
Service Principal Configuration and Access Control

Step 1 - Service Principal Configuration

This section provides details about the options that need to be configured to enable Single Sign-On (SSO) for the App Service. It also covers the permissions required for reading data from Log Analytics.

  1. Log in to the Azure Portal and open "Microsoft Entra ID".

  2. Expand the Manage section, click "App registrations" and select "New registration".

  3. Enter the app name and register it.

  4. Go to the registered app, click "Certificates & secrets", select "Federated credentials", and then click "Add credential".

  5. Select "Other issuer" in the drop-down.

  6. Enter the required credentials. Take them from the cloudCADI Azure onboarding page.

How to get the required credentials?

From the onboarding UI, take the Issuer, Subject, and Audience values, enter them on the credential page as mapped below, and create the credential.

  1. Issuer → Issuer

  2. Subject → Value

  3. Audience → Audience (after clicking the Edit button below)

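The same federated credential can be created with the Azure CLI instead of the portal. The script below is an added example, not cloudCADI's own tooling; the application (client) ID of the registration and the Issuer, Subject and Audience from the onboarding page are assumed inputs passed through environment variables, and the default values shown are constructed placeholders. It maps the three onboarding values onto the CLI parameter document exactly as the list above maps them onto the portal form, validates them before anything is sent, and only calls `az` when run with `--apply`, so the rendered JSON can be reviewed first.

```shell
#!/bin/sh
# Added example (not part of cloudCADI): create the Step 1 federated credential
# with the Azure CLI. APP_ID, ISSUER, SUBJECT and AUDIENCE are assumed inputs;
# the defaults below are constructed placeholders, not real values.
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder client ID
ISSUER="${ISSUER:-https://issuer.example.invalid}"         # constructed
SUBJECT="${SUBJECT:-cloudcadi-onboarding-subject}"         # constructed
AUDIENCE="${AUDIENCE:-api://example-audience}"             # constructed

# Reject what the portal form would also reject: an empty subject or audience,
# or an issuer that is not an https URL. Returns 0 when the inputs look usable.
validate_fed_cred() {
  issuer="$1"; subject="$2"; audience="$3"
  [ -n "$subject" ] && [ -n "$audience" ] || return 1
  case "$issuer" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the parameter document for `az ad app federated-credential create`.
# Mapping mirrors the guide: Issuer -> issuer, Subject -> subject,
# Audience -> audiences[0]. Inputs are expected to contain no double quotes.
fed_cred_json() {
  name="$1"; issuer="$2"; subject="$3"; audience="$4"
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$name" "$issuer" "$subject" "$audience"
}

# Print the JSON for review; call Azure only when invoked with --apply, then
# read the credential back so what was recorded can be checked.
create_fed_cred() {
  validate_fed_cred "$ISSUER" "$SUBJECT" "$AUDIENCE" || {
    echo "invalid federated credential inputs" >&2; return 1; }
  params="$(fed_cred_json cloudcadi-onboarding "$ISSUER" "$SUBJECT" "$AUDIENCE")"
  echo "$params"
  if [ "${1:-}" = "--apply" ]; then
    az ad app federated-credential create --id "$APP_ID" --parameters "$params"
    az ad app federated-credential list --id "$APP_ID" -o table
  fi
}

create_fed_cred "${1:-}"
```

Run it once without arguments to inspect the JSON, then with `--apply` to create the credential; the trailing `list` call shows the issuer, subject and audiences Azure actually stored, which is what should match the onboarding page.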

Step 2 - Setting up the Subscription-level Reader Role

  1. Open "Subscriptions" in the Azure Portal and select "Access control (IAM)" from the left-side panel.

  2. Click "+ Add" at the top.

  3. Select "Add role assignment".

    Role Assignment

    • Search for and select "Reader".
    • Add the "Log Analytics Contributor" and "Monitoring Contributor" roles.
    • Also add the "Storage Blob Data Reader" role on the subscription to which the cost is exported.

  4. Under "Assign access to", select "User, group, or service principal".

  5. Click "+ Select members".

  6. Choose the service principal created during the managed app creation process and click "Next".

  7. Click the "Review + assign" button.
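Step 2 can also be scripted, which makes the result repeatable and easy to audit. The script below is an added example, not cloudCADI's own tooling; the subscription ID and the service principal's object ID are assumed inputs, and the defaults are constructed placeholders. It assigns the four roles the list above asks for at subscription scope, then reads back what the principal actually holds at that scope and exits non-zero if any required role is missing. The read-back also lists any assignment beyond those four, which is the place to notice a principal holding more than the guide intends.

```shell
#!/bin/sh
# Added example (not part of cloudCADI): Step 2 role assignments via the
# Azure CLI. SUBSCRIPTION_ID and SP_OBJECT_ID are assumed inputs; the defaults
# below are constructed placeholders, not real identifiers.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
SP_OBJECT_ID="${SP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"

# The roles the guide asks for, one per line so shell loops can read them.
REQUIRED_ROLES='Reader
Log Analytics Contributor
Monitoring Contributor
Storage Blob Data Reader'

subscription_scope() { printf '/subscriptions/%s' "$1"; }

# Print each role in $1 that does not appear as an exact line in $2.
# Pure shell, so the comparison logic can be checked without Azure.
missing_roles() {
  required="$1"; actual="$2"
  printf '%s\n' "$required" | while IFS= read -r role; do
    printf '%s\n' "$actual" | grep -Fxq -- "$role" || printf '%s\n' "$role"
  done
}

# Create one assignment per required role at subscription scope.
# --assignee-principal-type skips the directory lookup that can fail while a
# freshly created service principal is still replicating.
assign_roles() {
  scope="$(subscription_scope "$SUBSCRIPTION_ID")"
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$scope" -o none
  done
}

# Read back the principal's assignments at this scope, show them, and fail
# if any required role is absent so the check can gate later onboarding steps.
verify_roles() {
  scope="$(subscription_scope "$SUBSCRIPTION_ID")"
  actual="$(az role assignment list --assignee "$SP_OBJECT_ID" --scope "$scope" \
    --query '[].roleDefinitionName' -o tsv)"
  printf 'roles held at %s:\n%s\n' "$scope" "$actual"
  missing="$(missing_roles "$REQUIRED_ROLES" "$actual")"
  [ -z "$missing" ] || { printf 'missing roles:\n%s\n' "$missing" >&2; return 1; }
}

case "${1:-}" in
  --apply)  assign_roles && verify_roles ;;
  --verify) verify_roles ;;
  *)        echo "usage: $0 --apply | --verify" ;;
esac
```

`--verify` on its own is useful after the portal steps too: it confirms the assignment landed on the intended principal and at subscription scope rather than on a resource group.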