Prerequisites for Azure Stack Cloud with Azure ADFS

Before adding an Azure Stack cloud with Azure ADFS in CCKM:

1. Create Service Principal for Azure Stack Cloud with ADFS

2. Connect with Azure AD

3. Assign CCKM App Permissions to Required Key Vault on Azure Stack Portal

4. Add Azure Connection on CipherTrust Manager

Create Service Principal for Azure Stack Cloud with ADFS

A service principal for CCKM in ADFS is needed if you are using ADFS as the identity provider. Refer to the Azure Stack documentation for details.

Connect with Azure AD

1. Log on to your Azure AD VM.

2. Connect to Azure Stack Hub with PowerShell as a user. Refer to Connect to Azure Stack Hub with PowerShell as a user - Azure Stack Hub for details.

3. Run the following command in Windows PowerShell:

   
   Get-AzureRmEnvironment -name AzureStackUser | Format-List
   

   A sample output is shown below:

   
   Name                                              : AzureStackUser
   EnableAdfsAuthentication                          : False
   OnPremise                                         : False
   ActiveDirectoryServiceEndpointResourceId          : https://management.azurecckm.onmicrosoft.com/7f683eac-8000-2a43-3f9e-86d9117cc571
   AdTenant                                          :
   GalleryUrl                                        : https://providers.azurestack.local:30016/
   ManagementPortalUrl                               :
   ServiceManagementUrl                              :
   PublishSettingsFileUrl                            :
   ResourceManagerUrl                                : https://management.local.azurestack.external
   SqlDatabaseDnsSuffix                              :
   StorageEndpointSuffix                             : local.azurestack.external
   ActiveDirectoryAuthority                          : https://login.microsoftonline.com/
   GraphUrl                                          : https://graph.windows.net/
   GraphEndpointResourceId                           : https://graph.windows.net/
   TrafficManagerDnsSuffix                           :
   AzureKeyVaultDnsSuffix                            : vault.local.azurestack.external
   DataLakeEndpointResourceId                        :
   AzureDataLakeStoreFileSystemEndpointSuffix        :
   AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix :
   AzureKeyVaultServiceEndpointResourceId            : https://vault.local.azurestack.external
   AzureOperationalInsightsEndpointResourceId        :
   AzureOperationalInsightsEndpoint                  :
   AzureAnalysisServicesEndpointSuffix               :
   VersionProfiles                                   : {}
   ExtendedProperties                                : {}
   BatchEndpointResourceId
   

   The sample output above lists a number of links that are required while creating an Azure connection on the CipherTrust Manager. Use the actual links that are returned by the command on your setup. Refer to Add Azure Connection on CipherTrust Manager for details.

   The fields in the sample output and on the Configure Azure Stack page of the Add Connection dialog box on the CipherTrust Manager differ slightly. Here is the mapping to help you configure the connection appropriately.

   Sample Output	Azure Connection Manager
   ActiveDirectoryServiceEndpointResourceId	Management URL
   ResourceManagerUrl	Resource Manager URL
   ActiveDirectoryAuthority	Active Directory Endpoint
   AzureKeyVaultDnsSuffix	Key Vault DNS Suffix
   AzureKeyVaultServiceEndpointResourceId	Vault Resource URL

4. Download the SSL certificate of the Azure Stack portal. Refer to online resources for details.

Assign CCKM App Permissions to Required Key Vault on Azure Stack Portal

Azure supports two types of permission models, vault access policy and azure role-based access control. Steps to assign CCKM app permissions to your key vaults on Azure portal vary based on the permission model of the vault, as described below.

Vault Access Policy

1. Access Key vaults > {Key Vault Name} > Settings > Access policies.

2. On the right, click + Add Access Policy.

3. Add the following details:

   • From the Key permissions list, select Key Management Operations and Privileged Key Operations.

   • From the Secret permissions list, select Secret Management Operations and Privileged Secret Operations.

   • From the Certificate permissions list, select Certificate Management Operations and Privileged Certificate Operations.

   • Next to the Select principal label, click None selected, browse the CCKM app, and select it.

4. Click Add.

Azure Role-based Access Control

1. Access Key vaults > {Key Vault Name} > Access control (IAM). The right pane provides options to view your existing level of access, assign a role, and view access to the vault.

2. Under Grant access to this resource, click Add role assignment.

3. On the Roles tab of the Add role assignment page, select Key Vault Administrator. Use the search field to search for the role.

4. Click Next.

5. On the Members tab, make sure that Assign access to is set to User, group, or service principal.

6. Click + Select members.

7. On the right, in the Select members pane, select the desired CCKM app. Use the search field to search for your CCKM app. The Selected members section shows the selected app.

8. In the right pane, click Select.

9. (Optional) Provide a basic Description of the member.

10. Click Next.

11. Review the details. If the details are incorrect or you want to modify them, click Previous and update the details.

12. Click Review + assign. The selected role with desired permissions is assigned to the CCKM app.

Add Azure Connection on CipherTrust Manager

Before you can add an Azure vault to the CCKM, an Azure connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.

Now, Azure vaults and Azure keys can be managed on the CipherTrust Manager.