Configure an Active Directory or O365 Account

To allow CloudCheckr to access the resources associated with your Azure subscription, you must create a connection between Azure and CloudCheckr.

Azure Active Directory is Microsoft's cloud-based identity and access management service that enables you to sign in and access resources in Microsoft Office 365, the Azure portal, and other Software-as-a-Service (SaaS) products.

To configure your Active Directory account or O365 account, you will need to complete these steps:

  • In Azure, you will obtain some key values, create a new app, grant permissions to the app, and verify your permissions.
  • In CloudCheckr, you will create an Azure account and configure that account to collect your Azure Active Directory or O365 account data.

Procedure

  1. Log in to the Azure portal.
  2. From the left navbar, click Azure Active Directory.
  3. Select Properties from the list.
  4. Copy the directory ID.
  5. Launch CloudCheckr.
  6. From the Projects page, select the Azure partner.
  7. From the Accounts page, click NEW ACCOUNT.

    The New Account screen displays.

  8. Type a unique name for your account.
  9. In the Cloud Provider section, select Microsoft Azure from the drop-down menu.
  10. At the bottom of the page, click Create.

    The Configure Account page opens.

  11. From the drop-down menu, select Collect Information from my Azure Active Directory.
  12. Paste the Directory ID that you copied earlier from Azure.
  13. Return to the Azure portal.
  14. In the Azure Active Directory blade, click App registrations.
  15. Click + New registration.
  16. Return to the Configure Account page in CloudCheckr.
  17. Copy the application name and sign-on URL.
  18. Return to the Azure portal.
  19. Create your application:
    1. Type a name for your application.
    2. Under Supported account types, leave the default setting: accounts in this organizational directory only.
    3. Under Redirect URI (optional), leave the default drop-down option, Web, and in the blank text field, type https://localhost
    4. Click Register.
  20. Copy the Application ID.
  21. In the Manage section of the application blade, click Certificates & secrets.
  22. Under Client secrets, click New client secret.
  23. Type a name for the client secret, select when you want it to expire, and click Add.
  24. Copy the value of the client secret and save it immediately since you will not be able to view it again.
  25. Return to the Configure Account page in the CloudCheckr application.
  26. Paste the client secret in the text field associated with the key value.
  27. Return to the Azure portal.
  28. Click the name of your application from the list.
  29. From the Manage section of the application blade, select API Permissions.
  30. Click + Add a permission.
  31. Select Microsoft Graph from the list.
  32. Select application permissions.
  33. Add the permissions:
    1. Type Read Directory Data and select that permission from the list.
    2. Type Read All Usage Reports and select that permission from the list.
    3. Click Add permissions.
  34. Scroll down to the Grant consent section and click Grant admin consent for CloudCheckr Azure Subscription.

    A prompt asks you to confirm your selection.

  35. Click Yes to grant the required permissions.

    A pop-up message indicates that Azure has granted your permissions.

  36. Return to CloudCheckr.
  37. On the Configure Account page, select the account type: Commercial, Government, or Azure Germany.
  38. Click Update.

Verification

To verify that the appropriate Azure permissions are set, follow these steps.

  1. Return to the Azure portal.
  2. From the left navbar, click Azure Active Directory.
  3. In the Azure Active Directory blade, click App registrations.
  4. Click the name of your application.
  5. Under the Managed application in local directory section, click your application name.
  6. From the Security section of the Enterprise Application blade, select Permissions.
  7. Verify that the two permissions for the Microsoft Graph API are listed.

    If the permissions are not listed, repeat the previous Configuration procedure and make sure that you click Yes in step 34 to ensure that the permissions are added.
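The verification above can also be scripted against exported Microsoft Graph data, which makes it easy to flag permissions beyond the two that the procedure grants. This is an added example, not CloudCheckr's own code. It assumes the two display names map to the Graph permission values Directory.Read.All and Reports.Read.All, and that the inputs are the Microsoft Graph service principal object and the application's appRoleAssignments response; the sample JSON and its ids are constructed placeholders.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
# Assumed values for "Read Directory Data" and "Read All Usage Reports".
REQUIRED = {"Directory.Read.All", "Reports.Read.All"}

# Constructed sample: the Microsoft Graph service principal with a few of its appRoles.
GRAPH_SP = json.loads("""
{"id": "sp-graph-0001", "appId": "00000003-0000-0000-c000-000000000000",
 "appRoles": [
  {"id": "role-0001", "value": "Directory.Read.All"},
  {"id": "role-0002", "value": "Reports.Read.All"},
  {"id": "role-0003", "value": "Directory.ReadWrite.All"}]}
""")

# Constructed sample: appRoleAssignments of the registered application's
# service principal, as they would look after admin consent.
ASSIGNMENTS = json.loads("""
{"value": [
  {"resourceId": "sp-graph-0001", "appRoleId": "role-0001"},
  {"resourceId": "sp-graph-0001", "appRoleId": "role-0003"},
  {"resourceId": "sp-other-0009", "appRoleId": "role-0777"}]}
""")


def audit_grants(graph_sp, assignments, required=REQUIRED):
    """Compare consented Graph application permissions with the required set."""
    if graph_sp.get("appId") != GRAPH_APP_ID:
        raise ValueError("first argument is not the Microsoft Graph service principal")
    role_names = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    granted = set()
    for item in assignments.get("value", []):
        if item.get("resourceId") != graph_sp["id"]:
            continue  # permission on a different API, out of scope for this check
        role_id = item.get("appRoleId", "")
        # Keep unresolvable ids visible instead of silently dropping them.
        granted.add(role_names.get(role_id, "unknown:" + role_id))
    return {
        "missing": sorted(set(required) - granted),
        "unexpected": sorted(granted - set(required)),
        "ok": granted == set(required),
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(GRAPH_SP, ASSIGNMENTS), indent=2))
```

A non-empty "missing" list corresponds to the case described above where the configuration procedure must be repeated; a non-empty "unexpected" list means the application holds more Graph access than this setup calls for.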

