Configuring Microsoft Customer Agreement

Repeat this process for each directory you manage.

Prerequisite You must have global administrator privileges to register an App. While the connection between CloudHealth and Azure is read-only, a global administrator must register the App to ensure that there are no errors.

1. Open a text editor (such as NotePad or TextEdit) so that you can store specific parameters of the service principal that you need to provide in the CloudHealth platform.

2. Log in to the Azure Portal.

3. From the left menu, select Azure Active Directory.

   If a menu entry for Azure Active Directory does not exist, search for it.

4. Select the App Registrations tile and then click New Registration from the top of the page.

   

5. Fill out the following fields in the form and then click Create:

   • Name: Enter the name of the service principal
   • Supported Account Types: Select Accounts in this organizational directory only.
   • Redirect URI: Select Web from the dropdown and enter https://apps.cloudhealthtech.com

Due to a a rare issue in the Azure Portal, creating a new app registration might fail to create a new service principal as expected. If this occurs, click the Create Service Principal link in App Registrations > Overview.

6. Open the Application Registration you just created.

   • Copy the Display Name into the text document.
   • Copy the Application ID into the text document.

   

7. Go to Certificates & Secrets in the left menu. Click New Client Secret.

   • Add a key description. Make sure there are no spaces.
   • Select a duration. It is recommended that you set the expiration to at least one year.

8. Click Save. A value is generated.

9. Copy the key description and value into the text document.

10. Close the App Registration blade and return to the Active Directory menu.

11. Under the Manage header, select Properties.

    

12. Locate the directory ID. Select the Copy icon to copy the ID and then paste it into the text document.

    

Checkpoint: At this point, you have this information in the text document.

• Display Name
• Application ID
• Key Description
• Key Value
• Directory ID/Tenant ID

Assign a Reader role for subscriptions that are managed in the directory.

For help assigning roles in Azure, see Assign Azure Roles using the Azure Portal.

When assigning the role, make the following selections:

• Role: Reader
• Members: CloudHealth

Repeat this step for each subscription.

Add Permissions to Access Key Vault (Optional)

With the additional get and list permissions, CloudHealth gets access to keys and secrets for each key vault under each subscription. Providing this access offers the following benefits:

• Visibility: Get all keys & secret details under each key vault in Asset reports.
• Policies: Create policies on keys and secrets and get notified if any key/secret doesn’t have an expiry date set.
• Perspectives: Since Key Vault Keys & Secrets are taggable assets, you can create perspective groups based on tags.

Use the following steps to grant additional permissions to the service principal:

1. Log in to the Azure Portal, and click the Cloud Shell icon on the top navigation bar.

2. Enter the following PowerShell script for every active Service Principal that you have added in the CloudHealth platform.

$subs = Get-AzureRmSubscription 
$client_id = 'Application id of service principal' 
foreach ($sub in $subs) {Set-AzureRmContext -SubscriptionId $sub.SubscriptionId 
$key_vaults = Get-AzureRmKeyVault 
foreach ($key_vault in $key_vaults) {Set-AzureRmKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list } } 

Get the Application id of the service principal from the CloudHealth platform. Go to Setup > Accounts > Azure Service Principal.

The script accesses current key vaults and grant permission to the service principal to retrieve and display key vault keys and secrets.

For a newly-added key vault, you need to separately grant permission to the service principal to retrieve and display keys. You can either run the above PowerShell script or manually add the service principal using following steps:

1. In the Azure Portal, go to the newly added key vault.
2. From the Settings menu, navigate to Access Policies, and click Add Access Policy.
3. Select get, list permissions from the Key permissions and Secret permissions dropdown.
4. Select Service principal.
5. Click Add.

Assign the service principal as the billing account reader for the billing account.

Repeat these steps for each billing account. To switch your scope to a different billing account, see Switch Billing Scope in the Azure Portal.

1. Log in to the Azure Portal.

2. In the Azure home page, select Cost Management under Tools.

3. In the left menu, select Access Control (IAM).

4. Select +Add to add a new permission.

   

5. Fill out the Add Permission form as follows and click Save:

6. Select Billing Account Reader from the Role dropdown.

7. Enter the name of the service principal in the Select field.

1. Log in to the CloudHealth platform. From the left menu, select Setup > Accounts > Azure Service Principal. Then click New Service Principal.

2. Select Global Azure from the Account Type dropdown.

   

3. Copy the information from the text document into corresponding fields in the setup form.

   Make sure there are no spaces.

4. Optionally, select the Security Asset Collection dropdown if you want to disable asset collection on certain assets for security reasons. CloudHealth recommends enabling asset collection for all assets and does not store sensitive data.

   Disabled assets are marked as inactive in CloudHealth and cannot be used in policies.

   

5. Click Save Service Principal.

1. Log in to the Azure Portal and go to Azure Active Directory > App Registrations.

2. Copy the display name of the application you registered for CloudHealth and paste it in a Text file (such as NotePad or TextEdit).

3. Log in to the CloudHealth Platform. Go to Assets > Azure and select Savings Plans from the Other section.

4. In the Savings Plan table, click the Go to Azure Portal icon to open the savings plan in the Azure portal.

5. From the left pane, go to Access Control (IAM) and click Add role assignment.

6. Fill out the fields as follows:

7. Select Reader from the Role dropdown menu.

8. In the Select field, copy and paste the service principal display name from step 2 that is associated with the savings plan and select the user returned by the search.

9. Click Save.

10. Repeat steps 4-7 for each Savings Plan.

The CloudHealth platform supports Azure AD User collection through Azure Service Principal. To collect the Azure AD objects, you need to add an additional Graph API permission to the Service Principal.

1. Log in to the Azure Portal, go to Azure Active Directory > App Registrations, and select the CloudHealth app.

2. Click API permissions > Add a permission.

3. Select Microsoft Graph and click Application permissions.

4. Under Select Permissions, expand Users, and select User.Read.All permission.

5. Click Add Permissions.

Once you add the required permissions, click Grant admin consent for Default Directory to allow an admin to grant admin consent to the configured permissions.