How-to guides

In the Samsung Cloud Platform Console, the user enters the information required for the Config Inspection service and creates the service by selecting the detailed options.

Create an authentication key

To create and use the Config Inspection service in the Samsung Cloud Platform Console, an authentication key must be created in advance.

API keys are created at My menu > My Info. > API key management > API key creation. For more information, refer to API key management.

Note
  • The expiration period of the authentication key is up to 365 days.
  • To create an authentication key with no expiration date, it must be created as permanent.

Config Inspection creation

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

Reference
The user must be a member of the AdministratorGroup user group to use the functions provided by the Config Inspection service.

To create a Config Inspection, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.

  2. On the Service Home page, click the Config Inspection creation button. You will be taken to the Config Inspection creation page.

  3. On the Config Inspection creation page, enter the information required for service creation and select the detailed options.

    • In the Service Information area, enter or select the required information.

      Diagnosis Type (Required): Console
      Cloud (Required): Select the cloud to diagnose.
        • SCP: Samsung Cloud Platform
        • AWS: Amazon Web Services
        • Azure: Microsoft Azure
        • The detailed input items vary depending on the selected cloud type.
      Diagnosis target > Diagnosis name (Required): Name used to distinguish the diagnosis target.
        • The entered value is used as the resource name.
        • Use English letters, numbers, and the special characters - and _, within 25 characters.
      Diagnosis target > Diagnosis account (Required): Console information of the diagnosis target.
        • Select the Account ID to be diagnosed from the list.
        • If you select an Account ID that is already registered, the diagnosis target is duplicated and an additional fee is incurred.
        • If you select AWS, enter the Account ID (a 12-digit number) as the diagnosis account.
        • If you select Azure, enter the Subscription ID (36 characters including letters, numbers, and special characters) as the diagnosis account.
      Diagnosis Schedule > Check List (Required): Set automatically when Use Diagnosis Schedule is selected.
      Diagnosis Schedule > Diagnosis Cycle (Required): Select the diagnosis cycle.
        • The diagnosis is executed on the selected date according to the specified cycle.
        • If Monthly is selected, the diagnosis is not performed in a month that does not contain the selected date.
          • Example) If Monthly, 31st is selected, the diagnosis is not performed in February because February has no 31st.
      Diagnosis Schedule > Start Time (Required): Select the diagnosis start time.
        • Set the hour and minute at which the diagnosis starts.
      Authentication Key (Required): Select the authentication key to use for Open API calls.
        • Click the Select button and choose the authentication key from the list in the Authentication Key Selection popup window.
        • If there is no selectable authentication key, create a new one through the Authentication Key Management button.
      Rate Plan (Optional): Select the rate plan to use.
        • General: Charged according to the number of diagnoses.
        • Monthly Fee: Charged a fixed monthly amount regardless of the number of diagnoses (up to 30 diagnoses per month).
        • The rate plan cannot be changed after applying for the service.
      Table. Config Inspection service information input items

    • In the Additional Information area, enter or select the required information.

      Tag (Optional): Add tags.
        • Up to 50 tags can be added per resource.
        • Click the Add Tag button and enter or select the Key and Value.
      Table. Additional information input items for Config Inspection

  4. In the Summary panel, check the generated details and the estimated billing amount, and click the Create button.

    • Once creation is complete, check the created resource on the Config Inspection list page.
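
As an added example (not code from the Samsung Cloud Platform documentation or from the Config Inspection service), the following Python script checks the creation form inputs described above before they are submitted: the diagnosis name rule (English letters, numbers, - and _, within 25 characters), the per-cloud diagnosis account format (12-digit AWS Account ID, 36-character Azure Subscription ID), the rate plan and the authentication key selection, and it lists the months in which a Monthly schedule actually runs for a given day of the month. The form field keys, function names and the sample form are this example's own assumptions.

```python
"""Added example (not part of the Samsung Cloud Platform documentation or the
Config Inspection service): client-side validation of the Config Inspection
creation form described in the service information input table, plus a helper
showing which months a Monthly schedule actually runs in.  Limits and formats
follow the table; field keys and function names are this example's own."""
import calendar
import re

# Constraints taken from the service information input table.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,25}$")   # English letters, digits, - and _; max 25 chars
AWS_ACCOUNT_RE = re.compile(r"^\d{12}$")         # AWS Account ID: 12-digit number
AZURE_SUBSCRIPTION_LEN = 36                       # Azure Subscription ID: 36 characters
RATE_PLANS = {"General", "Monthly Fee"}

# Constructed sample form (assumed field keys); not real account data.
SAMPLE_FORM = {
    "cloud": "AWS",
    "diagnosis_name": "prod-account-check",
    "diagnosis_account": "123456789012",
    "rate_plan": "General",
    "authentication_key": "selected",
}


def validate_diagnosis_name(name: str) -> list[str]:
    """Return the list of problems with the name (empty when it is acceptable)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("diagnosis name must be 1-25 chars of A-Z, a-z, 0-9, '-' or '_'")
    return problems


def validate_diagnosis_account(cloud: str, account: str) -> list[str]:
    """Check the diagnosis account field against the format of the selected cloud."""
    problems = []
    if cloud == "SCP":
        if not account:
            problems.append("select an SCP Account ID from the list")
    elif cloud == "AWS":
        if not AWS_ACCOUNT_RE.fullmatch(account):
            problems.append("AWS Account ID must be a 12-digit number")
    elif cloud == "Azure":
        if len(account) != AZURE_SUBSCRIPTION_LEN:
            problems.append("Azure Subscription ID must be 36 characters")
    else:
        problems.append(f"unsupported cloud {cloud!r} (expected SCP, AWS or Azure)")
    return problems


def validate_creation_form(form: dict) -> list[str]:
    """Validate a whole creation form and collect every problem found."""
    problems = validate_diagnosis_name(form.get("diagnosis_name", ""))
    problems += validate_diagnosis_account(form.get("cloud", ""), form.get("diagnosis_account", ""))
    if form.get("rate_plan") not in RATE_PLANS:
        problems.append("rate plan must be 'General' or 'Monthly Fee'")
    if not form.get("authentication_key"):
        problems.append("an authentication key must be selected")
    return problems


def monthly_run_months(year: int, day_of_month: int) -> list[int]:
    """Months (1-12) in which a Monthly schedule on `day_of_month` actually runs.

    The service skips months that do not contain the selected date, so the 31st
    is skipped in February, April, June, September and November."""
    return [m for m in range(1, 13) if calendar.monthrange(year, m)[1] >= day_of_month]


if __name__ == "__main__":
    print(validate_creation_form(SAMPLE_FORM))   # [] means the form is acceptable
    print(monthly_run_months(2025, 31))          # [1, 3, 5, 7, 8, 10, 12]
```

Running the script with a name longer than 25 characters or an 11-digit AWS Account ID returns a non-empty problem list, which is the check the console performs on submission; `monthly_run_months` makes the February note in the table concrete for any day of the month.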

Config Inspection detailed information check

In the Config Inspection service, you can check the entire resource list and the detailed information of each resource, and modify the information. The Config Inspection details page consists of the Details, Tags, and Work History tabs.

To check the detailed information of a Config Inspection resource, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection list page, click the resource whose detailed information you want to check. You will be taken to the Config Inspection details page.
    • The Config Inspection details page displays status information and additional features, and consists of the Details, Tags, and Work History tabs.

      Status: The Config Inspection status is displayed.
        • Ready: After service creation, when no diagnosis request has been made (diagnosis request possible)
        • In Progress: When a diagnosis request is being executed (diagnosis request and service cancellation not possible)
        • Error: When an error occurred in the diagnosis request (diagnosis request possible)
        • Completed: When the diagnosis request completed normally (diagnosis request possible)
      Diagnosis Request: Button that performs a Console diagnosis.
      Service Cancellation: Button that cancels the service.
      Fig. Config Inspection status information and additional features

Detailed Information

On the Config Inspection list page, you can check the detailed information of the selected resource and modify the information if necessary.

Service: Service category
Resource Type: Service name
SRN: Unique resource ID in Samsung Cloud Platform
Resource Name: Resource title
Resource ID: Unique resource ID within the service
Creator: User who created the service
Creation Time: Time when the service was created
Modifier: User who modified the service information
Modified Time: Time when the service information was modified
Diagnosis Type: Diagnosis type provided by the service
Cloud: Diagnosis target type
Diagnosis Target: Console information of the diagnosis target
  • Provides the diagnosis name and diagnosis account of the diagnosis target
  • If the diagnosis target is AWS or Azure, you can modify the diagnosis account by clicking the Edit icon
Rate Plan: Selected rate plan type
Recently diagnosed time: Time of the last executed diagnosis request
Recent diagnosis result: Result of the last executed diagnosis request
  • Completed: The diagnosis request completed normally
  • Error: The diagnosis request did not complete normally
    • UNAUTHORIZED: Check the permissions of the key used for the diagnosis request
    • INVALID_INPUT_VALUE: Check the input values, such as the diagnosis account
    • CONNECTION_FAIL: Check the console access control settings
    • ETC: Other errors, such as a diagnosis engine error; inquire through the service desk
  ※ The diagnosis result can be checked in the Security > Config Inspection > Report menu
Authentication Key: Authentication key of the user registered when the service was created
  • Access Key, User, and Status information is provided
  • The Access Key information and the edit icon are displayed only to the user who created the authentication key
    • Click the edit icon to change the authentication key
  • If the authentication key has been deleted, its status is displayed as -; if it has expired, it is displayed as Expired
  • Authentication key information (Access Key, Status) of resources created by other users is displayed as -
Diagnosis Schedule: Displays the selected diagnosis schedule information
  • If the diagnosis target is SCP, you can change the diagnosis schedule by clicking the Modify icon
Fig. Config Inspection detailed information tab items

Tag

On the Config Inspection list page, you can check the tag information of the selected resource and add, change, or delete tags.

Tag List: List of tags
  • Check the Key and Value information of each tag
  • Up to 50 tags can be added per resource
  • When entering a tag, search for and select from the existing list of created Keys and Values
Fig. Config Inspection Tag tab items

Work History

On the Config Inspection list page, you can check the work history of the selected resource.

Work history list: Resource change history
  • Check the work time, resource ID, resource name, work details, event topic, work result, and worker information
Fig. Config Inspection work history tab items

Config Inspection Resource Management

You can check the status of Config Inspection resources and request a diagnosis on the Config Inspection list page or the Config Inspection details page, where these operations can be performed.

Modifying the authentication key

You can select the authentication key to use for diagnosis for each diagnosis target.

To modify the service authentication key, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection list page, click the resource whose authentication key you want to modify. You will be taken to the Config Inspection details page.
  4. Check the authentication key and click the edit icon. The Modify Authentication Key popup window appears.
  5. In the Modify Authentication Key popup window, select the registered authentication key and click the OK button.

    Access Key: Access Key information of the authentication key
    Creation Date: Creation date of the Access Key
    Expiration Date: Expiration date of the Access Key
    Status: Authentication key status
      • In use: The key is available
      • Expired: The usage period of the key has expired
    Fig. Modify Authentication Key popup window items
Reference
  • If the authentication key has been deleted, its status is displayed as -.
  • Authentication key information (Access Key, Status) of resources created by other users is displayed as -.

Request Diagnosis

You can request a Console diagnosis based on the configured checklist.

To request a Console diagnosis, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.

  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.

  3. On the Config Inspection list page, click the resource for which to request a diagnosis. You will be taken to the Config Inspection details page.

  4. On the Config Inspection details page, click the Diagnosis Request button. The Diagnosis Request popup window appears.

  5. In the Diagnosis Request popup window, enter the information required for the diagnosis and click the Confirm button.

    • The items in the Diagnosis Request popup window vary depending on the selected Console.

      Console access method: Method of accessing the Console; fixed to the authentication key method
      Check List: Fixed to Best Practice when SCP is selected
      Authentication Key: If SCP is selected, select the authentication key created in advance
      Access Key: If AWS is selected, enter the Access Key
      Secret Key: If AWS is selected, enter the Secret Key
      Client ID: If Azure is selected, enter the Client ID
      Client Secret: If Azure is selected, enter the Client Secret
      Tenant ID: If Azure is selected, enter the Tenant ID
      Fig. Diagnosis Request popup window items
  6. Check the Status value on the Config Inspection list page.

    • When the diagnosis request is complete, the status value is displayed as Completed or Error.
    • In the Completed case, you can check the diagnosis result in the Diagnosis Result menu. For more information, refer to Report management.
Reference
For details on the preliminary setup required to run a diagnosis for each Console, see Preparation.

Config Inspection cancellation

You can cancel a Config Inspection service that is no longer used. However, if you cancel Config Inspection, all saved diagnosis data is deleted.

Caution
  • If you cancel the resource, all diagnosis data is deleted and the diagnosis results can no longer be viewed in the Report.
  • If the status of the Config Inspection service is In Progress, the service cannot be cancelled.

To cancel Config Inspection, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection list page, click the resource to cancel. You will be taken to the Config Inspection details page.
  4. On the Config Inspection details page, click the Service Cancellation button.
  5. Once the cancellation is complete, check that the resource has been cancelled on the Config Inspection list page.

1 - Dashboard Check

Users can check the diagnosis results of the Config Inspection service at a glance on the dashboard in the Samsung Cloud Platform Console.

Check Dashboard

On the Dashboard page, you can check the diagnosis status and history of Config Inspection.

To check the dashboard, follow these steps.

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Dashboard menu. You will be taken to the Dashboard page.
  3. On the Dashboard page, check the summary information of the diagnosis results.
    • At the top of the Dashboard page, you can filter the dashboard information by period or by diagnosis name.
      • Period: Check the summary of the diagnosis results for a period of up to 6 months, counted back from the current month.
      • Diagnosis Name: Select All to summarize the entire diagnosis results, or select a diagnosis account to check the detailed history of its diagnosis results.
    • The Download button downloads the information displayed on the Dashboard page as a PDF file.

      Security Level (Total): The average of the latest diagnosis result scores of all diagnosis targets is displayed
        • The latest diagnosis results are listed
        • Diagnosis score = (Total - (Fail + Error + Check)) / Total x 100
      Diagnosis Status by Period: Displays the diagnosis status of each target during the search period
        • Diagnosis Completed: Displays recent diagnosis completion records
        • Diagnosis Error: Displays recent diagnosis error records; selecting a diagnosis name moves to the detailed diagnosis result page
      Summary of diagnosis results by period (All): Displays summary information of all diagnosis results during the search period
        • Selecting a diagnosis name from the list moves to the detailed diagnosis result page
      Table. Dashboard items for overall diagnosis results

      Security Level: The last diagnosis result score of the selected diagnosis account is displayed
        • The latest diagnosis result is displayed in the list
      Summary of diagnosis results by period: Displays a summary of the diagnosis results of the selected diagnosis account during the search period
      Vulnerability Status by Period: Displays the vulnerability diagnosis results of the diagnosis account during the search period as a graph
        • Selecting the graph displays detailed information about the vulnerable items in the diagnosis results
      Fig. Dashboard items for diagnosis results by diagnosis account
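
The diagnosis score formula shown on the dashboard, worked through in Python as an added example (not code from the documentation or from the service): one diagnosis is represented by its PASS/FAIL/CHECK/ERROR/N/A counts as listed on the Diagnosis Result List page, the score is (Total - (Fail + Error + Check)) / Total x 100, and the Security Level (Total) tile is the average of the latest score of every diagnosis target. The example assumes that Total includes N/A items, as the result list counts them, and that a diagnosis with no items scores 0; the class and function names and the sample counts are this example's own.

```python
"""Added example (not part of the Samsung Cloud Platform documentation or the
Config Inspection service): the dashboard diagnosis score formula applied to
per-target result counts, and the Security Level (Total) average across
targets.  Assumes Total includes N/A items and that an empty result scores 0;
names and sample data are this example's own."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ResultCounts:
    """Checklist item counts of one diagnosis, as shown in the result list."""
    passed: int
    fail: int
    error: int
    check: int
    not_applicable: int = 0

    @property
    def total(self) -> int:
        """Total number of items in the checklist (N/A items included, assumed)."""
        return self.passed + self.fail + self.error + self.check + self.not_applicable


def security_score(counts: ResultCounts) -> float:
    """Diagnosis score = (Total - (Fail + Error + Check)) / Total x 100.

    FAIL, ERROR and CHECK all count against the score, so an item that could
    not be diagnosed or still needs verification lowers the score until it is
    fixed or confirmed.  A result with no items cannot be scored; 0.0 is
    returned instead of dividing by zero."""
    if counts.total == 0:
        return 0.0
    return (counts.total - (counts.fail + counts.error + counts.check)) / counts.total * 100


def security_level_total(latest_results: dict) -> float:
    """Average of the latest score of every diagnosis target (the Total tile)."""
    if not latest_results:
        return 0.0
    return mean(security_score(c) for c in latest_results.values())


# Constructed sample: latest result counts of two diagnosis targets.
LATEST_RESULTS = {
    "scp-prod": ResultCounts(passed=80, fail=10, error=2, check=8),                 # Total 100 -> 80.0
    "aws-dev": ResultCounts(passed=45, fail=5, error=0, check=0, not_applicable=10),  # Total 60 -> 91.67
}


if __name__ == "__main__":
    for name, counts in LATEST_RESULTS.items():
        print(f"{name}: {security_score(counts):.2f}")
    print(f"Security Level (Total): {security_level_total(LATEST_RESULTS):.2f}")  # 85.83
```

Note that N/A items raise the score only because they are counted in Total without being subtracted; a target whose checklist is mostly N/A can therefore show a high score while few controls were actually verified, which is worth keeping in mind when comparing accounts on the dashboard.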

2 - Diagnosis Result Management

You can check the results of Config Inspection diagnosis requests on the Diagnosis Result page and change the diagnosis results.

Note

Diagnosis results are created when a diagnosis request is made through the Config Inspection service, and are deleted when the service is terminated.

Checking Diagnosis Results

On the Diagnosis Result page, you can check the results of diagnosis requests.

Checking the Diagnosis Result List

To check the diagnosis result list, follow these steps:

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click Diagnosis Result. You will be taken to the Diagnosis Result List page.
  3. On the Diagnosis Result List page, check the summary information of the diagnosis results.

    Diagnosis Name: Resource name
    Diagnosis Account: Console information that is the target of the diagnosis
    Checklist: Collection of diagnosis items that serve as the basis for the diagnosis result
    PASS: Number of checklist items with a diagnosis result of PASS (normal)
    FAIL: Number of checklist items with a diagnosis result of FAIL (vulnerable)
    CHECK: Number of checklist items with a diagnosis result of CHECK (requires verification)
    ERROR: Number of checklist items with a diagnosis result of ERROR (diagnosis not possible)
    N/A: Number of checklist items with a diagnosis result of N/A (not applicable)
    Total: Total number of items in the checklist
    Diagnosis Result: Result of the diagnosis request
      • Completed: The diagnosis request completed normally
      • Error: The diagnosis request did not complete normally; the items of a result in Error status cannot be checked in detail
    Diagnosis Time: Time at which the diagnosis request was made
    Table. Diagnosis Result List items

Checking Detailed Diagnosis Result Information

To check the detailed information of a diagnosis result, follow these steps:

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.

  2. On the Service Home page, click Diagnosis Result. You will be taken to the Diagnosis Result List page.

    • You can search for diagnosis results by entering the diagnosis name in the search area of the Diagnosis Result List page or by clicking the Detailed Search button.
  3. On the Diagnosis Result List page, click an item with a diagnosis result of Completed. You will be taken to the Detailed Diagnosis Result page.

    • Items with a diagnosis result of Error do not display detailed information.
  4. On the Detailed Diagnosis Result page, check the detailed diagnosis results.

    Excel Download: Download the detailed diagnosis result list as an Excel file
    More > Diagnosis Result Management: Move to the Diagnosis Result Management page
    Checklist: Collection of diagnosis items that serve as the basis for the diagnosis result
    Area: Scope of the diagnosis (Samsung Cloud Platform services)
    Diagnosis Item: Security standard recommended for the service settings
    Result: Result of checking the diagnosis item
    Table. Detailed Diagnosis Result items

  5. Click the diagnosis item you want to check in detail. The Diagnosis Item Details popup window appears.

    • In the Diagnosis Item Details popup window, you can check the following information:

      | Category | Detailed Description |
      |---------|---------|
      | Area | The scope of the diagnosis (Samsung Cloud Platform services) |
      | Diagnosis Item | The security standard recommended for the service settings |
      | Result | The result of checking the diagnosis item |
      | Diagnosis Criteria | The criteria for determining the result |
      | Diagnosis Method | The method for checking the current settings |
      | Countermeasure Guide | The method for applying the security standard |
      | Detailed Result | Information about the resources and settings corresponding to the diagnosis item |
      | Change Diagnosis Result | A button to change the diagnosis result |
      Table. Config Inspection Diagnosis Item Details

Managing Diagnosis Results

On the Diagnosis Result page, you can change the results of items with a CHECK status.

Changing Diagnosis Results

To change a diagnosis result, follow these steps:

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.

  2. On the Service Home page, click the Diagnosis Result menu. You will be taken to the Diagnosis Result List page.

  3. On the Diagnosis Result List page, click an item with a diagnosis result of Completed. You will be taken to the Diagnosis Result Detail page.

    • Items with an Error status do not display detailed information.
  4. Click the Diagnosis Result Management button at the top of the Diagnosis Result Detail page. You will be taken to the Diagnosis Result Management page.

  5. On the Diagnosis Result Management page, click the Result Change button of the item whose diagnosis result you want to change. The Result Change popup window appears.

  6. In the Result Change popup window, select or enter the information required for the result change.

    Register (-): Email of the person changing the diagnosis result
    Valid Period (Required): Set the valid period of the changed diagnosis result
    Result Change (Required): Select the new diagnosis result (Pass, Check, Fail)
    Detailed Reason (Required): Enter a detailed reason for changing the result
    Attachment (Optional): Upload a file required to confirm the result change
      • Click the File Attachment button to upload a file; up to 5 files can be registered
    Inspection Result (-): Displays the detailed inspection results
    Table. Detailed items for changing diagnosis results

  7. Confirm the entered information and click the Register button. Verify that the diagnosis result has been changed in the Diagnosis Result Management list.

Deleting Diagnosis Result Change History

To delete the diagnosis result change history, follow these steps:

  1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnosis Result menu. You will be taken to the Diagnosis Result List page.
  3. On the Diagnosis Result List page, click an item with a diagnosis result of Completed. You will be taken to the Diagnosis Result Detail page.
    • Items with an Error status do not display detailed information.
  4. Click the Diagnosis Result Management button at the top of the Diagnosis Result Detail page. You will be taken to the Diagnosis Result Management page.
  5. On the Diagnosis Result Management page, click the Result Confirmation button of the item whose diagnosis result change history you want to delete. The Result Confirmation popup window appears.
  6. Click the Delete button in the Result Confirmation popup window.

3 - Setting up the Cloud

To use the Config Inspection service through the Samsung Cloud Platform Console, users must set up cloud prerequisites, such as generating authentication keys and adding access control IPs.

Note
The settings to configure vary depending on the type of cloud to be diagnosed. Refer to the relevant section to set up the necessary items for each cloud.

Setting up the Samsung Cloud Platform Console

To diagnose Samsung Cloud Platform and external clouds with the Config Inspection service, configure the following items.

Checking policies connected to user groups

Guide
  • Config Inspection can diagnose Samsung Cloud Platform or external clouds. Depending on the diagnosis target, the user group must be granted the required policies before the service can be used.
    • Make sure that the user group policy matching the desired diagnosis target is set up.
    • If a policy needs to be created, contact the Account administrator.

To check the policies of the user group you belong to, follow these steps:

  1. Click All Services > Management > IAM. You will be taken to the Service Home page of IAM.
  2. On the Service Home page, click User Group. You will be taken to the User Group List page.
  3. On the User Group List page, click the user group you want to check. You will be taken to the User Group Details page.
  4. On the User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
  5. On the Policy tab page, click the policy you want to check. You will be taken to the Policy Details page.
  6. On the Policy Details page, check the detailed information.

Generating authentication keys

You can check and generate the authentication keys to be used for the Config Inspection service.

Guide
  • You can create up to two authentication keys.
  • After creating a new authentication key, you must apply the changed API authentication key to the service you are using.

To generate an authentication key in the Samsung Cloud Platform Console, follow these steps:

  1. Click My Menu > My Info. You will be taken to the My Info. details page.
  2. On the My Info. details page, click the Authentication Key Management tab. You will be taken to the Authentication Key Management tab page.
  3. On the Authentication Key Management tab page, click the Create Authentication Key button. You will be taken to the Create Authentication Key page.
    • On the Authentication Key Management tab page, you can check the list of authentication keys.
  4. On the Create Authentication Key page, enter the expiration period and click the Confirm button.
  5. Check that the created authentication key is displayed in the authentication key list.

Adding Allowed Access IP

You can add an allowed access IP in the Samsung Cloud Platform Console.

To add an allowed access IP in the Console, follow these steps:

  1. Click My menu > My info. in the Console. You will be taken to the My info. details page.
  2. On the My info. details page, click the Authentication key management tab. You will be taken to the Authentication key management tab page.
  3. On the Authentication key management tab page, click the Modify icon in the Security settings section. The Modify authentication key security settings popup window opens.
  4. In the Modify authentication key security settings popup window, enter the authentication method and the allowed access IP.
    • Select Authentication key as the authentication method.
    • Set Allowed access IP to Use, enter the IP address, and click the Add button.
  5. Once the allowed access IP is added, click the Confirm button. Verify that the information entered in the Security settings section has been updated.

Setting up AWS

To diagnose the AWS (Amazon Web Services) cloud with the Config Inspection service, set up the following items.

Adding Permission Policy

You can add a permission policy to a user or user group in the AWS Console.

Adding User Permissions

To add a user access permission policy in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the name of the user used for diagnosis from the user list.
  3. Click the Permissions tab on the user information page.
  4. Select Add permissions under the permissions policy.
    • When adding permissions, select ReadOnlyAccess and ViewOnlyAccess.

Adding User Group Permissions

To add a user group access permission policy in the AWS Console, follow these steps:

  1. Click IAM > User groups in the AWS Console.
  2. Select the user group that the user belongs to from the user group list.
  3. Click the Permissions tab on the user group page.
  4. Select Add permissions under the permissions policy.
    • When adding permissions, select ReadOnlyAccess and ViewOnlyAccess.

Adding Access Control IP

If you are using an IP access control policy, you must add an exception IP to the policy.

Adding IP Access Control for Users

To add IP access control for a user in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the name of the user used for diagnosis from the user list.
  3. Click the Permissions tab on the user information page.
  4. Click Edit on the IP access control policy in the permissions policy list.
    • Add 123.37.24.82 as an exception IP to the blocking policy.

Adding IP Access Control for User Groups

To add IP access control for a user group in the AWS Console, follow these steps:

  1. Click IAM > User groups in the AWS Console.
  2. Select the user group that the user belongs to from the user group list.
  3. Click the Permissions tab on the user group page.
  4. Click Edit on the IP access control policy in the permissions policy list.
    • Add 123.37.24.82 as an exception IP to the blocking policy.
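
As an added example (not code from the documentation or from AWS), the following Python script applies the exception described in the two procedures above to an IAM policy document: it assumes the common IP access control pattern of a Deny statement with a NotIpAddress condition on aws:SourceIp, adds 123.37.24.82 as a /32 exception to every such statement, and lets you confirm which source addresses the edited policy still blocks before it is saved in the console. The sample policy document and the function names are constructed for this example.

```python
"""Added example (not part of the Samsung Cloud Platform documentation or of
AWS): add the Config Inspection source IP as an exception to an IAM IP access
control policy.  Assumes the common Deny + NotIpAddress/aws:SourceIp pattern;
the policy document is constructed sample data and the function names are
this example's own."""
import copy
import ipaddress
import json

CONFIG_INSPECTION_IP = "123.37.24.82"   # source IP given in the guide above

# Constructed sample: deny everything unless the request comes from the office range.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideOfficeRange",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        }
    ],
}


def _source_ip_lists(policy: dict):
    """Yield the aws:SourceIp list of every Deny/NotIpAddress statement."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("NotIpAddress", {})
        if stmt.get("Effect") == "Deny" and "aws:SourceIp" in cond:
            yield cond


def _contains(host: ipaddress._BaseAddress, cidrs) -> bool:
    """True when `host` falls inside any of the listed CIDRs (IAM also accepts a bare string)."""
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    return any(host in ipaddress.ip_network(c, strict=False) for c in cidrs)


def add_source_ip_exception(policy: dict, ip: str) -> dict:
    """Return a copy of `policy` whose Deny/NotIpAddress statements also exempt `ip`.

    The host is stored as a /32 so the exception is unambiguous; statements that
    already cover it are left unchanged, so the function is idempotent."""
    host = ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    cidr = f"{host}/{host.max_prefixlen}"      # 123.37.24.82 -> 123.37.24.82/32
    updated = copy.deepcopy(policy)
    touched = 0
    for cond in _source_ip_lists(updated):
        allowed = cond["aws:SourceIp"]
        allowed = [allowed] if isinstance(allowed, str) else list(allowed)
        if not _contains(host, allowed):
            allowed.append(cidr)
        cond["aws:SourceIp"] = allowed
        touched += 1
    if touched == 0:
        raise ValueError("policy has no Deny statement with a NotIpAddress/aws:SourceIp condition")
    return updated


def is_source_allowed(policy: dict, ip: str) -> bool:
    """True when `ip` is not caught by any Deny/NotIpAddress statement of the policy."""
    host = ipaddress.ip_address(ip)
    return all(_contains(host, cond["aws:SourceIp"]) for cond in _source_ip_lists(policy))


if __name__ == "__main__":
    fixed = add_source_ip_exception(SAMPLE_POLICY, CONFIG_INSPECTION_IP)
    print(json.dumps(fixed, indent=2))
    print("blocked before:", not is_source_allowed(SAMPLE_POLICY, CONFIG_INSPECTION_IP))
    print("allowed after:", is_source_allowed(fixed, CONFIG_INSPECTION_IP))
```

Keeping the exception to a single /32 rather than widening the office range preserves the intent of the blocking policy: only the diagnosis service's address is exempted, and `is_source_allowed` shows that other addresses remain denied.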

Creating Access Keys

To create access keys in the AWS Console, follow these steps:

  1. Click IAM > Users in the AWS Console.
  2. Select the name of the user used for diagnosis from the user list.
  3. Click the Security credentials tab on the user information page.
  4. Click Access keys on the Security credentials page.
  5. On the Create access key page, create an access key for a third-party service.
    • Be sure to save the created access key information.
Note

The Secret Key can only be downloaded as a CSV file or recorded separately.

  • The secret key can only be checked during access key creation and cannot be recovered later.

    Setting up Azure

    To diagnose Azure cloud in the Config Inspection service, set up the following items.

    Registering Entra ID Application

    To register Entra ID Application in the Azure Console, follow these steps:

    1. Click Microsoft Entra ID > App Registration in the Azure Console.
    2. Click New Registration on the App Registration page.
    3. Register the application (client) ID.
    4. After completing the app registration, check the App Name, Application (Client) ID, Directory (Tenant) ID on the overview page.

    Adding API Permissions

    Reference
    To use the Config Inspection service, you must pre-set it with an account that has the Global Administrator role in Azure AD.

    To add API permissions in the Azure Console, follow these steps:

    1. Click Microsoft Entra ID > App Registration (App registrations) > Entra ID Application Registration and select the created App Name > API Permissions (App permissions) > Add a permission.
    2. Select Microsoft Graph from the API Permissions list.
    3. Click Application Permissions on the API Permission Request page.
      • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
    4. Click Grant admin consent for account name after adding permissions on the App API Permission Registration page.
      • Check if the status has changed to Granted for account name.

    Creating Client Secret

    To create a client secret in the Azure Console, follow these steps:

    1. In the Azure Console, click Microsoft Entra ID > App registrations, select the App Name created in Registering Entra ID Application, and then click Certificates & secrets.
    2. Click New Client Secret on the Certificates & Secrets list.
    3. Check the Value item of the client secret in the list after creating the client secret.
      • Be sure to save the client secret value.
    Note
    The client secret value (Value) is shown only once, at creation; record or save it separately. Choose the shortest expiry that fits your rotation schedule and replace the secret before it expires, since an expired secret stops the diagnosis from authenticating.
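    As an added example (not the documentation's own code or a feature of Config Inspection), the same step done with the Microsoft.Graph PowerShell module, which also shows why the Note above matters: the secret value is returned by exactly one call and can never be read back. It assumes the module is installed, the signed-in user may manage the app registration (Application.ReadWrite.All or ownership of the app), and that `$AppId`, `$SecretLabel` and `$ValidDays` are placeholders you replace.

```powershell
# Added example, not the Config Inspection documentation's own code.
# Assumes: Microsoft.Graph PowerShell module installed; $AppId is a placeholder for the
# Application (client) ID; $SecretLabel and $ValidDays are chosen by you.

$AppId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$SecretLabel = 'config-inspection'   # DisplayName shown under Certificates & secrets
$ValidDays   = 180                   # explicit, bounded lifetime; match your rotation schedule

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Get-MgApplication filters on appId; the returned Id is the app registration's object ID
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for appId $AppId" }

# Hygiene first: list existing secrets and remove any that have already expired,
# so the app does not accumulate dead credentials over successive rotations.
$now = (Get-Date).ToUniversalTime()
foreach ($cred in $app.PasswordCredentials) {
    $expired = $cred.EndDateTime -lt $now
    $state = if ($expired) { 'EXPIRED' } else { "expires $($cred.EndDateTime.ToString('u'))" }
    "existing secret '$($cred.DisplayName)' ($($cred.KeyId)): $state"
    if ($expired) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
        "  removed expired secret $($cred.KeyId)"
    }
}

# Create the new secret with an explicit end date instead of the portal default
$new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = $SecretLabel
    EndDateTime = $now.AddDays($ValidDays)
}

# SecretText is present only in this response. Later reads of the application object
# return just a hint, so capture it now; here it is kept in memory as a SecureString.
$secret = ConvertTo-SecureString -String $new.SecretText -AsPlainText -Force

"created secret '$($new.DisplayName)' ($($new.KeyId)), expires $($new.EndDateTime.ToString('u'))"
'The value is in $secret (SecureString). Enter it in Config Inspection now; do not write it to disk in clear text.'
```

    Rotation then means running the same script again before `EndDateTime`, entering the new value in Config Inspection, and removing the superseded secret by its KeyId once the new one is in use.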

    Adding Subscription Access Permissions in Azure Console

    Subscription access permissions in the Azure Console can be added to the Tenant Root Group or to individual subscriptions. Assigning at the Tenant Root Group covers every subscription in the tenant, including ones created later; assigning per subscription limits the app to only the subscriptions you choose. Choose the method that matches the scope you want diagnosed.

    Adding Permissions to the Tenant Root Group

    To add Azure Console subscription access permissions to the Tenant Root Group, follow these steps:

    1. Click on Management groups > Overview in the Azure Console.
    2. Click on Tenant Root Group > IAM.
      • If the Tenant Root Group is not visible or its IAM page shows Access denied, enable elevated access first:
        • Microsoft Entra ID > Properties > Access management for Azure resources: "<account name> can manage access to all Azure subscriptions and management groups in this tenant." > Yes
      • This grants the signed-in Global Administrator the User Access Administrator role at the root scope ("/"). After adding the permissions, be sure to change it back to No.
    3. On the Access Control page, click on Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click on Save (Review+assign).
      • When entering role assignment information, use the Role and Members tabs to assign the following roles to the App created in Registering Entra ID Application (select Assign access to: User, group, or service principal, then pick the app by name). All three roles below must be assigned; each is read-only.
          |  Role  |  Assign access to  |
          |---------|---------|
          |Reader|User, group, or service principal|
          |Key Vault Reader|User, group, or service principal|
          |Reader and Data Access|User, group, or service principal|
          <div class="figure-caption">
            Table. Roles to assign when entering role assignment information
          </div>
        

    Adding Permissions to an Individual Subscription

    To add Azure Console subscription access permissions to an individual subscription, follow these steps:

    1. Click on Subscription > Overview in the Azure Console.
      • Check the Subscription ID in the basic information on the overview page.
    2. Click on Subscription > IAM.
    3. On the Access Control page, click on Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click on Save (Review+assign).
      • When entering role assignment information, use the Role and Members tabs to assign the following roles to the App created in Registering Entra ID Application (select Assign access to: User, group, or service principal, then pick the app by name). All three roles below must be assigned; each is read-only.
          |  Role  |  Assign access to  |
          |---------|---------|
          |Reader|User, group, or service principal|
          |Key Vault Reader|User, group, or service principal|
          |Reader and Data Access|User, group, or service principal|
          <div class="figure-caption">
            Table. Roles to assign when entering role assignment information
          </div>
        

    Adding Access Permissions using PowerShell

    To assign the Reader role on the tenant-level Microsoft.aadiam provider scope (the resource provider under which Microsoft Entra ID diagnostic settings live) using PowerShell, follow these steps. The Object ID used below is the service principal's object ID shown under Enterprise applications, not the Object ID of the App registration.

    1. In the Azure Console, run the following command in Cloud shell > PowerShell:
      • New-AzRoleAssignment -ObjectId "<Object ID of the app's service principal, from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
      • If the command fails with an authorization error, change the following settings:
        • Microsoft Entra ID > Properties > Access management for Azure resources: "<account name> can manage access to all Azure subscriptions and management groups in this tenant." > Yes
        • After adding permissions, be sure to change it back to No.
    2. Run the following command to check if the settings are complete:
      • Get-AzRoleAssignment -ObjectId "<Object ID of the app's service principal, from Enterprise applications>" -Scope "/providers/Microsoft.aadiam"
      • If you need to delete permissions, run the following command:
        • Remove-AzRoleAssignment -ObjectId "<Object ID of the app's service principal, from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'
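    The following script performs all of the role assignments from the Tenant Root Group and individual subscription procedures above together with the Microsoft.aadiam assignment from this PowerShell step, resolving the service principal's object ID from the Application (client) ID so the wrong Object ID cannot be pasted in, and skipping assignments that already exist so it can be re-run safely. It is an added example and not the documentation's or the product's own code. It assumes the Az PowerShell module (Az.Accounts, Az.Resources) is installed, the session is signed in with Connect-AzAccount as an account allowed to assign roles at each scope (for the Tenant Root Group and Microsoft.aadiam scopes that means the elevated-access toggle described above, switched back to No afterwards), and that `$AppId`, `$SubscriptionId` and `$UseTenantRootGroup` are placeholders you set.

```powershell
# Added example, not the Config Inspection documentation's own code.
# Assumes: Az module (Az.Accounts, Az.Resources) installed and Connect-AzAccount already run;
# $AppId and $SubscriptionId are placeholders to replace with your own values.

$AppId              = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the app's Overview page
$SubscriptionId     = '11111111-1111-1111-1111-111111111111'   # used only when $UseTenantRootGroup is $false
$UseTenantRootGroup = $false                                   # $true: assign at the Tenant Root Group instead

# Role assignments reference the service principal (Enterprise application) behind the
# app registration, so resolve its object ID from the appId rather than typing it by hand.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal for appId $AppId; grant admin consent on the app first." }

# The Tenant Root Group is a management group whose ID equals the tenant ID.
$TenantId = (Get-AzContext).Tenant.Id
$ResourceScope = if ($UseTenantRootGroup) {
    "/providers/Microsoft.Management/managementGroups/$TenantId"
} else {
    "/subscriptions/$SubscriptionId"
}

# Exactly what the guide asks for: three read-only roles at the chosen resource scope,
# plus Reader on the tenant-level Microsoft.aadiam provider scope.
$Wanted = @(
    @{ Scope = $ResourceScope;             Role = 'Reader' },
    @{ Scope = $ResourceScope;             Role = 'Key Vault Reader' },
    @{ Scope = $ResourceScope;             Role = 'Reader and Data Access' },
    @{ Scope = '/providers/Microsoft.aadiam'; Role = 'Reader' }
)

function Ensure-RoleAssignment {
    # Create the assignment only if it is not already present at exactly this scope,
    # so re-running the script never stacks duplicate assignments.
    param([string]$ObjectId, [string]$Scope, [string]$Role)

    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $Role -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $Scope }   # Get-AzRoleAssignment also lists assignments inherited from parent scopes
    if ($existing) {
        "exists : $Role at $Scope"
        return
    }
    New-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $Role -ObjectType 'ServicePrincipal' | Out-Null
    "created: $Role at $Scope"
}

foreach ($w in $Wanted) {
    Ensure-RoleAssignment -ObjectId $sp.Id -Scope $w.Scope -Role $w.Role
}

# Report everything the service principal now holds. Anything not in $Wanted deserves a
# look, since the diagnosis only needs read access.
"`nCurrent role assignments for $($sp.DisplayName) ($($sp.Id)):"
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope, RoleDefinitionName |
    Format-Table -AutoSize
```

    An authorization error on the Tenant Root Group or Microsoft.aadiam scope means the elevated-access toggle has not been enabled; a `New-AzRoleAssignment` failure on the subscription scope usually means the signed-in account lacks Owner or User Access Administrator there. Remember to set the toggle back to No once the script has reported every assignment as created or existing.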