- 9 minutes to read

How do I provide the access rights for Nodinite Logging and Monitoring agents to my Azure-related services?

In this user guide, you will learn how to add an Application (ClientId) to allow access to the Azure REST API using the Azure Management Portal for use with Nodinite Monitoring and Logging Agents.

The Nodinite Azure-related Logging Agents, and Monitor-AgentsMonitoring Agents execute queries and commands to the Azure Service Management REST API. You must register one or more Applications using the App Registrations page in the Azure portal with membership to some built-in roles. The specific roles are in a list in the Least Privileges section on this page.

The Service Management API is a REST API that provides programmatic access to much of the functionality available through the Azure Management Portal.

All API operations Nodinite performs uses SSL, and the authentication uses X.509 v3 certificates.

By design, Nodinite has access documented with least privileges.


To configure the Nodinite Log- and Monitor-Agents; use this guide to find the following set of required properties:

1. TenantId
2. SubscriptionId
3. ResourceGroup
4. ClientId and ClientSecret

Connection Properties

1. TenantId

The TenantId is the GUID uniquely identifying the Azure Active Directory instance.

From the Azure Portal; Enter tenant properties and navigate to Properties for the Azure Active Directory. The TenantId is available on the page.
TenantId

2. SubscriptionId

The Microsoft Azure subscription is the unique user account in Azure. All Azure Resources and services are available to the REST-based Service Management API.

When you create an Azure subscription, it is uniquely identified by a SubscriptionId. The subscription Id is part of the call to the Azure Service Management API.

  • The SubscriptionId is a GUID.

To acquire the SubscriptionId, enter Subscriptions in the search, and navigate to the Subscriptions page. Copy and use the GUID value:
SubscriptionId
Copy the SubscriptionId GUID to use.

3. Resource Group

For each Nodinite Log- and Monitor Agent; You must specify the Resource Groups to Monitor and Manage. There are different ways to manage these lists from within Nodinite depending on the type of agent.

One way to get the value is to use the Azure Portal; You can view the available Resource Groups.
Resource Group Name
Copy and use the Name of the Resource Group.

4. ClientId and ClientSecret

Important

Ensure you have at least one App Registration for each Subscription AND each Nodinite Monitoring Agent for Azure. This allows additional requests per timeframe is then allowed. You can read more about throttling here. If you have three Nodinite Monitoring Agents, you should have at least three App Registrations.

To retrieve the 'ClientId' and the 'ClientSecret' an Application must first exist/be created.

The following steps are required to create a new Application (Client Id):
CreateApplication

  1. Select Azure Active Directory
  2. From the Selected Active Directory instance, click on App registrations
  3. Click the New registration button

Register new Application

  • Enter the name of the Application
  • Select Accounts in this organizational directory only - least privileges
  • Select the Web option
  • Enter the URL to your user management website (can be changed later)

    Note

    The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org

  1. Click the Register button to begin the creation process

This operation may take some time.

Create Permissions

Click the newly created Application to start creating permissions.

  • Click the Add a Permission button. Create Key

Request API Permissions

Next; select which API Permissions to assign for the Application. This may be different depending on which Nodinite Monitoring Agent to use.

  1. Click the APIs my organization uses tab
  2. Click the Windows Azure Service Management API Request API Permissions

Type of Permissions

Another modal is now displayed, and you need to specify the type of permissions required by the Application:

  1. Select Delegated permissions
  2. Check the user_impersonation checkbox
  3. Click the Add permissions button
    Type Of Permission
    Steps to perform when specifying the type of permissions granted for Application.

You can safely skip this step.
Consent

Create Client Secret

  1. Select the Certificates & secrets
  2. Click the New client secret button Create Client Secret

In the following dialogue, enter:

  1. A user-friendly name for the Client secret
  2. Select when the secret expire
  3. click the Add button

Add a Client Secret Modal

Next, the Client secret presents (once - this time only)
Copy Client Secret

Important

REMEMBER TO COPY THE KEY and store it securely and accessible for your colleagues! Since it will only be displayed upon first save!

Add permission to monitor and manage the Resource Group

You can fine-tune permission on individual levels.

  • Subscription (highest level)
  • Resource Group (recommended)
  • Object (lowest level)

Least Privileges

Our recommendation is to assign as in the section: Roles with least privileges.

To assign the role membership on the Resource Group level:

  1. Search and navigate to the list of Resource Groups.
  2. Select the Resource Group to add the permission to.
  3. Select Access Control (IAM).
  4. click the Add button.
  5. Select Add role assignment

Add IAM for Resource Group

  1. Select the built-in Contributor Role OR, use the table in the Roles with least privileges section on this page.
  2. Select Azure AD user, group. pr service principal.
  3. Select one or more members (Application Name from step 4 - ClientId and ClientSecret).

