Setting up an Azure account
Create an Azure account and set up a policy to register that account in the CloudXper Management Platform.
Step 1: Set permissions for resource collection and synchronization
1. Create an application via the CLI and grant it a role on the subscription.
When registering using this method, you will need a Storage Account within Azure to run the CLI or PowerShell.
Please note that during the process, separate Resource Groups, Storage Accounts, and File service/File Share items within the Storage Account may be automatically created.
1-1. Log in to portal.azure.com and click the CLI menu.
1-2. If there is no Storage Account to run the CLI, the following screen appears. Click "Create" to create one and enter the CLI menu.
1-3. In the CLI command window, enter the following command.
create ad user
1-4. Copy and record the response results.
Important: the password generated at this time is valid for 1 year.
To reissue or renew this password, find the registered application under Azure Active Directory → App registrations → All applications and renew it there.
1-5. Left menu: Subscriptions > click the applicable subscription > Access Control (IAM) > Role assignments, and confirm that the AD user created in 1-4 is registered as a Contributor.
Note (2024-04-04): apps created via create-for-rbac will no longer have the Contributor role.
You can view the registered results of the created app under Microsoft Entra ID > App registrations > All applications in the left menu.
2. Registering a Custom Role
2-1. Left menu: Subscription > Click the corresponding subscription > Go to Access Control (IAM) menu > Roles tab.
2-2. Click Add > Add custom role and enter/select as follows.
In Baseline permissions, select “Clone a role” and in “Role to clone”, select Reader.
2-3. Go to the JSON tab, click the Edit button on the right, and change the contents of the actions item under permissions as follows. Then click the Save button.
add permission
2-4. Go to the Review + Create tab and click the create button to create a custom role.
3. Modify the Role of the registered Application
3-1. Go back to the Subscriptions menu > select the subscription > Access Control (IAM) menu.
3-2. In the Role assignment tab, select the CloudXper app designated as a Contributor and click “Remove”.
3-3. Click the Add button at the top.
3-4. Select as shown below in the right panel and click the Save button.
4. Register API Permissions
4-1. Go to All Services > Azure Active Directory.
4-2. Left tab: Select App Registration > View all applications.
4-3. Select the Application created in step 1 and go to the details page.
4-4. Left tab: select API Permissions > Add a permission > Microsoft Graph.
4-5. Search for Role Management and User, and add the following three permissions.
add permission
- RoleManagement: RoleManagement.Read.All, RoleManagement.Read.Directory
- User: User.Read.All
After that, click the Grant admin consent button for the default directory to request consent. If a separate administrator handles approval, wait until it is approved.
5. Share credentials after completion
5-1. After completing steps 1 through 4 (and obtaining the administrator's consent), share the results of items 1 through 4 with the CloudXper administrator email (cmpadmin.cloudxper@lgcns.com).
| item | detail |
|---|---|
| title | [CloudXper] Inventory Collection Registration Request |
| reception | cmpadmin.cloudxper@lgcns.com |
| detail | Request to register inventory collection. Account name: xx service xx environment (example). Azure Subscription ID: (enter the Azure subscription ID you registered) |
5-2. After completion, delete the resource group and storage account created in 1-2 if they are no longer needed.
Step 2: Set permissions for CSR execution (optional)
1. Application registration
1-1. Access the Azure portal and create an application as follows.
(1) Azure Active Directory menu > (2) App registrations tab > (3) Click New registration > (4) Enter 'CSR' in Name > (5) Click Register
(6) After creation, select CSR in Application to go to the details screen.
2. Add Client Secret
2-1. Add the Client secret to the CSR Application as follows.
(1) Click the Certificates & secrets tab > New client secret > (2) Set Expires to 12 months > (3) Click Add
(4) The added client secret is displayed.
2-2. The Value of the client secret created this way is the 'password' item that must be shared with CloudXper.
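The password created by the CLI in Step 1 (item 1-4) is valid for one year and the client secret above expires after 12 months; when either lapses, collection and CSR execution stop without any change on the CloudXper side. The following is an added example, not part of this guide: a small check that reads credential expiry dates in the shape returned by `az ad app credential list --id <appId>` and reports which ones are expired or due for renewal. The input is constructed sample data, and the application name "inventory-collector" is hypothetical (only "CSR" is the name used in this guide).

```python
"""Flag Azure AD application credentials that are expired or about to expire.

Added example, not part of the CloudXper guide. The sample data below is
CONSTRUCTED in the shape of `az ad app credential list --id <appId>` output
(only the fields used here); the app name "inventory-collector" is hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample input: application display name -> credential entries.
SAMPLE_CREDENTIALS = {
    "inventory-collector": [
        {"keyId": "11111111-1111-1111-1111-111111111111",
         "displayName": "rbac", "endDateTime": "2025-03-01T00:00:00Z"},
    ],
    "CSR": [
        {"keyId": "22222222-2222-2222-2222-222222222222",
         "displayName": "csr-secret", "endDateTime": "2025-06-15T00:00:00Z"},
        {"keyId": "33333333-3333-3333-3333-333333333333",
         "displayName": "old-secret", "endDateTime": "2024-01-10T00:00:00Z"},
    ],
}

# Report ordering: the most urgent status sorts first.
_URGENCY = {"expired": 0, "expiring": 1, "ok": 2}


def parse_azure_time(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps the Azure CLI emits (trailing "Z")."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_credentials(credentials_by_app, now=None, warn_days=30):
    """Return (app, keyId, status, days_left) tuples, most urgent first.

    status is "expired", "expiring" (ends within warn_days) or "ok".
    `now` may be a datetime or an ISO 8601 string; default is the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_azure_time(now)
    findings = []
    for app, creds in credentials_by_app.items():
        for cred in creds:
            remaining = parse_azure_time(cred["endDateTime"]) - now
            if remaining <= timedelta(0):
                status = "expired"
            elif remaining <= timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "ok"
            findings.append((app, cred["keyId"], status, remaining.days))
    return sorted(findings, key=lambda f: (_URGENCY[f[2]], f[3]))


def renewal_needed(credentials_by_app, now=None, warn_days=30):
    """Map each app to the keyIds that must be renewed (expired or expiring)."""
    needed = {}
    for app, key_id, status, _ in classify_credentials(credentials_by_app, now, warn_days):
        if status != "ok":
            needed.setdefault(app, []).append(key_id)
    return needed


if __name__ == "__main__":
    for app, key_id, status, days in classify_credentials(SAMPLE_CREDENTIALS):
        print(f"{status:9} {days:5d} days  {app}/{key_id}")
```

Run it on real output by replacing `SAMPLE_CREDENTIALS` with the parsed JSON from the CLI; a 30-day warning window leaves enough time to renew the secret in Certificates & secrets and send the new value to the CloudXper administrator before the old one lapses.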
3. Register API Permissions
3-1. In API permissions, select Azure Active Directory Graph as shown below.
(1) API permissions tab > (2) Click Add a permission button > (3) Select Azure Active Directory Graph at the bottom of Request API permissions on the right
3-2. Add Application permissions as follows.
(1) Select Application permissions > (2) Select 4 items (Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Policy.Read.All) > (3) Click Add permissions
(4) Click Grant admin consent for Default Directory > Yes. If a separate administrator handles approval, there will be a wait until the request is approved.
3-3. In API permissions, select Microsoft Graph as shown below.
(1) API permissions tab > (2) Click Add a permission button > (3) Select Microsoft Graph at the top in Request API permissions on the right
3-4. Add Application permissions as follows.
(1) Select Application permissions > (2) Search and select all RoleManagement items and all User items > (3) Click Add permissions
(4) Click Grant admin consent for Default Directory > Yes. If a separate administrator handles approval, there will be a wait until the request is approved.
4. Register Custom Role
4-1. Add a Custom Role in IAM.
(1) Subscriptions menu > (2) Click the corresponding subscription > (3) Access control (IAM) tab > Click the Add button > (4) Select Add custom role
4-2. Add permissions to the Custom Role.
(1) Select the JSON tab > (2) Click Edit, paste the JSON file below, then click Save > (3) Review + create > Create. Replace the subscription ID in assignableScopes with the ID of your own subscription.
CustomRoleDefinition.JSON
```json
{
  "properties": {
    "roleName": "CSR-for-CXP",
    "description": "Role for CSR Purposes for CXP",
    "assignableScopes": [
      "/subscriptions/76e4e1fa-7f2b-4acc-b095-157412ee6fa9"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.ClassicCompute/virtualMachines/start/action",
          "Microsoft.ClassicCompute/virtualMachines/restart/action",
          "Microsoft.ClassicCompute/virtualMachines/stop/action",
          "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
          "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
          "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
          "Microsoft.ClassicCompute/virtualMachines/delete",
          "Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/write",
          "Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/delete",
          "Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/write",
          "Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/delete",
          "Microsoft.Authorization/locks/read",
          "Microsoft.Authorization/locks/write",
          "Microsoft.Authorization/locks/delete",
          "Microsoft.ClassicCompute/virtualMachines/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/disks/write",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Compute/disks/beginGetAccess/action",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Compute/snapshots/beginGetAccess/action",
          "Microsoft.Compute/snapshots/endGetAccess/action",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/disks/endGetAccess/action",
          "Microsoft.Network/networkInterfaces/UpdateParentNicAttachmentOnElasticNic/action",
          "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
          "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read",
          "Microsoft.Network/networkInterfaces/tapConfigurations/delete",
          "Microsoft.Network/networkInterfaces/tapConfigurations/write",
          "Microsoft.Network/networkInterfaces/tapConfigurations/read",
          "Microsoft.Network/networkInterfaces/loadBalancers/read",
          "Microsoft.Network/networkInterfaces/ipconfigurations/join/action",
          "Microsoft.Network/networkInterfaces/ipconfigurations/read",
          "Microsoft.Network/networkInterfaces/diagnosticIdentity/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
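Both custom roles in this guide start from the Reader baseline (`*/read`, the role cloned in Step 1 item 2) and add non-read actions on top; the CSR role above also includes `Microsoft.Authorization/roleAssignments/write`, which lets the application change role assignments in the subscription, and `beginGetAccess` actions, which hand out SAS access to disk and snapshot contents. The following is an added example, not part of this guide and not CloudXper code: a review script that reads a role definition in the same JSON shape as CustomRoleDefinition.JSON and summarises what an approver should look at before assigning it. `EXAMPLE_ROLE_JSON` is a shortened excerpt of the CSR-for-CXP role with a placeholder subscription ID, and the category lists are the reviewer's own, not from the guide.

```python
"""Least-privilege review of an Azure custom role definition before assignment.

Added example, not part of the CloudXper guide. EXAMPLE_ROLE_JSON is a shortened
excerpt of the guide's CSR-for-CXP role with a PLACEHOLDER subscription ID; pass a
file path on the command line to review a full definition instead.
"""
import json
import sys

EXAMPLE_ROLE_JSON = """
{
  "properties": {
    "roleName": "CSR-for-CXP",
    "description": "Role for CSR Purposes for CXP",
    "assignableScopes": [ "/subscriptions/00000000-0000-0000-0000-000000000000" ],
    "permissions": [ {
      "actions": [
        "*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [], "dataActions": [], "notDataActions": []
    } ]
  }
}
"""

# Actions that change who may do what in the subscription. Reviewer's own list,
# not taken from the guide.
PRIVILEGE_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
}


def classify_action(action: str) -> str:
    """Bucket one RBAC action string by the kind of impact it has."""
    if action in PRIVILEGE_ACTIONS:
        return "privilege"
    if action.endswith("/beginGetAccess/action"):
        # Issues a SAS URI for a managed disk or snapshot, i.e. access to its contents.
        return "data-export"
    if action.endswith("/delete"):
        return "destructive"
    if action == "*/read" or action.endswith("/read"):
        return "read"
    return "write"


def review_role(definition: dict) -> dict:
    """Summarise a role definition (Azure 'properties' JSON shape) for review."""
    props = definition["properties"]
    actions = props["permissions"][0]["actions"]
    scopes = props["assignableScopes"]
    by_class = {}
    for action in actions:
        by_class.setdefault(classify_action(action), []).append(action)
    non_read = [a for a in actions if classify_action(a) != "read"]
    return {
        "roleName": props["roleName"],
        # Step 1 of the guide clones Reader, so "*/read" is the expected baseline.
        "reader_baseline": "*/read" in actions,
        "counts": {k: len(v) for k, v in by_class.items()},
        # A wildcard outside read actions (e.g. "*/write") widens the role silently.
        "wildcard_non_read": [a for a in non_read if "*" in a],
        "privilege": by_class.get("privilege", []),
        "data_export": by_class.get("data-export", []),
        # The role should be assignable only within the one subscription being onboarded.
        "single_subscription_scope": (
            len(scopes) == 1
            and scopes[0].startswith("/subscriptions/")
            and scopes[0].count("/") == 2
        ),
    }


def review_role_json(text: str) -> dict:
    """Parse a role definition JSON document and review it."""
    return review_role(json.loads(text))


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXAMPLE_ROLE_JSON
    print(json.dumps(review_role_json(source), indent=2))
```

Run it as `python review_role.py CustomRoleDefinition.JSON` to see the full CSR role broken down; the `privilege` and `data_export` lists are the items to justify explicitly in the registration request, and a non-empty `wildcard_non_read` or a scope above subscription level is a reason to send the definition back.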
5. Assign Role to Application
5-1. Assign the added 'Custom Role' to the 'CSR' Application.
(1) Subscriptions menu > (2) Click the corresponding subscription > (3) Access control (IAM) tab > Click the Add button > (4) Select Add role assignment
(5) Select 'CSR-for-CXP' in Role > Select User, group, or service principal in Assign access to > Search for and select 'CSR' in Select > Click Save
6. Share credentials after completion
6-1. After completing steps 1 through 5 (and obtaining the administrator's consent), share the results of items 1 through 5 with the CloudXper administrator email (cmpadmin.cloudxper@lgcns.com).
| item | detail |
|---|---|
| title | [CloudXper] Inventory CSR Performance Registration Request |
| reception | cmpadmin.cloudxper@lgcns.com |
| detail | Request to register inventory CSR performance. Account name: xx service xx environment (example). Azure Subscription ID: (enter the Azure subscription ID you registered) |
※ How to check registration information
You can check appId, displayName, name, and tenant in the CSR application > (1) Overview > (2) Essentials.
The password is the Value of the client secret created in item 2 above.
6-2. If you have separated the permissions and users for collection and for CSR execution, write a separate email for each person and share them.
Step 3: Guide to checking reservation purchase (optional)
You can request it through the TSC (Technical Support Center) portal.