Azure Credentials - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide


The Credentials section of the Microsoft Azure Setup page lets you set and configure the credentials that Cloud Discovery & Visibility uses to access your Azure infrastructure.

In order to configure Cloud Discovery & Visibility for Azure, you must have the following:
  • Azure Service Principal credentials to access your Azure infrastructure.

  • At least one Subscription and Resource Group created on Azure.

Attention: As of Cloud Discovery & Visibility v22.1, the Basic authentication method has been removed from Azure due to a change in Azure Security policies. Azure Security policies now require Multi-factor authentication for accounts. Azure now offers only Service Principal accounts, and no longer offers service accounts with Basic Credentials.



Setting up Azure credentials

If you're running Cloud Discovery & Visibility (CDV) on an Azure Virtual Machine (VM) with a configured Managed Identity, you can tell CDV to automatically acquire authorization credentials from the Managed Identity for its VM environment. You can assign the built-in Reader role (Discovery) or the Contributor role (Discovery and Visibility) to the VM's Managed Identity, or use a custom role.

If you're not running on a VM, you must set up Azure credentials manually, specifying a Tenant and Client ID. (You can also choose to set up Azure credentials manually even if a Managed Identity is available.) You will also need the secret value for the Service Principal account that CDV will use.

To automatically authenticate CDV using the Managed Identity credentials on the VM:

  1. If you haven't already done so, set up a Managed Identity that has permission to run CDV for the Azure VM:

    1. In Microsoft Azure settings (for your Azure VM), go to the Subscriptions page and click your subscription.

    2. In the Subscription detail page, click Access Control (IAM).

    3. Click the +Add button to add a new role assignment.

      Tip: If you want to use a custom role, you can create one now. The custom role must have all necessary permissions to access all of CDV's features. For more details, see Azure environments.

    4. Click Add Role Assignment, then choose the role you want to assign.

      This can be the built-in Reader role (Discovery), the built-in Contributor role (Discovery and Visibility), or a custom role.

    5. In Assign access to, select Managed Identity.

    6. In Members, click Select members, then select the VM.

    7. Click Review and assign.

  2. In Cloud Discovery & Visibility, click Azure in the banner at the top, then click the Setup tab.

  3. Click to select the Use Virtual Machine credentials checkbox.

    Note: This checkbox is available only if CDV is running on a VM with a Managed Identity.

    You will no longer be able to directly configure the Service Principal Azure Parameters for the Service Principal account. Any changes to that account must be done through Azure itself.

  4. From now on, CDV will automatically log in using the Managed Identity role's assigned credentials.

    Tip: If you see the message "Cannot fetch subscriptions: ManagedIdentityCredential authentication unavailable", then the VM's Managed Identity status is turned off. You can turn it back on again in the VM environment's system settings. To do so, in Microsoft Azure settings for the VM, click Identity. Then, in the System assigned tab, toggle Status to On.
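
To check the result of step 1, the following added example (not BlueCat's code) audits the role assignments held by the identity CDV authenticates as, reading records shaped like the output of `az role assignment list --all --assignee <principal-id> --output json`. The principal ID, subscription ID, resource group and management group names are constructed placeholders, and treating Owner, User Access Administrator and above-subscription scopes as findings is this example's assumed policy.

```python
# Added example: audit the roles held by the identity CDV authenticates as.
# Input has the shape of `az role assignment list --all --assignee <id> -o json`.

# Built-in roles named on the page, mapped to the CDV feature level they enable.
CDV_ROLES = {"Reader": "Discovery", "Contributor": "Discovery and Visibility"}
# Assumed policy of this example: these built-in roles exceed what CDV needs.
EXCESSIVE = {"Owner", "User Access Administrator"}

def scope_kind(scope):
    """Classify an Azure RBAC scope string by how much of the tenant it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if not parts:
        return "root"
    if "managementgroups" in parts:
        return "management group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def audit(assignments, principal_id):
    """Return (role, scope kind, verdict) for every assignment held by principal_id."""
    findings = []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        role, kind = a["roleDefinitionName"], scope_kind(a["scope"])
        if role in EXCESSIVE:
            verdict = "excessive: replace with Reader or Contributor"
        elif kind in ("root", "management group"):
            verdict = "too broad: assign at subscription level instead"
        elif role in CDV_ROLES:
            verdict = "ok: " + CDV_ROLES[role]
        else:
            verdict = "custom/other: confirm it carries only CDV's permissions"
        findings.append((role, kind, verdict))
    return findings

# Constructed sample data; the IDs and names below are placeholders.
PID, SUB = "00000000-0000-0000-0000-0000000000aa", "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE = [
    {"principalId": PID, "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": PID, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-example"},
    {"principalId": PID, "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": PID, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
    {"principalId": "00000000-0000-0000-0000-0000000000bb", "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PID):
        print(*finding, sep=" | ")
```

The same check applies to a Service Principal configured manually: pass its object ID as `principal_id`.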

To configure Azure Credentials manually (without using a Managed Identity):

Under Azure Credentials, enter your Azure credentials:

  • In Cloud Discovery & Visibility, click Azure in the banner at the top, then click the Setup tab.

  • In the Azure Credentials section, in Directory (Tenant) ID, enter the tenant ID of the Service Principal account with which you authenticate with Azure.

  • In Application (Client) ID, enter the client ID of the Service Principal account with which you will authenticate with Azure.

  • In Client Secret Value, enter the secret value of the Service Principal account with which you will authenticate with Azure.

Specifying subscriptions and resource groups for Azure discovery

By default, CDV performs discovery on all resource groups within all subscriptions. To restrict the scope of discovery, you can instead specify a specific subscription, as well as a specific resource group within that subscription.

To select a specific subscription and/or resource group in which to perform discovery:

  • In Cloud Discovery & Visibility, click Azure in the banner at the top, then click the Setup tab.

  • In the Azure Credentials section, in Azure Subscription, select the subscription ID in Azure on which you would like to perform the discovery.

    By default, discovery is performed on all subscriptions in Azure.

  • In Resource Groups, select the resource group in Azure that you would like to perform the discovery on. To perform discovery on all resource groups within that subscription, select All subscriptions.

    This field appears only if you select a specific Azure subscription. If you are performing discovery on all subscriptions, discovery is performed on all resource groups in those subscriptions.

    Attention: Depending on the configuration and resources available in your Azure infrastructure, information may be overwritten, resulting in data loss. For more details on different discovery scenarios based on your defined Subscription and Resource Groups, see Azure Subscription and Resource Groups discovery scenarios.