Setting Up Managed Identities for Azure Resources
Managed identities are a more secure authentication method for Azure cloud services: only authorized virtual machines that have a managed identity enabled can access your Azure subscription. Creating an Azure client is also simpler, because you need only the Subscription ID, not the Tenant ID, the Application ID, or the Application Password.
Note: You can convert clients that were created using the traditional method to managed-identity-enabled clients.
Before You Begin
Verify that your environment meets the following requirements:
- User: You must have Service Administrator role privileges.
- Hardware: The VSA proxies for which you want to enable managed identities must be virtual machines in the Azure cloud. These virtual machines can be associated with different subscriptions, but you (as the Admin) must have access to all of the subscriptions for these VSA proxies.
- Operating system: You can use Windows and Linux machines as Azure proxies.
Collect the following information for your Azure account:
- The Subscription ID
- User credentials that have Service Administrator capabilities.
1. Go to the Microsoft Azure portal (http://portal.azure.com).
2. In the left navigation pane, click Virtual machines.
3. From the list of virtual machines, search for the virtual machine that has the virtual server agent (VSA) installed.
4. When you find the virtual machine that you want to enable with a managed identity, record its Subscription and Resource Group.
5. Click the virtual machine name.
   The Virtual machine blade appears.
6. Click the Identity tab.
   The Identity pane appears with the System assigned tab active.
7. To register the virtual machine with Azure Active Directory, which enables managed identity authentication for the VM, click On, and then click Save.
8. Optional: Repeat steps 2-7 to enable managed identity for additional virtual machines.
9. In the left navigation pane, click Subscriptions.
10. For each subscription that contains managed identity-enabled virtual machines, click that subscription in the list of subscriptions.
    The Subscriptions blade appears.
11. On the Access control (IAM) tab, click Add.
    The Permissions pane appears.
12. Complete the following:
    - If you do not want to restrict access, select Contributor.
    - If you do want to restrict access, assign a customized role (CVBackupRole.json).
    - If you are configuring a Linux proxy, you must also select the Storage Blob Data Contributor role.
    - Subscription: Select the subscription for the managed identity-enabled virtual machines.
    - Select: Select the managed identity-enabled virtual machines to which you want to assign the specified role.
13. Verify that all the managed identity-enabled virtual machines are selected members of the subscription.
14. Click Save.
    A confirmation message appears, indicating that the selected virtual machines are assigned the Contributor role or the customized role that you assigned.
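As an added example (not part of this page or of Commvault's own code), the following Python check can be run on a proxy VM after the procedure to confirm that its system-assigned managed identity works and carries the roles the procedure requires. It assumes the identity's object id can be read from the unverified payload of the IMDS-issued token, API version 2022-04-01 for the Microsoft.Authorization calls, and that a custom role is identified by its role name (the name inside CVBackupRole.json is not given on this page, so it is passed in by the caller).

```python
import base64
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM = "https://management.azure.com"
API = "2022-04-01"  # assumed API version for the Microsoft.Authorization calls


def imds_token_request(resource=ARM + "/"):
    # IMDS is reachable only from inside the VM and insists on the Metadata header,
    # which blocks naive SSRF relays that cannot set request headers.
    q = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    return f"{IMDS}?{q}", {"Metadata": "true"}


def jwt_claims(token):
    # Unverified payload decode: only the 'oid' claim is needed for the lookup.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def assigned_role_names(subscription_id, get=http_get):
    """Names of the roles assigned to this VM's system-assigned identity."""
    url, headers = imds_token_request()
    tok = json.loads(get(url, headers))
    auth = {"Authorization": f"Bearer {tok['access_token']}"}
    oid = jwt_claims(tok["access_token"])["oid"]  # object id the role assignments point at
    flt = urllib.parse.quote(f"assignedTo('{oid}')")
    scope = f"{ARM}/subscriptions/{subscription_id}"
    listing = json.loads(get(f"{scope}/providers/Microsoft.Authorization"
                             f"/roleAssignments?api-version={API}&$filter={flt}", auth))
    names = []
    for a in listing["value"]:  # resolve each assignment's definition id to its role name
        rd = json.loads(get(f"{ARM}{a['properties']['roleDefinitionId']}?api-version={API}", auth))
        names.append(rd["properties"]["roleName"])
    return names


def missing_roles(subscription_id, linux=False, custom_role=None, get=http_get):
    """Roles the procedure requires but the identity lacks: Contributor (or the
    custom role), plus Storage Blob Data Contributor on a Linux proxy."""
    required = {custom_role or "Contributor"}
    if linux:
        required.add("Storage Blob Data Contributor")
    return sorted(required - set(assigned_role_names(subscription_id, get)))
```

An empty list from missing_roles means the VM can obtain a token and holds every role the procedure assigns; anything else names the role still missing at subscription scope.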
What to Do Next
Last modified: 10/9/2019 6:51:45 PM