| layout | title | author | modified by |
|---|---|---|---|
default |
Installation & Deployment Guide |
Ajay C |
Julian A |
This article describes how to Automate Governance, Compliance, Reliability and Risk Monitoring for an enterprise using Azure
To deploy Cloudneeti VM from the Azure Marketplace:
Note: User logging into Azure Portal must have Global admin role to make the necessary configuration changes.
-
Log in to the Microsoft Azure portal.
-
Click Marketplace or click Browse > in the left side navigation, and select Marketplace from the list.
-
In Click the Security + Identity blade and search for
Cloudneeti Enterprise. -
Click Cloudneeti Enterprise
-
In the Cloudneeti Enterprise blade, in Select a deployment model, select
Resource Manager. -
Click Create. The Create virtual machine and Basics blades appear.
-
On the Basics blade, complete the following fields:
Name: Type a descriptive name for your virtual machine.VM disk type: Select disk type SSD or HDDUser name: Type a user name for logging in to your virtual machinePassword: Enter password for logging in to your virtual machineConfirm password: Enter the same password for confirmationSubscription: Select the subscription under which to create your virtual machineResource group: Specify the resource group to contain all your Cloudneeti VM resources. You can create a new resource group or select an existing resource groupLocation: Select an Azure region from the Location list- Click OK
-
On the Choose a size blade, select a size and pricing tier for your virtual machine, and click Select.
-
On the Settings blade, review the preconfigured values for each field, and click OK. Most fields have additional settings that are not displayed on the Settings To see all settings, expand each field. after validation, review the Summary information, and then click OK.
-
On the Purchase blade, review the offer details, Terms of use, privacy policy, and Azure Marketplace Terms and then click Purchase. The deployment is submitted
-
Depending on the disk types and VM instance type, It might take approximately 8-20 minutes before your new virtual machine is running
-
Update Network Security Group rules you must create rules that allow inbound for communication for the Cloudneeti application refer Opening ports to a VM
-
When installation is complete, we need to configure certain parameters to open the application, follow below mentioned steps
- Go to left pane of Microsoft Azure portal click on Resource Group and find for resource group which is created above under your subscription
- Then select the resource name against the the resource type "Public IP address" and go to the configuration settings of Public IP address resource type. Update the DNS name label in the configuration blade. Note the DNS Name you specified it would be *<DNSname>.<region>.cloudapp.azure.com.
*it will be the Azure region / location which you have selected for creating VM - In order to get an access to the Cloudneeti application you must set up an Azure Active Directory (AD) application and assign the required permissions to it Refer Azure Active Directory application
Cloudneeti uses AD Application for requesting consent accessing your Azure Subscription resources. To create an Active Directory Application. Refer to documentation Integrating applications with Azure Active Directory
- In the Azure Portal, select App Registrations.
- Click on New application registration button. Enter the Name for example "Cloudneeti" Select the Application Type as "Web App/API" Enter the Sign-on URL as "<DNSname>.<region>.cloudapp.azure.com."
- Click Create.
- Click on the registered application "Cloudneeti"
- Click Settings
- Click Reply URL
- Enter Reply URL with DNS name created above <DNSname>.<region>.cloudapp.azure.com/Account/SignIn
- Click Save
- In the Azure Portal, select App Registrations.
- In App Registration blade, Click on the newly registered application if you had given the name "Cloudneeti" then click on the same.
- Click Settings
- Click Keys
- Enter a new description, Select a Expires value from the drop down and Click Save
- The key value is generated, Copy the same for your record.
- To access resources in your subscription, you must assign the application to a role refer Assign application to role
You can do both the steps i.e. Create an Active Directory Application using automated script and Authorize Application ID to access your Subscription resources using automated scripts provided below:
<#
Powershell Version : 5.0
Pre-requisites to run this script -
Required Modules & Version-
AzureRM 4.1.0
AzureADPreview 2.0.0.129
You can Install the required modules by executing below command.
Install-Module AzureRM
Install-Module AzureADPreview
Account permissions -
The account to execute this script must be an Azure AD Account with Global Administrator Permission at Tenant level and Owner permission at Subscription level.
Description
This script creates an AD Application, Service Principal, Add Response URL and Grant permission at Subscription or ResourceGroup level. By default this will grant 'Reader'
permission to the App if only SubscriptionID is provided as a parameter input. This script requires SubscriptionID as a mandatory input.
Example
Creates a service principal without response url.
