1. Home
  2. Setup
  3. Grant Access to PyraCloud with Azure Management Groups

Grant Access to PyraCloud with Azure Management Groups

Introduction

To simplify the management of granting PyraCloud access to your Azure subscriptions, you can use Azure Management Groups to assign permissions across multiple subscriptions in a single step. This has the following benefits:

  • Access for PyraCloud to your Azure subscriptions can be assigned to multiple subscriptions in a single step.
  • Access for PyraCloud to Azure subscriptions created in the future will be automatically assigned. This means when you add an Azure subscription to your tenant, there is no need to then activate it in PyraCloud.

What are the security implications?

As you onboard your tenant in PyraCloud (see the Pre-requisites section below), the process creates an Enterprise Application in your tenant called “PyraCloud (Azure)”.

The process below describes assigning the following roles to the “PyraCloud (Azure)” Enterprise Application:

These roles allow PyraCloud to read a list of all the resources in your Azure subscriptions, and read and write tags on those resources.

You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.

Grant access using the Azure CLI

Prerequisites

To complete these steps using the Azure CLI, you need to install PowerShell and the Azure CLI. You can download and install these by following the Microsoft documentation:

  1. Install PowerShell
  2. Install Azure CLI

I’m a Power User! Just give me the commands!

Following are the commands to execute to onboard your Azure subscriptions in PyraCloud.

Please note that it is important to execute this script at a PowerShell prompt (and not a normal command prompt) since it utilizes PowerShell variables.

IMPORTANT: If you execute the script below at a PowerShell prompt, you can ignore the rest of this article.

az login

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a

az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"

What does each command do?

An explanation of each command follows:

Log in to your Microsoft tenant

az login

Elevate your permissions to manage all Azure subscriptions and management groups.
See Microsoft Documentation.

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

Create the PyraCloud (Azure) service principal (Enterprise Application) in your tenant.

az ad sp create --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a

az ad app permission grant --id 2a4807a4-d9e4-457d-b32f-a455e0d3662a --api 00000003-0000-0000-c000-000000000000 --scope "User.Read"

Get the ID of your Tenant Root Group.

$root_mg=$(az account management-group list --query "[?displayName == 'Tenant Root Group'] | [0] | id" --output tsv)

Assign the Reader and Tag Contributor roles to the PyraCloud (Azure) application in your Tenant Root Group

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Reader" --scope "$root_mg"

az role assignment create --assignee "2a4807a4-d9e4-457d-b32f-a455e0d3662a" --role "Tag Contributor" --scope "$root_mg"

Grant access using the Azure Portal

Prerequisites

Before following the instructions below, your tenant must first be onboarded in PyraCloud. To do this, follow the steps in the following KB article: Activate your EA Cloud Account

Elevate your account permissions

To complete the steps below, you must have the correct permissions to manage access to all Azure subscriptions and management groups in your tenant.

This can be achieved easily if you are a Global Administrator in your tenant. Follow the steps below.

Log in to the Azure Management Portal and search for “Azure Active Directory”

Figure 1: Search for “Azure Active Directory”

Click “Properties”

Figure 2: Overview of Azure Active Directory

Under “Access management for Azure resources”, click “Yes”. Then click Save.

Figure 3: Properties of Azure Active Directory

Grant Access to PyraCloud

Log in to the Azure Management Portal and search for “Management groups”

Figure 4: Search for “Management Groups”

A simple Management Group hierarchy may look similar to the screenshot below. More complex Management Groups may exist in your tenant.

Regardless of your organization’s configuration, you will still have a Tenant Root Group. This may have been renamed, but will always appear at the top of the hierarchy.

Click on the Tenant Root Group.

Figure 5: A simple Management Groups configuration.

Click the “Access control (IAM)” menu item on the left.

Figure 6: Overview of the Tenant Root Group

Click “Role Assignments”

Figure 7: Access Control (IAM) for the Tenant Root Group

Click “Add” -> “Role assignment”

Figure 8: Role Assignments for the Tenant Root Group

In the “Add role assignment” blade:

  1. Select “Reader” as the Role
  2. In the “Select” textbox, search for “Pyra”
  3. Click the “PyraCloud (Azure)” application
  4. Click “Save”
Figure 9: Assign the Reader and Tag Contributor roles to the “PyraCloud (Azure)” app

Repeat steps 1 to 4 above but choose “Tag Contributor” in step 1 (instead of “Reader”).

The final result:

Figure 10: The final result

Updated on June 7, 2021

Was this article helpful?

Related Articles