This article provides guidance on how to obtain the following required parameters when you register the Microsoft Azure account in ePolicy Orchestrator (ePO):
- Subscription id
- Tenant id
- Client id
IMPORTANT: Make sure that the Azure Resource Manager modules are installed in Microsoft Azure PowerShell.
Run the Microsoft Azure PowerShell script. The script obtains the required parameters to use when registering the Azure account on ePO:
- Download the required script attached to this article, and copy it to the PowerShell installation folder.
NOTE: Make sure that you download the correct script according to the version of the cloud connector in use: MicrosoftAzure_Prerequisite_CWS50_Ver3.zip (for CWS 5.x users).
- Open the PowerShell as administrator.
- To change directory, type the following command and then press Enter:
  cd "PowerShell directory path"
- To run the script, type the following command and then press Enter:
  .\MicrosoftAzure_Prerequisite.ps1
This script requests the following parameters to be entered during execution:
- The name of your application. For example: CompanyApp.
- URL to a page that describes your application; this link isn't verified. For example: https://www.companyapp.com.
- URLs that identify your application. For example: https://www.companyapp.com/example.
- Password for your application.
- For CWS 5.0 only, select one option for Limited Role privilege creation, in the numeric format 1 or 2 (the two roles are described below).
Single Subscription
For a single subscription linked to a logged-on user, choose one of the following roles:
- CWS Basic – This set of rules grants only a limited privilege user permission to Discover Azure Instances and NSG rules.
- CWS Advanced – This set of rules grants a user permission to do the following:
  - Discover Azure Instances and NSG rules, with Traffic discovery
  - Remediate NSG rules
  - Shut down Instance
Multiple Subscriptions
If multiple subscriptions are associated with the user account, follow the steps in either Option A or Option B:
Option A - Create a Web Application for the selected subscription:
- Select a number that corresponds to the subscription, when prompted by the script.
- After you select the number, follow the same steps in the "Single Subscription" section above.
Option B - Create a Web Application for all subscriptions:
NOTE: With this option, the web application is created for all subscriptions that have the correct access rights.
- Select All when prompted.
- Type a prefix string to prepend to the web application name.
  Example: Type a descriptive prefix string such as your company name, for example ABC. If there are five subscriptions, five web applications are created with names such as ABCAzureApp1, ABCAzureApp2, ABCAzureApp3, ABCAzureApp4, ABCAzureApp5.
- Type a password to use for all web applications.
- For CWS 5.0 only, select one of the following options for Limited Role privilege creation, in the numeric format 1 or 2:
  - CWS Basic – This set of rules grants only a limited privilege user permission to Discover Azure Instances and NSG rules.
  - CWS Advanced – This set of rules grants a user permission to do the following:
    - Discover Azure Instances and NSG rules, with Traffic discovery
    - Remediate NSG rules
    - Shut down Instance
When you run MicrosoftAzure_Prerequisite.ps1, it creates a text file named MicrosoftAzureCloudAccountdetails.txt in the same directory from which the script is executed. The text file contains the following values, which are used to register the Azure account in ePO:
- Subscription id
- Tenant id
- Client id
Internally, this script does the following:
- Creates a new Active Directory application
- Creates a service principal for the application
- Grants the service principal the Contributor role on your subscription
NOTE: For multiple subscriptions in an Azure account, you can select the required subscription when the PowerShell script runs.
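The three internal steps above, as an added illustration written against the AzureRM cmdlets the IMPORTANT note refers to. This is not the MicrosoftAzure_Prerequisite.ps1 attached to the article; the parameter defaults, the subscription prompt, the retry loop and the layout of the output file are assumptions.

```powershell
# Added illustration of the script's three internal steps (AzureRM cmdlets).
# Not the attached MicrosoftAzure_Prerequisite.ps1. Assumes you are already
# signed in with Login-AzureRmAccount.
param(
    [string]$AppName       = "CompanyApp",                        # assumed defaults
    [string]$HomePage      = "https://www.companyapp.com",
    [string]$IdentifierUri = "https://www.companyapp.com/example",
    [string]$RoleName      = "Contributor"   # what the article's script grants
)

# Mirror the script's numbered subscription prompt when the account has several
$subs = @(Get-AzureRmSubscription)
if ($subs.Count -gt 1) {
    for ($i = 0; $i -lt $subs.Count; $i++) {
        "{0}: {1} ({2})" -f ($i + 1), $subs[$i].Name, $subs[$i].Id
    }
    $choice = [int](Read-Host "Select subscription number")
    $sub = $subs[$choice - 1]
} else {
    $sub = $subs[0]
}
Set-AzureRmContext -SubscriptionId $sub.Id | Out-Null

# 1. Create the Azure AD application; the password is prompted, never hard-coded
$secret = Read-Host "Password for $AppName" -AsSecureString
$app = New-AzureRmADApplication -DisplayName $AppName -HomePage $HomePage `
        -IdentifierUris $IdentifierUri -Password $secret

# 2. Create the service principal for the application
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 3. Grant the role at subscription scope. A new principal can take a few
#    seconds to replicate, so retry rather than fail on "principal not found".
$scope = "/subscriptions/$($sub.Id)"
$assigned = $false
for ($try = 0; $try -lt 6 -and -not $assigned; $try++) {
    try {
        New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName `
            -Scope $scope | Out-Null
        $assigned = $true
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $assigned) { throw "Role assignment for $AppName failed after retries" }

# Write the three values ePO asks for (file name from the article; layout assumed)
@(
    "Subscription id: $($sub.Id)",
    "Tenant id: $($sub.TenantId)",
    "Client id: $($app.ApplicationId)"      # the application id is the client id
) | Set-Content -Path (Join-Path $PWD "MicrosoftAzureCloudAccountdetails.txt")
```

Before registering the account in ePO, verify the assignment with Get-AzureRmRoleAssignment -ObjectId $sp.Id so that a silently failed grant does not surface later as discovery errors.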