
Microsoft Azure

Prerequisites Roles

DivvyCloud supports a large number of Microsoft Azure services and adds services regularly. To access these services, we recommend using either a read-only role or a power-user role.

If you are interested in operating in a read-only fashion, which will prevent DivvyCloud from taking actions against your Microsoft Azure resources, then we recommend using the DivvyCloud Standard User role.

If you would like to use DivvyCloud to manage your Microsoft Azure resources directly or through the use of Bots, then use the DivvyCloud Power User role.

DivvyCloud Standard User Role

{
  "Name": "DivvyCloud Standard User",
  "Id": null,
  "IsCustom": true,
  "Description": "Provides read-only access to resources supported by DivvyCloud.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Cache/redis/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/locations/*/read",
    "Microsoft.Compute/skus/read",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.DBforMySQL/locations/performanceTiers/read",
    "Microsoft.DBforMySQL/performanceTiers/read",
    "Microsoft.DBforMySQL/servers/configurations/read",
    "Microsoft.DBforMySQL/servers/firewallRules/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.DBforMySQL/servers/virtualNetworkRules/read",
    "Microsoft.DBforPostgreSQL/locations/performanceTiers/read",
    "Microsoft.DBforPostgreSQL/performanceTiers/read",
    "Microsoft.DBforPostgreSQL/servers/configurations/read",
    "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
    "Microsoft.DocumentDB/databaseAccounts/read",
    "Microsoft.DocumentDB/databaseAccounts/usages/read",
    "Microsoft.HDInsight/*/read",
    "Microsoft.Insights/LogProfiles/read",
    "Microsoft.Network/dnszones/*/read",
    "Microsoft.Network/locations/usages/read",
    "Microsoft.Network/networkInterfaces/*/read",
    "Microsoft.Network/networkSecurityGroups/*/read",
    "Microsoft.Network/publicIPAddresses/*/read",
    "Microsoft.Network/virtualNetworks/*/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Security/policies/read",
    "Microsoft.Sql/servers/administrators/read",
    "Microsoft.Sql/servers/auditingSettings/read",
    "Microsoft.Sql/servers/databases/auditingSettings/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
    "Microsoft.Sql/servers/databases/skus/read",
    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
    "Microsoft.Sql/servers/firewallRules/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/securityAlertPolicies/read",
    "Microsoft.Sql/servers/virtualNetworkRules/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

DivvyCloud Power User Role

{
  "Name": "DivvyCloud Power User",
  "Id": null,
  "IsCustom": true,
  "Description": "Provides full access to resources supported by DivvyCloud.",
  "Actions": [
    "Microsoft.Authorization/*",
    "Microsoft.Cache/*",
    "Microsoft.Compute/*",
    "Microsoft.DBforMySQL/*",
    "Microsoft.DBforPostgreSQL/*",
    "Microsoft.DocumentDB/*",
    "Microsoft.HDInsight/*",
    "Microsoft.Insights/*",
    "Microsoft.Network/*",
    "Microsoft.Resources/*",
    "Microsoft.Security/*",
    "Microsoft.Sql/*",
    "Microsoft.Storage/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}
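Before either role definition above is created with New-AzureRmRoleDefinition or az role definition create, it is worth checking mechanically that the role really is what its Description claims: a role advertised as read-only should contain only actions whose last segment is read, no action should appear twice, and every AssignableScope should be a subscription scope of the form used on this page. The following linter is an added example written for this page; it is not DivvyCloud code. The two role excerpts are constructed from the definitions above (one with a deliberately duplicated action, one with a deliberately bad scope) so that each check is exercised; the rule that scopes must be subscriptions is this example's policy, mirroring the page, not an Azure requirement.

```python
"""Lint Azure custom role definitions before creating them.

Added example, not part of DivvyCloud's documentation or tooling.
"""
import json
import re
from collections import Counter

# /subscriptions/<GUID>, the only scope shape the roles on this page use.
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
)

# Constructed excerpt of the "DivvyCloud Standard User" role, with one action
# deliberately listed twice so the duplicate check fires.
STANDARD_USER_EXCERPT = json.dumps({
    "Name": "DivvyCloud Standard User",
    "IsCustom": True,
    "Description": "Provides read-only access to resources supported by DivvyCloud.",
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Network/networkSecurityGroups/*/read",
        "Microsoft.Network/networkSecurityGroups/*/read",
        "Microsoft.Storage/storageAccounts/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})

# Constructed excerpt of the "DivvyCloud Power User" role, with a root scope
# added (an assumption for this example) so the scope check fires.
POWER_USER_EXCERPT = json.dumps({
    "Name": "DivvyCloud Power User",
    "IsCustom": True,
    "Description": "Provides full access to resources supported by DivvyCloud.",
    "Actions": ["Microsoft.Compute/*", "Microsoft.Network/*", "Microsoft.Storage/*"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000", "/"],
})


def is_read_only_action(action: str) -> bool:
    """An Azure action string is read-only when its final segment is 'read'.

    'Microsoft.Compute/virtualMachines/*/read' is read-only; 'Microsoft.Compute/*'
    is not, because the wildcard covers write and delete operations too.
    """
    return action.rsplit("/", 1)[-1] == "read"


def lint_role(role_json: str, expect_read_only: bool) -> list[str]:
    """Return a list of findings for one role definition; empty means it passed."""
    role = json.loads(role_json)
    actions = role.get("Actions", [])
    findings = []

    if not role.get("IsCustom", False):
        findings.append("IsCustom must be true for a custom role definition")

    # Counter keeps first-seen order, so findings come out in document order.
    for action, count in Counter(actions).items():
        if count > 1:
            findings.append(f"duplicate action listed {count} times: {action}")

    if expect_read_only:
        for action in actions:
            if not is_read_only_action(action):
                findings.append(f"non-read action in a read-only role: {action}")

    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty; Azure will reject the role")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            findings.append(f"scope is not a subscription scope: {scope}")

    return findings


if __name__ == "__main__":
    for name, text, read_only in (
        ("Standard User", STANDARD_USER_EXCERPT, True),
        ("Power User", POWER_USER_EXCERPT, False),
    ):
        result = lint_role(text, expect_read_only=read_only)
        print(f"{name}: {'ok' if not result else '; '.join(result)}")
```

Run it against the real role file instead of the excerpts by reading the file with json.load and passing json.dumps of the result to lint_role; pass expect_read_only=True for the Standard User role and False for the Power User role.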

Creating Custom Roles

To add one of these roles to your account, copy the JSON from one of the desired roles above into a file and use either PowerShell or Azure CLI from the command line to create the role.

PowerShell

New-AzureRmRoleDefinition -InputFile <role_definition>

Azure CLI

az role definition create --role-definition <role_definition>

Updating Custom Roles

To modify an existing custom role:

Retrieve the existing role with either PowerShell or Azure CLI.

PowerShell

Get-AzureRmRoleDefinition -Custom | ConvertTo-Json

Azure CLI

az role definition list --custom-role-only

Copy the JSON for the custom role you wish to modify into a new file and make the desired changes to the role definition. Then update the role in Azure.

PowerShell

Set-AzureRmRoleDefinition -InputFile <role_definition>

Azure CLI

az role definition update --role-definition <role_definition>

Adding Azure Cloud Account

Microsoft Azure (Azure) is one of the world’s leading public cloud providers and offers a variety of cloud services. You can add an Azure account to DivvyCloud by following these steps.

1. Azure Dashboard

Azure Active Directory. Log in to the Azure Dashboard. Access the Azure Active Directory service from the left-hand side navigation.

2. Azure Active Directory

App registrations. Once you access Azure Active Directory, click on App registrations on the left-hand side navigation.

3. App registrations (part 1 of 3)

Add. Once you access App registrations, click on New application registration above the table of apps.

4. Create

a. Name. Enter an app name that denotes this app is used for DivvyCloud, e.g., DivvyCloud-API-Access. By creating a dedicated DivvyCloud app, you can later use Monitor to see all actions taken by DivvyCloud, which helps you distinguish what DivvyCloud is doing from what others are doing and facilitates troubleshooting.

b. Application Type. Select Web app/API.

c. Sign-on URL. This sign-on URL will not be used, but you can give it a descriptive value too, e.g., http://divvycloud-azure.yourcompanyname.com.

d. Create. Click Create to create the app.

5. App registrations (part 2 of 3)

Endpoints. Once you have created the app and are returned to the App registration screen, you will retrieve the Tenant ID that you will need to add Azure to DivvyCloud. You can do so by selecting Endpoints, which is next to New application registration.

6. Endpoints

Federation Metadata Document. Once in Endpoints, copy the value under Federation Metadata Document. You will use this value to obtain the Tenant ID.

7. Notes (part 1 of 4)

Tenant ID. Outside of your browser, using whatever application you prefer for taking notes, paste the value you copied under Federation Metadata Document. The Tenant ID is the 36-character alphanumeric value (a GUID) between login.microsoftonline.com/ and /federationmetadata. Save that value.

8. App registrations (part 3 of 3)

Settings. Return to App registrations and click on your created app to open up its settings.

9. Settings (part 1 of 3)

Application ID. Once you have settings open, copy the details under Application ID.

10. Notes (part 2 of 4)

Application ID. Save the value you copied under Application ID.

11. Settings (part 2 of 3)

Required permissions. Return to settings and access Required permissions on the right-hand side.

12. Required permissions

a. Click on the Windows Azure Active Directory API.

b. Under Application Permissions check the ‘Read directory data’ checkbox and click Save.

c. Click the Grant permissions button and then the Yes button.

13. Settings (part 3 of 3)

Keys. Return to Settings and access Keys on the right-hand side.

14. Keys

a. Description. As before, enter a descriptive value that is meaningful to you, e.g., DivvyCloud-API.

b. Expires. Select a value from the drop-down, e.g., 1 year, that meets your organization’s security requirements.

c. Value. This value, which is your key value, will not appear until you click Save. When it does, copy the value displayed here. N.b., this is your only chance to copy this value.

d. Save. Click on Save, so the key value will populate the Value field. Copy the key value.

15. Notes (part 3 of 4)

Key Value. Save the value you copied under Value.

16. Search

Subscriptions. From the main left-hand side navigation menu, select More services > to open a search box. Search for Subscriptions and select it.

17. Subscriptions (part 1 of 2)

a. Overview. From Subscriptions, select the subscription that you are adding to DivvyCloud. When you select it, the Overview and other options will open on the right-hand side.

b. Subscription ID. With Overview selected, copy the Subscription ID listed on the right-hand side.

18. Notes (part 4 of 4)

Subscription ID. Save the value you copied under Subscription ID. You now have all of the information DivvyCloud needs to add your Azure account; however, you still need to grant the app a role within Azure for DivvyCloud to use. That role can be read-only (Standard User) or Power User.

19. Subscriptions (part 2 of 2)

a. Access control (IAM). Returning to Subscriptions, select Access control (IAM).

b. Add. Select Add to create a DivvyCloud user.

20. Access control (IAM)

a. Select a role. Select either DivvyCloud Standard User or DivvyCloud Power User. DivvyCloud Standard User grants DivvyCloud read-only permissions to supported resources, so that it can harvest data and report on it. DivvyCloud Power User grants DivvyCloud all permissions to supported resources, so that it can act upon cloud resources in addition to monitoring and reporting on them. You may wish to start with DivvyCloud Standard User until you are more familiar with how to use DivvyCloud, and then change to DivvyCloud Power User when you are ready to use all of DivvyCloud’s capabilities.

b. Add users. Search for and select the app you created in Step 4, e.g., DivvyCloud-API-Access.

c. Click Save.

21. Add Cloud

Go to your DivvyCloud account. Navigate to Clouds on the left-hand side navigation menu. Click on Add Cloud in the upper right.

22. Enter Cloud Information

a. Select Azure (ARM) in the Select Technology drop-down.
b. Name your cloud account.
c. Provide your tenant ID.
d. Provide your subscription ID.
e. Provide your application ID.
f. Provide your key value.

23. Select the Harvesting Strategies for your cloud account by clicking on the Show Advanced button, as shown below.

24. Add any Badges you would like to this particular cloud account. Badges provide a way to assign additional metadata to resources within the DivvyCloud platform. They are key/value pairs that can be used for filtering and identifying resources by their parent cloud account.

25. Hit Submit!

26. Confirm

You should see a screen that indicates you have successfully added a cloud account. DivvyCloud will begin harvesting immediately and the data should start to surface after five minutes or so depending upon the size of your cloud account.
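Steps 7 and 22 above have you extract the Tenant ID from a pasted Federation Metadata Document URL by hand and then enter four values into Add Cloud. A wrong or truncated value only shows up later as a failed harvest, so it is worth checking the values before submitting them. The following helper is an added example written for this page, not DivvyCloud code: it pulls the tenant ID out of the federation metadata URL (the GUID between login.microsoftonline.com/ and /federationmetadata, exactly as step 7 describes) and confirms that the tenant, subscription and application IDs are well-formed, distinct GUIDs and that the key value was pasted cleanly. The URL and GUIDs in the block are constructed placeholders.

```python
"""Sanity-check the values collected for Add Cloud before pasting them in.

Added example, not DivvyCloud code. All identifiers below are constructed.
"""
import re
from urllib.parse import urlparse

# Azure tenant, subscription and application IDs are all GUIDs.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed Federation Metadata Document URL; the tenant GUID is a placeholder.
FEDERATION_METADATA_URL = (
    "https://login.microsoftonline.com/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
    "/federationmetadata/2007-06/federationmetadata.xml"
)


def tenant_id_from_federation_metadata(url: str) -> str:
    """Return the tenant ID embedded in a Federation Metadata Document URL.

    The path is /<tenant-id>/federationmetadata/..., so the tenant ID is the
    first path segment. Anything else (wrong host, missing segment, non-GUID)
    raises ValueError rather than returning a value that would fail later.
    """
    parsed = urlparse(url.strip())
    if parsed.netloc.lower() != "login.microsoftonline.com":
        raise ValueError(f"unexpected host in federation metadata URL: {parsed.netloc!r}")
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) < 2 or segments[1].lower() != "federationmetadata":
        raise ValueError("URL does not look like a Federation Metadata Document URL")
    if not GUID.match(segments[0]):
        raise ValueError(f"tenant segment is not a GUID: {segments[0]!r}")
    return segments[0].lower()


def check_cloud_account_inputs(tenant_id: str, subscription_id: str,
                               application_id: str, key_value: str) -> list[str]:
    """Return a list of problems with the four Add Cloud values; empty means ok."""
    problems = []
    ids = (("tenant ID", tenant_id), ("subscription ID", subscription_id),
           ("application ID", application_id))
    for label, value in ids:
        if not GUID.match(value.strip()):
            problems.append(f"{label} is not a GUID: {value!r}")
    # Pasting the same GUID into two fields is a common slip; the three IDs
    # identify different objects and can never legitimately coincide.
    if len({v.strip().lower() for _, v in ids}) < 3:
        problems.append("tenant, subscription and application IDs must be distinct")
    # The key value is shown once (step 14); a blank or whitespace-padded paste
    # means the copy went wrong and the key must be regenerated.
    if not key_value or key_value != key_value.strip():
        problems.append("key value is empty or has leading/trailing whitespace")
    return problems


if __name__ == "__main__":
    tenant = tenant_id_from_federation_metadata(FEDERATION_METADATA_URL)
    print("tenant ID:", tenant)
    print(check_cloud_account_inputs(
        tenant,
        "11111111-1111-1111-1111-111111111111",   # constructed subscription ID
        "22222222-2222-2222-2222-222222222222",   # constructed application ID
        "constructed-key-value",                  # never print a real key
    ))
```

The key value itself is never echoed; only the verdict about it is, so the check can be run from a shell history or CI log without leaking the secret.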