Onboard an Azure Cloud Tenant

This topic explains how to onboard an Azure tenant. Onboarding an Azure tenant allows you to connect all the subscriptions and resources under the tenant with CloudSecure. Running the PowerShell script for Azure tenant onboarding creates a new AD application with tenant scope. This allows CloudSecure to retrieve subscriptions and resources under the given tenant. After the Azure AD application is created and the required permissions are set, the PowerShell script automatically sends the necessary credentials (Client ID and Client Secret) to CloudSecure. CloudSecure requires these credentials to communicate with your Azure tenant.

Prerequisites

  • In Azure, you must copy the parent management group id (tenant id). It can be found under the Management Groups. You must provide it in the first step of the onboarding wizard.
  • The user onboarding the tenant must have Owner permissions or the User Access Administrator role in order to run the onboarding PowerShell script described in Onboard a Tenant below.
  • You must download the credentials of the newly created CloudSecure Service Account, or have access to the credentials of an existing CloudSecure Service Account.

Onboard a Tenant

  1. If this is the first time you are logging in, click + Azure on the Onboarding page to onboard your first account.
  2. If you've already onboarded other accounts, choose Onboarding from the left navigation. The Onboarding page appears. Click +Add Azure at the top of the page.
  3. The Add Azure Cloud Tenant wizard starts and displays the first step: Connect to Azure
  4. Provide the following information about your Azure account:
    • Name: You specify a name for the account; this name is what will appear in CloudSecure. The name should be descriptive so that you can easily identify it in CloudSecure.
    • Tenant ID: Paste the parent management group ID that you copied from Azure.
  5. NOTE:

    The wizard contains the following toggles:

    • A toggle to enable all member subscriptions along with the tenant. If you want to onboard only some subscriptions in the tenant, set this toggle to No. Then go to the Onboarding page to onboard those subscriptions individually.
    • A toggle to specify the type of access CloudSecure will have to your Azure tenant and the subscriptions in it. Choose Yes to grant the Illumio Cross Account Role permission to view your Azure tenant resources and to apply policy to them. Choose No to provide the Illumio Cross Account Role read-only access. To view the permissions you are granting CloudSecure to your Azure tenant, click Download Permissions.

The wizard advances to step two: Set up Access

  1. Select a service account that you want to use or create a new one. Make sure to download the credentials, as they will be needed for the PowerShell script to return the Azure AD app credentials back to CloudSecure.
  2. Enter the ServiceAccountToken in the appropriate field.
  3. The Set up Access step includes a field containing a PowerShell command to run the illumio-init.ps1 script in Azure. Illumio securely hosts the script so that it can run during the onboarding process. The PowerShell command automatically appends the subscription ID you entered in the first step of the wizard.
  4. To the left of the PowerShell command field, click the copy icon. The icon refreshes with a check mark on a green field indicating you successfully copied the command.
  5. In a new browser window, open your Azure portal.
  6. From the top taskbar, click the Cloud Shell icon to open a console; select the PowerShell option.
  7. After Azure finishes building your Azure drive, paste the copied PowerShell command.
  8. The script runs, creating an Azure AD application with a tenant scope. It adds Reader permissions and an Illumio Network Security Administrator-<subscriptionId> custom role (only if you chose the ReadWrite option with the access toggle described in the note under step 4 above).
  9. Creation of the AD app registration and the roles allows CloudSecure access to the tenant resources. CloudSecure will be able to discover tenant resources and write policies for them.
  10. For the complete list of permissions granted to CloudSecure for your account, see Azure Requirements.
  11. The script sends the Client ID and Client Secret to CloudSecure. CloudSecure accesses your Azure tenant so that you don't have to repeatedly provide your Azure credentials.
  12. Leave your Azure portal and return to CloudSecure. The Set up Access step in the onboarding wizard should still be displayed.
  13. Select the check box indicating that the “deployment” script has finished running in Azure.
  14. NOTE:

    The wizard UI obscures the pasted Client Secret. To view the secret and confirm you pasted the correct value, click the icon to the right of the field. You can only click this icon once. The secret remains obscured in all CloudSecure pages.

  15. The final step of the wizard appears. This step displays a summary of the subscription information you just specified for onboarding.
  16. Review the subscription information and if everything looks correct, click Save and Confirm. If you see issues you need to correct, click Back and return to that wizard step.
NOTE: CloudSecure can read flow logs from several NSGs going to the same storage account. With Azure, you can configure NSG flow logs in the same region, despite being from multiple VNets residing in different subscriptions, to be sent to a single storage account in the same region residing in a single subscription. By providing access to that specific storage account, CloudSecure can obtain and analyze flow logs for all the NSGs residing in different subscriptions. For more information on flow logs, see Grant Flow Log Access.
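After the illumio-init.ps1 script has finished (steps 8 through 11 above), it is worth confirming from your side what was actually created, rather than relying on the wizard's summary alone. The following PowerShell script is an added verification example; it is not part of the Illumio onboarding script and not Illumio's code. It assumes you run it in Azure Cloud Shell (PowerShell) with the Az module, that $TenantManagementGroupId is the parent management group ID you copied in the prerequisites, and that $AppDisplayName is whatever display name the onboarding script gave the AD app registration (the documentation does not state that name, so it is a placeholder you must look up in Azure AD > App registrations). The role names checked for are the ones this page describes: Reader plus the Illumio Network Security Administrator-<subscriptionId> custom role.

```powershell
# Added verification example (not Illumio's illumio-init.ps1 script).
# Placeholders, not values taken from the documentation:
#   $TenantManagementGroupId - parent management group id copied in the prerequisites
#   $AppDisplayName          - display name of the app registration the onboarding script created
# Save as Verify-CloudSecureOnboarding.ps1 and run it in Cloud Shell (PowerShell, Az module).
param(
    [Parameter(Mandatory = $true)] [string] $TenantManagementGroupId,
    [Parameter(Mandatory = $true)] [string] $AppDisplayName
)

$ErrorActionPreference = 'Stop'

# --- 1. Prerequisite check: the signed-in user needs Owner or User Access Administrator ---
$mg         = Get-AzManagementGroup -GroupName $TenantManagementGroupId
$mgScope    = $mg.Id      # /providers/Microsoft.Management/managementGroups/<id>
$signInName = (Get-AzContext).Account.Id
$requiredRoles = @('Owner', 'User Access Administrator')

# Assignments at this scope, including those inherited from parent scopes.
$myRoles = Get-AzRoleAssignment -SignInName $signInName -Scope $mgScope
if (-not ($myRoles | Where-Object { $requiredRoles -contains $_.RoleDefinitionName })) {
    Write-Warning "$signInName holds neither Owner nor User Access Administrator at $mgScope; the onboarding script cannot create role assignments there."
}

# --- 2. The app registration and its service principal exist ---
$app = Get-AzADApplication -DisplayName $AppDisplayName
if (-not $app) { throw "No app registration named '$AppDisplayName' was found in this tenant." }
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
Write-Output "App '$($app.DisplayName)': AppId=$($app.AppId)  ServicePrincipalObjectId=$($sp.Id)"

# --- 3. Client secret lifetime: CloudSecure loses access when the secret expires ---
# Watch the end date (EndDateTime in the Graph-based Az.Resources module) and plan rotation.
Get-AzADAppCredential -ApplicationId $app.AppId | Format-List

# --- 4. Role assignments actually granted to the service principal ---
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
Write-Output 'Role assignments held by the CloudSecure service principal:'
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Expected: Reader at the tenant scope, plus (ReadWrite option only) one or more
# 'Illumio Network Security Administrator-<subscriptionId>' custom roles.
# Anything broader (Owner, Contributor, ...) is not part of onboarding and should be reviewed.
$unexpected = $assignments | Where-Object {
    $_.RoleDefinitionName -ne 'Reader' -and
    $_.RoleDefinitionName -notlike 'Illumio Network Security Administrator-*'
}
if ($unexpected) {
    Write-Warning 'The service principal holds roles beyond what tenant onboarding grants:'
    $unexpected | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
}

# --- 5. Inspect the custom role so you know exactly which write actions were granted ---
Get-AzRoleDefinition -Custom |
    Where-Object { $_.Name -like 'Illumio Network Security Administrator-*' } |
    ForEach-Object {
        Write-Output "Custom role: $($_.Name)"
        Write-Output "  AssignableScopes: $($_.AssignableScopes -join ', ')"
        Write-Output "  Actions:          $($_.Actions -join ', ')"
        Write-Output "  NotActions:       $($_.NotActions -join ', ')"
    }
```

Run it as `./Verify-CloudSecureOnboarding.ps1 -TenantManagementGroupId <id> -AppDisplayName '<name>'`. Step 4 is the part to keep: comparing the service principal's assignments against the two roles this page says onboarding grants gives you a least-privilege check you can repeat later (for example after a re-run of the script), and step 3 gives you the secret's expiry so the tenant does not silently drop out of CloudSecure.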

What's Next?

When finished, the Onboarding page opens and displays a new row for that tenant.

For the next steps after onboarding a tenant, see After Onboarding Cloud Accounts and What to Do Next.

Caveats

After tenant onboarding is complete, it will show a list of subscriptions. If a subscription belonging to a tenant is onboarded before the tenant onboarding, it will not show in the tenant's list of subscriptions. If you wish to see a subscription that you onboarded prior to the tenant onboarding, you need to delete the onboarded subscription. Upon tenant onboarding, it will automatically sync and onboard the subscription.