use access keys, manage Queues and Topics |
| Logic App | Logic App Operator | Enable/disable Logic App. This role is NOT allowed to resubmit runs |
| Logic Apps | Logic App Contributor | Allows resubmitting runs. With this role, the Client does not need to be a member of the Logic App Operator role |

NOTE: You can assign role memberships on each Resource, or set the role assignment at the Resource Group or Subscription level.

NOTE: You must restart the agent after changing role-assignments since the token is cached and needs to be updated. Otherwise, it may take up to one hour for changes to be in effect.
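An added audit check (not part of the Nodinite guide) that compares the role assignments the application actually holds with the least-privilege table above. It reads tab-separated role and scope lines, the shape produced by `az role assignment list --assignee <ClientId> --all --query "[].[roleDefinitionName, scope]" -o tsv` (real Azure CLI options); the sample assignments embedded in the script are constructed, with placeholder GUIDs and resource names. Contributor and Owner are reported as broad because the page accepts Contributor but recommends the table roles; anything outside the table is reported as unexpected.

```shell
#!/bin/sh
# Added example, not Nodinite's own tooling: audit the Azure role assignments held by the
# Nodinite application against the least-privilege table on this page.

# Constructed sample, in the shape of:
#   az role assignment list --assignee <ClientId> --all \
#       --query "[].[roleDefinitionName, scope]" -o tsv
# GUIDs and resource names are placeholders, not real resources.
sample_assignments() {
  sub='/subscriptions/00000000-0000-0000-0000-000000000000'
  printf '%s\t%s\n' \
    'Reader' "$sub" \
    'Contributor' "$sub/resourceGroups/rg-integration" \
    'Logic App Operator' "$sub/resourceGroups/rg-integration/providers/Microsoft.Logic/workflows/wf-orders" \
    'Azure Event Hubs Data Sender' "$sub/resourceGroups/rg-integration/providers/Microsoft.EventHub/namespaces/eh-nodinite" \
    'Storage Blob Data Owner' "$sub/resourceGroups/rg-integration"
}

# Reads "role<TAB>scope" lines on stdin and prints one classified line per assignment.
# Exit status is 1 when any BROAD or UNEXPECTED finding exists, so it can gate a pipeline.
audit_assignments() {
  awk -F '\t' '
    BEGIN {
      # The built-in roles from the least-privilege table on this page.
      allowed["Reader"] = 1
      allowed["API Management Service Contributor"] = 1
      allowed["Website Contributor"] = 1
      allowed["Data Factory Contributor"] = 1
      allowed["Azure Event Hubs Data Sender"] = 1
      allowed["Azure Service Bus Data Owner"] = 1
      allowed["Logic App Operator"] = 1
      allowed["Logic App Contributor"] = 1
      findings = 0
    }
    NF < 2 { next }
    {
      role = $1; scope = $2
      if (role == "Owner" || role == "Contributor") {
        # Works, but grants far more than the table needs.
        printf "BROAD\t%s\t%s\n", role, scope; findings++
      } else if (role in allowed) {
        printf "OK\t%s\t%s\n", role, scope
      } else {
        # A role the agents never need: review and remove it.
        printf "UNEXPECTED\t%s\t%s\n", role, scope; findings++
      }
    }
    END { exit findings > 0 ? 1 : 0 }'
}

# Demo run on the constructed sample; "|| :" keeps the demo from aborting a caller
# because the sample intentionally contains findings.
sample_assignments | audit_assignments || :
```

Pipe the real `az role assignment list` output into audit_assignments instead of the sample to check a live registration; remember that assignment changes take a few minutes to propagate and that the agent must be restarted afterwards, as the notes above state.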