.\Create-ServicePrincipal.ps1 -subscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx
Example
Creates a Service Principal with response url.
.\Create-ServicePrincipal.ps1 -subscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx -dnsNameLabel tjgj7s-enterprise.eastus.cloudapp.azure.com
Example
Creates an App and grant Contributor permission at Subscription.
.\Create-ServicePrincipal.ps1 -subId 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx' -prefix 'AdApp' -def 'Contributor' -scope Subscription
Example
Creates an App and grant Contributor permission at given Resource Group.
.\Create-ServicePrincipal.ps1 -subId 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx' -prefix 'AdApp' -def 'Contributor' -scope ResourceGroup -resourceGroupName 'testResourceGroup'
#>
Param (
# Provide Subscription ID
[Parameter(Mandatory=$true,
Position=0,
ParameterSetName='Parameter Set 1')]
[ValidateNotNull()]
[Alias("subId")]
$subscriptionId,
# Provide public DNS name label for cloudneeti application. if you are accessing it using azure dns label then enter the same. e.g. cnbasic.eastus2.cloudapp.azure.com
[Parameter(Mandatory=$false,
Position=1,
ParameterSetName='Parameter Set 1')]
[ValidateNotNull()]
[Alias("dnsName")]
$dnsNameLabel = 'null',
# Provide displayname suffix for AD application.
[Parameter(Mandatory=$false,
Position=2,
ParameterSetName='Parameter Set 1')]
[ValidateNotNull()]
[Alias("prefix")]
$adApplicationDisplayNamePrefix = 'cloudneeti',
# Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
[Parameter(Mandatory=$false,
Position=3,
ParameterSetName='Parameter Set 1')]
[ValidateNotNull()]
[Alias("def")]
$roleDefinitionName = 'Reader',
# The Scope of the role assignment
[Parameter(Mandatory=$false,
Position=4,
ParameterSetName='Parameter Set 1')]
[ValidateSet ("Subscription", "ResourceGroup")]
$scope = 'Subscription',
# The Resource Group Name to assing permission.
[Parameter(Mandatory=$false,
Position=5,
ParameterSetName='Parameter Set 1')]
[ValidateNotNull()]
[ValidateScript({$scope -eq 'ResourceGroup'})]
$resourceGroupName
)
# Function to create a strong 15 length Strong & Random password
function New-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
}
else {
$aesManaged.IV = $IV
}
}
if ($key) {
if ($key.getType().Name -eq "String") {
$aesManaged.Key = [System.Convert]::FromBase64String($key)
}
else {
$aesManaged.Key = $key
}
}
$aesManaged
}
function New-AesKey() {
$aesManaged = New-AesManagedObject
$aesManaged.GenerateKey()
[System.Convert]::ToBase64String($aesManaged.Key)
}
$ErrorActionPreference = 'Stop'
Import-Module AzureRM.Resources
Import-Module AzureADPreview
try {
# To login to Azure Resource Manager
Write-Host ("1: Logging in to Azure Subscription " + $SubscriptionId) -ForegroundColor Yellow
Try
{
Get-AzureRmSubscription -SubscriptionId $subscriptionId
$context = Set-AzureRmContext -SubscriptionId $subscriptionId
}
Catch
{
Login-AzureRmAccount -SubscriptionId $SubscriptionId
$context = Set-AzureRmContext -SubscriptionId $SubscriptionId
}
switch ($scope) {
'Subscription' { $scopeUri = "/subscriptions/" + $SubscriptionId }
'ResourceGroup' { $scopeUri = "/subscriptions/" + $SubscriptionId + '/resourceGroups/' + $resourceGroupName }
}
$homePageURL = ("http://www.cloudneeti.com")
$applicationDisplayName = ($adApplicationDisplayNamePrefix + (Get-Random -Minimum 100 -Maximum 999))
$identifierUris = "http://" + $applicationDisplayName
# Create Active Directory Application
try
{
Write-Host -ForegroundColor Yellow "2: Creating a new azure active directory application - $applicationDisplayName."
