This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

How-to guides

Users can create the service by entering the required information for the Config Inspection service and selecting detailed options through the Samsung Cloud Platform Console.

Create Certificate

To create and use the Config Inspection service in the Samsung Cloud Platform Console, you need to generate an authentication key in advance.

Authentication key creation can be done from My menu > My Info. > Authentication Key Management > Create Authentication Key. For more details, refer to Manage Authentication Keys.

Reference
  • The expiration period of the authentication key is up to 365 days.
  • To generate an authentication key with no expiration date, you must create it permanently.

Create Config Inspection

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

Reference
Users must belong to the AdministratorGroup user group in order to properly use the services provided by the Config Inspection service.

To create a Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Create Config Inspection button. You will be taken to the Create Config Inspection page.
  3. Config Inspection Creation On the page, input what is required to create a service, and select detailed options.
    • Enter or select the required information in the Service Information Input area.
      Category
      Required status
      		Detailed description
      Diagnosis Type-Automatic configuration via Console
      CloudRequiredSelect cloud for diagnosis
      • SCP: Samsung Cloud Platform
      • AWS: Amazon Web Services
      • Azure: Microsoft Azure
      • Detailed input fields vary depending on the selected cloud type
      Diagnostic Target > Diagnosis NameRequiredName to distinguish the diagnostic target
      • Use the entered value as the resource name
      • Enter within 25 characters using English letters, numbers, and special characters (-, _)
      Diagnostic target > Diagnostic accountRequiredConsole information to be diagnosed
      • Select the Account ID to diagnose from the list
      • Selecting the same Account ID will result in duplicate requests and incur additional charges
      • If AWS is selected, enter the Account ID (12 digits) for the diagnostic account
      • If Azure is selected, enter the Subscription ID (36 characters, including letters, numbers, and special characters) for the diagnostic account
      Diagnosis Schedule > ChecklistRequiredAutomatically set when Use is selected for diagnostic schedule
      Diagnostic Schedule > Diagnostic CycleRequiredSelect Diagnosis Interval
      • The diagnosis runs on the selected date according to the specified interval.
      • If Monthly is selected, the diagnosis may not be performed on the selected date.
        • Example) Selecting the 31st of each month – February has no such date, so the diagnosis is not performed.
      Diagnostic Schedule > Start TimeRequiredSelect diagnostic start time
      • Set the hour and minute information for starting the diagnostic
      authentication keyRequiredSelect the authentication key to use for Open API calls
      • Select button, click to choose the appropriate authentication key from the list in the Authentication Key Selection popup
      • If no selectable authentication key is available, click Authentication Key Management to create a new authentication key
      Pricing planSelectSelect a plan to use
      • Standard: Charged based on the number of diagnoses
      • Monthly subscription: Charged a fixed amount each month regardless of the number of diagnoses (up to 30 diagnoses per month)
      • The plan cannot be changed after the service is requested
      Table. Config Inspection Service Information Input Items
    • In the Additional Information Input area, enter or select the required information.
      Category
      Required status
      		Detailed description
      tagSelectAdd Tag
      • Up to 50 per resource can be added
      • After clicking the Add Tag button, enter or select Key and Value values
      Table. Config Inspection additional information input fields
  4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Create button.
    • When creation is complete, check the created resources on the Config Inspection List page.

Check detailed information of Config Inspection

Config Inspection service allows you to view and edit the full resource list and detailed information. The Config Inspection Details page consists of Details, Tags, Activity History tabs.

To view detailed information of the Config Inspection service, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. Config Inspection List page, click the resource to view detailed information. You will be taken to the Config Inspection Details page.
    • Config Inspection Details page displays status information and additional feature information, and is composed of Details, Tags, Work History tabs.
      CategoryDetailed description
      statusDisplays the status of Config Inspection
      • Ready: When there is no diagnostic request after the service is created (diagnostic request possible)
      • In Progress: When a diagnostic request is being executed (diagnostic request/service termination not allowed)
      • Error: When an error occurs in the diagnostic request (diagnostic request possible)
      • Completed: When the diagnostic request completes successfully (diagnostic request possible)
      Diagnostic requestButton to perform console diagnostics
      Service terminationButton to cancel the service
      Table. Config Inspection status information and additional features

Detailed Information

Config Inspection List page lets you view detailed information of the selected resource and modify the information if necessary.

