Configuring permissions to access remote tenants - BlueCat Cloud Resolver - 1.5.0

BlueCat Cloud Resolver Administration Guide

Use this section to configure Azure access to remote tenants when Cloud Resolver is deployed in any of the following environments:
  • Cloud Resolver is deployed on-premises
  • Cloud Resolver is deployed in Azure
  • Cloud Resolver is deployed in another cloud environment
To configure permissions to remote tenants:
  1. Create an Application Registration for Cloud Resolver in each remote tenant that holds data it must discover and resolve queries for (data in remote tenants or in their subscriptions).
  2. Generate a Client Secret for each Application. Store the Client Secret in Azure Key Vault or HashiCorp Vault; Cloud Resolver reads it from the vault, so it should not be copied into configuration files.
  3. In the remote tenant's AAD (Microsoft Entra ID), create an App Role for the Application with the Allowed Member type set to Applications.
  4. In the remote tenant, create a Custom Role for Cloud Resolver with the following permissions. All of them are read actions: Cloud Resolver only discovers zones, links, record sets and private endpoints, so the role should contain no write, delete or data actions.
    • Microsoft.Network/privateDnsZones/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
    • Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    • Microsoft.Network/privateDnsZones/ALL/read (ALL stands for every record type under the zone, for example Microsoft.Network/privateDnsZones/A/read; in an Azure role definition this is written with a wildcard, Microsoft.Network/privateDnsZones/*/read)
    • Microsoft.Network/privateDnsZones/recordsets/read
    • Microsoft.Network/privateEndpoints/read
    • Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
    • Microsoft.Resources/subscriptions/providers/read
    • Microsoft.Resources/subscriptions/read
  5. In the remote tenant, create a Role Assignment that grants the Custom Role to the Application's Service Principal. Scope the assignment to the subscriptions Cloud Resolver must read rather than to the whole tenant, so the read-only role cannot be used to enumerate subscriptions it has no business with.
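The five steps above, scripted with the Azure CLI, as an added example that is not BlueCat's or Microsoft's own code. It assumes `az` is already logged in as an administrator of the remote tenant, that a Key Vault named in the third argument exists in that tenant, and that the role name, the app role value and the secret name are placeholders you may rename. The page's `ALL/read` entry is rendered as the wildcard `Microsoft.Network/privateDnsZones/*/read`, which is my reading of "every record type"; check it against the vendor's role template. `az ad sp create` returning the object id under `id` assumes a Graph-based Azure CLI (2.37 or later). The `actions_are_read_only` check runs before anything is created and refuses any action that is not a read on the Microsoft.Network or Microsoft.Resources providers, which is the least-privilege property the custom role is meant to have.

```shell
#!/bin/sh
# Added example: automates "Configuring permissions to access remote tenants".
# Not vendor code. Names below are assumptions; the az commands are the
# documented Azure CLI commands for each step.
set -eu

ROLE_NAME="BlueCat Cloud Resolver Reader"      # assumed custom role name
APP_NAME="BlueCat Cloud Resolver"              # assumed app registration name
APP_ROLE_VALUE="CloudResolver.Read"            # assumed app role value

# Permissions from the page; ALL/read expressed as a record-type wildcard (assumption).
ROLE_ACTIONS="Microsoft.Network/privateDnsZones/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/*/read
Microsoft.Network/privateDnsZones/recordsets/read
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
Microsoft.Resources/subscriptions/providers/read
Microsoft.Resources/subscriptions/read"

# Least-privilege gate: every action must be a /read on one of the two providers
# Cloud Resolver needs. Anything else (write, delete, action, a bare "*") fails.
actions_are_read_only() {
  for a in "$@"; do
    case "$a" in
      Microsoft.Network/*/read|Microsoft.Resources/*/read) ;;
      *) echo "refusing non-read action: $a" >&2; return 1 ;;
    esac
  done
  return 0
}

# Step 4: emit the custom role definition for one subscription, as az expects it.
role_definition_json() {
  sub="$1"
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$ROLE_NAME"
  printf '  "Description": "Read-only discovery of Private DNS zones, VNet links and private endpoints",\n'
  printf '  "Actions": [\n'
  first=1
  for a in $ROLE_ACTIONS; do
    [ "$first" -eq 1 ] && first=0 || printf ',\n'
    printf '    "%s"' "$a"
  done
  printf '\n  ],\n  "NotActions": [],\n  "DataActions": [],\n  "NotDataActions": [],\n'
  printf '  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$sub"
}

# Steps 1-5 for one remote tenant. Arguments: tenant id, subscription id, Key Vault name.
configure_remote_tenant() {
  tenant="$1"; sub="$2"; vault="$3"
  actions_are_read_only $ROLE_ACTIONS
  az login --tenant "$tenant" >/dev/null
  az account set --subscription "$sub"

  # Step 1: application registration plus its service principal in this tenant.
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Step 2: client secret goes straight into Key Vault and is never printed.
  # (--value exposes the secret in the process list for an instant; use --file
  # from a tmpfs path if that matters in your environment.)
  secret=$(az ad app credential reset --id "$app_id" --append --years 1 --query password -o tsv)
  az keyvault secret set --vault-name "$vault" --name "cloud-resolver-$tenant" --value "$secret" >/dev/null
  unset secret

  # Step 3: app role whose allowed member type is Applications (id must be a fresh GUID).
  role_id=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
  az ad app update --id "$app_id" --app-roles "[{\"id\":\"$role_id\",\"allowedMemberTypes\":[\"Application\"],\"displayName\":\"Cloud Resolver\",\"description\":\"Read DNS data for Cloud Resolver\",\"isEnabled\":true,\"value\":\"$APP_ROLE_VALUE\"}]"

  # Step 4: custom role, assignable only within this subscription.
  tmp=$(mktemp)
  role_definition_json "$sub" > "$tmp"
  az role definition create --role-definition @"$tmp" >/dev/null
  rm -f "$tmp"

  # Step 5: assign the custom role to the service principal at subscription scope.
  az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "/subscriptions/$sub" >/dev/null
  echo "configured $APP_NAME (appId $app_id) in tenant $tenant, subscription $sub"
}

# Usage: sh remote-tenant.sh apply <tenant-id> <subscription-id> <keyvault-name>
if [ "${1:-}" = "apply" ] && [ "$#" -eq 4 ]; then
  configure_remote_tenant "$2" "$3" "$4"
fi
```

Run it once per remote tenant, with the subscription that holds the Private DNS zones; repeat step 5 (or pass another subscription) for each additional subscription in the same tenant instead of widening `AssignableScopes` to the tenant root.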