Pre-Onboarding for Azure Subscriptions
Introduction
This user guide explains how to perform the pre-onboarding steps required for onboarding an Azure Subscription (i.e. Pay-As-You-Go, also known as PAYG) into the platform.
Pre-onboarding
There are certain prerequisites that need to be set up in your Azure Subscription before it can be onboarded into the platform.
The platform uses the Daemon Application scenario with the OAuth 2.0 Client Credentials flow (grant type). The Client Credentials flow requires a valid Application registration to be created for the specific Azure subscription so that the platform can access the required Azure resources.
To onboard your Azure subscription into the platform, the following values must be generated/copied from your Azure console and configured in the platform.
- Tenant ID
- Application ID
- Application Secret
- Subscription Information
As you retrieve each of these values, keep them ready in a notepad to be able to copy/paste into the platform while onboarding.
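How the collected values feed the Client Credentials flow described above, as an added example that is not the platform's own code: it validates the Tenant ID, Application ID and Application Secret and builds (without sending) the token request for the Microsoft identity platform v2.0 endpoint. The function names and sample values are constructed for illustration, and the Azure Resource Manager scope is an assumption about which resource the token is requested for.

```python
import re
from urllib.parse import urlencode

# Assumed scope: Azure Resource Manager via the v2.0 token endpoint.
ARM_SCOPE = "https://management.azure.com/.default"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def _guid(field, value):
    """Return the lower-cased GUID, or raise naming the field that is wrong."""
    value = (value or "").strip()
    if not GUID_RE.fullmatch(value):
        raise ValueError(f"{field} is not a GUID: {value!r}")
    return value.lower()


def build_token_request(tenant_id, app_id, app_secret):
    """Return (url, form_body) for the client credentials grant."""
    tenant = _guid("Tenant ID", tenant_id)
    client = _guid("Application ID", app_id)
    secret = (app_secret or "").strip()
    if not secret:
        raise ValueError("Application Secret is empty")
    if GUID_RE.fullmatch(secret):
        # Heuristic: the portal lists a GUID "Secret ID" beside the secret Value.
        raise ValueError("Application Secret looks like the Secret ID, not the Value")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client,
        "client_secret": secret,
        "scope": ARM_SCOPE,
    })
    return url, body


def redact(body):
    """Mask the secret so the request can be logged safely."""
    return re.sub(r"(client_secret=)[^&]*", r"\1***", body)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    args = ("11111111-2222-3333-4444-555555555555",
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "constructed.Secret_Value-123")
    url, body = build_token_request(*args)
    print("POST", url, redact(body), sep="\n")
```
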
Step 1: Fetch Tenant ID
- Login to the Azure Portal (https://portal.azure.com).
- Navigate to Azure Active Directory (Microsoft Entra ID).
- Click Properties. The Properties screen appears.
- The Tenant ID value will be displayed on the Properties screen.
- Click on the Copy icon to copy the Tenant ID.
Step 2: Fetch Application ID
- Navigate to Azure Active Directory > App registrations > New registration in the Azure Portal. The Register an application screen appears.
- Provide a name for the application, such as “CoreStack.App”.
The other fields can be left with the default options.
- The value of the Supported account types field can be Single Tenant.
- The value of the Redirect URI field can be blank.
- Click the Register button.
The application will be registered, and the Application ID (Client ID) will be displayed in the Overview screen. Copy the Application ID.
Step 3: Fetch Application Secret
The Application Secret is the password or key that you need to provide for the specific app that was just created.
- From the Overview screen, navigate to Certificates & secrets under the Manage subsection.
- Click New client secret.
- Provide a description and expiry duration for the secret. You can leave the duration at the default value of 1 year. You can revoke the secret at any time later, if required.
- Click the Add button. The Client secret will be created and displayed. Ensure that you copy this value, since you cannot retrieve it later.
Step 4: Fetch Subscription Information
- Navigate to Subscriptions in the Azure Portal. The subscriptions under the selected AD Tenant will be listed.
- Select the Subscription that will be used for onboarding into the platform. The Overview screen appears.
- The subscription details will be displayed in the Overview screen.
- Copy the Subscription ID and Subscription Name values.
Step 5: IAM Access for App
The app that is created in Step 2 must have the required access within the subscription. To provide the access, follow the steps below:
- Navigate to Subscriptions in the Azure Portal.
- Select Access Control (IAM).
- Click + Add and select Add role assignment. The Add role assignment screen appears.
- Select Contributor or Reader in the Role drop-down. These should be available under the Privileged administrator roles tab.
Note:
The Contributor role is required for subscriptions that will be onboarded with the Assessment + Governance option. If the subscription will be onboarded with the Assessment option, the Reader role can be selected.
- Ensure that the Azure AD user, group, or service principal option is selected in the Assign access to field.
- In the Select Members action, search for and select the app that was created earlier (in this example, “CoreStack.App”) in the Select field.
- Click the Save button to assign the role.
Once the role is assigned, it will be listed in the Role Assignments tab.
- Repeat steps 3 to 7 as specified above, but with Resource Policy Contributor selected in the Role drop-down and everything else remaining the same. This is required only if you intend to use the platform to create policies for your Azure subscription.
Note:
The Resource Policy Contributor role assignment is required only if you intend to use the platform to create policies for your Azure subscription.
Once the role is assigned, it will be listed in the Role Assignments tab.
Copy all these details and provide them while onboarding your Azure Subscription into the platform.
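A check for the role assignments made in Step 5, as an added example that is not part of the platform: it compares the roles the app holds at subscription scope with the roles the chosen onboarding option calls for, and reports both missing roles and roles beyond what the option needs. The function name, the option keys and the sample records are constructed; the record field names (principalName, principalId, roleDefinitionName, scope) are an assumption about how the assignments were exported.

```python
# Role names from Step 5, keyed by onboarding option (keys are hypothetical).
EXPECTED = {"assessment": {"Reader"}, "assessment+governance": {"Contributor"}}
POLICY_ROLE = "Resource Policy Contributor"


def audit_roles(assignments, principal, subscription_id, option, policies=False):
    """Return (missing, excess) role names for the app at subscription scope.

    `principal` is matched against principalName or principalId.
    Assignments at resource-group or management-group scope are ignored.
    """
    scope = f"/subscriptions/{subscription_id}".lower()
    wanted = set(EXPECTED[option])
    if policies:
        wanted.add(POLICY_ROLE)
    who = principal.lower()
    held = set()
    for a in assignments:
        ids = {a.get("principalName", "").lower(), a.get("principalId", "").lower()}
        if who in ids and a.get("scope", "").rstrip("/").lower() == scope:
            held.add(a["roleDefinitionName"])
    return sorted(wanted - held), sorted(held - wanted)


# Constructed sample export; all identifiers are placeholders.
SUB = "11111111-2222-3333-4444-555555555555"
APP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE = [
    {"principalName": APP, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": APP, "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": APP, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
    {"principalName": "user@example.com", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    for opt, pol in (("assessment", False), ("assessment+governance", True)):
        missing, excess = audit_roles(SAMPLE, APP, SUB, opt, pol)
        print(f"{opt}: missing={missing} excess={excess}")
```
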
Why are these Permissions Required?
The platform requires Contributor access to the following Service Providers. However, the account owner can restrict access to only the specific services that will be managed through the platform.
The following table explains the need for access to each service, with the rationale:
Azure Provider | Product/Category | Reader Access (For Discovery) | Contributor Access (For Actions) | Remarks |
---|---|---|---|---|
Microsoft.Compute | Virtual Machines, Virtual Machines Scale Sets, Virtual Machines Sizes, Availability Sets, Image Publishers, Images, Disks | Mandatory | Mandatory | |
Microsoft.ContainerInstance | Container Groups | Preferred | Optional | |
Microsoft.ContainerRegistry | Container Registry | Preferred | Optional | |
Microsoft.ContainerService | Container Service Kubernetes | Preferred | Optional | |
Microsoft.Storage | Storage accounts Storage Snapshots | Mandatory | Mandatory | |
Microsoft.RecoveryServices | Recovery Vault | Preferred | Optional | |
Microsoft.Network | Route Tables, Network Security Group, Virtual Networks, Public IP Address, Traffic Manager Profiles, Load Balancer, Express Routes, Application Gateway, Application Gateway Available SSL Policy | Mandatory | Mandatory | |
Microsoft.Sql | SQL | Preferred | Optional | |
Microsoft.DBforPostgreSQL | PGSQL | Preferred | Optional | |
Microsoft.DBforMySQL | MySQL | Preferred | Optional | |
- Preferred: Access is not mandatory. However, some of the automation features will not be functional without the required access. You can exclude these for “Assessment-Only”.
- Optional: Not mandatory. As with Preferred, core features will continue to work, but some low-level actions will be impacted. You can exclude these for “Assessment-Only”.
- Mandatory: Non-negotiable. This access is needed even to onboard an account with read-only permissions (“Assessment-Only”).
Impact on the Azure Subscription
If you intend to use the platform for remediation and automation, the platform creates resources and applies some configurations in Azure while these capabilities are being configured.
Alert Rules and Alert Actions:
Alert rules will be created when monitoring thresholds are configured as part of the Operations – Alerts module.
A new alert action will be added to the created rules to invoke the platform notification webhook when a threshold alert is triggered.
Azure Policy
The platform will create the Policy Definitions and Assignments based on the GuardRails you prefer to set up for your Azure Subscription.
Security Center
The platform will enable the Free Tier or Standard Tier for the resources based on the security configurations. (Enabling the Standard Tier has cost implications; please exercise caution during configuration.)
Billing Impact Due to Onboarding
Configuring your account with the platform has no billing impact in itself until certain services are consumed through it. The following are the few areas where there might be cost implications.
Feature | Free Units Included | Price | CS Remarks |
---|---|---|---|
Alert Notifications | 100,000 web hooks per month | $0.60/1,000,000 web hooks | N/A |
Dynamic Thresholds | None | $0.10 per dynamic threshold per month | The platform does not create Dynamic Thresholds as part of account onboarding. However, you can configure them through the Operations template, if required. |
Azure Security Center | Free Tier | Pricing varies per resource type. | Standard Tier, if opted for, will have a higher cost impact. Refer to the Azure pricing page for more details. |
Monitoring Metrics | 10 monitored metric time-series per month | $0.10 per metric time-series monitored per month | N/A |