The following section describes how to configure Azure access when Cloud Resolver is deployed in any of the following environments:
- Cloud Resolver is deployed on-premises
- Cloud Resolver is deployed in Azure
- Cloud Resolver is deployed in another cloud environment
To configure permissions to remote tenants:
- In each remote tenant, create an Application Registration for Cloud Resolver so that it can discover and resolve queries for data located in that remote tenant or its subscriptions.
- Generate a Client Secret for each Application. The Client Secret will be stored either in Azure Vault or HashiCorp Vault.
- In the remote tenant AAD, create an App Role for the Application with Allowed Member type set to Applications.
- In the remote tenant, create a Custom Role for Cloud Resolver with the following
- In the remote tenant, create a Role Assignment for the Service Principal and the Application Role.
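As an added example (not part of the Cloud Resolver documentation), a small Python pre-flight check a reviewer can run over the App Role manifest entry and the custom role definition before creating the Role Assignment: it confirms the App Role admits only application members, that the custom role carries no write-capable wildcard actions, and that its assignable scope is limited to specific subscriptions or management groups. The sample objects are constructed; the GUIDs and the Actions list are placeholders, since the page does not reproduce the permission list.

```python
# Constructed sample App Role entry, shaped like an "appRoles" item in an app manifest.
APP_ROLE = {
    "allowedMemberTypes": ["Application"],
    "displayName": "CloudResolver.Access",
    "value": "CloudResolver.Access",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
    "isEnabled": True,
}

# Constructed custom role definition in Azure RBAC JSON shape.
# The Actions list is a placeholder; use the list from the Cloud Resolver documentation.
CUSTOM_ROLE = {
    "Name": "Cloud Resolver Discovery (placeholder)",
    "IsCustom": True,
    "Actions": ["Microsoft.Network/*/read"],
    "NotActions": [],
    "DataActions": [],
    "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"],  # placeholder
}

SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def check_app_role(role: dict) -> list:
    """Problems with an App Role meant for service principals (Allowed Member type: Applications)."""
    problems = []
    if role.get("allowedMemberTypes") != ["Application"]:
        problems.append("allowedMemberTypes must be exactly ['Application']; 'User' would allow user assignment")
    if not role.get("isEnabled"):
        problems.append("isEnabled is false; the Role Assignment would grant nothing")
    return problems


def check_custom_role(role: dict) -> list:
    """Least-privilege problems in a custom role definition."""
    problems = []
    if not role.get("IsCustom"):
        problems.append("IsCustom must be true for a custom role")
    for action in role.get("Actions", []) + role.get("DataActions", []):
        # "*" or a trailing "/*" grants every operation on the provider, including writes.
        if action == "*" or action.endswith("/*"):
            problems.append(f"wildcard action {action!r} is not read-only")
    scopes = role.get("AssignableScopes", [])
    if not scopes or not all(s.startswith(SCOPE_PREFIXES) for s in scopes):
        problems.append("AssignableScopes must name specific subscriptions or management groups")
    return problems


def validate(app_role: dict = APP_ROLE, custom_role: dict = CUSTOM_ROLE) -> dict:
    """Run both checks; empty lists mean the objects are ready for the Role Assignment step."""
    return {"app_role": check_app_role(app_role), "custom_role": check_custom_role(custom_role)}
```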