If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to enable you to add a SkyFormation's Azure Cloud App Connector to your SkyFormation Platform.
You are about to create your own Application inside your Azure account.
1. Log into your Azure account (https://portal.azure.com).
2. Open Azure Active Directory
3. Navigate to Properties and keep aside the value of Directory ID (a.k.a. Tenant ID).
4. Navigate to App registrations and create a new app by clicking + New application registration.
5. Fill in the application details: Name: SkyFormationApp; Application type: Web app/API; Sign-on URL: https://www.skyformation.com
6. Click to select the newly created application
7. Keep aside the value of Application ID (a.k.a. Client ID).
8. Create a Key (a.k.a. Secret) by navigating to Keys; enter a name for the key, select a duration of Never expires, and click Save (only then is the key/secret generated).
NOTE: A key that never expires is a standing credential for everything granted to this application below. Keep it in a secrets manager rather than in a ticket or chat, and regenerate it if it is ever exposed.
9. Keep aside the generated key (a.k.a. Secret). Its value is shown only once, right after Save.
10. Add permissions for the application by navigating to Required permissions and clicking + Add.
Click Select an API, choose the API to add permissions for, and select each permission by checking its checkbox.
Click Save after each API's permissions are checked.
NOTE: Do not click the Select All checkbox. Azure has a UI glitch where this checkbox only ticks the permissions visually and does not actually select them.
Repeat the process for the following APIs/permissions:
- Application permissions
  - Read all users' full profiles
  - Read all groups
  - NOTE: If you use the Remediation API, refer to this document for additional required permissions.
Windows Azure Service Management:
- Delegated permissions
  - Access Azure Service Management as organization
11. Click Grant Permissions to actually apply all the permissions. This is the tenant-wide admin consent; until it is clicked the permissions are only requested, not granted.
12. Navigate to Subscriptions by clicking More Services -> Subscriptions
13. Select a subscription you wish to monitor (repeat steps 13-15 for every subscription you want to monitor).
14. Click Access control (IAM) and + Add.
NOTE: If the UI shows an error stating that the user does not have permission to set permissions, it could be caused by either:
a. The user is not an administrator (Owner or User Access Administrator) of the Subscription.
b. The subscription was generated by Office 365. This is a bug with Office 365; to overcome it, create a new Subscription. A Free or Pay-As-You-Go subscription is sufficient.
15. Select the following roles one by one, repeating this step for each role:
- Log Analytics Reader
- Storage Account Contributor
For each role, enter the name of the application in the search box, click it once it is found, and click Save to finish.
NOTE: These role assignments are separate from the API permissions. The application's API permissions are still only those granted to it in step 10; the roles only control what it can read in the selected subscription.
Log Analytics (used to be Operational Insights)
Note: This step, although described by MS as required in order to access this data source, was found to be optional as long as the Log Analytics Reader role was assigned in step 15.
In mid-2017 Microsoft introduced a new API for Log Analytics. As per the MS docs, these are the steps required to authenticate with it (though see the note above; taken from the Microsoft guide linked here).
1. From PowerShell on a Windows machine, create a service principal in your tenant for the Log Analytics API application, whose appId is ca7f3f0b-7d91-482c-8e09-c5d840d0eac5 (this is a Microsoft-published application; the command only makes it available in your tenant, it does not create a new application):
- If you do not have the Connect-AzureAD cmdlet installed in PowerShell, install it first by running the following in a new PowerShell session:
  Install-Module AzureAD
- Then run:
  Connect-AzureAD -TenantId <tenantId>
  New-AzureADServicePrincipal -AppId ca7f3f0b-7d91-482c-8e09-c5d840d0eac5 -DisplayName "Log Analytics API"
2. Repeat step 10, but choose the "Log Analytics API" application just created; select the permissions Read log analytics data and Read log analytics data as user, click Save, and then click Grant Permissions.
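The whole procedure above (steps 3-15 plus the Log Analytics step) can be scripted instead of clicked through. The script below is an added example written for this page; it is not SkyFormation's or Microsoft's own code. It assumes the AzureAD and Az PowerShell modules are installed (the AzureAD module the guide uses has since been deprecated by Microsoft, but it is kept here to match the guide), that the first API in step 10 is Microsoft Graph (the guide does not name it), and that the permission names resolve to User.Read.All / Group.Read.All (Graph), user_impersonation (Azure Service Management) and Data.Read (Log Analytics API); all of these are assumptions. It deliberately gives the secret a bounded lifetime instead of Never expires so that rotation is forced; change $SecretValidYears if the connector cannot accept a rotating key. Step 11 (Grant Permissions) still has to be done in the portal, as there is no AzureAD cmdlet for it.

```powershell
<#
  Added example, not part of the SkyFormation guide or Microsoft's docs: scripts steps 3-15
  and the Log Analytics step with the AzureAD and Az modules (both assumed installed).
  Lines marked "assumption" are not stated by the guide.
#>
param(
    [Parameter(Mandatory)] [string]   $TenantId,
    [Parameter(Mandatory)] [string[]] $SubscriptionIds,
    [string] $AppName   = 'SkyFormationApp',
    [string] $SignOnUrl = 'https://www.skyformation.com',
    [int]    $SecretValidYears = 1   # guide selects "Never expires"; bounded lifetime is this example's choice
)
$ErrorActionPreference = 'Stop'

# Resource (API) application IDs. The guide does not name the first API; Microsoft Graph is an assumption.
$GraphAppId        = '00000003-0000-0000-c000-000000000000'   # assumption
$ArmAppId          = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # Windows Azure Service Management
$LogAnalyticsAppId = 'ca7f3f0b-7d91-482c-8e09-c5d840d0eac5'   # Log Analytics API (from the guide)

Connect-AzureAD   -TenantId $TenantId | Out-Null
Connect-AzAccount -TenantId $TenantId | Out-Null

# Build one RequiredResourceAccess entry, resolving permission names to IDs from the API's own
# service principal instead of hard-coding GUIDs; throws if a name is not exposed by that API.
function New-RequiredAccess {
    param([string]$ResourceAppId, [string[]]$AppRoles = @(), [string[]]$Scopes = @())
    $api = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $api) { throw "No service principal for $ResourceAppId in tenant $TenantId" }
    $rra = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $rra.ResourceAppId  = $ResourceAppId
    $rra.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
    foreach ($name in $AppRoles) {          # application permissions ("Role")
        $role = $api.AppRoles | Where-Object { $_.Value -eq $name }
        if (-not $role) { throw "$($api.DisplayName) exposes no application permission '$name'" }
        $rra.ResourceAccess.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $role.Id, 'Role'))
    }
    foreach ($name in $Scopes) {            # delegated permissions ("Scope")
        $perm = $api.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if (-not $perm) { throw "$($api.DisplayName) exposes no delegated permission '$name'" }
        $rra.ResourceAccess.Add((New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $perm.Id, 'Scope'))
    }
    return $rra
}

# Log Analytics step 1: the API's service principal must exist in the tenant before it can be requested.
if (-not (Get-AzureADServicePrincipal -Filter "appId eq '$LogAnalyticsAppId'")) {
    New-AzureADServicePrincipal -AppId $LogAnalyticsAppId -DisplayName 'Log Analytics API' | Out-Null
}

# Steps 4-7: register the application and create its service principal (the identity roles are assigned to).
$app = New-AzureADApplication -DisplayName $AppName -Homepage $SignOnUrl -ReplyUrls @($SignOnUrl)
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Steps 8-9: client secret. The value is returned exactly once and cannot be read back later.
$now    = Get-Date
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -CustomKeyIdentifier 'SkyFormation' `
              -StartDate $now -EndDate $now.AddYears($SecretValidYears)

# Step 10 and Log Analytics step 2: requested API permissions (permission value names are assumptions).
$required = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
$required.Add((New-RequiredAccess -ResourceAppId $GraphAppId -AppRoles 'User.Read.All', 'Group.Read.All'))
$required.Add((New-RequiredAccess -ResourceAppId $ArmAppId -Scopes 'user_impersonation'))
$required.Add((New-RequiredAccess -ResourceAppId $LogAnalyticsAppId -AppRoles 'Data.Read' -Scopes 'Data.Read'))
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required

# Step 11 has no AzureAD cmdlet: an administrator must still click Grant Permissions (admin consent).
Write-Warning "Grant Permissions (admin consent) for $AppName still has to be done in the portal."

# Steps 12-15: subscription role assignments. A freshly created principal can take a moment to
# replicate, so the assignment is retried rather than failing on the first attempt.
foreach ($subId in $SubscriptionIds) {
    Set-AzContext -SubscriptionId $subId | Out-Null
    foreach ($role in 'Log Analytics Reader', 'Storage Account Contributor') {
        for ($try = 1; $try -le 6; $try++) {
            try {
                New-AzRoleAssignment -ObjectId $sp.ObjectId -RoleDefinitionName $role -Scope "/subscriptions/$subId" | Out-Null
                break
            } catch {
                if ($try -eq 6) { throw }
                Start-Sleep -Seconds 10
            }
        }
    }
}

# What the connector needs. The secret appears here once; hand it over through a secrets manager.
[pscustomobject]@{
    TenantId     = $TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.Value
    SecretExpiry = $secret.EndDate
}
```

Run it as an Azure AD administrator who is also Owner (or User Access Administrator) of each subscription listed, e.g. `.\New-SkyFormationApp.ps1 -TenantId <tenantId> -SubscriptionIds <subId1>,<subId2>`. Resolving permission names against the API's own service principal rather than pasting GUIDs is what makes the step 10 "Select All" glitch irrelevant here: every requested permission is either resolved and added or the script stops with the name that could not be found.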
You are done!
Now you are ready to add a SkyFormation Azure Connector to your SkyFormation Platform.
Please make sure you keep your:
- Client ID of your newly created Azure app
- Tenant ID
- Generated key (secret)