
You can also register a service principal using the Azure CLI or PowerShell. If you do, refer to the Microsoft documentation on the Azure authentication mechanism and on creating a service principal with Azure Resource Manager. Even if you register the service principal in the Azure portal, you may still need the Azure CLI or PowerShell to narrow the access scope of the newly created service principal. The default scope of access is the subscription associated with the user who creates the service principal.

To create and integrate an application in the Azure portal, complete the following steps:

  1. Sign in to your Microsoft Azure account.

  2. Register an application in the Azure portal:

    1. Click All Services

    2. Search for and click Microsoft Entra ID to open it, and then click App registrations in the left panel.
      Or,
      Click App registrations.

    3. In the App registrations panel, either select an existing application or click + New registration to add a new application.

      Azure_App_Registration_Panel.png
    4. If you are adding a new application, enter the following details in the Register an application wizard to define your application:

      1. Name: Enter the name of your new application. The name identifies your application in Azure.

      2. Supported account types: Select Accounts in this organizational directory only, so that only identities in your own tenant can use the application.

      3. Redirect URI: This field is optional for this registration. If you set one, use a URL that is unique to this application.

      4. Click Register to add the application.
        Azure notifies you when the application is successfully created and opens the Overview page of the application. The page displays details such as Display name, Application (client) ID, Directory (tenant) ID, and Object ID.

      5. Copy the values of Application (client) ID and Directory (tenant) ID. You enter them in NIOS as the Client ID and Tenant ID respectively when you define vDiscovery or DNS synchronization configurations.

  3. Assign API permissions to your application to allow it to access the selected API.

    1. Click API permissions in the left panel, and then click + Add a permission in the API Permissions panel.

    2. In the Request API permissions panel, under Microsoft APIs, click to select Azure Service Management as the API.

    3. Select Delegated permissions and the user_impersonation checkbox to permit the application to access the API as a user.

    4. Click Add permissions.

  4. Generate a client secret for your application. The application presents it, together with the Client ID, as its credential when it authenticates to Microsoft Entra ID. Complete the following:

    1. In the left panel, click Certificates & secrets, and then click + New client secret.

    2. In the Add a client secret wizard, complete the following:

      • Description: Enter a name or a description for the secret.

      • Expires: From the drop-down list, select an expiry period for the secret. Choose the shortest period your rotation process can support; NIOS can no longer authenticate once the secret expires, so record the date and rotate the secret before then.

    3. Click Add.
      The new secret is listed in the Client secrets section, with the generated secret shown in the Value field. This value is the Client Secret that you enter in NIOS when you configure the admin account for your application that vDiscovery jobs and DNS sync tasks use.
      Important:
      Click the Copy to clipboard icon to copy the Value and store it securely (for example, in a secrets manager); it is the credential for this service principal.
      The value is displayed only at the time the client secret is created. You cannot retrieve it after you leave the page. If it is lost, create a new client secret and update the NIOS configuration.

  5. Link the application to a subscription or a resource group, and then assign a role to control its access.
    You can configure a vDiscovery job or a DNS sync task in NIOS to discover resources and synchronize data from multiple subscriptions linked to the application.
    When you link the application to a subscription, all resources within the subscription are discovered, including VMs, network interfaces, and virtual networks. If you do not need every entity in a subscription to be discovered, assign the role on individual resource groups instead; only the VMs, network interfaces, and virtual networks within those resource groups are then discovered.

    1. According to the resources that must be discovered, perform one of the following:

      1. Navigate to All services > Subscriptions and click the name of the subscription to link the application.

      2. Navigate to All services > Resource groups and click the name of your resource group to link the application.

    2. In the left panel, click Access control (IAM).

    3. In the Access control (IAM) panel, click + Add > Add role assignment.

    4. In the Add role assignment wizard:

      1. In the Role panel, click Reader to select the row, and then click Next.
        To discover and synchronize ALIAS records, you must assign the Contributor role to your registered application instead. Contributor also grants write access to everything within the scope, so prefer assigning it on the resource groups that need it rather than on the whole subscription.

      2. In the Members panel, click + Select members.

      3. In the Select members panel, type the name of your registered application in the Select field to find it.

      4. In the results displayed, click the application name.
        The application gets added to the Selected members list.

      5. Click Select.

    5. Click Save.
      You have completed the configuration in Azure.

  6. Repeat Step 5 to associate additional subscriptions or resource groups with the application.

Note

If the Reader role is assigned only on individual VMs rather than on a subscription or a resource group, vDiscovery does not discover any virtual entities. Always assign the role at subscription or resource-group scope.
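The procedure above can be scripted with the Azure CLI, as the opening paragraph notes. The following bash script is an added example, not Infoblox or Microsoft tooling: it creates the single-tenant app registration and its service principal, adds the delegated user_impersonation permission on the Azure Service Management API, generates a one-year client secret, and assigns the role at subscription or resource-group scope. Before assigning, check_scope refuses any scope narrower than a resource group, which is exactly the VM-only assignment the note above warns about. The application name nios-vdiscovery, the environment variable names and the output format are assumptions; the Azure Service Management application ID is its well-known value, and the script looks the permission scope ID up from it rather than hard-coding it. Run the script with the argument `apply` after `az login` as an account that can create app registrations and role assignments.

```shell
#!/usr/bin/env bash
# Added example (not Infoblox or Microsoft tooling): create the NIOS service
# principal with the Azure CLI instead of the portal. Assumed: the APP_NAME,
# SUBSCRIPTION_ID, RESOURCE_GROUP and ROLE variables and the output format.
set -euo pipefail

APP_NAME="${APP_NAME:-nios-vdiscovery}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-}"
RESOURCE_GROUP="${RESOURCE_GROUP:-}"   # empty = link the whole subscription
ROLE="${ROLE:-Reader}"                 # Contributor only when ALIAS records must sync
# Well-known application ID of the "Azure Service Management" API; confirm with
#   az ad sp show --id 797f4846-ba00-4fd7-ba43-dac1f8f63013 --query displayName
ARM_API_APP_ID="797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Build an ARM scope at subscription or resource-group level.
arm_scope() {
  local sub="$1" rg="${2:-}"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Accept only subscription- or resource-group-level scopes. A Reader
# assignment on individual VMs yields no discovered entities in NIOS.
check_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/*) return 1 ;;
    /subscriptions/*/resourceGroups/*) return 0 ;;
    /subscriptions/*/*) return 1 ;;
    /subscriptions/*) return 0 ;;
    *) return 1 ;;
  esac
}

create_service_principal() {
  [ -n "$SUBSCRIPTION_ID" ] || { echo "SUBSCRIPTION_ID is required" >&2; return 1; }
  local scope app_id sp_object_id tenant_id client_secret scope_id
  scope="$(arm_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
  check_scope "$scope" || { echo "refusing scope narrower than a resource group: $scope" >&2; return 1; }

  az account set --subscription "$SUBSCRIPTION_ID"
  tenant_id="$(az account show --query tenantId -o tsv)"

  # Step 2: single-tenant registration ("Accounts in this organizational directory only").
  app_id="$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg --query appId -o tsv)"
  sp_object_id="$(az ad sp create --id "$app_id" --query id -o tsv)"

  # Step 3: delegated user_impersonation on Azure Service Management; the scope ID
  # is read from the API's service principal (grant admin consent separately if your tenant requires it).
  scope_id="$(az ad sp show --id "$ARM_API_APP_ID" \
    --query "oauth2PermissionScopes[?value=='user_impersonation'].id" -o tsv)"
  az ad app permission add --id "$app_id" --api "$ARM_API_APP_ID" --api-permissions "${scope_id}=Scope"

  # Step 4: client secret. The value is returned exactly once.
  client_secret="$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)"

  # Step 5: role assignment on the subscription or resource group, never on VMs.
  # Using the object ID plus principal type avoids the directory lookup that can
  # fail while the new service principal is still replicating.
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$scope" >/dev/null

  # The three values NIOS asks for: Client ID, Tenant ID, Client Secret.
  printf 'CLIENT_ID=%s\nTENANT_ID=%s\nCLIENT_SECRET=%s\n' "$app_id" "$tenant_id" "$client_secret"
}

# Sanity check: sign in as the new principal and list what it can see.
verify_access() {   # usage: verify_access CLIENT_ID CLIENT_SECRET TENANT_ID
  az login --service-principal -u "$1" -p "$2" --tenant "$3" >/dev/null
  az resource list --subscription "$SUBSCRIPTION_ID" --query "[].{name:name,type:type}" -o table
}

if [ "${1:-}" = "apply" ]; then
  create_service_principal
fi
```

Call verify_access with the printed values before entering them in NIOS: an empty resource list usually means the role assignment is at the wrong scope or has not yet propagated. Treat the printed CLIENT_SECRET like a password; write it straight into a secrets manager rather than leaving it in shell history.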
