
Before creating a vDiscovery job in NIOS and performing vDiscovery in Azure, you must create a discovery application and integrate it with Microsoft Entra ID (formerly Azure Active Directory) to provide secure sign-in and authorization. To integrate the application, you must register the application details with Microsoft Entra ID in the Azure portal.

You can also register a service principal using the Azure CLI or PowerShell. If you choose to use the CLI or PowerShell, refer to the Microsoft documentation for information about the Azure authentication mechanism and how to create a service principal with Azure Resource Manager. If you choose to use the Azure portal to register a service principal, you may still need to use the Azure CLI or PowerShell to customize the access scope for the newly created service principal. The default scope of access is the subscription scope that is associated with the user who creates the service principal.

To create and integrate an application in the Azure portal, complete the following steps:

  1. Sign in to your Microsoft Azure account.

  2. Register an application in the Azure portal:

    1. Click All services.

    2. Search for and click Microsoft Entra ID to open it, and then click App registrations in the left panel.
      Or,
      click App registrations.

    3. In the App registrations panel, either select an existing application or click + New registration to add a new application.

      [Screenshot: Azure App registrations panel]
    4. If you are adding a new application, enter the following details in the Register an application wizard to define your application:

      1. Name: Enter the name of your new application. The name identifies your application in Azure.

      2. Supported account types: Select the account type as Accounts in this organizational directory only.

      3. Redirect URI: Ensure that you use a unique URL for sign-in purposes.

      4. Click Register to add the application.
        Azure notifies you when the application is successfully created and opens the Overview page of the application. The page displays details such as Display name, Application (client) ID, Directory (tenant) ID, and Object ID.

      5. Copy the values of Application ID and the Directory ID that will be used in NIOS as Client ID and Tenant ID respectively when you define vDiscovery or DNS synchronization configurations.

  3. Assign API permissions to your application to allow it to access the selected API.

    1. Click API permissions in the left panel, and then click + Add a permission in the API Permissions panel.

    2. In the Request API permissions panel, under Microsoft APIs, click to select Azure Service Management as the API.

    3. Select Delegated permissions and the user_impersonation checkbox to permit the application to access the API as a user.

    4. Click Add permissions.

  4. Generate a client secret for your application. The application uses it as credentials to identify itself to the authentication service. Complete the following:

    1. In the left panel, click Certificates & secrets, and then click + New client secret.

    2. In the Add a client secret wizard, complete the following:

      • Description: Enter a name or a description for the generated key.

      • Expires: From the drop-down list, select an expiry for the key.
        Details of the client secret are displayed in the Client secrets section. The generated key is displayed in the Value field. It corresponds to the Client Secret in NIOS when you configure an admin account for your application, which is required for vDiscovery jobs and DNS sync tasks.

    3. Click Add.
      Important:
      Click the Copy to clipboard icon to copy the key in the Value field and save it for future use.
      The key value is displayed only at the time of the creation of the client secret. You will not be able to retrieve the key after you leave the page.

  5. Link the application to a subscription or a resource group, and then assign a role to control the access.
    You can configure a vDiscovery job or a DNS sync task in NIOS to discover resources and synchronize data from multiple subscriptions linked to the application.
    When you link the application to a subscription, all resources within the subscription will be discovered including the VMs, network interfaces, and virtual networks. If you do not need all entities within a subscription to be discovered, you can configure additional granularity by individually allotting permissions to a resource group. Resources such as VMs, network interfaces, and virtual networks within the specified resource groups will be discovered.

    1. According to the resources that must be discovered, perform one of the following:

      1. Navigate to All services > Subscriptions and click the name of the subscription to link the application.

      2. Navigate to All services > Resource groups and click the name of your resource group to link the application.

    2. In the left panel, click Access control (IAM).

    3. In the Access control (IAM) panel, click + Add > Add role assignment.

    4. In the Add role assignment wizard:

      1. In the Role panel, click Reader to select the row, and then click Next.

      2. In the Members panel, click + Select members.

      3. In the Select members panel, type the name of your registered application in the Select field to find it.

      4. In the results displayed, click the application name.
        The application gets added to the Selected members list.

      5. Click Select.

    5. Click Save.
      You have completed the configuration in Azure.

  6. Repeat Step 5 to associate multiple subscriptions or resource groups with the application.

Note

If the Reader role IAM permission is given just to the VMs instead of a subscription or a resource group, then vDiscovery will not discover any virtual entities.
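The note above describes a silent failure mode: a Reader assignment scoped to an individual VM looks correct in the portal but yields no discovered entities. The following Python script is an added example (not part of this page or of NIOS) that audits an application's role assignments and flags any that are scoped below a subscription or resource group. It assumes the JSON layout produced by `az role assignment list --assignee <app-id> --all -o json`, specifically the `scope` and `roleDefinitionName` fields; the sample assignments, subscription ID and resource names embedded below are constructed placeholders.

```python
"""Audit the scope of an application's Reader role assignments (added example).

Assumes `az role assignment list ... -o json` output with `scope` and
`roleDefinitionName` fields. The sample data below is constructed.
"""
import json
import re

# Subscription scope: /subscriptions/<id>
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
# Resource group scope: /subscriptions/<id>/resourceGroups/<name>
RESOURCE_GROUP_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE
)

# Constructed sample: one subscription-level Reader, one resource-group-level
# Reader, one Reader granted directly on a VM, and a Contributor that is not
# relevant to vDiscovery. The subscription ID is a placeholder.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.Compute/virtualMachines/vm-placeholder"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder"}
]
"""


def scope_level(scope: str) -> str:
    """Classify an Azure RBAC scope string.

    Returns 'subscription', 'resourceGroup', 'resource' (anything under a
    /providers/ segment, such as a single VM) or 'other' (e.g. management
    group scopes, which this example does not evaluate).
    """
    if SUBSCRIPTION_RE.match(scope):
        return "subscription"
    if RESOURCE_GROUP_RE.match(scope):
        return "resourceGroup"
    if scope.lower().startswith("/subscriptions/") and "/providers/" in scope:
        return "resource"
    return "other"


def audit_assignments(assignments, role="Reader"):
    """Split the given role's assignments into scopes vDiscovery can use
    (subscription or resource group) and scopes it ignores (single resources).

    Returns (usable, unusable); each entry is a (scope, level) tuple.
    """
    usable, unusable = [], []
    for assignment in assignments:
        if assignment.get("roleDefinitionName") != role:
            continue  # only the role vDiscovery relies on matters here
        scope = assignment["scope"]
        level = scope_level(scope)
        target = usable if level in ("subscription", "resourceGroup") else unusable
        target.append((scope, level))
    return usable, unusable


def audit_json(text, role="Reader"):
    """Convenience wrapper: parse `az role assignment list` JSON and audit it."""
    return audit_assignments(json.loads(text), role)


if __name__ == "__main__":
    usable, unusable = audit_json(SAMPLE_ASSIGNMENTS_JSON)
    for scope, level in usable:
        print(f"OK      {level:14s} {scope}")
    for scope, level in unusable:
        print(f"IGNORED {level:14s} {scope}  (vDiscovery will not discover anything here)")
```

Feed the script the real output of `az role assignment list --assignee <application-id> --all -o json` instead of the embedded sample; any line reported as IGNORED is an assignment that must be re-created at the subscription or resource-group level in Step 5.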

To configure vDiscovery jobs in NIOS, you must record the following information from the Azure portal:

  • Token Endpoint: This corresponds to the Service Endpoint field in NIOS. vDiscovery uses the OAUTH 2.0 TOKEN ENDPOINT (v1).
    The endpoint OAUTH 2.0 TOKEN ENDPOINT (v2) is not supported.
    To obtain token information for the endpoints:

    1. In the Azure portal, navigate to All services > App registrations.

    2. In the App registrations panel, click Endpoints.
      The Endpoints page appears showing the endpoint information.

    3. Copy the link from the table and use it to define the vDiscovery endpoint in NIOS. For more information, refer to the Infoblox NIOS Documentation.

  • Application ID: This corresponds to the Client ID when you configure the information of an endpoint in NIOS.

  • Key: Copy the key from the Keys panel and use it in the Client Secret field in NIOS.

    [Screenshot: vDiscovery Job Properties dialog box in NIOS]

Note

You can specify the same client ID and client secret for a vDiscovery job in which multiple subscriptions are associated with a single application.
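Before entering the endpoint, Client ID and Client Secret into NIOS, it is worth confirming that the copied endpoint is the v1 token endpoint and that the credentials actually obtain a token for the Azure Service Management API. The following Python script is an added example, not code from this page or from NIOS. It distinguishes the v1 path (`/<tenant>/oauth2/token`) from the unsupported v2 path (`/<tenant>/oauth2/v2.0/token`), checks that the tenant in the endpoint matches the Directory (tenant) ID copied in Step 2, and builds the client-credentials request that an integration using these values would send. The tenant ID, client ID and secret in the sample are constructed placeholders; `request_token` performs a live network call and is only invoked from the `__main__` block.

```python
"""Validate an Entra ID token endpoint and exercise a client secret (added example).

Tenant, client ID and secret below are constructed placeholders.
"""
import json
import urllib.parse
import urllib.request

# Resource identifier for the Azure Service Management API that the
# user_impersonation permission in Step 3 covers.
ARM_RESOURCE = "https://management.azure.com/"

# Constructed placeholders; replace with the values copied from the portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret-placeholder>"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"


def classify_token_endpoint(url: str) -> str:
    """Return 'v1', 'v2' or 'unknown' for an Entra ID token endpoint URL."""
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != "login.microsoftonline.com":
        return "unknown"
    parts = [p for p in parsed.path.split("/") if p]
    # v1: /<tenant>/oauth2/token       v2: /<tenant>/oauth2/v2.0/token
    if len(parts) == 3 and parts[1:] == ["oauth2", "token"]:
        return "v1"
    if len(parts) == 4 and parts[1:] == ["oauth2", "v2.0", "token"]:
        return "v2"
    return "unknown"


def tenant_from_endpoint(url: str) -> str:
    """Extract the tenant segment from a v1 or v2 token endpoint URL."""
    parts = [p for p in urllib.parse.urlparse(url).path.split("/") if p]
    return parts[0] if parts else ""


def build_token_request(endpoint, client_id, client_secret, expected_tenant=None):
    """Build the form body for a v1 client-credentials grant.

    Raises ValueError if the endpoint is not the v1 endpoint or if its tenant
    does not match the Directory (tenant) ID copied from the portal.
    """
    kind = classify_token_endpoint(endpoint)
    if kind != "v1":
        raise ValueError(f"endpoint is '{kind}'; vDiscovery requires the OAuth 2.0 v1 token endpoint")
    if expected_tenant and tenant_from_endpoint(endpoint).lower() != expected_tenant.lower():
        raise ValueError("tenant in endpoint does not match the Directory (tenant) ID")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM_RESOURCE,  # v1 uses 'resource', not a v2 'scope'
    }
    return urllib.parse.urlencode(body).encode()


def request_token(endpoint, client_id, client_secret, expected_tenant=None, timeout=10):
    """POST the grant to Entra ID and return the parsed JSON response (network call)."""
    data = build_token_request(endpoint, client_id, client_secret, expected_tenant)
    req = urllib.request.Request(
        endpoint, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("endpoint type:", classify_token_endpoint(TOKEN_ENDPOINT))
    token = request_token(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET, TENANT_ID)
    # A successful response carries access_token, expires_in and resource.
    print("token obtained for resource:", token.get("resource"))
```

If the script reports `v2`, the link copied from the Endpoints page is the wrong row; if the token request fails with an invalid-client error, the secret was most likely mistyped or has expired, and a new client secret must be generated under Certificates & secrets.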
