UpGuard can utilise the Azure Resource Manager (ARM) API to represent a resource group as a node. To do so, you will need your subscription, AD tenant and AD client IDs, along with a user account that has access to at least one non-empty resource group. In addition, a Windows connection manager of at least version 4.8.0 is required to facilitate the scan.

Prerequisites

  • You will need a Microsoft Azure account.
  • You will need the subscription, AD tenant and AD client IDs for that account.

Adding

  1. Log into UpGuard and select Discover -> Discover.
  2. From the node select screen, click Windows and then select Manual.
  3. On the resulting page, fill out the fields as follows:

    Field                      Description
    Node Type                  This should be set to “Cloud App”
    Cloud App                  This should be set to “Azure RM”
    Connection Manager Group   This should be set to a connection manager group that has access to Azure
    Hostname                   The name of the resource group to monitor
    Username                   The name of a user that has access to the resource group
    Password                   The password for the aforementioned user
    Subscription ID            The subscription ID associated with the account that contains the resource group
    AD Tenant ID               The Azure Active Directory Tenant ID associated with the account that contains the resource group
    AD Client ID               An Azure Active Directory Client ID associated with the account that contains the resource group
  4. Click Add Node at the bottom of the form to add the node.
  5. Click “Scan” on the node’s show page.

Subscription ID, AD Tenant ID and AD Client ID

  • Your Azure subscription ID can be found on the settings page after logging into the Azure management portal.
  • Your Active Directory Tenant ID can be found in the URL for your AAD management page, per the following screenshot.
  • Your Active Directory Client ID can be found on the Active Directory Application page for the application that you wish to use when scanning your Azure resources.

Azure Active Directory Applications

You must specify an AAD application (via its client ID) to use when connecting from UpGuard to Azure. This can be an existing native AAD application, or you can create a new one per the following steps:

  1. Navigate to the Active Directory management page for your Azure account.

  2. Select the Active Directory to use.

  3. Select “Applications”, and click “Add” at the bottom of the page.

  4. Enter a name for the application, and choose Native Client Application.

  5. Enter a sign-on URL. UpGuard does not use this URL, so it can be any valid URL.

  6. You will now be presented with your new application. Select “Configure” at the top.

  7. The “Client ID” field on this page contains the ID that you will use when connecting from UpGuard to Azure.

  8. Under “permissions to other applications”, you must have the “Windows Azure Service Management API” entry, with the “Access Azure Service Management…” delegated permission enabled.


Common failure scenarios

  • The following message indicates that you have not entered a password, or that the password cannot be decrypted by the current connection manager. Re-enter your credentials and try again.
  • The following message indicates that you are using a Web API application instead of a Native Client application to connect to Azure. Specify a Native Client application client ID and try again.
  • The following message indicates that the resource group you are attempting to scan either contains no resources, or the user account specified does not have the required permissions. In the latter case, add the user to the resource group and try again.
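The prerequisites and failure scenarios above can be checked before the node is added. The following pre-flight script is an added example, not UpGuard code: it performs the same two steps a native AAD client application needs (a username/password token request for the Windows Azure Service Management API, then an ARM listing of the resource group's resources) and maps the outcome onto the scenarios this article describes. The tenant, client, subscription and resource group values are placeholders you supply; the 2021-04-01 ARM API version is assumed.

```python
"""Pre-flight check for an UpGuard Azure RM node (hypothetical helper, not UpGuard code)."""
import json
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com/"  # resource the delegated permission grants access to


def token_request(tenant_id, client_id, username, password):
    """Build the v1-endpoint password-grant request a Native Client AAD application uses."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password, "resource": ARM,
    }).encode()
    return url, body


def resources_url(subscription_id, resource_group):
    """ARM 'Resources - List By Resource Group' endpoint (api-version assumed)."""
    return (f"{ARM}subscriptions/{subscription_id}/resourceGroups/"
            f"{resource_group}/resources?api-version=2021-04-01")


def classify(status, payload):
    """Map the ARM list response onto the failure scenarios described in this article."""
    if status == 403:
        return "forbidden: user lacks access; add the user to the resource group"
    if status == 404:
        return "not found: check the Hostname (resource group name) and subscription ID"
    if status != 200:
        return f"unexpected HTTP {status}"
    if not payload.get("value"):
        return "empty: the resource group contains no resources to scan"
    return f"ok: {len(payload['value'])} resource(s) visible"


def check(tenant_id, client_id, subscription_id, resource_group, username, password):
    """Obtain a token, list the resource group and return the classification string."""
    url, body = token_request(tenant_id, client_id, username, password)
    try:
        with urllib.request.urlopen(url, body) as r:
            token = json.load(r)["access_token"]
    except urllib.error.HTTPError as e:
        # Wrong password, or the client ID belongs to a Web API app rather than a Native Client app
        return f"auth failed: HTTP {e.code}; check the password and that the client ID is a Native Client application"
    req = urllib.request.Request(resources_url(subscription_id, resource_group),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as r:
            return classify(r.status, json.load(r))
    except urllib.error.HTTPError as e:
        return classify(e.code, {})
```

Run `check("<tenant id>", "<client id>", "<subscription id>", "<resource group>", "<user>", "<password>")` with the values you intend to enter in the form; the password grant does not work for accounts that require multi-factor authentication.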