    To find the named Application(s), you need to type some characters to active the filter.

Add a Role Assignment

Note

Remember to click on the Save button

Save or Discard button
Click the Save button to persist the role assignment.

List of permissions

When finished, you will now see all User (Application) permissions in the list for the Resource Group(s) and/or Subscriptions. The User (Application) will be listed as part of the Contributor role.

List Of App Registration Security Levels

Least privileges

If you opt to allow the Client/Application the Contributor role on each Subscription to monitor and manage, then you do not have to fine tune the Role Assignments with one exception; the Nodinite Azure Monitoring Agent requires the Azure Event Hubs Data Sender role assigned in order to send messages to the Event Hub.

Below is a list of specific permissions required to use the following Nodinite Azure Logging and Monitoring Agents:

The Nodinite Pickup Service does not use the Azure REST API. Instead, it uses information from the Shared access policies.

Permission

Clone a role

Keep in mind that updating Azure role assignments may take up to five minutes to propagate. Then, you need to restart the necessary Nodinite agents.

Resource Role Agent Purpose
Subscription Reader Show Details and Match/Validate the Subscription Id with the current configuration.
NOTE: This right inherits to all other Resources in selected Subscription.
API Management Service API Management Service Contributor List resources, Create and delete EventHub Logger, Invoke APIs
App Registrations Microsoft.Graph - Application.Read.All List App Registration, SSO assignments, Branding info and evaluate Secrets
NOTE: The type must be Application, NOT delegated
App Registrations - Owners (Details page) Microsoft.Graph - User.Read.All List details about Owners
NOTE: The type must be Application, NOT delegated
App Services (Function App and Web App) Website Contributor List Web Sites
Get Web Site
List Web Jobs
Get Web Job

Web Jobs (the following features require the 'SCM Basic Auth Publishing Credentials' setting to be set to On)
  • Fetch publishing profile
  • View Web Jobs History
  • Run Triggered Web Job
  • Start/Stop Continous Web Job
Application Insights Reader (read the Component configuration) View all resources, but does not allow you to make any changes.
Application Insights API Key (required to get the statistics for Function App Monitoring, additional access rights are required, please review the Function App in this table) Not a role-assignment You must manually create an API Key (from the side bar menu 'API Access' in the Azure portal) for each Application Insights instance. API access is required for the Function App Monitoring. If the API key expires, you need to re-create it
Data Factory Data Factory Contributor List Data Factories and pipelines, Read Details, Read performance
Event Grid EventGrid EventSubscription Reader Lets you read Event Grid event subscriptions.
Event Hubs Azure Event Hubs Data Sender Send messages to the Event Hub entity
Function App
  • 1. Website Contributor
  • 2. Reader
  • 1. List resources
  • 2. View all resources, but does not allow you to make any changes
    Read configuration to explore Application Insights
Service Bus Namespace Azure Service Bus Data Owner List namespaces and Resources, Read and use Access Keys, Manage Queues and Topics
Key Vaults Key Vault Reader List Key vaults and reads meta data (does not read the actual secrets!)
NOTE: Azure role-based access control (recommended) must be set in the access configuration.
Logic App Logic App Operator Enable/Disable Logic App. This role is NOT allowed to Resubmit runs
Logic Apps Logic App Contributor Allow to Resubmit runs. If you assign membership with this role; The Client does not need to be a member of the Logic App Operator role
Storage Account Reader and Data Access
NOTE:If you add this role, you do not need all the other specific role assignments
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
Storage Account - Blob (Read) Storage Blob Data Reader Read and list Azure Storage containers and blobs
Storage Account - Blob (Read/Write/Delete) Storage Blob Data Contributor Read, write, and delete Azure Storage containers and blobs.
Storage Account - File (Read/Write) Storage File Data SMB Share Reader Allows for read access on files/directories in Azure file shares.
Storage Account - File (Delete) Storage File Data SMB Share Contributor Allows for read, write, and delete access on files/directories in Azure file shares.
Storage Account - Queue (Read) Storage Queue Data Reader Read and list Azure Storage queues and queue messages.
Storage Account - Queue (Send/Post) Storage Queue Data Message Sender Add messages to an Azure Storage queue.
Storage Account - Queue (Delete) Storage Queue Data Contributor Read, write, and delete Azure Storage queues and queue messages.

Note

In Azure Portal, You can either assign role memberships on each Resource, or you can set the role assignment on the Resource Group, or Subscription level.

Important

You must restart the agent after changing role assignments since the token is cached and needs to be updated. Otherwise, it may take up to one hour for changes to be in effect.


Next Step