Add a Microsoft Azure account to VMware Tanzu Hub

As a Tanzu Hub organization owner or administrator, you can run the Microsoft Azure account workflow to create the roles and connections required for this account.

Before you begin

  • To configure the account and collect data:
    • Verify that you have the subscription ID for your Azure service.
    • Verify the account by accessing it using your Azure console.
    • If you are associating the account with a Tanzu Hub project, verify that you created the project. For instructions, see Add projects.
  • To configure the event monitoring:

    • Verify that you have access to Azure Cloud Shell or install the Azure CLI. See the instructions in the Microsoft Azure documentation for Cloud Shell and for Azure CLI.
    • To run the commands from the Azure CLI, verify that you have privileges to create resource groups. See the instructions in the Microsoft Azure documentation.
    • Create a VMware Cloud Services token.

      1. Open your User/Organization settings menu, in the top-right with your name and organization name, and click My Account.
      2. Click the API Tokens tab and click Generate a New API Token.
      3. Enter the Name, for example, Tanzu Hub.
      4. Set the Token TTL to never expires.
      5. In the Define Scope section, select the following roles.

        You must have the following roles assigned to you in your organization before you can configure the token.

        • Navigate to Organization Roles > All Organization Roles and select the Organization Owner role.
        • Search for Tanzu Hub and select the Tanzu Hub Admin role.
        • Search for Secure State and select the Secure State Admin role.
      6. Click Generate.
      7. Copy and save the token for use as you configure the account.
  • To configure the elevated credentials:
    • Verify that you installed the Azure CLI and that you have permission to create roles.

Add a single Microsoft Azure account

Use this workflow to add a single account. If you are new to Tanzu Hub, it is a useful way to explore how Tanzu Hub can help you manage your resources.

If you want to add multiple accounts, repeat the process for each account.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Account.
  2. Click Microsoft Azure, select Single Subscription, and click Continue.

    Select Single subscription or Multiple subscriptions as the onboarding method.

  3. In the Account Information section, enter useful account information.

    The Account Information section requires a name, an Azure subscription ID, and an account type.

    1. In the Account Information section, enter a useful Name and your 36-character Azure Subscription ID (a GUID) in the correct format.
    2. For the Account type, select Commercial.
    3. If you work with projects, select one or more of the Tanzu Hub projects that you are associating with the Azure account.
    4. You can use Environment to add descriptive metadata to subscriptions that are used by some features in Tanzu Hub.

      For example, if you add and select environments such as prod, dev, and test, you can then apply governance policies to a particular environment. You can then search based on environment and even apply a policy to the resources in your production environment but not development or testing.

    5. Enter the owner name and email address.

    6. Click Next.
  4. Register VMware Tanzu Hub as an application in the Azure portal and add the Application ID and Shared secret key to this Create App form in Tanzu Hub.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    The Create App section provides guidance for creating an application in Azure and capturing the application ID and shared secret key.

    1. Click Login to the Azure portal on the form.

      The Microsoft Azure portal opens in a new tab.

    2. In Microsoft Azure, open your Azure Active Directory.

    3. Click App registrations.
    4. Click New registration.
    5. On the Register an application page, enter Tanzu as the Name.
    6. For the Redirect URI, select Web as the platform type and enter the URL that you copied from the Redirect URI step in Tanzu Hub.
    7. Click Register.
    8. Copy the application ID and enter it in the Application ID text box on the Tanzu Hub page.
    9. In Azure, click Certificates and secrets, click New client secret, provide a name, and copy the generated value.
    10. Enter the secret value in the Shared secret key text box in Tanzu Hub.
    11. Click Save Account and Continue.
  5. In Azure Active Directory, configure the reader role to use with Tanzu Hub and enter the tenant ID.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    The Assign Role section provides guidance for locating the tenant ID and creating an IAM role for Tanzu Hub.

    1. In Azure, on the application overview page, copy the Directory (tenant) ID.
    2. In Tanzu Hub, enter the copied value in the Tenant ID text box.
    3. In Azure, go to the top level page and click Subscriptions.
    4. Click the subscription name.
    5. On the subscription details page, click Access control (IAM).
    6. Click Add and then click the Add role assignments tab.
    7. On the Roles tab, search for and select the Reader role.
    8. Click the Members tab, click Select members, and add the TanzuHub user as a member.
    9. Click Review and assign.
    10. Return to Tanzu Hub and click Save Account and Continue.
  6. In the Account Onboarding section, enable event monitoring and cost collection.

    To configure event monitoring, which provides updates about security findings for this cloud account, you must configure Microsoft Azure so that you can run a connection script. See the prerequisites at the beginning of this procedure.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    The Account Onboarding page provides the Azure configurations so that you can run the Connect Event Stream script.

    1. Use either the Azure Cloud Shell or Azure CLI to run the script provided in the following step in the event monitoring configuration UI.

      This procedure is based on Azure Cloud Shell.

    2. To download the script, click Connect Event Stream.

    3. In Cloud Shell, run export CSP_REFRESH_TOKEN={CSP token} to set the token variable.

      The {CSP token} is the VMware Cloud Services token that you created as part of the prerequisites for this procedure.

    4. Copy and paste the bash command from Tanzu Hub into Cloud Shell and run it.

  7. To allow cost collection, log in to your Azure console.
    1. Open the Cost Management + Billing service.
    2. Click Billing scopes and select your account.
    3. In the Settings section, click Policies and activate the Account owners can view charges policy.
  8. In Tanzu Hub, click Next.
  9. Create a custom role with elevated access in Microsoft Azure.

    The command creates an Azure Write Privileges role and defines the minimum elevated permissions that allow you to make changes to the Azure account resources from Tanzu Hub, for example, when you respond to a governance finding to get a resource back into compliance with a policy.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    Download the JSON file and run the provided command in the Azure CLI.

    1. Install the Azure command line interface.
    2. Download the JSON file with the role definition to an accessible location.
    3. Copy the provided command, replace {path-to-role-defining-json} with the path to the downloaded JSON file, and run the command using the Azure CLI.
    4. Click Next.
  10. Register the Tanzu Hub elevated access as an application in the Azure portal and add the created Application ID and Shared secret key to the form.

    The procedure is similar to the one you used to create the collection reader application. Follow the onscreen steps and refer to the information provided in the previous Create App step if you need assistance.

    Create an Azure application to manage the elevated access. Provide the Application ID and the Shared secret key.

  11. In Azure Active Directory, configure the Azure Write Privileges role to use with Tanzu Hub and enter the tenant ID. You can use the information in the previous Assign Role step for additional details.

    Enter the Directory (tenant) ID and configure the IAM role for Azure Write Privileges.

    1. Enter the Active Directory Tenant ID.
    2. Locate and select the subscriptions to connect to this account.
    3. Select and add Access control (IAM).
    4. Select the custom role with Azure Write privileges.
    5. Click the Members tab, click Select members, and add the application used in the Create App section.
    6. Click Review and Assign.
    7. Add one or more projects to associate with this elevated access.
  12. Click Finish.
  13. On the Accounts page, verify that the data source is added, the Status is OK, and the Event Monitoring state is Connected.
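
  As an added pre-flight check for the custom role step above (example code, not Tanzu Hub's or Microsoft's own): before running the provided Azure CLI command, parse the downloaded role definition JSON and confirm that it is a custom role, that its AssignableScopes point only at the subscription you are onboarding, and that it grants no wildcard actions, so the role stays at the minimum the elevated access requires. The role JSON below is a constructed sample in the standard Azure role-definition shape, not the real Tanzu Hub definition, and the all-zero subscription ID is a placeholder.

```python
import json
import re
from typing import List

# Constructed sample in the JSON shape that `az role definition create
# --role-definition @file.json` accepts. It is NOT the Tanzu Hub role
# definition; the actions and the all-zero subscription ID are placeholders.
SAMPLE_ROLE_JSON = """
{
  "Name": "Azure Write Privileges",
  "IsCustom": true,
  "Description": "Constructed example, not the real Tanzu Hub definition.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkSecurityGroups/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
"""

# An Azure subscription ID is a GUID: 32 hex digits plus 4 hyphens, 36 characters.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def is_subscription_id(value: str) -> bool:
    return bool(GUID_RE.match(value))

def check_role_definition(raw_json: str, subscription_id: str) -> List[str]:
    """Return findings for a role definition; an empty list means it passes."""
    if not is_subscription_id(subscription_id):
        return [f"subscription ID is not a 36-character GUID: {subscription_id!r}"]
    role = json.loads(raw_json)
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    # The role should be assignable only within the subscription being onboarded.
    expected = f"/subscriptions/{subscription_id.lower()}"
    scopes = [s.lower() for s in role.get("AssignableScopes", [])]
    if scopes != [expected]:
        findings.append(f"AssignableScopes should be exactly [{expected}], got {scopes}")
    # Wildcards grant every operation under a provider, more than a minimum role needs.
    for action in role.get("Actions", []) + role.get("DataActions", []):
        if action == "*" or action.endswith("/*"):
            findings.append(f"wildcard action widens the role: {action}")
    return findings

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"
    for line in check_role_definition(SAMPLE_ROLE_JSON, sub) or ["role definition passes"]:
        print(line)
```

Run it against the JSON you downloaded in the custom role step and the subscription ID from the Account Information section; only apply the role with the provided command once it reports no findings.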

Add multiple Microsoft Azure accounts

If you have multiple Microsoft Azure accounts to add, you can add them using the Multiple Subscriptions option rather than adding them one at a time.

You can onboard subscriptions in groups of 100 accounts at a time.

When using the following procedure, you can refer to the images and details in the single subscription procedure.

Be sure to use the scripts on the pages in this procedure. They are customized each time you onboard the resources. Do not reuse a script from previous onboarding actions.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts.
  2. Click Microsoft Azure, select Multiple subscriptions, and click Continue.

    To add multiple subscriptions, start by adding the subscriptions and then configure the member accounts.

  3. To add subscriptions, click Start in the Add Subscriptions step.

    1. On the General Information page, select the Account Type.

      The other values are optional. Click Next.

    2. On the Create App page, register Tanzu Hub as an application in the Azure portal and add the Application ID and Shared secret key to this Create App form in Tanzu Hub, and then click Next.

      Details about this process are available in the single account instructions.

    3. On the Assign Role page, configure the reader role to use with Tanzu Hub and enter the tenant ID, and then click Next.

      Details about this process are available in the single account section.

    4. On the Select Subscriptions page, select the subscriptions that you want to add to Tanzu Hub by clicking Add Subscriptions.

      You can only onboard 100 subscriptions per process. To add additional subscriptions, you can repeat this workflow.

      When the curated list is ready, click Next.

    5. On the Edit Properties page, modify the properties for various subscriptions as needed.

      The subscriptions inherit the values that you defined on the General Information page. If you want to change the properties for various subscriptions, select them and then click Edit Settings.

      When the settings are defined to your satisfaction, click Next.

    6. On the Onboard Accounts page, click Onboard Accounts.

      When the subscriptions are onboarded, click Close.

  4. In the Configure Event Monitoring step, activate event monitoring and cost collection.

    1. On the Select Subscriptions page, select the subscriptions that you want to onboard and click Continue.
    2. On the Configure Event Monitoring page, follow the on-screen instructions.

      Details about this process are available in the single account section.

    3. Click Finish.

  5. In the Elevated Access pages, add elevated credentials to the selected accounts.

    Review the elevated credentials steps in the single account section for additional details. The process is the same.

    1. Select the subscriptions.
    2. Create the custom role.
    3. Create the app for elevated credentials.
    4. Assign the role for elevated access, including one or more projects.
  6. Click Save and Finish.
  7. On the Accounts page, verify that the subscriptions that you added are included in the table as individual entries.

What to do next

  • The collection might take up to thirty minutes before you see data. To monitor the process, select Explore > Search and click the Inventory tab. See Reviewing your discovered inventory.
  • If you need to make changes to an Azure account, select Administration > Set Up and Configure > Accounts, expand the details for the target account, and edit the individual account properties.

Parent topic: Setting up data connections in VMware Tanzu Hub
