Azure Credentials - Adaptive Applications - BlueCat Gateway - 22.2.2

Cloud Discovery & Visibility Administration Guide

Product name
BlueCat Gateway

The Azure Credentials section of the Microsoft Azure Setup page lets you set and configure the credentials that Cloud Discovery & Visibility uses to access your Azure infrastructure.

In order to configure Cloud Discovery & Visibility for Azure, you must have the following:
  • Azure Service Principal credentials to access your Azure infrastructure.
  • At least one Subscription and Resource Group created on Azure.
Attention: As of Cloud Discovery & Visibility v22.1, the Basic authentication method has been removed from Azure due to a change in Azure Security policies. Azure Security policies now require Multi-factor authentication for accounts. Azure now offers only Service Principal accounts, and no longer offers service accounts with Basic Credentials.

If you're running Cloud Discovery & Visibility (CDV) on an Azure Virtual Machine (VM) with a configured Managed Identity, you can tell CDV to automatically acquire authorization credentials from the Managed Identity for its VM environment. You can assign the built-in Reader role (Discovery) or the Contributor role (Discovery and Visibility) to the the VM's Managed Identity, or use a custom role.

To automatically authenticate CDV using the Managed Identity credentials on the VM:

  1. If you haven't already done so, set up a Managed Identity that has permission to run CDV for the Azure VM:
    1. In Microsoft Azure settings (for your Azure VM), go to the Subscriptions page and click your subscription.
    2. In the Subscription detail page, click Access Control (IAM).
    3. Click the +Add button to add a new role assignment.
      Tip: If you want to use a custom role, you can create one now. The custom role must have all necessary permissions to access all of CDV's features. For more details, see Azure environments.
    4. Click Add Role Assignment, then choose the role you want to assign.

      This can be the built-in Reader role (Discovery), the built-in Contributor role (Discovery and Visibility), or a custom role.

    5. In Assign access to, select Managed Identity.
    6. In Members, click Select members, then select the VM.
    7. Click Review and assign.
  2. In Cloud Discovery & Visibility, click Azure in the banner at the top, then click the Setup tab.
  3. Click to select the Use Virtual Machine credentials checkbox.

    You will no longer be able to directly configure the Service Principal Azure Parameters for the Service Principal account. Any changes to that account must be done through Azure itself.

    Note: The User Virtual Machine credentials checkbox is disabled if CDV is not running on a VM with a Managed Identity.
  4. From now on, CDV will automatically log in using the Managed Identity role's assigned credentials.
    Tip: If you see the message "Cannot fetch subscriptions: ManagedIdentityCredential authentication unavailable", then the VM's Managed Identity status is turned off. You can turn it back on again in the VM environment's system settings. To do so, in Microsoft Azure settings for the VM, click Identity. Then, in the System assigned tab, toggle Status to On.

To configure Azure Credentials manually (without using a Managed Identity):

Under Azure Credentials, enter your Azure credentials:

  • In Directory (Tenant) ID, enter the tenant ID of the Service Principal account with which you authenticate with Azure.
  • In Application (Client) ID, enter the client ID of the Service Principal account with which you will authenticate with Azure.
  • In Client Secret Value, enter the secret value of the Service Principal account with which you will authenticate with Azure.
  • In Azure Subscription, select the subscription ID in Azure on which you would like to perform the discovery. By default, discovery is performed on all subscriptions in Azure.
  • In Resource Groups, select the resource group in Azure that you would like to perform the discovery on. By default, discovery is performed on all resource groups in Azure.
    Attention: You can now perform discovery at the Azure subscription level. Depending on the configuration and resources available in your Azure infrastructure, information may be overwritten resulting in data loss. For more information on discovery scenarios based on the defined Subscription and Resource Groups, refer to Example Azure Subscription and Resource Groups discovery scenarios.