Loading...

Setting Up Managed Identity Authentication for Azure Resource Manager

Managed Identity for Azure Resource Manager allows for a more secure method of authentication when accessing Azure cloud services. Using this method ensures that your Azure subscription is accessed only from authorized Managed Identity-enabled virtual machines. In addition, the process of creating an Azure client is more simplified; you will only need the Subscription ID, you will not need the Tenant ID, Application ID and Application Password to create a client.

Note: Existing clients created using the traditional method can be converted to Managed Identity-enabled clients.

Requirements

User: To execute this procedure, you must have Service Administrator role privileges.

Hardware: The VSA proxies for which you want to enable Managed Identity must be virtual machines in the Azure cloud. These virtual machines can be associated with different subscriptions; however, you (as the Admin) must have access to all of the subscriptions associated with these VSA proxies.

Operating System: Only Windows machines are supported as Azure proxies.

Before You Begin

Collect the following information for your Azure account:

  • Subscription ID for the Azure account
  • User credentials with Service Administrator capabilities, for logging in to your Azure account.

Procedure

  1. Access the Microsoft Azure portal (http://portal.azure.com).
  2. From the left-side navigation pane, click Virtual Machines.
  3. From the list of virtual machines, search for the virtual machine with the virtual server agent (VSA) installed.

    When you identify the virtual machine that you want to enable with Managed Identity, take note of the associated Subscription and Resource Group.

  4. Click on the virtual machine name.

    This will launch the virtual machine (VM) blade.

  5. Click Configuration tab.

    This will launch the Managed Identity pane.

  6. Click yes, to Register with Azure Active Directory.

    This will enable Managed Identity authentication for the selected VM.

  7. Optional. Repeat steps 2 - 6 to enable Managed Identity authentication for additional virtual machines.
  8. From the left-side navigation pane, click Subscriptions.
  9. From the list of subscriptions, click the subscription associated with the Managed Identity-enabled virtual machine(s).

    This will launch the Subscriptions blade.

    You might need to repeat this step if the virtual machines you have enabled with Managed Identity are not all associated with the same subscription.

  10. Click the Access Control(IAM) tab, and click Add.

    The will launch the Permissions pane.

  11. Complete the following:
    1. Role: Select Contributor or assign a customized role (CVBackupRole.json) to have restricted access.
    2. Assign access to: Select Virtual Machine.
    3. Subscription: Select the subscription associated with the Managed Identity-enabled virtual machines.
    4. Resource group: Select the resource group associated with the Managed Identity-enabled virtual machines. If you need to select more than one resource group, select the All resource groups option.

    You must set the Contributor role at the subscription level to ensure successful backup and restore operations. If the role is not set at the subscription level, backup and restore operations will fail when trying to access other resources.

  12. Ensure that all of the Managed Identity-enabled virtual machines are selected members of the subscription.
  13. Click Save.

    You will be prompted with a confirmation message indicating that the selected virtual machines have been assigned as Contributors or their customized role (if so configured).

What To Do Next

Refer to Add a Microsoft Azure Hypervisor.

Last modified: 2/6/2019 8:59:22 PM