How to Onboard an Azure EA Subscription

This topic guides you to onboard an Azure EA Subscription into CoreStack.

Note: This kind of account is used for billing purposes only. No resources will be associated with it.

Pre-onboarding

There are certain prerequisites that need to be set up in your Azure Subscription before it can be onboarded into CoreStack.

CoreStack uses the OAuth 2.0 daemon application scenario with the client credentials flow and grant type. The client credentials flow requires a valid application registration in the Azure AD tenant of the subscription so that the application can be granted access to the required Azure resources.

There are two authentication options available for onboarding an Azure EA account into CoreStack:

  1. API Key Method
  2. Application Method

To onboard your Azure subscription into CoreStack, the following values must be generated or copied from your Azure console and configured in CoreStack, depending on the onboarding option chosen.

API Key Method

  1. API Key
  2. Enrolment ID

Application Method

  1. Tenant ID
  2. Application ID
  3. Application Secret
  4. Subscription Information
  5. Enrolment ID

Note: While onboarding an Azure EA account using the API Key method, the user must have EA Administrator access.

As you retrieve each of these values, keep them at hand so that you can copy and paste them into CoreStack while onboarding.

API Key Method:

To onboard an Azure EA account into CoreStack using the API Key method, follow these steps.

Step-1: Fetch Enrollment ID

To retrieve the Enrollment ID of the subscription, perform the following steps:

  1. Log in to the Azure EA portal (https://ea.azure.com/).
  2. Click Manage in the left-side menu.
  3. Select the Enrollment tab at the top of the page. The Enrollment screen appears.
  4. Copy the Enrollment Number from the Enrollment screen.

Step-2: Fetch API Key

To generate and retrieve the API Key for the enrollment, perform the following steps:

  1. In the Azure EA portal, click Reports in the left-side menu.
  2. Select the Download Usage tab at the top of the page. The Download Usage screen appears.
  3. Click the API Access Key option.
  4. Click the key symbol in the Primary Key field under the Enrollment Access Keys section.
  5. Click Expand Key. The generated API access key is displayed.
  6. Copy the API access key.

Application Method:

To onboard an Azure EA account into CoreStack using the Application method, follow these steps.

Step-1: Fetch Tenant ID

  1. Log in to the Azure Portal (https://portal.azure.com).
  2. Navigate to Azure Active Directory.
  3. Click Properties. The Properties screen appears.
  4. The Tenant ID value is displayed on the Properties screen.
  5. Click the Copy icon to copy the Tenant ID.

Step-2: Fetch Application ID

  1. Navigate to Azure Active Directory > App registrations > New registration in the Azure Portal. The Register an application screen appears.
  2. Provide a name for the application, such as "CoreStack.App".

The other fields can be left with their default values:

  3. The Supported account types field can be left as Single Tenant.
  4. The Redirect URI field can be left blank.
  5. Click the Register button.

The application is registered, and the Application ID (Client ID) is displayed on the Overview screen. Copy the Application ID.

Step-3: Fetch Application Secret

The Application Secret is the password (key) that you provide for the app that was just created.

  1. Navigate to Certificates & secrets from the Overview screen.
  2. Click New client secret.
  3. Provide a description and an expiry duration for the secret. You can leave the duration at the default value of 1 year. You can revoke the secret at any time later if required.
  4. Click the Add button. The client secret is created and displayed. Copy this value now, since it cannot be retrieved later.

Step-4: Fetch Subscription Information

  1. Navigate to Subscriptions in the Azure Portal. The subscriptions under the selected AD tenant are listed.
  2. Select the Subscription that will be used for onboarding into CoreStack. The Overview screen appears.
  3. The subscription details are displayed on the Overview screen.
  4. Copy the Subscription ID and Subscription Name values.

Step-5: IAM Access for App

The app created in Step-2 must have the required access within the subscription. To grant that access, follow these steps:

  1. Navigate to Subscriptions in the Azure Portal.
  2. Select Access Control (IAM).
  3. Click + Add and select Add role assignment. The Add role assignment screen appears.
  4. Select Contributor or Reader in the Role dropdown.

Note: The Contributor role is required for subscriptions that will be onboarded with the Assessment + Governance option. If the subscription will be onboarded with the Assessment option, the Reader role can be selected.

  5. Ensure that the Azure AD user, group, or service principal option is selected in the Assign access to field.
  6. Search for and select the app that was created earlier (in this example "CoreStack.App") in the Select field.
  7. Click the Save button to assign the role.

Once the role is assigned, it will be listed in the Role Assignments tab.

  8. Repeat steps 3 to 7 above with Resource Policy Contributor selected in the Role dropdown, leaving everything else the same.

Note: The Resource Policy Contributor role assignment is required only if you intend to use CoreStack to create policies for your Azure subscription.

Once the role is assigned, it will be listed in the Role Assignments tab.

Step-6: Fetch Storage Account and Report Path

A data export must be created to export cost data of the subscription. To configure the data export and retrieve its storage account and report path information, perform the following steps:

  1. Log in to the Azure portal.
  2. Select Cost Management + Billing in the left-side menu.
  3. Select Cost Management in the left-side menu.
  4. Ensure that the required Enrollment is selected in the Scope field.
  5. Select Exports in the Settings section of the submenu.
  6. Click the + Add option. The New Export screen appears.

In the Export details section:

  1. Specify a Name for the data export.
  2. Select Actual cost (Usage and Purchases) option from the Metric dropdown list.
  3. Select Daily export of month-to-date costs option from the Export type dropdown list.
  4. Select a date in the Start date field.

In the Storage section:

  1. Select either the Use existing radio button to store the export file in an existing storage account, or the Create new radio button to create a new storage account for it.

    1. If Use existing is selected, perform the following steps:

      1. Select the Subscription in which the storage account exists from the dropdown list.
      2. Select the required Storage account from the dropdown list.
      3. Specify a name for the Container to be created.
      4. Specify a name for the Directory to be created.
    2. If Create new is selected, perform the following steps:

      1. Select the Subscription in which the storage account should be created from the dropdown list.
      2. Select the Resource group in which the storage account should be created from the dropdown list.
      3. Specify an Account name for the Storage account to be created.
      4. Select the Location (region) in which the storage account should be created from the dropdown list.
      5. Specify a name for the Container to be created.
      6. Specify a name for the Directory to be created.
  2. Click the Create button. The new data export is created and listed in the table.
  3. Copy the Export name, Storage account, Container, and Directory values used while creating the data export.

The Storage account name is used in the Storage Account field of CoreStack. The Export name, Container, and Directory values make up the Report Path field of CoreStack, which must be entered in the following format: <container name>/<directory path>/<export name>.

Copy all these details and provide them while onboarding your Azure Subscription into CoreStack.
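Before pasting the collected values into CoreStack, a quick offline check catches the usual copy-and-paste mistakes (a truncated GUID, an upper-case or double-hyphenated container name, a Report Path assembled in the wrong order). This is an added example, not CoreStack code; the field names and SAMPLE_VALUES are constructed, and the GUID and storage naming rules it applies are Azure's general rules for those identifiers.

```python
import re

# Tenant ID, Application ID and Subscription ID are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Azure storage account names: 3-24 lowercase letters and digits.
STORAGE_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Blob container names: 3-63 lowercase letters, digits and single hyphens,
# starting and ending with a letter or digit.
CONTAINER_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?=[a-z0-9])){1,61}[a-z0-9]$")

def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value))

def report_path(container: str, directory: str, export_name: str) -> str:
    """Compose the Report Path in CoreStack's format: <container name>/<directory path>/<export name>."""
    if not CONTAINER_RE.match(container):
        raise ValueError(f"invalid container name: {container!r}")
    directory = directory.strip("/")  # tolerate a leading or trailing slash from the portal
    if not directory or not export_name:
        raise ValueError("directory path and export name must not be empty")
    return f"{container}/{directory}/{export_name}"

def check_application_method(values: dict) -> list:
    """Return the problems found; an empty list means all values are well-formed."""
    problems = []
    for key in ("tenant_id", "application_id", "subscription_id"):
        if not is_guid(values.get(key, "")):
            problems.append(f"{key} is not a GUID")
    for key in ("enrollment_id", "application_secret"):
        if not values.get(key):
            problems.append(f"{key} is empty")
    if not STORAGE_ACCOUNT_RE.match(values.get("storage_account", "")):
        problems.append("storage_account must be 3-24 lowercase letters or digits")
    try:
        report_path(values.get("container", ""), values.get("directory", ""),
                    values.get("export_name", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample values, not real identifiers.
SAMPLE_VALUES = {
    "enrollment_id": "12345678", "application_secret": "<client secret>",
    "tenant_id": "00000000-1111-2222-3333-444444444444",
    "application_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "subscription_id": "99999999-8888-7777-6666-555555555555",
    "storage_account": "costexportsa", "container": "cost-exports",
    "directory": "/corestack/daily/", "export_name": "ea-daily-export",
}
```

Running `check_application_method(SAMPLE_VALUES)` returns an empty list; replace the sample entries with your own values and fix anything it reports before starting the onboarding wizard.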

Why are these Permissions Required?

CoreStack requires Contributor access to the following Azure resource providers. However, the account owner can restrict access to the specific services that will be managed through CoreStack.

The following table explains the need for access to each service, with the rationale:

| Azure Provider | Product/Category | Reader Access (For Discovery) | Contributor Access (For Actions) | Remarks |
|---|---|---|---|---|
| Microsoft.Compute | Virtual Machines, Virtual Machine Scale Sets, Virtual Machine Sizes, Availability Sets, Image Publishers, Images, Disks | Mandatory | Mandatory | |
| Microsoft.ContainerInstance | Container Groups | Preferred | Optional | |
| Microsoft.ContainerRegistry | Container Registry | Preferred | Optional | |
| Microsoft.ContainerService | Container Service, Kubernetes | Preferred | Optional | |
| Microsoft.Storage | Storage accounts, Storage Snapshots | Mandatory | Mandatory | |
| Microsoft.RecoveryServices | Recovery Vault | Preferred | Optional | |
| Microsoft.Network | Route Tables, Network Security Group, Virtual Networks, Public IP Address, Traffic Manager Profiles, Load Balancer, Express Routes, Application Gateway, Available SSL Policy | Mandatory | Mandatory | |
| Microsoft.Sql | SQL | Preferred | Optional | |
| Microsoft.DBforPostgreSQL | PGSQL | Preferred | Optional | |
| Microsoft.DBforMySQL | MySQL | Preferred | Optional | |
  • Preferred: Access is not mandatory. However, some automation features will not function without it. You can exclude these providers for "Assessment-Only" onboarding.
  • Optional: Not mandatory, similar to Preferred; core features will continue to work, but some low-level actions will be affected. You can exclude these providers for "Assessment-Only" onboarding.
  • Mandatory: Non-negotiable. Even when onboarding an account with read-only permissions ("Assessment-Only"), this access is needed.

Impact on the Azure Subscription

If you intend to use CoreStack for remediation and automation, CoreStack creates resources and applies some configurations in Azure while configuring these capabilities in CoreStack.

Alert Rules and Alert Actions:

Alert rules will be created when monitoring thresholds are configured as part of the Operations – Alerts module.

A new alert action will be added to the created rules to invoke CoreStack notification webhook when threshold alert is triggered.

Azure Policy

CoreStack will create Policy Definitions and Assignments based on the GuardRails you choose to set up for your Azure Subscription.

Security Center

CoreStack will enable the Free tier or the Standard tier for the resources based on the security configurations. Enabling the Standard tier has cost implications, so exercise caution during configuration.

Billing Impact due to CoreStack Onboarding

There is no billing impact from configuring your account with CoreStack until certain services are consumed through CoreStack. The following are the areas where there may be cost implications.

| Feature | Free Units Included | Price | CS Remarks |
|---|---|---|---|
| Alert Notifications | 100,000 web hooks per month | $0.60 per 1,000,000 web hooks | |
| Dynamic Thresholds | None | $0.10 per dynamic threshold per month | CoreStack does not create Dynamic Thresholds as part of account onboarding. However, you can configure them through an Operations template if required. |
| Azure Security Center | Free Tier | Pricing varies per resource type. | The Standard Tier, if opted for, will have a higher cost impact. Refer to the Azure pricing page for more details. |
| Monitoring Metrics | 10 monitored metric time-series per month | $0.10 per metric time-series monitored per month | |

Onboarding

The following steps need to be performed to onboard an Azure Subscription.

  1. Click Add New button in the CoreStack dashboard and select Single Account.
  2. Click Start Now. The onboarding screen appears.
  3. Select Azure EA option in the Enterprise Agreement field.
  4. Click Get Started button.
  5. Select the required option in the Access Type field. The options are: Assessment and Assessment + Governance.
  6. Select the required option in the Azure Environment field. The options are: Azure Global, Azure China, and Azure Government.
  7. Select the required option in the Authentication Protocol field. The options are: API Key and Application.
  8. Select the required currency in the Currency dropdown list.
  9. Click Next.
  10. Provide values for the fields displayed: Enrollment ID and API Key if the account is being onboarded using the API Key method, or Enrollment ID, Tenant ID, Application ID, and Application Secret if it is being onboarded using the Application method. These values can be retrieved as explained in the Pre-onboarding section.
  11. Click Validate button.
  12. The Advanced Settings section will be displayed with additional fields (Name and Scope OR Name, Subscription, Storage Account, Report Path, and Scope) based on the Authentication Protocol selected.
  13. Modify the prepopulated name of the account in the Name field, if required.
  14. If Application option is selected as Authentication Protocol, select the required subscription in the Subscription dropdown list.
  15. If Application option is selected as Authentication Protocol, specify the values for Storage Account and Report Path fields. These values can be retrieved as explained in the Pre-onboarding section.
  16. Select the required option in the Scope field. The options are: Account, Private, and Tenant.
  17. Click I’m Done button.

The Azure Subscription is onboarded into CoreStack. Relevant insights and information about the resources available in the account are populated under each cloud governance pillar in CoreStack.