The following tasks must be completed to set up REST access rights for the Management Pack for Microsoft Azure SQL, as well as to obtain the IDs required when Creating a Credential (Microsoft Azure SQL) and Creating an Adapter Instance (Microsoft Azure SQL):

  • Find your Subscription and Tenant IDs
  • Create a custom RBAC role
  • Create an Active Directory Service Principal (and AD App)
  • Find your Client ID
Note: The following steps require the Azure CLI. Ensure you have it installed before continuing. To verify the Azure CLI has been installed, run the az help command. See: Microsoft Azure CLI Troubleshooting Guide for additional information.

Find your Subscription and Tenant IDs

To obtain your Subscription ID (id ) (required when Creating an Adapter Instance (Microsoft Azure SQL)) and Tenant ID (tenantId) (required when Creating a Credential (Microsoft Azure SQL)), execute the following command:

az account list

The output should look similar to the following:

            "cloudName": "AzureCloud",
"id": “<SUBSCRIPTION-ID>",
"isDefault": true,
"name": "Pay-As-You-Go",
"state": "Enabled",
"tenantId": “<TENANT-ID>",
"user": {
     "name": "service.azure@bluemedora.com",  
     "type": "user"
}

Create a custom RBAC role

  1. To create a custom RBAC role, first you must create a file called azure.json that contains the following configuration:

    {
       "Name": "Microsoft Azure Monitoring in vROps",
       "Description": "Monitor Microsoft Azure Environment in vROps",
       "Actions": [
          "Microsoft.Compute/virtualMachines/*/read",
          "Microsoft.Sql/servers/*/read",
          "Microsoft.Storage/*/read",
          "Microsoft.Insights/metrics/*/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read" 
       ],
       "AssignableScopes":   ["/subscriptions/<SUBSCRIPTION-ID>"]
    }
    NOTE:Subscription ID
  2. Next, create your custom RBAC role by running the following command:

    az role definition create --role-definition azure.json

Create an Active Directory Service Principal (and AD App)

  1. To create an AD Service Principal and assign a role to it, run the following command:

    az ad sp create-for-rbac -n vrops --password <SECRET> --role "Microsoft Azure Monitoring in vROps"

    NOTE:
  2. To check the role assignment, you can execute the following command:

    NOTE: jq

    az role assignment list | jq '.[].properties|{Name:.principalName,Definition:.roleDefinitionName}'

    NOTE:Definition

Find your Client ID

After creating your AD Service Principal (and AD App), find your associated Client ID (appId) (required when Creating a Credential (Microsoft Azure SQL)) by running the following command:

az ad sp list --filter="displayName eq 'vrops'"

The output should look similar to the following:

[
  {
    "appId": "<CLIENT-ID>",
    "displayName": "Network Watcher",
    "objectId": "000af6c3-681a-4c76-982e-604a700d86d9",
    "objectType": "ServicePrincipal",
    "servicePrincipalNames": [
      "7c33bfcb-8d33-48d6-8e60-dc6404003489"
    ]
Note: The appId in the output above is the Client ID you need when Creating a Credential (Microsoft Azure SQL).