How to Onboard an Azure Enrollment (EA) Subscription

This topic explains how to onboard an Azure Enrollment (EA) subscription into CoreStack.

📘

Note:

Before onboarding an Azure Enrollment (EA) subscription, you must first onboard the Azure Enrollment (EA) parent account in CoreStack. Click here to learn how to onboard an Azure Enrollment (EA) account.

Pre-onboarding

A few prerequisites need to be set up in the Azure AD tenant that owns the Azure Enrollment subscription before it can be onboarded into CoreStack.

CoreStack authenticates to Azure as a daemon application using the OAuth 2.0 client credentials flow (grant type client_credentials), as depicted here. In this flow there is no signed-in user: the application authenticates with its own credential (a client secret) and gets exactly the access that has been granted to it through Azure role assignments. This requires an app registration in the tenant and a role assignment for that application on the subscription to be onboarded.

To onboard your Azure Enrollment subscriptions into CoreStack, the following values must be generated or copied from the Azure portal and entered in CoreStack:

  1. Tenant ID
  2. Application ID
  3. Application Secret

As you retrieve each of these values, keep them at hand so that you can paste them into CoreStack during onboarding. Treat the Application Secret like a password: do not leave it in a plain-text file once onboarding is complete.

Step-1: Fetch Application ID and Tenant ID

  1. On the Azure Portal, navigate to Azure Active Directory > App registrations.
  2. Click + New registration. The Register an application screen appears.
  3. In the Name box, type a name for the application, for example, CoreStack.App.

The other fields can be left with the default options.

  • The value of the Supported account types field can be Single Tenant (accounts in this organizational directory only).
  • The value of the Redirect URI field can be blank; the client credentials flow does not use one.

  4. Click Register.

The application will be registered, and the Application (client) ID and Directory (tenant) ID will be displayed on the Overview screen. Copy both values and keep them at hand.

Step-2: Fetch Application Secret

The Application Secret is the password (key) that CoreStack presents to Azure on behalf of the app that was just created.

  1. On the Overview screen, click Certificates & secrets.
  2. Click + New client secret.
  3. Provide a description and an expiry duration for the secret. You can keep the default duration or choose a shorter one. CoreStack loses access to the subscription when the secret expires, so note the expiry date and plan to create a new secret and update it in CoreStack before then. You can also revoke the secret at any time.
  4. Click Add. The client secret will be created and its value displayed.

📘

Note:

Copy the secret value now and keep it at hand; it is shown only once and cannot be retrieved later. If you lose it, delete it and create a new secret.

Step-3: IAM Access for App

The app created in Step-1 must have the required access within the subscription. The roles to assign depend on the Access Type you will select in CoreStack:

  • Assessment Only: Reader (listed under Job function roles).
  • Assessment + Governance: Contributor (listed under Privileged administrator roles), plus Resource Policy Contributor (listed under Job function roles) if CoreStack will create policies.

Each Add role assignment operation assigns a single role, so repeat the following steps for every role required for your access type:

  1. On the Azure Portal, navigate to Subscriptions and select the subscription to be onboarded.
  2. Click Access Control (IAM).
  3. Click + Add and then select Add role assignment. The Add role assignment screen appears.
  4. Open the tab that contains the role (Job function roles for Reader and Resource Policy Contributor, Privileged administrator roles for Contributor), select the role, and click Next.
  5. In the Assign access to field, ensure that the User, group, or service principal option is selected.
  6. Click + Select members and, in the Select field, search for and select the app that was created earlier. In this example, select CoreStack.App.
  7. Click Save to assign the role.

After the role is assigned, it will be listed in the Role Assignments tab.

📘

Note:

The "Resource Policy Contributor" role assignment is required only if you intend to use CoreStack to create policies for your Azure subscription.

Step-4: Reservations Reader Role

📘

Note:

You can skip this step if you don’t have any reserved instances in your subscription.

CoreStack requires the Reservations Reader role for CoreStack.App to fetch the reserved instances in the subscription. This role is assigned from the Reservations blade rather than from the subscription's Access Control (IAM).

  1. Navigate to Virtual machines > Reservations > View. All the reserved instances in your subscription are listed.
  2. Click Role assignment.
  3. Click + Add and then click Add role assignment.
  4. In the Assignment type field, select Job function roles.
  5. In the Search box, type Reservations Reader, select it from the search results, and then click Next.
  6. Ensure that the User, group, or service principal option is selected in the Assign access to field.
  7. Search for and select the app that was created earlier. In this example, select CoreStack.App in the Select field.
  8. Click Save to assign the role.

Keep the Tenant ID, Application ID and Application Secret at hand; you will provide them while onboarding your Azure subscription into CoreStack.
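Before entering the three values in CoreStack, it is worth confirming that they actually work and that the app holds the roles from Step-3 and nothing more. The script below is an added example (it is not CoreStack code and not part of the original article): it performs the client credentials flow described in the Pre-onboarding section against the Azure Global endpoints, reads back which tenant and application the token was issued for, and lists the roles assigned to the service principal on the subscription, comparing them with the roles the guide asks for. The environment variable names, the Assessment/Governance mapping and the "excessive roles" set are this example's own assumptions.

```python
"""Pre-onboarding check for the CoreStack app registration (added example).

Acquires an ARM token with the OAuth 2.0 client credentials grant, confirms the
token was issued for the expected tenant and application, and lists the roles
the service principal holds on the subscription so that missing or excessive
roles are caught before onboarding. Environment variable names and the
access-type-to-role mapping are assumptions of this example, not CoreStack settings.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"  # Azure Global; other clouds differ
API_VERSION = "2022-04-01"

# Roles the onboarding guide asks for, per CoreStack access type.
REQUIRED_ROLES = {
    "Assessment": {"Reader"},
    "Assessment + Governance": {"Contributor"},
}
POLICY_ROLE = "Resource Policy Contributor"  # only if CoreStack will create policies
# Roles well beyond what the guide needs; flagged if the service principal has them.
EXCESSIVE_ROLES = {"Owner", "User Access Administrator"}


def get_token(tenant_id, app_id, secret, login=LOGIN):
    """Client credentials grant: the app authenticates as itself, no user involved."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "scope": f"{ARM}/.default",
    }).encode()
    req = urllib.request.Request(f"{login}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature. That is acceptable
    here: we only read back who the token was issued to; ARM does the real check."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def unsigned_jwt(claims):
    """Build header.payload. with an empty signature, only to exercise
    decode_claims offline with constructed claims."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def identity_problems(claims, tenant_id, app_id):
    """Return mismatches between the token's claims and the IDs we configured."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append(f"token tenant {claims.get('tid')!r} != {tenant_id!r}")
    # Tokens issued for ARM carry the v1.0 'appid' claim; v2.0-style tokens use 'azp'.
    if (claims.get("appid") or claims.get("azp")) != app_id:
        problems.append("token was not issued to the expected application")
    if not str(claims.get("aud", "")).startswith("https://management."):
        problems.append(f"unexpected audience {claims.get('aud')!r}")
    return problems


def arm_get(token, path):
    req = urllib.request.Request(f"{ARM}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def assigned_role_names(token, subscription_id, principal_oid):
    """Role names assigned to the service principal that apply at subscription scope.
    The filter uses the SP object id (token 'oid'), not the Application (client) ID."""
    flt = urllib.parse.quote(f"principalId eq '{principal_oid}'")
    path = (f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/"
            f"roleAssignments?api-version={API_VERSION}&$filter={flt}")
    names = set()
    for assignment in arm_get(token, path)["value"]:
        definition_id = assignment["properties"]["roleDefinitionId"]
        definition = arm_get(token, f"{definition_id}?api-version={API_VERSION}")
        names.add(definition["properties"]["roleName"])
    return names


def evaluate_roles(assigned, access_type, manage_policies=False):
    """Return (missing, excessive) role-name sets for the chosen access type."""
    required = set(REQUIRED_ROLES[access_type])
    if manage_policies:
        required.add(POLICY_ROLE)
    return required - assigned, assigned & EXCESSIVE_ROLES


if __name__ == "__main__":
    # The secret comes from the environment, not from a file left on disk.
    tenant, app, secret, sub = (os.environ[k] for k in
        ("AZ_TENANT_ID", "AZ_APP_ID", "AZ_APP_SECRET", "AZ_SUBSCRIPTION_ID"))
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    access_type = args[0] if args else "Assessment"
    token = get_token(tenant, app, secret)
    claims = decode_claims(token)
    for problem in identity_problems(claims, tenant, app):
        print("IDENTITY:", problem)
    assigned = assigned_role_names(token, sub, claims["oid"])
    missing, excessive = evaluate_roles(assigned, access_type, "--policies" in sys.argv)
    print("missing roles:", sorted(missing) or "none")
    print("excessive roles:", sorted(excessive) or "none")
    sys.exit(1 if missing else 0)
```

Run it as `python check_app.py "Assessment + Governance" --policies` with the four variables exported. A non-empty "missing roles" line means Step-3 is incomplete for the access type you intend to select; an "excessive roles" line means the app has more than the guide requires and the extra assignment should be removed before onboarding. The role lookup filters by the service principal's object id taken from the token's `oid` claim, which is a different value from the Application (client) ID you paste into CoreStack.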

Onboarding an Azure Enrollment (EA) Subscription

The following steps need to be performed to onboard an Azure subscription:

  1. Sign in to the CoreStack application.
  2. On the CoreStack dashboard, click Add New, select Single Account, and then click Start Now. The onboarding screen appears.
  3. In the Public Cloud field, select Azure and click Get Started.
  4. In the Access Type field, select the required option. The options are Assessment and Assessment + Governance; the option you choose must match the roles assigned in Step-3.
  5. In the Azure Environment field, select the required option. The options are Azure Global, Azure China, and Azure Government.
  6. In the Currency dropdown list, select the required currency.
  7. In the Environment dropdown list, select the appropriate option. The options are Production, Staging, QA, and Development.
  8. Click Next.
  9. Provide the Tenant ID, Application ID, and Application Secret collected in the Pre-onboarding section.
  10. Click Validate.

The Advanced Settings section will be displayed with additional fields (Name, Subscription, Subscription Type, Parent Account, and Scope).

  1. In the Name field, modify the pre-populated name of the account, if required.
  2. In the Subscription dropdown list, select the required subscription.
  3. In the Subscription Type field, select the Enterprise option.
  4. In the Scope field, select the required option. The options are Account, Private, and Tenant.
  5. Click List Parent Account and select the parent account onboarded earlier.
  6. Click I’m Done.

The Azure subscription will be onboarded into CoreStack. Relevant insights and information about the resources in the account will be populated under each cloud governance pillar in CoreStack.

Why are these Permissions Required?

CoreStack requires Contributor access to the following Azure resource providers. However, the account owner can restrict access to the specific services that will be managed through CoreStack.

The following table explains the need for access to each provider:

Azure Provider | Product/Category | Reader Access (For Discovery) | Contributor Access (For Actions)
--- | --- | --- | ---
Microsoft.Compute | Virtual Machines, Virtual Machine Scale Sets, Virtual Machine Sizes, Availability Sets, Image Publishers, Images, Disks | Mandatory | Mandatory
Microsoft.ContainerInstance | Container Groups | Preferred | Optional
Microsoft.ContainerRegistry | Container Registry | Preferred | Optional
Microsoft.ContainerService | Container Service, Kubernetes | Preferred | Optional
Microsoft.Storage | Storage Accounts, Storage Snapshots | Mandatory | Mandatory
Microsoft.RecoveryServices | Recovery Vault | Preferred | Optional
Microsoft.Network | Route Tables, Network Security Groups, Virtual Networks, Public IP Addresses, Traffic Manager Profiles, Load Balancers, ExpressRoute, Application Gateway, Available SSL Policy | Mandatory | Mandatory
Microsoft.Sql | SQL | Preferred | Optional
Microsoft.DBforPostgreSQL | PostgreSQL | Preferred | Optional
Microsoft.DBforMySQL | MySQL | Preferred | Optional

  • Preferred: Access is not mandatory. However, some of the automation features will not work without it. You can exclude these providers for “Assessment-Only”.
  • Optional: Not mandatory; as with Preferred, core features will continue to work, but some low-level actions will be affected. You can exclude these providers for “Assessment-Only”.
  • Mandatory: Non-negotiable; even to onboard an account with read-only permissions (“Assessment-Only”), access to these providers is needed.

Impact on the Azure Subscription

If you intend to use CoreStack for remediation and automation, CoreStack creates the following resources and applies configuration in Azure when you set up these capabilities in CoreStack.

Alert Rules and Alert Actions

Alert rules are created when monitoring thresholds are configured as part of the Operations – Alerts module.

A new alert action is added to the created rules to invoke the CoreStack notification webhook when a threshold alert is triggered.

Azure Policy

CoreStack creates Policy Definitions and Assignments based on the GuardRails you choose to set up for your Azure subscription.

Security Center

CoreStack enables the Free tier or Standard tier for resources based on the security configurations you choose. Enabling the Standard tier has cost implications, so exercise caution during configuration.

Billing Impact due to CoreStack Onboarding

Configuring your account with CoreStack has no billing impact in itself; costs arise only when certain services are consumed through CoreStack. The following are the areas where there might be cost implications.

Feature | Free Units Included | Price | CS Remarks
--- | --- | --- | ---
Alert Notifications | 100,000 web hooks per month | $0.60 per 1,000,000 web hooks | None
Dynamic Thresholds | None | $0.10 per dynamic threshold per month | CoreStack does not create Dynamic Thresholds as part of account onboarding. However, you can configure them through an Operations template, if required.
Azure Security Center | Free Tier | Pricing varies per resource type; refer to the Azure pricing page for details. | Standard Tier, if opted for, will have a higher cost impact.
Monitoring Metrics | 10 monitored metric time-series per month | $0.10 per metric time-series monitored per month | None