To simplify the management of granting PyraCloud access to your Azure subscriptions, you can use Azure Management Groups to assign permissions across multiple subscriptions in a single step. This has the following benefits:
- Access for PyraCloud to your Azure subscriptions can be assigned to multiple subscriptions in a single step.
- Access for PyraCloud to Azure subscriptions created in the future can be automatically assigned. This means when you add an Azure subscription to your tenant, there is no need to then activate it in PyraCloud.
What are the Security Implications?
As you onboard your tenant in PyraCloud (see the Pre-requisites section below), the process creates an Enterprise Application in your tenant called “PyraCloud (Azure)”.
The process below describes assigning the following roles to the “PyraCloud (Azure)” Enterprise Application:
These roles allow PyraCloud to read a list of all the resources in your Azure subscription, and read and write tags on those resources.
You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.
Before following the instructions below, your tenant must first be onboarded in PyraCloud. To do this, follow the steps in the following KB article: Activate your EA Cloud Account
Grant Access with Azure Management Groups
Log in to the Azure Management Portal and search for “Management groups”
Navigate to “Management groups”
If necessary, click “Start using management groups”
Create an empty Management group to enable the full user interface. This Management group can be deleted later:
- Enter a Management group ID (e.g. ‘azurepolicy’)
- Enter a Management group display name (e.g. ‘Azure Policy’)
- Click “Save”
If necessary, refresh the screen to show the Tenant Root Group
Click the “details” link next to “Tenant Root Group”
Click the “Access control (IAM)” menu item on the left
Click “Role Assignments”
Click “Add” -> “Role assignment”
In the “Add role assignment” blade:
- Select “Reader” as the Role
- In the “Select” textbox, search for “Pyra” and click the “PyraCloud (Azure)” application
- Click “Save”
Repeat steps 1 to 3 above but choose “Tag Contributor” in step 1 (instead of “Reader”).
The final result: