One of the joys of working for a startup is that you get to see ideas grow from a lightbulb moment, all the way to a delivered feature. When I joined Runecast, a little over a year ago, they were still pretty heavily focussed in the VMware space. That functionality is still there, and continues to grow, but something I'm really happy to see happen is the broadening of the portfolio to include other tech. Sure, AWS functionality was launched in late 2019, but there's been a lot of growth there (for instance: Runecast Analyzer can now be deployed natively to AWS from the AWS Marketplace - showing our commitment to cloud tech).
The most recent release shipped yesterday, adding support for Microsoft's popular Azure cloud service. There's a whole bunch of stuff covered, including best practices and CIS benchmarks for the likes of Azure AD, Subscriptions, Azure Functions, Azure VMs, Storage Accounts and a ton more. Instead of reeling off the full set, I'd like to point you to the website where Jason Mashak (our head of MarComms, whatever that is ;)) runs the whole shebang past you. I then take things a little more in-depth in the deep dive post.
Anyhoo, the whole idea behind this post was to help folks who might have just gotten their hands on the 5.0 codebase to connect up to their Azure instance. Let's get moving!
The first things we need to do are to update Runecast Analyzer to at least version 5.0, and log in to the Azure portal for our account. I figured you'd be good with both of those without needing instructions.
Next, we need to create an App in our Azure subscription. This is the object that identifies the account that will be used to connect from Analyzer to the Azure subscription (or subscriptions) in our account. Click App Registrations to kick off this process.
Click New Registration
Give the app a friendly name, then click Register
Copy the Application (client) ID and the Directory (tenant) ID - you'll need these later. At this point we've created the Azure object that will be used for the connection.
Click Certificates & Secrets. From here we will create the secret that will be used by the App to authenticate
Click New Client Secret, then complete a description and select the validity period for the secret. Click Add
Copy the value of the secret and store it somewhere safe. You'll need this again later
Click API permissions. Here's where we will grant the minimum required privileges (in line with security best practices) for our RunecastAnalyzerApp to connect in
Add a permission
Select Microsoft Graph API
Select Application Permissions
In the "Select Permissions" search box, type "Directory". Expand the Directory permissions, then check the box for Directory.Read.All. Click Add Permissions.
We see from here that admin consent is required for this
Let's grant admin consent. Highlight the Directory.Read.All permissions, then click the magic button!
Confirm that we want to grant consent
That's the API permissions setup. Next, we need to apply the privileges to a subscription (you could easily scope this account for multiple subscriptions, I have only one in this case). Back on the Azure portal dashboard, browse to Subscriptions. Click here
Click into the subscription in question, then click Access Control (IAM)
Click Add Role Assignments
Select the Reader role
Next, in the Select box, type the name of the App that we created back at the beginning
Click on the app name, then click Save. At this point, we've created the account, given it the relevant API access and applied this access to the subscription. Our next steps take place in the Runecast Analyzer interface
Click Settings, then browse down to Azure. Click Add Azure
Paste in the Tenant ID, Client ID and Client Secret that you created earlier, then hit Continue
Congratulations - you've connected Runecast Analyzer to your Azure subscription. Now get analyzing, and make stuff better!
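To confirm the app registration carries only what this walkthrough grants (Reader on the subscription, Directory.Read.All on Microsoft Graph, and a secret with a bounded lifetime), here is an added audit sketch; it is not Runecast code. It assumes you have exported the app's role assignments, Graph app-role assignments and password credentials as JSON; the wrapper keys, the sample data and the 365-day limit are hypothetical.

```python
import json
from datetime import datetime, timezone

# What the walkthrough grants: Reader (Azure RBAC) plus Directory.Read.All (Graph).
ALLOWED_RBAC_ROLES = {"Reader"}
# Well-known Microsoft Graph app-role ID for Directory.Read.All (application permission).
ALLOWED_GRAPH_ROLE_IDS = {"7ab1d382-f21e-4acd-a863-ba3e13f7da61"}
MAX_SECRET_DAYS = 365  # assumed local policy, not a Runecast or Azure requirement

# Constructed sample export; every GUID except Directory.Read.All is made up.
SAMPLE = json.loads("""
{
  "role_assignments": [
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"}
  ],
  "app_role_assignments": [
    {"appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-1111-1111-1111-111111111111", "resourceDisplayName": "Microsoft Graph"}
  ],
  "credentials": [
    {"displayName": "analyzer-2025", "endDateTime": "2025-06-01T00:00:00Z"},
    {"displayName": "analyzer-old", "endDateTime": "2027-01-01T00:00:00Z"}
  ]
}
""")

def audit(data, now, max_secret_days=MAX_SECRET_DAYS):
    """Return findings where the app registration exceeds the walkthrough's grants."""
    findings = []
    for ra in data["role_assignments"]:
        if ra["roleDefinitionName"] not in ALLOWED_RBAC_ROLES:
            findings.append(f"rbac: unexpected role {ra['roleDefinitionName']} at {ra['scope']}")
    for ar in data["app_role_assignments"]:
        if ar["appRoleId"] not in ALLOWED_GRAPH_ROLE_IDS:
            findings.append(f"graph: unexpected app role {ar['appRoleId']} on {ar['resourceDisplayName']}")
    for cred in data["credentials"]:
        # Timestamps arrive as ISO 8601 with a trailing Z; normalise for fromisoformat().
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left < 0:
            findings.append(f"secret: {cred['displayName']} expired {-days_left} days ago")
        elif days_left > max_secret_days:
            findings.append(f"secret: {cred['displayName']} valid for {days_left} more days")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(line)
```

An empty result means the registration matches the minimum privileges set up above; anything listed is worth removing or rotating before relying on the connection.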
If a video makes things easier... I got your back :) See below