Connect your Azure Subscription

Now that you are logged in to Cloudockit (click here if you are not logged in yet), you can connect your Azure Subscription.

From the list of platforms, select Azure.

You will be prompted with multiple options to connect to your Azure subscription. Please note that the list of options depends on the identity provider you chose when you logged into Cloudockit.

Connection Options

Keep going with this account (SaaS, Container)

  • Choose this option if you want to continue with your Azure Active Directory account
  • Do not choose this option for Azure Government, China or Germany
  • This option will display only if you are already connected using Azure Active Directory

Use another account (SaaS)

  • Choose this option if you want to use another Azure Active Directory account
  • Typically, if you are a consultant, you may want to use an account provided by your client
  • Do not choose this option for Azure Government, China or Germany
  • This option will display only if you are already connected to Azure Active Directory

Log in with Azure Active Directory (SaaS)

  • This option will display only if you are not already connected using Azure Active Directory
  • Enter the name of the Azure Active Directory tenant. Remember that the tenant name and the account you are using need to be linked to at least one Azure Subscription. Click here for more information on how to find your tenant's name.

AAD Application (SaaS, Desktop, Container) – see below for instructions

  • Choose this option if you want to connect to your Azure Subscription using an AAD Application (also called a Service Principal) instead of your own identity
  • Choose this option for Azure Government, China, Germany or Public

Managed Identity (Desktop) – see below for instructions

  • Choose this option if you want to connect to your Azure Subscription with a Managed Identity.
  • You will need to enable managed identity on the virtual machine where Cloudockit is installed and grant that virtual machine read privileges on the subscription you want to document. Click here if you want to set this up.

Once connected, you should see the list of Subscriptions you have access to. If you do not see any subscriptions, please click here for help.


Creating an AAD Application 

This is a two-step procedure:

  • Step 1: Create the AAD Application
  • Step 2: Give the AAD Application the appropriate permissions

STEP 1: CREATE THE AAD APPLICATION

Navigate to https://portal.azure.com and select the Azure Active Directory blade.

Select App registrations.

Click New registration and fill in the following fields:

  • Name: App Registration Name of your choice
  • Supported account types: Accounts in this organizational directory only

Click Register.

Once the application has been created, take note of the following values:

  • Directory (tenant) ID
  • Application (client) ID

Click Certificates & secrets, then click New client secret.

Fill in the following fields:

  • Description: Enter the description of your choice
  • Expires: Choose the expiration of your choice

Click Add.

Copy the value and keep it together with the Directory ID and Application ID.

Note: This value is only visible right after its creation. You will have to create a new one if you have not saved it.

STEP 2: GIVE THE AAD APPLICATION THE APPROPRIATE PERMISSIONS

From the Azure Portal, go to Subscriptions.

Select the subscription of your choice.

Select Access Control (IAM).

Click Add, then Add role assignment.

Fill in the following fields:

  • Role: Reader
  • Select: Enter the name of the app registration and pick it from the list so that it appears in the Selected members section.

Click Save.
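The same two steps scripted with the Az PowerShell module, as an added example that is not Cloudockit's own code; it assumes an existing Connect-AzAccount session, and $SubscriptionId and $AppName are placeholders you replace with your own values.

```powershell
# Added example (not Cloudockit's code). Requires the Az module and a session
# opened with Connect-AzAccount. Both values below are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$AppName        = "cloudockit-documentation"               # placeholder

# Step 1: app registration limited to this directory, i.e. the portal's
# "Accounts in this organizational directory only".
$app = New-AzADApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg"

# The service principal is the identity the role assignment is bound to.
# Recent Az.Resources versions assign it no role by default; the check at the
# end confirms that only Reader ends up on the subscription.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Client secret with a bounded lifetime (six months here). As in the portal,
# SecretText is readable only now; hand it to Cloudockit from a secret store
# rather than writing it to disk or to the console.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# Step 2: Reader on this subscription only, which is all documentation needs.
$scope = "/subscriptions/$SubscriptionId"
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -Scope $scope | Out-Null

# Verify that Reader, and nothing broader, is assigned at the subscription scope.
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object -ExpandProperty RoleDefinitionName
$tooBroad = @("Owner", "Contributor") | Where-Object { $assigned -contains $_ }
if (($assigned -contains "Reader") -and -not $tooBroad) {
    Write-Host "Role assignment OK: Reader only at $scope"
} else {
    Write-Warning "Unexpected roles at ${scope}: $($assigned -join ', ')"
}

# The two identifiers Cloudockit asks for next to the secret.
[pscustomobject]@{
    "Directory (tenant) ID"   = (Get-AzContext).Tenant.Id
    "Application (client) ID" = $app.AppId
}
```

The secret itself stays in $cred.SecretText for the duration of the session; it is deliberately not printed.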


Activating Managed Identity

ENABLING MANAGED IDENTITY WHEN CREATING A VIRTUAL MACHINE

When creating a new virtual machine, under Identity in the Management tab, check the box System assigned managed identity.

ENABLE MANAGED IDENTITY ON AN EXISTING VIRTUAL MACHINE

Open the Azure portal and select the virtual machine.
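The same setup from the Az PowerShell module, as an added example that is not Cloudockit's own code: it turns on the system-assigned identity of the VM running Cloudockit and grants it Reader on the subscription to document. It assumes a Connect-AzAccount session; $ResourceGroup, $VmName and $SubscriptionId are placeholders.

```powershell
# Added example (not Cloudockit's code). Requires the Az module and a session
# opened with Connect-AzAccount. The three values below are placeholders.
$ResourceGroup  = "rg-cloudockit"                            # placeholder
$VmName         = "vm-cloudockit"                            # placeholder
$SubscriptionId = "00000000-0000-0000-0000-000000000000"     # placeholder

# Equivalent of ticking "System assigned managed identity" on the VM.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM: the identity's PrincipalId is populated only after the update.
$principalId = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName).Identity.PrincipalId
if (-not $principalId) { throw "No managed identity was created on $VmName" }

# Reader at subscription scope is all the documentation run needs.
# A freshly created identity can take a moment to replicate, so retry briefly
# instead of failing on the first "principal does not exist" error.
$scope = "/subscriptions/$SubscriptionId"
$attempt = 0
do {
    try {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Reader" -Scope $scope | Out-Null
        $done = $true
    } catch {
        $attempt++
        if ($attempt -ge 5) { throw }
        Start-Sleep -Seconds 10
        $done = $false
    }
} until ($done)

# Confirm the assignment before starting Cloudockit on the VM.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```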


Permissions and Privileges 

GENERAL DOCUMENTATION

To generate documentation using Cloudockit, only Reader privileges are required at the subscription level.

DROP-OFF

To drop off documentation in the storage account, the credentials used to generate the documentation must have Contributor privileges.

AZURE CLASSIC RESOURCES

Classic resources will not appear in the documentation with Reader privileges alone.

You must add the user of your choice as a Classic Administrator of the subscription.

For more information, see Classic subscription administrator roles, Azure roles, and Azure AD roles.

AZURE ACTIVE DIRECTORY

Cloudockit cannot retrieve data from Azure Active Directory with Reader privileges alone.

The credentials used to generate the documentation must have the Azure AD Global Administrator role.

AZURE BILLING

Limited billing information can be retrieved using Reader privileges. To get access to the billing information, you must give the credentials Billing Reader privileges.

AZURE SECURITY CENTER

To read information from the Azure Security Center through the compliance rules, the credentials used to generate the documentation must have Security Reader privileges.

DEPENDENCY DETECTION IN AZURE APP SERVICES

Cloudockit automatically detects dependencies between components such as Azure App Services and Functions and components such as storage, queues, etc.

To do so, Cloudockit scans the App Settings and App Connection Strings to detect the components the App Service communicates with.

Contributor access, on the App Service only, is needed to allow Cloudockit to list the App Settings and Connection Strings. With Reader privileges only, you will see the App Service details but not the dependencies.

AZURE KUBERNETES SERVICES

The credentials used to generate the documentation must have Azure Kubernetes Service RBAC Writer access, on the Kubernetes cluster only, to allow Cloudockit to connect to the cluster and retrieve the details.
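A least-privilege check over the roles listed in this section, as an added example that is not Cloudockit's own code: it lists the Azure RBAC assignments of the principal Cloudockit uses and flags roles this page does not call for, or roles the page requires only on a single resource (App Service, AKS cluster, and, as assumed here, the drop-off storage account) that were granted subscription-wide. It assumes a Connect-AzAccount session; $PrincipalObjectId and $SubscriptionId are placeholders.

```powershell
# Added example (not Cloudockit's code). Requires the Az module and a session
# opened with Connect-AzAccount. Both values below are placeholders.
$PrincipalObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope = "/subscriptions/$SubscriptionId"

# Azure RBAC roles named on this page and the scope at which each is expected.
# Classic Administrator and Azure AD Global Administrator are not RBAC roles
# and do not show up in Get-AzRoleAssignment, so they are not checked here.
$documented = @{
    "Reader"                               = "subscription"
    "Billing Reader"                       = "subscription"
    "Security Reader"                      = "subscription"
    "Contributor"                          = "resource (drop-off storage account or App Service, assumed)"
    "Azure Kubernetes Service RBAC Writer" = "resource (AKS cluster)"
}

$assignments = @(Get-AzRoleAssignment -ObjectId $PrincipalObjectId)
foreach ($a in $assignments) {
    $role = $a.RoleDefinitionName
    # Anything not nested below the subscription is subscription-wide or broader.
    $subscriptionWide = -not $a.Scope.StartsWith("$scope/")
    if (-not $documented.ContainsKey($role)) {
        Write-Warning "$role at $($a.Scope): not a role this page calls for, review it"
    } elseif ($documented[$role] -like "resource*" -and $subscriptionWide) {
        Write-Warning "$role at $($a.Scope): needed only on the $($documented[$role])"
    } else {
        Write-Host "OK: $role at $($a.Scope)"
    }
}

# Reader at subscription scope is the one assignment every documentation run needs.
$hasReader = $assignments | Where-Object { $_.RoleDefinitionName -eq "Reader" -and $_.Scope -eq $scope }
if (-not $hasReader) {
    Write-Warning "Reader is missing at $scope; documentation generation will not work"
}
```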
