For vScope to inventory your Azure Resource Manager environment you need to give vScope read permissions to your subscription(s). In this guide we will create a vScope application in Azure, generate a key and applying these to the Azure RM credential in vScope.
Important Notes (!):
- Two things needs to be done in Azure for vScope to inventory the data (how, will be described further down):
1. An application for vScope which is allowed to read the Azure Active Directory.
2. The application in (1) needs to be given read access in the subscription you wish to inventory.
- To be able to perform (1) and (2) you’ll need an Azure account that have permission to for these actions.
- vScope is read-only
Start off by ensuring you have the correct permissions. You can find your permissions in the menu up to the right:
1. Create the application/program
1.1 Go to Azure Resource Manager (https://portal.azure.com/) and log in. Open “All services”, search for and click “App registrations”.
1.3 Name the application, this guide chose “vScope Azure”.
- Choose “Accounts in this organizational directory only” for “Supported account types”.
1.4 Note the Application (client) ID, this is a value you will use in the vScope credential.
2. Create an API key (client secret) for the application
2.1 Click “Certificates & secrets” in the application.
2.2 Click “+ New client secret”
- Write a key description , like vScope in this example.
- Choose Never expire.
- Click Add
2.3 IMPORTANT! You must save the client secret value or insert it directly to the vScope credential. It will only be shown once in Azure.
3. Add API permissions for Microsoft Graph
Now you need to add API permissions to the created application.
- Click on “API permissions”
- Click on “Add a permission”
Choose Microsoft Graph and click on Application permissions.
Application permissions for Microsoft Graph
- Under the AuditLog category– Check “Read all audit log data”
- Under under the Directory category – Check “Read Directory Data”
- Click Add permissions
IMPORTANT! Don’t forget to grant the permissions for the application. You do this down at “Grant consent”
Not an admin?
Ask your Azure administrator to grant the permissions. The admin can do this with the following steps:
- Log in to the Azure portal, navigate the the new application in app registrations. Click on API permissions.
- Click “Grant admin consent for…” and click Yes.
4. Grant Access to subscriptions
4.1 Navigate to “All services” and click “Subscriptions”.
4.2 Choose what subscription(s) you want vScope to inventory. (You need to contact the subscription owner if you can’t view any subscriptions).
4.3 Click “Access control (IAM)”. (See video below)
- Click “+Add… role assignment”
- Choose Role “Reader”
- Assign access to: Azure AD user, group or service principal.
- Search och select the vScope application
Create the Azure credential in vScopeLägg till Azure-credential i vScope
Now that the application is created and have read access to Azure you need to add the details to the Discovery Manager in vScope.
Create an AzureRM credential. The Application ID could be seen in step 1.4, the correct Domain can be found in your Azure Active Directory (see where in the picture below) and the Key was created in step 2.4.
Here’s where you can find the Domain for the credential.
vScope is now ready to inventory you Azure Resource Manager!
Tags: Office 365, O365, Office, Azure, Cloud Spend, Subscriptions, Spend