Prerequisites for Azure Stack Cloud with Azure AD
Before adding an Azure Stack cloud with Azure AD in CCKM:
Register CCKM App on Azure Portal
Before adding an Azure cloud to CCKM, you must register the CCKM app and assign required permissions on the Azure portal. Then, depending on the type of app credential you plan to employ, either create a key (client secret) on the Azure portal or generate a certificate from CCKM, download it, and then upload it to Azure. This entire process generates the connection data needed to configure the Azure cloud.
To register the app:
Create an Azure Active Directory application on the Azure Portal:
On Azure Active Directory > App registrations > New registration, provide the following parameters:
Choose a Name for the app that CCKM will use to access Azure.
Select the account type under Supported account types. Select either of the following:
Accounts in this organizational directory only (azuredeveloperadminsafeneti (Default Directory) only - Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Click Register. The CCKM app creation starts. The app creation might take some time.
Access the new app under App registrations.
From App registrations > {App Name} > Overview, copy Application (client) ID and Directory (tenant) ID.
Navigate to App registrations > {App Name} > Manage > Certificates & secrets.
Create a new client secret or upload the certificate:
Secret (password)—The user will generate a secret key in Azure when registering the app, and then copy the secret key and provide it to the app.
Certificate (public key)—the user will create a private key and public key pair locally, create a certificate for the public key, and then provide the certificate to Azure when registering the app. For the private key, the app will create a client assertion and send it to Azure when making OAuth authentication calls.
Connect with Azure AD
Log on to your Azure AD VM.
Connect to Azure Stack Hub with PowerShell as a user. Refer to Connect to Azure Stack Hub with PowerShell as a user - Azure Stack Hub for details.
Run the following command in Windows PowerShell:
Get-AzureRmEnvironment -name AzureStackUser | Format-ListA sample output is shown below:
Name : AzureStackUser EnableAdfsAuthentication : False OnPremise : False ActiveDirectoryServiceEndpointResourceId : https://management.azurecckm.onmicrosoft.com/7f683eac-8000-2a43-3f9e-86d9117cc571 AdTenant : GalleryUrl : https://providers.azurestack.local:30016/ ManagementPortalUrl : ServiceManagementUrl : PublishSettingsFileUrl : ResourceManagerUrl : https://management.local.azurestack.external SqlDatabaseDnsSuffix : StorageEndpointSuffix : local.azurestack.external ActiveDirectoryAuthority : https://login.microsoftonline.com/ GraphUrl : https://graph.windows.net/ GraphEndpointResourceId : https://graph.windows.net/ TrafficManagerDnsSuffix : AzureKeyVaultDnsSuffix : vault.local.azurestack.external DataLakeEndpointResourceId : AzureDataLakeStoreFileSystemEndpointSuffix : AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix : AzureKeyVaultServiceEndpointResourceId : https://vault.local.azurestack.external AzureOperationalInsightsEndpointResourceId : AzureOperationalInsightsEndpoint : AzureAnalysisServicesEndpointSuffix : VersionProfiles : {} ExtendedProperties : {} BatchEndpointResourceIdThe sample output above lists a number of links that are required while creating an Azure connection on the CipherTrust Manager. Use the actual links that are returned by the command on your setup. Refer to Add Azure Connection on CipherTrust Manager for details.
The fields in the sample output and on the Configure Azure Stack page of the Add Connection dialog box on the CipherTrust Manager differ slightly. Here is the mapping to help you configure the connection appropriately.
Sample Output Azure Connection Manager ActiveDirectoryServiceEndpointResourceId Management URL ResourceManagerUrl Resource Manager URL ActiveDirectoryAuthority Active Directory Endpoint AzureKeyVaultDnsSuffix Key Vault DNS Suffix AzureKeyVaultServiceEndpointResourceId Vault Resource URL Download the SSL certificate of the Azure Stack portal. Refer to online resources for details.
Subscribe CCKM App on Azure Stack Portal
Access Subscriptions > {Subscription name} > Access control (IAM).
Click Add > Add role assignment. The Add role assignment pane is displayed.
Select Reader from the Role drop-down list.
Select User, group, or service principal from the Assign access to drop-down list.
Under Select, enter the name of your CCKM app.
Click Save.
Assign CCKM App Permissions to Required Key Vault on Azure Stack Portal
Access Key vaults > {Key Vault Name} > Settings > Access policies.
On the right, click + Add Access Policy.
Add the following details:
Select Key management operations and Privileged Key operations from the Key permissions drop-down list.
Next to the Select principal label, click None selected, browse the CCKM app, and select it.
Click Add.
Add Azure Connection on CipherTrust Manager
Before you can add an Azure vault to the CCKM, an Azure connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.
Now, Azure vaults and Azure keys can be managed on the CipherTrust Manager.