#Create the 44-character key value
$keyValue = New-AesKey
# create the PSADPasswordCredential and populated it with start and end dates, a generated GUID, and my key value:
$psadCredential = New-Object Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.PSADPasswordCredential
$startDate = Get-Date
$psadCredential.StartDate = $startDate
$psadCredential.EndDate = $startDate.AddYears(100)
$psadCredential.KeyId = [guid]::NewGuid()
$psadCredential.Password = $KeyValue
$azureAdApplication = New-AzureRmADApplication -DisplayName $applicationDisplayName -HomePage $homePageURL -IdentifierUris $identifierUris -PasswordCredentials $psadCredential
}
catch [System.Exception]
{
throw $_
}
# Update Azure AD Application with Response URLs.
if($dnsNameLabel -ne 'null'){
$ReplyUrls = "http://" + $dnsNameLabel + '/Account/SignIn'
Set-AzureRmADApplication -ObjectId $azureAdApplication.ObjectId -ReplyUrls $ReplyUrls
}
# Create Service Principal for the AD app
Write-Host -ForegroundColor Yellow "3: Creating a new azure active directory service principal for applicationClientID - $($azureAdApplication.ApplicationId)"
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
$newRole = $null
$retries = 0;
While ($newRole -eq $null -and $retries -le 6)
{
# Sleep here for a few seconds to allow the service principal application to become active (should only take a couple of seconds normally)
Start-Sleep 30
New-AzureRMRoleAssignment -RoleDefinitionName $roleDefinitionName -ServicePrincipalName $servicePrincipal.ApplicationId -Scope $scopeUri | Write-Verbose -ErrorAction SilentlyContinue
$newRole = Get-AzureRMRoleAssignment -ServicePrincipalName $servicePrincipal.ApplicationId -ErrorAction SilentlyContinue
$retries++;
}
# Create Access Token Policy for Service Principal with one day expiry.
Write-Host -ForegroundColor Yellow "4: Creating access token policy for service principal with one day expiry."
Connect-AzureAD
$adPolicy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59","MaxAgeSessionSingleFactor":"23:59:59"}}') -DisplayName "CloudneetiAppToken" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Add-AzureADServicePrincipalPolicy -Id $servicePrincipal.Id.Guid -RefObjectId $adPolicy.id
############### SCRIPT OUTPUT ##########################
Write-Host -ForegroundColor Yellow "`n5: Copy and provide the below information while configuring Cloudneeti."
$Output = @{
"DomainName" = ($context.Account.Id -split '@')[1];
"TenantId" = $context.Tenant.Id;
"SubscriptionId" = $context.Subscription.Id;
"ADApplicationName" = $azureAdApplication.DisplayName;
"ADApplicationClientId" = $azureAdApplication.ApplicationId;
"ADApplicationPassword" = $KeyValue;
}
Write-Host -ForegroundColor Yellow "$($Output | Out-String)"
}
catch {
Throw $_
}
The following sections will help you configure each App Registration permission sets.
- In the Azure Portal, select App Registrations.
- In App Registration blade, Click on the newly registered application if you had given the name "Cloudneeti" then click on the same.
- Click Settings
- Click Required Permissions
- Click +Add.
- Click Select an API.
- In this step you will modify Windows Azure Active Directory, Microsoft Graph, Windows Azure Service Management API
NOTE the order of your API’s maybe different than listed in this documentation.
-
Select the Windows Azure Active Directory API
-
Select the following 2 application permissions
-
Read and write directory data
-
Read directory data
-
-
Select the following 3 delegated permissions
-
Read all groups
-
Read directory data
-
Access the directory as the signed-in user
-
-
-
Click Select
-
Select Done
-
Click +Add.
-
Select the Microsoft Graph API
-
Select the following 6 application permissions
-
Read files in all site collections
-
Read all groups
-
Read directory data
-
Read and write directory data
-
Read all users’ full profiles
-
Read all identity risk event information
-
-
Select the following 7 delegated permissions
-
Sign in and read user profiles
-
Read all users’ basic profiles
-
Read all users’ full profiles
-
Read all groups
-
Read directory data
-
Read and write directory data
-
Access the directory as the signed in user
-
-
-
Click Select
-
Select Done
-
Click +Add
-
Select the Windows Azure Service Management API
-
Select no application permissions
-
Select the following 1 delegated permission
- Access Azure Service Management as organization user
-
-
Click Select
-
Select Done
If the configurations are successful, you will see a table of permissions similar to the following:
| API | Application permissions | Delegated permissions |
|---|---|---|
| Windows Azure Active Directory | 2 | 3 |
| Microsoft Graph | 6 | 7 |
| Windows Azure Service Management | 0 | 1 |
- After you finish these steps, you are ready with Cloudneeti Application, open a browser and go to : <DNSname>.<region>.cloudapp.azure.com