This article guides you through the following steps:
- Consent to the “PyraCloud (Azure)” Enterprise Application in your Azure tenant
- Use Azure Management Groups to assign the Reader and Tag Contributor roles to the “PyraCloud (Azure)” Enterprise Application in all your Azure subscriptions.
What are the Security Implications?
The process below describes assigning the following roles to the “PyraCloud (Azure)” Enterprise Application:
- Reader
- Tag Contributor
These roles allow PyraCloud to read a list of all the resources in your Azure subscription, and read and write tags on those resources.
You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.
Consent to the “PyraCloud (Azure)” Enterprise Application
Performing consent involves clicking the following link and then accepting the permissions grant to PyraCloud.
- Click the following link:
- The following screen will appear. Review the permissions, and, if acceptable, click Accept.
- To confirm the “PyraCloud (Azure)” Enterprise Application exists, sign in to the Azure portal and navigate to Azure Active Directory -> Enterprise applications.
The “PyraCloud (Azure)” application should be visible in the list. If it is not visible, try searching for “pyra”.
Grant Access with Azure Management Groups
Log in to the Azure Management Portal and search for “Management groups”
Navigate to “Management groups”
If necessary, click “Start using management groups”
Create an empty Management group to enable the full user interface. This Management group can be deleted later:
- Enter a Management group ID (e.g. ‘azurepolicy’)
- Enter a Management group display name (e.g. ‘Azure Policy’)
- Click “Save”
If necessary, refresh the screen to show the Tenant Root Group
Click the “details” link next to “Tenant Root Group”
Click the “Access control (IAM)” menu item on the left
Click “Role Assignments”
Click “Add” -> “Role assignment”
In the “Add role assignment” blade:
- Select “Reader” as the Role
- In the “Select” textbox, search for “Pyra” and click the “PyraCloud (Azure)” application
- Click “Save”
Repeat steps 1 to 3 above but choose “Tag Contributor” in step 1 (instead of “Reader”).
The final result:
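To check the resulting assignments outside the portal, the following added example (not part of the original article or of PyraCloud's tooling) audits a list of role-assignment records for the application's service principal. It assumes records carrying the `principalId`, `roleDefinitionName` and `scope` fields that `az role assignment list --all` emits, and that the Tenant Root Group ID equals the tenant ID; the function name and all GUIDs are constructed placeholders.

```python
EXPECTED_ROLES = {"Reader", "Tag Contributor"}  # the two roles named in the article
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

def audit(assignments, principal_id, tenant_id):
    """Compare one principal's role assignments with what the article grants."""
    root_scope = (MG_PREFIX + tenant_id).lower()  # assumption: root group ID == tenant ID
    at_root, elsewhere, excess = set(), [], []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue  # assignment belongs to some other principal
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in EXPECTED_ROLES:
            excess.append((role, scope))      # more privilege than documented
        elif scope.lower() == root_scope:
            at_root.add(role)                 # inherited by every subscription
        else:
            elsewhere.append((role, scope))   # granted, but not tenant-wide
    return {
        "missing_at_root": sorted(EXPECTED_ROLES - at_root),
        "expected_at_other_scope": elsewhere,
        "excess": excess,
    }

# Constructed sample data; in practice, load the JSON exported by the CLI.
TENANT = "00000000-0000-0000-0000-000000000000"
APP_OID = "11111111-1111-1111-1111-111111111111"    # service principal object ID
OTHER_OID = "22222222-2222-2222-2222-222222222222"
SUB = "/subscriptions/33333333-3333-3333-3333-333333333333"
SAMPLE = [
    {"principalId": APP_OID, "roleDefinitionName": "Reader",
     "scope": MG_PREFIX + TENANT},
    {"principalId": APP_OID, "roleDefinitionName": "Tag Contributor",
     "scope": SUB},
    {"principalId": APP_OID, "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalId": OTHER_OID, "roleDefinitionName": "Owner",
     "scope": MG_PREFIX + TENANT},
]

if __name__ == "__main__":
    for finding, value in audit(SAMPLE, APP_OID, TENANT).items():
        print(f"{finding}: {value}")
```

An empty result in all three fields means the application holds exactly Reader and Tag Contributor at the Tenant Root Group and nothing else.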
Once the above process is complete, we will need to perform some manual steps in PyraCloud to complete the onboarding of your tenant. To allow us to do this, please provide the following information:
- Your Microsoft Tenant ID (or domain)
- A friendly name for your tenant to recognize it easily across PyraCloud
- The start and end date of your Enterprise Agreement
Once SoftwareONE has added your tenant, you will also need to provide an access token from the EA Portal. Follow the Add an Access Token section of this KB article to do so.