The following tasks must be completed to set up REST access rights for the Management Pack for Microsoft Azure SQL, as well as to obtain the IDs required when Creating a Credential (Microsoft Azure SQL) and Creating an Adapter Instance (Microsoft Azure SQL):
- Find your Subscription and Tenant IDs
- Create a custom RBAC role
- Create an Active Directory Service Principal (and AD App)
- Find your Client ID
Find your Subscription and Tenant IDs
To obtain your Subscription ID (id) (required when Creating an Adapter Instance (Microsoft Azure SQL)) and Tenant ID (tenantId) (required when Creating a Credential (Microsoft Azure SQL)), execute the following command:
az account list
The output should look similar to the following:
[
  {
    "cloudName": "AzureCloud",
    "id": "<SUBSCRIPTION-ID>",
    "isDefault": true,
    "name": "Pay-As-You-Go",
    "state": "Enabled",
    "tenantId": "<TENANT-ID>",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]
Create a custom RBAC role
To create a custom RBAC role, first you must create a file called azure.json that contains the following configuration:
{
  "Name": "Microsoft Azure Monitoring in vROps",
  "Description": "Monitor Microsoft Azure Environment in vROps",
  "Actions": [
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Sql/servers/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Insights/metrics/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID>"]
}
NOTE:Subscription ID -
Next, create your custom RBAC role by running the following command:
az role definition create --role-definition azure.json
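A least-privilege check that can be run over azure.json before the role is created. This is an added example, not part of the original page or the management pack; the function name, the sample subscription GUID and the policy rules (read-only actions, no wildcard resource provider, no data actions, scope no broader than one subscription) are assumptions.

```python
import json
import re

# Constructed sample: this page's role definition with a made-up subscription
# GUID in place of the <SUBSCRIPTION-ID> placeholder.
SAMPLE_ROLE = """
{
  "Name": "Microsoft Azure Monitoring in vROps",
  "Description": "Monitor Microsoft Azure Environment in vROps",
  "Actions": [
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Sql/servers/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Insights/metrics/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "AssignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"]
}
"""

# A single subscription scope, or anything narrower beneath it.
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}(/.+)?$", re.I)


def lint_role_definition(text):
    """Return least-privilege findings for a monitoring-only role definition."""
    role = json.loads(text)
    findings = []
    for action in role.get("Actions", []):
        if not action.lower().endswith("/read"):
            findings.append(f"non-read action: {action}")
        elif action.split("/")[0] == "*":
            findings.append(f"wildcard resource provider: {action}")
    # Data-plane permissions are not part of this page's role.
    for action in role.get("DataActions", []):
        findings.append(f"unexpected data action: {action}")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if "<" in scope:
            findings.append(f"placeholder not replaced: {scope}")
        elif not SCOPE_RE.match(scope):
            findings.append(f"scope broader than one subscription: {scope}")
    return findings

if __name__ == "__main__":
    print(lint_role_definition(SAMPLE_ROLE) or "no findings")
```

An empty result means the file matches the read-only, single-subscription shape of the role shown on this page.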
Create an Active Directory Service Principal (and AD App)
To create an AD Service Principal and assign a role to it, run the following command:
az ad sp create-for-rbac -n vrops --password <SECRET> --role "Microsoft Azure Monitoring in vROps"
NOTE: -
To check the role assignment, you can execute the following command:
NOTE: jq
az role assignment list | jq '.[].properties|{Name:.principalName,Definition:.roleDefinitionName}'
NOTE:Definition
Find your Client ID
After creating your AD Service Principal (and AD App), find your associated Client ID (appId) (required when Creating a Credential (Microsoft Azure SQL)) by running the following command:
az ad sp list --filter="displayName eq 'vrops'"
The output should look similar to the following:
[
  {
    "appId": "<CLIENT-ID>",
    "displayName": "Network Watcher",
    "objectId": "000af6c3-681a-4c76-982e-604a700d86d9",
    "objectType": "ServicePrincipal",
    "servicePrincipalNames": [
      "7c33bfcb-8d33-48d6-8e60-dc6404003489"
    ]
  }
]
- For additional guidance around creating an Azure Service Principal, see: Microsoft Azure's documentation on the topic.
- Setting SQL Database User Privileges (Microsoft Azure SQL)