Introduction
The following article will guide you through the following steps:
- Provide consent to “PyraCloud (Azure)” in your Azure tenant
- How to use Azure Management Groups to assign “Reader” and “Tag Contributor” roles in “PyraCloud (Azure)” for your Azure subscriptions.
What are the Security Implications?
The below refers to assigning the following roles in “PyraCloud (Azure)”:
- Tag Contributor (see Microsoft Docs)
- Reader (see Microsoft Docs)
These roles allow PyraCloud to read a list of all the resources in your Azure subscription, and read and write tags on those resources.
You can control whether PyraCloud will write tags back to resources in your Azure subscription by using the Cloud Tenant Setup feature (under Setup) in PyraCloud.
Providing Consent to “PyraCloud (Azure)”
Providing consent involves clicking the following link and then accepting the permissions.
- Click the following link:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=2a4807a4-d9e4-457d-b32f-a455e0d3662a&prompt=consent&redirect_uri=https://www.softwareone.com/ - The following screen will appear. Review the permissions, and, if acceptable, click Accept.
- To confirm “PyraCloud (Azure)” exists, sign into the Azure portal and navigate to Azure Active Directory -> Enterprise applications.
The “PyraCloud (Azure)” application should be visible in the list. If it is not visible, try searching for “pyra”.
Grant Access with Azure Management Groups
Log in to the Azure Management Portal and search for “Management groups”.
Navigate to “Management groups”.
If necessary, click “Start using management groups”.
Create an empty Management group to enable the full user interface. This Management group can be deleted later:
- Enter a Management group ID (e.g. ‘azurepolicy’)
- Enter a Management group display name (e.g. ‘Azure Policy’)
- Click “Save”
If necessary, refresh the screen to show the Tenant Root Group.
Click the “details” link next to “Tenant Root Group”.
Click the “Access control (IAM)” menu item on the left.
Click “Role Assignments”.
Click “Add” -> “Role assignment”.
In “Add role assignment”:
- Select “Reader” as the Role
- In the “Select” textbox, search for “Pyra” and click the “PyraCloud (Azure)” application
- Click “Save”
Repeat Steps 1-3 above but choose “Tag Contributor” in Step 1 (instead of “Reader”).
The final result:
Inform SoftwareONE
Once the above process is complete, we will need to perform some manual steps in PyraCloud to complete the onboarding of your tenant. To allow us to do this, please provide the following information:
- Your Microsoft Tenant ID (or domain)
- A friendly name for your tenant to recognize it easily across PyraCloud
- The start and end date of your Enterprise Agreement
Once SoftwareONE has added your tenant, you will also need to provide an access token from the EA Portal. Follow the Add an Access Token section of this article to do so.
Remove Assigned Roles
The reader role is mandatory for all consumption modules including Reporting, Budgeting, Resources, and Tag Management.
The TagContributor role is required for PyraCloud to write back resource tagging information to the publisher (Azure). It is recommended to grant such a role to have consistent resource tag representation between Azure and PyraCloud.
However, the TagContributor role can be revoked and PyraCloud will use Virtual Tags that will be visible only in the PyraCloud module.
To remove the role, please go to the scope where the role was granted (Subscription, Management Groups, or Root Management Group) then select Access control (IAM), and remove the assignment as presented below.
