
Grant Access to PyraCloud with Azure Management Groups

Introduction

To simplify the management of granting PyraCloud access to your Azure subscriptions, you can use Azure Management Groups to assign permissions across multiple subscriptions in a single step. This has the following benefits:

  • Access for PyraCloud to your Azure subscriptions can be assigned to multiple subscriptions in a single step.
  • Access for PyraCloud to Azure subscriptions created in the future will be automatically assigned. This means when you add an Azure subscription to your tenant, there is no need to then activate it in PyraCloud.

What are the security implications?

As you onboard your tenant in PyraCloud (see the Pre-requisites section below), the process creates an Enterprise Application in your tenant called “PyraCloud (Azure)”.

The process below describes assigning the following roles to the “PyraCloud (Azure)” Enterprise Application at the Tenant Root Group scope:

  • Reader
  • Tag Contributor

These roles allow PyraCloud to read a list of all the resources in your Azure subscriptions, and to read and write tags on those resources. They do not allow PyraCloud to create, modify or delete the resources themselves.

You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.

Grant access using the Azure CLI

Prerequisites

To complete these steps using the Azure CLI, you need to install PowerShell and the Azure CLI. You can download and install these by following the Microsoft documentation:

  1. Install PowerShell
  2. Install Azure CLI

I’m a Power User! Just give me the commands!

Following are the commands to execute to onboard your Azure subscriptions in PyraCloud.

Please note that it is important to execute this script at a PowerShell prompt (and not a normal command prompt) since it utilizes PowerShell variables.

IMPORTANT: If you execute the script below at a PowerShell prompt, you can ignore the rest of this article.

az login
az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a
az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"
$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)
az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"
az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"

What does each command do?

An explanation of each command follows:

Log in to your Microsoft tenant

az login

Elevate your permissions so that you can manage access to all Azure subscriptions and management groups in your tenant. This requires a Global Administrator account; see the Microsoft Documentation for details.

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

Create the PyraCloud (Azure) service principal (Enterprise Application) in your tenant.

az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a
az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

Get the ID of your Tenant Root Group.

$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)

Assign the Reader and Tag Contributor roles to the PyraCloud (Azure) application in your Tenant Root Group

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"
az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"
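To confirm the outcome of the commands above, and to catch a grant that is broader than the two documented roles, the following verification script has been added for this article; it is not part of PyraCloud's own tooling. It assumes the Azure CLI is installed, that you are logged in at a PowerShell prompt as in the steps above, and that the application ID is the one the article uses.

```powershell
# Verification script added for this article; not part of the original procedure.
# Assumptions: Azure CLI installed, logged in (az login) with elevated access,
# and the PyraCloud (Azure) application ID below is the one from the article.
$pyraCloudAppId = "2a4807a4-d9e4-457d-b32f-a455e0d3662a"
$expectedRoles  = @("Reader", "Tag Contributor")

# Resolve the Tenant Root Group the same way the article does.
$root_mg = $(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)
if (-not $root_mg) {
  # The Tenant Root Group may have been renamed (see the portal section below).
  # Its name is always the tenant ID, so build the ID from that instead.
  $tenantId = az account show --query tenantId --output tsv
  $root_mg  = "/providers/Microsoft.Management/managementGroups/$tenantId"
}

# Every role assignment the PyraCloud service principal holds at the root scope.
$assignments = az role assignment list --assignee $pyraCloudAppId --scope $root_mg --output json |
  Out-String | ConvertFrom-Json
$granted = @($assignments | ForEach-Object { $_.roleDefinitionName })

# 1. Both documented roles must be present, otherwise onboarding is incomplete.
$missing = @($expectedRoles | Where-Object { $granted -notcontains $_ })
# 2. Nothing beyond the two documented roles should be present (least privilege).
$extra   = @($granted | Where-Object { $expectedRoles -notcontains $_ })

if ($missing.Count -gt 0) { Write-Warning "Missing role(s) at ${root_mg}: $($missing -join ', ')" }
if ($extra.Count   -gt 0) { Write-Warning "Unexpected role(s) at ${root_mg}: $($extra -join ', ')" }
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
  Write-Host "PyraCloud (Azure) holds exactly Reader and Tag Contributor on $root_mg"
}

# The elevateAccess call gave your own account User Access Administrator at "/".
# Once the assignments above are in place, remove that elevation again
# (the Microsoft Documentation for elevateAccess describes this step).
# Replace <your-upn> with your sign-in name before running:
# az role assignment delete --assignee "<your-upn>" --role "User Access Administrator" --scope "/"
```

Run the script after the commands above; a clean run prints a single confirmation line, while any warning means the assignments should be reviewed in the portal before continuing.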

Grant access using the Azure Portal

Prerequisites

Before following the instructions below, your tenant must first be onboarded in PyraCloud. To do this, follow the steps in the following KB article: Activate your EA Cloud Account

Elevate your account permissions

To complete the steps below, you must have the correct permissions to manage access to all Azure subscriptions and management groups in your tenant.

This can be achieved easily if you are a Global Administrator in your tenant. Follow the steps below.

Log in to the Azure Management Portal and search for “Azure Active Directory”

Figure 1: Search for “Azure Active Directory”

Click “Properties”

Figure 2: Overview of Azure Active Directory

Under “Access management for Azure resources”, click “Yes”. Then click Save.

Figure 3: Properties of Azure Active Directory

Grant Access to PyraCloud

Log in to the Azure Management Portal and search for “Management groups”

Figure 4: Search for “Management Groups”

A simple Management Group hierarchy may look similar to the screenshot below. More complex Management Groups may exist in your tenant.

Regardless of your organization’s configuration, you will still have a Tenant Root Group. This may have been renamed, but will always appear at the top of the hierarchy.

Click on the Tenant Root Group.

Figure 5: A simple Management Groups configuration.

Click the “Access control (IAM)” menu item on the left.

Figure 6: Overview of the Tenant Root Group

Click “Role Assignments”

Figure 7: Access Control (IAM) for the Tenant Root Group

Click “Add” -> “Role assignment”

Figure 8: Role Assignments for the Tenant Root Group

In the “Add role assignment” blade:

  1. Select “Reader” as the Role
  2. In the “Select” textbox, search for “Pyra”
  3. Click the “PyraCloud (Azure)” application
  4. Click “Save”

Figure 9: Assign the Reader and Tag Contributor roles to the “PyraCloud (Azure)” app

Repeat steps 1 to 4 above but choose “Tag Contributor” in step 1 (instead of “Reader”).

The final result:

Figure 10: The final result

Updated on June 7, 2021
