How do I provide the access rights for Nodinite Logging and Monitoring agents to my Azure-related services?
In this user guide, you will learn how to add an Application (ClientId) to allow access to the Azure REST API using the Azure Management Portal for use with Nodinite Monitoring and Logging Agents.
The Nodinite Azure-related Logging Agents, and Monitor-AgentsMonitoring Agents execute queries and commands to the Azure Service Management REST API. You must register one or more Applications using the App Registrations page in the Azure portal with membership to some built-in roles. The specific roles are in a list in the Least Privileges section on this page.
The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Management Portal.
All API operations Nodinite performs uses SSL, and the authentication uses X.509 v3 certificates.
The Nodinite design help you keep as secure as possible
To configure the Nodinite Log- and Monitor-Agents; use this guide to find the following set of required properties:
1. TenantId
2. SubscriptionId
3. ResourceGroup
4. ClientId and ClientSecret
1. TenantId
The TenantId is the GUID uniquely identifying the Azure Active Directory instance.
From the Azure Portal ; Enter tenant properties and navigate to Properties for the Azure Active Directory. The TenantId is available on the page.
2. SubscriptionId
The Microsoft Azure subscription is the unique user account in Azure. All Azure Resources and services are available to the REST-based Service Management API.
When you create an Azure subscription, it is uniquely identified by a SubscriptionId. The subscription Id is part of the call to the Azure Service Management API.
- The SubscriptionId is a GUID.
To acquire the SubscriptionId, enter Subscriptions in the search, and navigate to the Subscriptions page. Copy and use the GUID value:
Copy the SubscriptionId GUID to use.
3. Resource Group
For each Nodinite Log- and Monitor Agent; You must specify the Resource Groups to Monitor and Manage. There are different ways to manage these lists from within Nodinite depending on the type of agent.
One way to get the value is to use the Azure Portal ; You can view the available Resource Groups.
Copy and use the Name of the Resource Group.
4. ClientId and ClientSecret
To retrieve the 'ClientId' and the 'ClientSecret' an Application must first exist/be created.
The following steps are required to create a new Application (Client Id):
- Select Azure Active Directory
- From the Selected Active Directory instance, click on App registrations
- Click the New registration button
- Enter the name of the Application
- Select Accounts in this organizational directory only - least privileges
- Select the Web option
- Enter the URL to your user management website (can be changed later)
NOTE: The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org
- Click the Register button to begin the creation process
This operation may take some time.
Create Permissions
Click the newly created Application to start creating permissions.
- Click the Add a Permission button.
Request API Permissions
Next; select which API Permissions to assign for the Application. This may be different depending on which Nodinite Monitoring Agent to use.
- Click the APIs my organization uses tab
- Click the Windows Azure Service Management API
Type of Permissions
Another modal is now displayed, and you need to specify the type of permissions required by the Application:
- Select Delegated permissions
- Check the user_impersonation checkbox
- Click the Add permissions button
Steps to perform when specifying the type of permissions granted for Application
Consent
You can safely skip this step.
Create Client Secret
- Select the Certificates & secrets
- Click the New client secret button
In the following dialogue, enter:
- A user-friendly name for the Client secret
- Select when the secret expire
- Click the Add button
Next, the Client secret presents (once - this time only)
Add permission to monitor and manage the Resource Group
You can fine-tune permission on individual levels.
- Subscription (highest level)
- Resource Group (recommended)
- Object (lowest level)
Our recommendation is to assign as in the section: Roles with least privileges.
To assign the role membership on the Resource Group level:
- Search and navigate to the list of Resource Groups.
- Select the Resource Group to add the permission to.
- Select Access Control (IAM).
- Click the Add button.
- Select Add role assignment
- Select the built-in Contributor Role OR, use the table in the Roles with least privileges section on this page.
- Select Azure AD user, group. pr service principal.
- Select one or more members (Application Name from step 4 - ClientId and ClientSecret).
To find the named Application(s), you need to type some characters to active the filter.
Click the Save button to persist the role assignment.
List of permissions
When finished, you will now see all User (Application) permissions in the list for the Resource Group(s) and/or Subscriptions. The User (Application) will be listed as part of the Contributor role.
Least privileges
If you opt to allow the Client/Application the Contributor role on each Subscription to monitor and manage, then you do not have to fine tune the Role Assignments with one exception; the Nodinite Azure Monitoring Agent requires the Azure Event Hubs Data Sender role assigned in order to send messages to the Event Hub.
Below is a list of specific permissions required to use the following Nodinite Azure Logging and Monitoring Agents:
- Nodinite Azure Logic Apps Logging and Monitoring agent. The agent also uses Shared access policies to access the Event Hubs and the Storage Accounts.
- Nodinite Azure Monitoring Agent
- Nodinite Azure Service Bus Monitoring
The Nodinite Pickup Service does not use the Azure REST API. Instead, it uses information from the Shared access policies.
Permission
Keep in mind that updating Azure role assignments may take up to five minutes to propagate. Then, you need to restart the necessary Nodinite agents.
| Resource | Role | Agent | Purpose |
|---|---|---|---|
| Subscription | Reader | Show Details and Match/Validate the Subscription Id with the current configuration. NOTE: This right inherits to all other Resources in selected Subscription. |
|
| API Management Service | API Management Service Contributor | List resources, Create and delete EventHub Logger, Invoke APIs | |
| App Registrations | Microsoft.Graph - Application.Read.All | List App Registration, SSO assignments, Branding info and evaluate Secrets NOTE: The type must be Application, NOT delegated |
|
| App Registrations - Owners (Details page) | Microsoft.Graph - User.Read.All | List details about Owners NOTE: The type must be Application, NOT delegated |
|
| App Services | Website Contributor | View Web Jobs History | |
| Application Insights | API Key | Not a role-assignment You must manually create an API Key for each Application Insights instance. API access is required for the Function App Monitoring. If the API key expires, you need to re-create it | |
| Data Factory | Data Factory Contributor | List Data Factories and pipelines, Read Details, Read performance | |
| Event Hubs | Azure Event Hubs Data Sender | Send messages to the Event Hub entity | |
| Function App | Website Contributor | List resources, includes the associated Application Insights | |
| Service Bus Namespace | Azure Service Bus Data Owner | List namespaces and Resources, Read and use Access Keys, Manage Queues and Topics | |
| Key Vaults | Key Vault Reader | List Key vaults and reads meta data (does not read the actual secrets!) NOTE: Azure role-based access control (recommended) must be set in the access configuration. |
|
| Logic App | Logic App Operator | Enable/Disable Logic App. This role is NOT allowed to Resubmit runs | |
| Logic Apps | Logic App Contributor | Allow to Resubmit runs. If you assign membership with this role; The Client does not need to be a member of the Logic App Operator role | |
| Storage Account | Reader and Data Access Note:If you add this role, you do not need all the other specific role assignments |
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | |
| Storage Account - Blob (Read/Write) | Storage Blob Data Reader | Read and list Azure Storage containers and blobs | |
| Storage Account - Blob (Delete) | Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. | |
| Storage Account - File (Read/Write) | Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. | |
| Storage Account - File (Delete) | Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. | |
| Storage Account - Queue (Read) | Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. | |
| Storage Account - Queue (Send/Post) | Storage Queue Data Message Sender | Add messages to an Azure Storage queue. | |
| Storage Account - Queue (Delete) | Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. |
NOTE: You can either assign role memberships on each Resource, or you can set the role assignment on the Resource Group, or Subscription level.