Access to Cloudockit denied by your security policies

As a new Cloudockit user on Azure, you could be confronted to the following dialog while login in for the first time:

This usually means that your organization has not yet approved the use of Cloudockit.

Cloud admin action: approve Cloudockit within your organization

To let Cloudockit be accessible to your users in your organization, you’ll need to add 2 Enterprise Applications:

You could manually create these applications but the easiest way to add them is to login to Cloudockit with an admin account (you can later contact Support@cloudockit.com to remove this user).

Add the first Cloudockit Enterprise app

As you login to Cloudockit, you’ll be asked to Consent on behalf of your organization:

As you can see, the required permission is:

• Sign in and read user profile: this permission will let Cloudockit identify users and compare their email address with the license database information in order to let them use Cloudockit.

As soon as you click on Accept, you’ll see the new Enterprise Application appear in the AAD portal:

Add the second Cloudockit Enterprise app

To add the second Cloudockit Enterprise application, select Microsoft Azure as the platform you’d wish to scan, then click on Keep going with this account.

After authenticating a second time, you’ll see the following dialog box:

As you can see, the required permissions are:

• Sign in and read user profile: this permission will let Cloudockit identify users and compare their email address with the license database information in order to let them use Cloudockit
• Access Azure Service Management as organization users: this permission will allow Cloudockit to impersonate the users (or AAD App Registrations) so as to scan the Azure subscriptions this user (or AAD App Reg) has access to

As soon as you click on Accept, you’ll see the second Enterprise Application appear in the AAD portal:

Your users should then be able to login and use the Cloudockit SaaS Application.

Cloudockit login error: Need admin approval

In some situations, companies security policies won’t allow their employees access the Cloudockit application when logging with Azure Active Directory (Azure login).

In such situations, the users will see a message similar to this one:

As indicated in the highlighted text, an Azure administrator will need to grant the user access to the application.

Cloud admin action – Granting access to Cloudockit to users

In the Azure Portal, navigate to the Enterprise applications blade and enter cloudockit in the filter:

For each Enterprise application, add the users who need access to Cloudockit to the Users and groups blade :

Note: Cloudockit requires 2 Enterprise applications: one for the initial authentication of the users when they log into Cloudockit and a second one with the impersonation permission for the subscriptions scanning. The users should be granted access to both.