Configuring the eG Agent to Monitor Microsoft Azure Active Directory

To enable the eG agent to monitor Azure AD, you need to perform the following broad steps:

  • Register an Application with an Azure AD Tenant;

  • Determine the Tenant ID, the Application (Client) ID and Secret Key value associated with the registered Application;

  • Assign API permissions to the registered Application;

  • Assign the Application to a Subscription and grant 'monitoring' rights to it.

The sub-sections below discuss each of these steps in detail.

Registering an Application with Azure Active Directory (AD)

An Azure AD Application is a digital identity and some associated configuration, which informs Azure AD about how to treat software which uses that digital identity.

The eG agent can pull performance metrics related to an Azure tenant, its services, and its resources, only if it communicates with an Azure AD tenant as an 'Application' with 'monitoring rights'.

If such an Application pre-exists with the target tenant, then you can configure the eG agent with the access credentials of that application. However, if no such application pre-exists, then first register a new Application with Azure AD and obtain the access tokens that Azure AD issues for that application.

To achieve this, do the following:

  1. Login to Microsoft Azure portal using https://portal.azure.com with valid credentials.

  2. Click on the Azure Active Directory option indicated by Figure 241.

    Figure 241 : Selecting the Azure Active Directory option

  3. When Figure 242 appears, click on the App Registrations option in its left pane.

    Figure 242 : Clicking on the App Registrations option

  4. Figure 243 will then appear.

    Figure 243 : Registering new application

  5. To register a new application, click the New registration option indicated by Figure 243. The Register an application page will then appear as shown by Figure 244.

    Figure 244 : Specifying the details of the new application

  6. In Figure 244, specify the following:

    • Enter the name of the application in the Name text box.
    • Select the account type from the Supported account types section. The available options are described below:

      Accounts in this organizational directory only

        Select this option if you want all user and guest accounts in your directory to use the application or API. Use this option if your target audience is internal to your organization.

      Accounts in any organizational directory

        Select this option if you want all users with a work or school account from Microsoft to use this application or API. This includes schools and businesses that use Office 365. Use this option if your target audience is business or educational customers and to enable multitenancy.

      Accounts in any organizational directory and personal Microsoft accounts

        Select this option if you want all users with a work or school account, or a personal Microsoft account, to use your application or API. It includes schools and businesses that use Office 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft identities and to enable multitenancy.

      Personal Microsoft Accounts only

        Select this option if you want the application or API to be used only by users with personal accounts that are used to sign in to services like Xbox and Skype.

    • Then, enter the redirect URI (or reply URL) for your application in the Redirect URI text box. Typically, you need to provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. For public client applications, provide the URL used by Azure AD to return token responses. Enter a value specific to your application, such as https://DocApp.com//auth.
  7. Clicking the Register button in Figure 244 will create the Application. Then, Figure 245 will appear displaying the Essentials related to the new Application.

    Figure 245 : The successfully created application

  8. From the Essentials, you can obtain the Application (client) ID and the Directory (tenant) ID (see Figure 245). Copy these two values and paste them into the Client ID and TENANT ID text boxes respectively while configuring eG tests for the target Azure component.

Obtaining the Client Secret

For the eG agent to obtain metrics from the target Microsoft Azure component, it is necessary to provide the client secret associated with the registered Application. For this, click on the Certificates & secrets option in the left pane of Figure 245. This will invoke Figure 246.

Figure 246 : Creating New Client Secret

Clicking on the New client secret button in the right panel of Figure 246 will invoke Figure 247. Specify the description of the client secret in the Description text box and choose an expiry period from the Expires section as shown in Figure 247.

Figure 247 : Adding the client secret

Clicking the Add button in Figure 247 will display a client secret value in the Value column of Figure 248.

Figure 248 : Generating the client secret value for the application

Note that the Value will disappear once you leave this page, so make sure that you copy the new client secret value to the clipboard by clicking the copy icon next to it. Otherwise, you will have to generate a new client secret. The client secret value has to be specified against the Client password field in the test configuration page.
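Because the secret is only shown once and expires after the period chosen above, it is worth checking secret lifetimes before the eG agent silently loses access. The script below is an added example and is not part of the eG documentation or the eG agent. It classifies the secrets of the registered Application from the JSON that `az ad app credential list --id <client-id>` emits; the embedded JSON, its dates and its keyIds are constructed to match that output's shape, and the reference date passed to `run_sample` is fixed so the result is reproducible.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of `az ad app credential list --id <client-id>`.
# Display names, keyIds and dates are made up for this example.
CREDENTIALS_JSON = """[
  {"displayName": "eG agent secret 2024", "keyId": "44444444-0000-0000-0000-000000000001",
   "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2024-09-01T00:00:00Z"},
  {"displayName": "eG agent secret 2023", "keyId": "44444444-0000-0000-0000-000000000002",
   "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
  {"displayName": "rotation candidate", "keyId": "44444444-0000-0000-0000-000000000003",
   "startDateTime": "2024-08-01T00:00:00Z", "endDateTime": "2025-02-01T00:00:00Z"}
]"""


def _parse(ts):
    # Azure emits RFC 3339 timestamps ending in Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_secrets(credentials, now, warn_days=30):
    """Return {keyId: (displayName, state, days_left)}.

    state is 'expired', 'expiring' (ends within warn_days) or 'ok'.
    days_left is negative for an expired secret.
    """
    result = {}
    for cred in credentials:
        remaining = _parse(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        result[cred["keyId"]] = (cred["displayName"], state, remaining.days)
    return result


def rotation_plan(status):
    """Which keyIds need a replacement secret now, and which can be deleted."""
    replace = sorted(k for k, (_, state, _) in status.items() if state in ("expired", "expiring"))
    delete = sorted(k for k, (_, state, _) in status.items() if state == "expired")
    return {"replace": replace, "delete": delete}


def run_sample(now=datetime(2024, 8, 15, tzinfo=timezone.utc)):
    # Fixed reference date so the sample gives the same answer every time it runs.
    return classify_secrets(json.loads(CREDENTIALS_JSON), now)


if __name__ == "__main__":
    status = run_sample()
    for key_id, (name, state, days) in status.items():
        print(f"{name:<24} {state:<9} {days:>5} days  ({key_id})")
    print(rotation_plan(status))
```

Rotate in the order the page implies: create the new secret first, paste its value into the Client password field of the eG test, confirm the agent collects metrics, and only then delete the old one, so collection never stops in between.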

Assigning API Permissions to the Registered Application

As already mentioned, the eG agent connects to Azure AD as a registered Application, makes Java API calls, and collects metrics from it. Most commonly, the eG agent uses the Microsoft Graph API for metrics collection. To enable metrics collection through this API, you need to grant the registered Application several 'read' permissions on it. For granting these permissions to the Microsoft Graph API for the registered Application, do the following:

  1. In Figure 248 above, click on the API Permissions option in the left pane. Figure 249 will then appear.

    Figure 249 : The API Permissions interface

  2. As you can see, the registered Application has by default been assigned a Delegated permission; this is the User.Read permission for the Microsoft Graph API. Since this permission is not required for monitoring purposes, let us proceed to remove it. For that, first, right-click on the permission listed in the right pane of Figure 249, and select the Remove permission option from the menu that pops up (see Figure 250).

    Figure 250 : Removing the default permission

  3. A message box will then appear requesting you to confirm the deletion of the default permission. Click on the Yes, remove button in Figure 251 to delete the chosen permission.

    Figure 251 : Confirming the deletion of the default permission

  4. Next, proceed to assign permissions that the Application needs for pulling metrics from Azure. For this, first click on the Add a permission button in the right pane of Figure 250. Figure 252 will then appear. Click on the Microsoft Graph option in Figure 252 to set permissions for the Microsoft Graph API.

    Figure 252 : Selecting Microsoft Graph

  5. Figure 253 will then appear, where you will have to choose the type of permissions you want to add to the API. Click on the Application permissions option in Figure 253.

    Figure 253 : Choosing to assign Application permissions

  6. Using Figure 254 that then appears, select the permission that you want to grant to the API. For this, type the text 'user' in the Search text box under Select permissions. Permission groups with names containing the typed text will then be listed below it. Keep scrolling down the list of permission groups until the User group becomes visible.

    Figure 254 : Searching for the permission groups with names containing the text 'user'

  7. Once you find the User group, expand it by clicking on the 'arrow' prefixing it. The individual User permissions will be listed therein. Select the User.Read.All permission by clicking on the check box corresponding to it (see Figure 255). Then, click on the Add permission button in Figure 255 to assign that permission to the API.

    Figure 255 : Assigning the User.Read.All permission to the API

  8. Figure 256 will then appear displaying the permission that you just assigned.

    Figure 256 : A page displaying the User.Read.All permission assigned to the Microsoft Graph API

  9. Next, click on the Grant admin consent for Default Directory button in Figure 256. Figure 257 will appear. Click on the Yes button in Figure 257 to grant consent for the User.Read.All permission for all accounts in Default Directory.

    Figure 257 : Granting consent for the User.Read.All permission for all accounts in Default Directory

  10. The User.Read.All permission listing will then change as depicted by Figure 258.

    Figure 258 : The User.Read.All permission listing after granting admin consent

  11. Next, using steps 4 to 10 above, add the following 'read' permissions as well to the Microsoft Graph API for the registered Application:

    • Group.Read.All

    • Directory.Read.All

    • AuditLog.Read.All

    • Device.Read.All

    • Application.Read.All

    Refer to Figure 259, Figure 260, Figure 261, Figure 262, and Figure 263 to more clearly understand how to assign each of the above permissions.

    Figure 259 : Assigning the Group.Read.All permission

    Figure 260 : Assigning the Directory.Read.All permission

    Figure 261 : Assigning the AuditLog.Read.All permission

    Figure 262 : Assigning the Device.Read.All permission

    Figure 263 : Assigning the Application.Read.All permission

    Also, note that after adding each permission, you have to click on the Grant admin consent for Default Directory button (like the one you see in Figure 256) to grant consent for that permission for all accounts in the Default Directory.

  12. Once all the permissions are assigned and the admin consent is granted for each permission, Figure 264 will appear.

    Figure 264 : A page displaying all the 'read' permissions assigned to the Microsoft Graph API for the registered Application

  13. In Figure 264 above, click on the API Permissions option in the left panel. Figure 265 will then appear. Now, using Figure 265, proceed to assign the permissions that the application needs for pulling metrics from Azure. For this, first click on the Add a permission button in the right panel of Figure 265.

    Figure 265 : Clicking on Add a permission button to add more API permissions to the application

  14. Figure 266 will then appear. Click on the APIs my organization uses tab and type Log Analytics API in the Search text box. The API you are searching for will then be displayed in the result set (see Figure 266). Click on the Log Analytics API that is listed in Figure 266.

    Figure 266 : Searching for Log Analytics API

  15. Figure 267 will then appear. Click on Application permissions in Figure 267. Then, browse the Select permissions list in Figure 267 until you locate the Data permission. Click on the arrow prefixing the Data permission, so that you can view the sub-permissions within. From the list of Data permissions, select the Data.Read permission by clicking on the check box corresponding to it (see Figure 267). Then, click on the Add permissions button in Figure 267 to assign that permission to the API.

    Figure 267 : Assigning the Data.Read permission to the Log Analytics API

  16. Also, note that after adding this permission, you have to click on the Grant admin consent for Default Directory button (like the one you see in Figure 256) to grant consent for that permission for all accounts in the Default Directory.
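After working through the portal steps, it is useful to confirm from the command line that the Application holds exactly the Application permissions listed above, that admin consent was actually recorded for each one, and that the default Delegated User.Read permission is gone. The script below is an added example; it is not part of the eG documentation or the eG agent. It works on three JSON documents shaped like Azure CLI output: `az ad app show --id <client-id> --query requiredResourceAccess` (what the Application requests), `az ad sp show --id <resourceAppId> --query appRoles` for each resource (the id-to-name catalog), and the Application's service principal `appRoleAssignments` fetched with `az rest` (what admin consent granted). The Microsoft Graph appId is the real, published value; every other GUID is constructed, and the Log Analytics API appId is a placeholder to replace with the one shown in your tenant.

```python
import json

# Well-known appId of the Microsoft Graph resource (published by Microsoft).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# appId of the Log Analytics API: constructed placeholder, replace with the value in your tenant.
LOG_ANALYTICS_APP_ID = "aaaaaaaa-0000-0000-0000-0000000000a1"

# Application permissions the procedure above asks for, keyed by resource appId.
EXPECTED = {
    GRAPH_APP_ID: {"User.Read.All", "Group.Read.All", "Directory.Read.All",
                   "AuditLog.Read.All", "Device.Read.All", "Application.Read.All"},
    LOG_ANALYTICS_APP_ID: {"Data.Read"},
}

# --- Constructed sample data (every GUID below other than GRAPH_APP_ID is made up) ---
# Shaped like `az ad sp show --id <resourceAppId> --query appRoles`: app-role id -> name.
ROLE_CATALOG = {
    GRAPH_APP_ID: [
        {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "Group.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000004", "value": "AuditLog.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000005", "value": "Device.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000006", "value": "Application.Read.All"},
    ],
    LOG_ANALYTICS_APP_ID: [
        {"id": "22222222-0000-0000-0000-000000000001", "value": "Data.Read"},
    ],
}

# Shaped like `az ad app show --id <client-id> --query requiredResourceAccess`.
# type "Role" is an Application permission, type "Scope" a Delegated permission.
# This sample still carries the default Delegated entry and lacks Device.Read.All.
APP_REQUIRED_ACCESS_JSON = """[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "33333333-0000-0000-0000-000000000001", "type": "Scope"},
     {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
     {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
     {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"},
     {"id": "11111111-0000-0000-0000-000000000004", "type": "Role"},
     {"id": "11111111-0000-0000-0000-000000000006", "type": "Role"}]},
  {"resourceAppId": "aaaaaaaa-0000-0000-0000-0000000000a1",
   "resourceAccess": [
     {"id": "22222222-0000-0000-0000-000000000001", "type": "Role"}]}
]"""

# Shaped like Graph's servicePrincipals/{objectId}/appRoleAssignments for the Application's
# own service principal; granting admin consent creates one entry per Application permission.
# Application.Read.All was requested but never consented to in this sample.
CONSENTED_JSON = """[
  {"appRoleId": "11111111-0000-0000-0000-000000000001"},
  {"appRoleId": "11111111-0000-0000-0000-000000000002"},
  {"appRoleId": "11111111-0000-0000-0000-000000000003"},
  {"appRoleId": "11111111-0000-0000-0000-000000000004"},
  {"appRoleId": "22222222-0000-0000-0000-000000000001"}
]"""


def audit_permissions(required_access, role_catalog, consented, expected):
    """Compare requested and consented permissions with `expected`.

    Returns lists of (resourceAppId, permission) tuples under the keys
    missing (expected but not requested), unconsented (requested, no admin consent),
    extra (requested but not needed) and delegated (leftover Scope entries, by id).
    """
    names = {res: {r["id"]: r["value"] for r in roles} for res, roles in role_catalog.items()}
    consented_ids = {a["appRoleId"] for a in consented}
    requested, delegated = {}, []
    for block in required_access:
        res = block["resourceAppId"]
        for access in block["resourceAccess"]:
            if access["type"] == "Scope":
                delegated.append((res, access["id"]))
                continue
            name = names.get(res, {}).get(access["id"], access["id"])  # fall back to raw id
            requested.setdefault(res, set()).add(name)

    report = {"missing": [], "unconsented": [], "extra": [], "delegated": delegated}
    for res, want in expected.items():
        have = requested.get(res, set())
        report["missing"] += sorted((res, n) for n in want - have)
        report["extra"] += sorted((res, n) for n in have - want)
        for name in sorted(want & have):
            role_id = next(i for i, v in names.get(res, {}).items() if v == name)
            if role_id not in consented_ids:
                report["unconsented"].append((res, name))
    for res in requested.keys() - expected.keys():  # permissions on resources not needed at all
        report["extra"] += sorted((res, n) for n in requested[res])
    return report


def run_sample_audit():
    return audit_permissions(json.loads(APP_REQUIRED_ACCESS_JSON), ROLE_CATALOG,
                             json.loads(CONSENTED_JSON), EXPECTED)


if __name__ == "__main__":
    for key, items in run_sample_audit().items():
        print(f"{key}: {items}")
```

A clean result is four empty lists. A non-empty `unconsented` list is the case the portal makes easiest to miss: the permission shows up on the API permissions page, but until the Grant admin consent button is pressed the token issued to the Application does not carry it and the corresponding eG tests fail.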

Assigning the Application to a Subscription and Granting Monitoring Rights

Once the application is created, you need to grant that application monitoring access to all the resources contained within a specific subscription. To achieve this, do the following:

  1. In the Azure console, click on the Subscriptions option indicated by Figure 268.

    Figure 268 : Clicking on the Subscriptions option

  2. When Figure 269 appears, select the subscription that you want to access by clicking on it.

    Figure 269 : Selecting the subscription

  3. Figure 270 will then appear. Click the Access Control (IAM) option in the left panel of Figure 270.

    Figure 270 : Clicking on the Access Control (IAM) option

  4. The right panel will then change to display a Check Access section (see Figure 271). To grant monitoring rights for resources contained within a subscription, you need to add a new role assignment. For that, click on the Add role assignment button in Figure 271.

    Figure 271 : Clicking on the Add role assignment button

  5. Figure 272 will then appear. Now, keep scrolling down the list of roles in Figure 272 until you find the Monitoring Reader role (see Figure 273). Select that role by clicking on it, and then click the Next button in Figure 273.

    Figure 272 : Scrolling down the list of roles that pre-exist

    Figure 273 : Selecting the Monitoring Reader role

  6. Figure 274 will then appear. Here, indicate which identity should be assigned the chosen role on the selected subscription. For that, choose to Assign access to a User, group, or service principal, and then proceed to click on Select members.

    Figure 274 : Clicking on Select members

  7. Figure 275 will then appear. Using the Select members dialog box depicted by Figure 275, you have to select the application to which you want to assign the Monitoring Reader role. This should be the new application you previously registered with Azure AD. To search for this application, in the Select text box of Figure 275, enter the name of the application. Once the application is found, its name will appear below the Select text box. To select that application, click on it and then click on the Select button in Figure 275.

    Figure 275 : Selecting the application registered with Azure AD

  8. Figure 276 will then appear, where your selection will be displayed. Click on the Next button in Figure 276 to continue.

    Figure 276 : A page indicating that the Monitoring Reader role has been assigned to the selected AD application

  9. This will invoke Figure 277. Quickly review the role assignment using Figure 277, and then click the Review + assign button to complete the process.

    Figure 277 : Review and assign the role to the chosen application

  10. Next, using steps 4 to 9 above, assign the following roles to the registered application (see Figure 278, Figure 279, and Figure 280):

    • Storage Account Key Operator Service Role

    • Billing Reader

    • Log Analytics Reader

    Figure 278 : Assigning Storage Account Key Operator Service Role

    Figure 279 : Assigning Billing Reader Role

    Figure 280 : Assigning Log Analytics Reader Role
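Once the four role assignments exist, a quick check of what the service principal actually holds on the subscription catches the two common mistakes: a role assigned on a resource group instead of the subscription (metrics for everything else are silently missing) and a broad role such as Contributor left over from testing. The script below is an added example and is not part of the eG documentation or the eG agent. It reads JSON shaped like the output of `az role assignment list --assignee <sp-object-id> --subscription <sub-id> --all -o json`; the subscription id, principalId and resource group name in the embedded sample are constructed, while the role names are the real Azure built-in roles.

```python
import json

# Built-in roles the procedure above assigns to the registered Application.
REQUIRED_ROLES = {
    "Monitoring Reader",
    "Storage Account Key Operator Service Role",
    "Billing Reader",
    "Log Analytics Reader",
}
# Broad built-in roles a metrics collector should never hold.
WRITE_CAPABLE = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample shaped like
# `az role assignment list --assignee <sp-object-id> --subscription <sub-id> --all -o json`.
# Subscription id, principalId and resource group name are made up.
SUBSCRIPTION_SCOPE = "/subscriptions/11111111-2222-3333-4444-555555555555"
ASSIGNMENTS_JSON = """[
  {"principalId": "55555555-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Monitoring Reader",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
  {"principalId": "55555555-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Billing Reader",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
  {"principalId": "55555555-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Log Analytics Reader",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-constructed"},
  {"principalId": "55555555-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"}
]"""


def audit_role_assignments(assignments, subscription_scope,
                           required=REQUIRED_ROLES, write_capable=WRITE_CAPABLE):
    """Check one principal's role assignments against the expected least-privilege set."""
    at_scope = {a["roleDefinitionName"] for a in assignments if a["scope"] == subscription_scope}
    below = [(a["roleDefinitionName"], a["scope"]) for a in assignments
             if a["scope"].startswith(subscription_scope + "/")]
    all_roles = {a["roleDefinitionName"] for a in assignments}
    return {
        # required role not assigned at subscription scope (a narrower assignment does not count)
        "missing": sorted(required - at_scope),
        # required role present only on a resource group or resource: collection will be partial
        "narrower_only": sorted((r, s) for r, s in below if r in required and r not in at_scope),
        # anything assigned that the procedure does not call for
        "unexpected": sorted(all_roles - required),
        # the subset of unexpected roles that can change resources or permissions
        "overprivileged": sorted(all_roles & write_capable),
    }


def run_sample_audit():
    return audit_role_assignments(json.loads(ASSIGNMENTS_JSON), SUBSCRIPTION_SCOPE)


if __name__ == "__main__":
    for key, items in run_sample_audit().items():
        print(f"{key}: {items}")
```

Of the four required roles, Storage Account Key Operator Service Role is the one to scope most carefully: unlike the three Reader roles it permits listing and regenerating storage account access keys, so keep it on the subscription that the eG agent actually monitors and nowhere else.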