Creating an Azure Connector | v8.1+
To create a connector for Azure in Certero, you will need your Tenant name, a Client ID and a Client Secret, and you will need to register an Azure App with the right permissions.
The Certero connector for Azure uses the Microsoft Graph and Azure Management APIs to connect to and retrieve data from Azure. The APIs use industry standard OAuth 2.0 protocols for authentication and authorization.
For more information on what OAuth is and how this flow works between an endpoint server and Microsoft Azure, please see the following link:
Microsoft Identity Platform and OAuth 2.0
Within the Azure Portal
Obtaining the Tenant Name
1. Log in to the Azure portal
2. On the portal home page, search for Azure Active Directory:

3. Click the Azure Active Directory link:

4. In the menu select the ‘Custom domain names’ option:

5. A list of available tenants will be shown. This is the value we will use in our connector for ‘Tenant Name’:

Creating the App Registration
1. You will need to register an App within the Azure portal. This will provide us with the Client ID and Client Secret values we need
2. Remaining within the Azure Active Directory, from the Manage menu, select the ‘App registrations’ option:

Click the 'New registration' button:

3. Give the application a meaningful name and select which account types are to be supported (by default Single-tenant will be selected):

4. Click the 'Register' button at the bottom of the form to register the application
Obtaining a Client ID
Once your app is registered you will automatically be taken to the App registration screen. The top of this screen will show your Application (client) ID. This is the value we will use in our connector so make a note of it:

Note: You can navigate to the App at any time by clicking on the App registrations button from the menu blade or searching for App registrations in the main search bar. Clicking on the App name will open the overview.
Creating a Client Secret
1. Navigate to the app that was created in the step above and from the menu select ‘Certificates & secrets’:

2. Click the ‘New client secret’ button.

3. Enter a description. Select when the secret should expire and click ‘Add’:

4. Your new client secret will be displayed.
Note: This is the only time that the client secret will be shown. Once you have navigated away from the page you will be unable to retrieve the value and will have to revoke the app and create a new secret.
Assigning Built-In “Reader” Role Permissions
The application you have just created will need permission to read data from each of the subscriptions that the connector will discover and inventory. The simplest way to do this is to assign the built-in “Reader” role that is available in all Azure subscriptions.
1. Navigate to each subscription and click ‘Access Control (IAM)’ from the menu
2. Click “Add” and then choose “Add role assignment” from the menu
3. On the “Add role assignment” page, choose “Reader” then click “Next”

4. Click the ‘+ Select members’ link
5. Enter the name of the app registration you created in the text box

6. Click the name of the app and then click the “Select” button
7. Click “Next” then click “Review + assign”
Creating a Custom Role with Fine-Grained Permissions
An alternative to using the built-in 'Reader' role is to create a custom role with explicit read permissions to each of the providers used by the Certero Azure connector. The required permissions have been included in the 'permissions.json' file attached to this article, for use in the instructions below.
1. Download the permissions.json file attached to the bottom of this article
2. Navigate to each subscription and click ‘Access Control (IAM)’ from the menu
3. Click 'Add' and then choose 'Add custom role' from the menu
4. Under 'Baseline permissions' choose 'Start from JSON'
5. Click the 'Select a file' input and browse to the permissions.json file that was downloaded in step 1
6. If desired, amend the role name and description
7. Click the 'Assignable scopes' tab and then click the '+ Add assignable scopes' button
8. In the 'Type' list select 'Subscription'
9. Click the subscription on the right-hand side then click 'Select'
10. Click the 'Review + create' button then click 'Create'
To create the role assignment, follow the previous set of instructions, using this custom role instead of the built-in 'Reader' role.
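Before importing a role definition through 'Start from JSON', it is worth confirming that it grants read operations only and is scoped to a single subscription. The following check is an added example, not part of the original article or of Certero's tooling; the role shown is a constructed sample (it is not the contents of permissions.json), and the function name `audit_role` is hypothetical.

```python
import json

# Constructed sample in the portal's "Start from JSON" shape. This is NOT the
# contents of Certero's permissions.json; the actions are illustrative only.
SAMPLE_ROLE = json.loads("""
{
  "properties": {
    "roleName": "Example Inventory Reader",
    "description": "Constructed sample role",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Network/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}
""")


def audit_role(role):
    """Return findings that make a custom role broader than read-only."""
    props = role.get("properties", role)  # with or without the wrapper object
    findings = []
    for block in props.get("permissions", []):
        for action in block.get("actions", []):
            # Only operations ending in /read are read-only; this also flags
            # wildcards such as "*" or "Microsoft.Network/*" and any */action.
            if not action.lower().endswith("/read"):
                findings.append(f"non-read action: {action}")
        for action in block.get("dataActions", []):
            findings.append(f"data-plane action: {action}")
    for scope in props.get("assignableScopes", []):
        parts = scope.strip("/").split("/")
        # Expect exactly /subscriptions/<id>, matching the 'Subscription' type.
        if len(parts) != 2 or parts[0].lower() != "subscriptions":
            findings.append(f"scope is not a single subscription: {scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE):
        print("REVIEW:", finding)
```

An empty result means every control-plane action ends in `/read`, no data-plane actions are granted, and each assignable scope is one subscription.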
Creating the Certero Connector
Prerequisites
The Certero Endpoint being used for the Azure connector must have:
HTTPS access to the internet.
The Microsoft Azure Connector feature enabled beforehand, via the Administration > Endpoint Servers menu option.
Within Certero
1. Navigate to Connectors > Microsoft Azure
2. Click the +New button
3. Enter your Microsoft Azure Tenant name
4. Select the Endpoint Server that will perform the data import from Azure (if the Microsoft Azure Connector feature is not enabled on this Endpoint Server, it will just ignore the request and nothing will happen)
5. Under the Credentials region, enter the Client ID and Client Secret
6. Head to the Schedule tab and define your preferred schedule for this connector to run
7. Click the Save button
Required Permissions File: permissions.json