How do I provide the access rights for Nodinite Logging and Monitoring agents to my Azure-related services?
The Nodinite Azure-related Log-Log Agents], and Monitor-AgentsMonitoring Agents execute queries and commands to the Azure Service Management REST API. You must register one or more Applications using the App Registrations page in the Azure portal with membership to some built-in roles. The specific roles are in a list in the Least privileges section on this page.
The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Management Portal.
All API operations Nodinite performs uses SSL, and the authentication uses X.509 v3 certificates.
The Nodinite design help you keep as secure as possible
4. ClientId and ClientSecret
The TenantId is the GUID uniquely identifying the Azure Active Directory instance.
From the Azure Portal ; Enter tenant properties and navigate to Properties for the Azure Active Directory. The TenantId is available on the page.
The Microsoft Azure subscription is the unique user account in Azure. All Azure Resources and services are available to the REST-based Service Management API.
When you create an Azure subscription, it is uniquely identified by a SubscriptionId. The subscription Id is part of the call to the Azure Service Management API.
- The SubscriptionId is a GUID.
To acquire the SubscriptionId, enter Subscriptions in the search, and navigate to the Subscriptions page. Copy and use the GUID value:
For each Nodinite Log- and Monitor Agent; You must specify the Resource Groups to Monitor and Manage. There are different ways to manage these lists from within Nodinite depending on the type of agent.
One way to get the value is to use the Azure Portal ; You can view the available Resource Groups.
To retrieve the 'ClientId' and the 'ClientSecret' an Application must first exist/be created.
- Select Azure Active Directory
- From the Selected Active Directory instance, click on App registrations
- Click the New registration button
- Enter the name of the Application
- Select Accounts in this organizational directory only - least privileges
- Select the Web option
- Enter the URL to your user management website (can be changed later)
NOTE: The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org
- Click the Register button to begin the creation process
This operation may take some time.
Click the newly created Application to start creating permissions.
Next; select which API Permissions to assign for the Application
Another modal is now displayed, and you need to specify the type of permissions required by the Application:
- Select Delegated permissions
- Check the user_impersonation checkbox
- Click the Add permissions button
In the following dialogue, enter:
- A user-friendly name for the client secret
- Select when the secret expires
- Click the Add button
You can fine-tune permission on individual levels.
- Subscription (highest level)
- Resource Group (recommended)
- Object (lowest level)
Our recommendation is to assign as in the section: Roles with least privileges.
To assign the role membership on Resource Group level:
- Search and navigate to the list of Resource Groups.
- Select the Resource Group to add the permission to.
- Select Access Control (IAM).
- Click the Add button.
- Select Add role assignment
- Select the built-in Contributor Role OR, use the table in the Roles with least privileges section on this page.
- Select Azure AD user, group. pr service principal.
- Select one or more members (Application Name from step 4 - ClientId and ClientSecret).
To find the named Application(s), you need to type some characters to active the filter.
When finished, you will now see all User (Application) permissions in the list for the Resource Group(s) and/or Subscriptions. The User (Application) will be listed as part of the Contributor role.
If you opt to allow the Client/Application the Contributor role on each Subscription to monitor and manage, then you do not have to fine tune the Role Assignments with one exception; the Nodinite Azure Monitoring Agent requires the Azure Event Hubs Data Sender role assigned in order to send messages to the Event Hub.
Below is a list of specific permissions required to use the following Nodinite Azure Logging and Monitoring Agents:
- Nodinite Azure Logic Apps Logging and Monitoring agent. The agent also uses Shared access policies to access the Event Hubs and the Storage Accounts.
- Nodinite Azure Monitoring Agent
- Nodinite Azure Service Bus Monitoring
The Nodinite Pickup Service does not use the Azure REST API. Instead, it uses information from the Shared access policies.
Keep in mind that updating Azure role assignments may take up to five minutes to propagate. Then, you need to restart the necessary Nodinite agents.
|Subscription||Reader||Show Details and Match/Validate the Subscription Id with the current configuration.
NOTE: This right inherits to all other Resources in selected Subscription.
|API Management Service||API Management Service Contributor||List resources, Create and delete EventHub Logger, Invoke APIs|
|App Services||Website Contributor||View Web Jobs History|
|Data Factory||Data Factory Contributor||List Data Factories and pipelines, Read Details, Read performance|
|Function App||Website Contributor||List resources, includes the associated Application Insights|
|Application Insights||API Key||Not a role-assignment You must manually create an API Key for each Application Insights instance. API access is required for the Function App Monitoring. If the API key expires, you need to re-create it|
|Event Hubs||Azure Event Hubs Data Sender||Send messages to the Event Hub entity|
|Service Bus Namespace||Azure Service Bus Data Owner||List namespaces and Resources, Read and use Access Keys, Manage Queues and Topics|
|Logic App||Logic App Operator||Enable/Disable Logic App. This role is NOT allowed to Resubmit runs|
|Logic Apps||Logic App Contributor||Allow to Resubmit runs. If you assign membership with this role; The Client does not need to be a member of the Logic App Operator role|
NOTE: You can either assign role memberships on each Resource, or you can set the role assignment on the Resource Group, or Subscription level.