CategoryDetailed description
ServiceService name
Resource TypeResource Type
SRNUnique resource ID in Samsung Cloud Platform
Resource nameResource Name
Resource IDUnique resource ID in the service
ConstructorUser who created the service
Creation date and timeService creation timestamp
EditorUser who edited the service information
Modification dateDate and time the service information was modified
Diagnosis TypeDiagnostic types offered by the service
CloudDiagnosis target types
diagnostic targetConsole information for the diagnostic target
  • Provides the diagnostic target’s diagnostic name and diagnostic account information
  • If the diagnostic target is AWS or Azure, you can click the Edit icon to modify the diagnostic account
Pricing planSelected plan type
Recent diagnosis date/timeTimestamp of the last executed diagnostic request
Recent diagnostic resultsResult of the most recent diagnostic request
  • COMPLETED: The diagnostic request completed successfully
  • ERROR: The diagnostic request did not complete successfully
    • UNAUTHORIZED: Key permissions used for the diagnostic request need to be verified
    • INVALID_INPUT_VALUE: Input values such as the diagnostic account need to be verified
    • CONNECTION_FAIL: Console access control settings need to be verified
    • ETC: Other errors such as diagnostic engine issues require contacting the service desk
※ Diagnostic results can be viewed in the Security > Config Insepction > Report menu
authentication keyThe authentication key of the user registered when creating the service
  • Access Key, user, status information provided
  • Access Key information and the edit icon are displayed only to the user who created the corresponding authentication key
    • Click the edit icon to modify the authentication key
  • If the authentication key is deleted, it is shown with a - status; if it is expired, it is shown as expired
  • Authentication key information (Access Key, status) for resources created by other users is displayed as -
Diagnostic ScheduleDisplay selected diagnostic schedule information
  • If the diagnostic target is SCP, you can click the Edit icon to change the diagnostic schedule
Table. Config Inspection Detailed Information Tab Items

tag

Config Inspection List page lets you view the tag information of the selected resource and add, modify, or delete it.

CategoryDetailed description
Tag listTag list
  • You can view the Key, Value information of the tag
  • Up to 50 tags can be added per resource
  • When entering a tag, you can search and select from the list of previously created Keys and Values
Table. Config Inspection tag tab items

Job History

On the Config Inspection List page, you can view the operation history of the selected resource.

CategoryDetailed description
Task History ListResource Change History
  • Operation Time, Resource ID, Resource Name, Operation Details, Event Topic, Operation Result, Check operator information
Table. Config Inspection work history tab items

Config Inspection Resource Management

If you need to view the status of a Config Inspection resource or request a diagnosis, you can perform the task on the Config Inspection List or Config Inspection Details page.

Modify authentication key

You can select the authentication key to use for diagnosis for each diagnostic target.

To modify the service’s authentication key, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection List page, click the resource whose authentication key you want to edit. Then go to the Config Inspection Detail page.
  4. Check the authentication key and click the Edit icon. The Edit Authentication Key popup window opens.
  5. Edit Authentication Key Select the authentication key to use in the popup window and click the Confirm button.
    CategoryDetailed description
    authentication keyAuthentication Key Detailed Information
    Creation date and timeAuthentication key creation date
    Expiration date and timeAuthentication key expiration date
    statusAuthentication key status
    • Active: Usable
    • Expired: Usage period expired
    Table. Authentication key edit popup items
Reference
  • If the authentication key is deleted, it is displayed in the - state.
  • The authentication key information (authentication key, status) of resources created by other users is displayed as -.

Request Diagnosis

You can request a diagnosis from the Console based on the configured checklist.

