To complete the setup of the Azure Stack Hub virtualization client in the CommCell Console, you will need the following:
- Application name
- Application ID
- Subscription ID
- Tenant ID (Directory ID)
- Application key
Before You Begin
Your Azure Stack Hub environment has been deployed via Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS). To create your application (service principal), follow the steps that apply to your environment.
Procedure - Azure AD
Use the following steps to create the application and tenant.
- Log on to the public Azure portal with service administrator credentials.
- From the All Services menu, select the App registrations tab, and click New Application Registration.
- Enter the appropriate values for the following:
  - Name: Name of the application to be created on Azure Active Directory.
  - Application type: Select Web app/API or Native.
  - Sign-on URL: https://app_name (URL including the application name you specify). For example: MyWebApp and https://MyWebApp.
- Click Create.
  Once created, the application is listed on the App registrations tab. Note down the Application ID.
- Go to the Settings blade, and select the newly created application.
- On the Required Permissions tab, perform the following actions to add the required permissions:
  - Select an API (Windows Azure Service Management API).
  - Select the option to provide delegated permissions to Access Azure Service Management as organization users.
  - Click Done.
- Select the newly created application, and click Settings.
- Click Keys. Provide the key description and expiration date. Click Save.
  This generates a unique secret key for the application.
  IMPORTANT: Save the key value. The key value is your application password. You will not be able to retrieve the key after you leave the Keys tab/blade.
- Log on to the Azure Stack Hub portal.
- Click the Subscriptions tab, and then select the subscription ID for which the virtualization client needs to be created.
Optional: Define a Custom Role
You can use the predefined Contributor role or define a custom role to specify more limited permissions that can be used for backup and restore operations, either for a specific resource group or for the subscription as a whole. At a minimum, include the permissions listed in the CVBackupRole.json file.
- Download the CVBackupRole.json file, which contains the minimal permissions needed for Azure backup and restore operations.
- Use a JSON editor to modify the following entry and change #SubscriptionID# to your subscription ID:
  "AssignableScopes" : ["/subscriptions/#SubscriptionID#"]
- On the Access control (IAM) tab, click Add, and then select Add role assignment.
- On the Role tab, select the Contributor role or the custom role that you created in the previous step.
- On the Members tab, complete the following:
  - Assign access to: Select User, group, or service principal.
  - Click Select members.
  - In the Select members pane, enter the name of the application you previously created in the Select box.
- On the Review + assign tab, complete the following:
  - Review your assignment.
  - Click Save.
You can obtain the Tenant ID from the public Azure cloud by selecting Azure Active Directory > Properties > Directory ID. The Directory ID is also the Tenant ID.
Procedure - AD FS
- Create a service principal for AD FS. Refer to: Create Service Principal for AD FS.
- Assign a role to the newly created service principal. Refer to: Assign role to service principal.
- Log on to the Azure Stack Hub portal. Use the service principal with the following command:
  Add-AzureRmAccount -EnvironmentName "<AzureStackEnvironmentName>" -ServicePrincipal -CertificateThumbprint $servicePrincipal.Thumbprint -ApplicationId $servicePrincipal.ApplicationId -TenantId $directoryTenantId
- Optional: You can use the predefined Contributor role or define a custom role to specify more limited permissions that can be used for backup and restore operations, either for a specific resource group or for the subscription as a whole. At a minimum, include the permissions listed in the CVBackupRole.json file.
  - Download the CVBackupRole.json file, which contains the minimal permissions needed for Azure backup and restore operations.
  - Use a JSON editor to modify the following entry and change #SubscriptionID# to your subscription ID:
    "AssignableScopes" : ["/subscriptions/#SubscriptionID#"]
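The AssignableScopes edit in this step, and the same step in the Azure AD procedure above, as an added example that is not Commvault's code: a Python script that fills in #SubscriptionID# (or narrows the scope to one resource group, which the text also allows) and then checks the role definition for least-privilege problems before you upload it. SAMPLE_ROLE_JSON and the subscription ID in the test are constructed placeholders, not the contents of CVBackupRole.json.

```python
import json
import re

# Constructed stand-in for CVBackupRole.json (hypothetical content). The real
# file's action list is not reproduced here, only its placeholder scope entry.
SAMPLE_ROLE_JSON = """{
  "Name": "CV Backup Role (constructed sample)",
  "IsCustom": true,
  "Description": "Constructed sample of a minimal backup/restore role",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/snapshots/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/#SubscriptionID#"]
}"""

# Azure subscription IDs are GUIDs; reject anything else before it lands in a scope.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def render_role(role_text, subscription_id, resource_group=None):
    """Fill in #SubscriptionID#; with resource_group set, narrow the assignable
    scope to that resource group instead of the whole subscription."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription ID (GUID expected): {subscription_id!r}")
    role = json.loads(role_text.replace("#SubscriptionID#", subscription_id))
    if resource_group:
        role["AssignableScopes"] = [
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        ]
    return role


def role_problems(role):
    """Return least-privilege findings; an empty list means the definition is
    ready to be created as a custom role."""
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    for scope in role.get("AssignableScopes", []):
        if "#SubscriptionID#" in scope or not scope.startswith("/subscriptions/"):
            problems.append(f"scope is unfilled or not subscription-rooted: {scope}")
    for action in role.get("Actions", []):
        if action == "*" or action.endswith("/*"):
            problems.append(f"wildcard action widens the role beyond backup needs: {action}")
    return problems
```

Run role_problems on the rendered definition before creating the role; a non-empty list means the file still carries the placeholder or grants more than the backup role needs.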
What to Do Next
Create the Azure Stack virtualization client using the Subscription ID, Tenant ID, Application ID, and Application Key.