To request a console diagnosis, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.

  3. On the Config Inspection List page, click the resource you want to request a diagnosis for. You will be taken to the Config Inspection Details page.

  4. On the Config Inspection Details page, click the Diagnostic Request button. The Diagnostic Request popup opens.

  5. In the Diagnosis Request popup, enter the information required for the diagnosis and click the Confirm button.

    • Diagnostic Request The items in the popup window vary depending on the selected Console.
      CategoryDetailed description
      Console access methodFix the authentication key method as the console access method.
      ChecklistSet to Best Practice when selecting SCP
      authentication keyIf you select SCP, choose the pre-generated authentication key.
      Access KeyIf AWS is selected, enter the Access Key.
      Secret KeyIf AWS is selected, enter Secret Key
      Client IDEnter Client ID when Azure is selected
      Client SecretIf Azure is selected, enter Client Secret
      Tenant IDIf Azure is selected, enter Tenant ID
      Table. Diagnosis request popup items

  6. Check the status value on the Config Inspection list page.

    • When the diagnostic request is completed, the status value is displayed as Completed or Error.
    • In the case of Completed, you can view the diagnostic request results in the diagnostic results menu. For more details, refer to Report Management.
Reference
For detailed information on the prerequisite settings required to run diagnostics for each console, see Set up prerequisites.

Terminate Config Inspection

You can cancel the Config Inspection service you are not using. However, canceling Config Inspection will delete all stored diagnostic data.

Caution
  • If you terminate the resource, all diagnostic data will be deleted, and you will not be able to view diagnostic results in the Report.
  • If the status of the Config Inspection service is In Progress, the service cannot be terminated.

To disable Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
  3. On the Config Inspection List page, click the resource to be terminated. You will be taken to the Config Inspection Details page.
  4. Config Inspection Details on the page, click the Cancel Service button.
  5. After the termination is complete, check on the Config Inspection List page whether the resource has been terminated.

1 - Check Dashboard

Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.

Check Dashboard

On the dashboard page, you can view the status of Config Inspection diagnostic targets, diagnostic history, and more.

To view the dashboard, follow these steps.

  1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Dashboard menu. You will be taken to the Dashboard page.
  3. Check the summary of diagnostic results on the Dashboard page.
    • Dashboard page at the top allows you to view dashboard information based on the period or diagnosis name.
      • Period: You can set a period within six months from the current month to view a summary of the diagnostic results.
      • Diagnosis Name: If you select All, you can view a summary of the entire diagnostic results, and if you select a diagnostic account, you can view the detailed information of that specific diagnostic result.
    • Click the Download button to download the information displayed on the dashboard page as a PDF file.
      CategoryDetailed description
      Security level (overall)Display the average of the latest diagnostic results for all subjects
      • Recent diagnostic results are displayed in the list
      • Diagnostic score calculation formula = Total – (Fail + Error + Check)) / Total x 100
      Diagnosis status by periodDisplay diagnostic status by target during the search period
      • Diagnosis Completed: Show recent completed diagnosis records
        • Diagnosis Error: Show recent diagnosis error records, navigate to the detailed diagnosis result page when a diagnosis name is selected
        Summary of diagnostic results by period (overall)Display summary of diagnostic results (overall) during the search period
        • Selecting a diagnosis name from the list navigates to the detailed diagnostic result page
        Table. Detailed dashboard item description for overall diagnostic results
        CategoryDetailed description
        Security levelDisplay the latest diagnostic result score for the selected diagnostic account
        • Recent diagnostic results are displayed in the list
        Summary of diagnostic results by periodDisplay summary of the diagnostic results for the last diagnostic account within the search period
        Vulnerability status by periodDisplay the vulnerability assessment results of the diagnostic account as a graph during the search period
        • When a graph is selected, display detailed information of the vulnerable items in the assessment results
        Table. Detailed dashboard item description for diagnostic results per diagnostic account

    2 - Manage Diagnosis Results

    Config Inspection You can view the diagnostic request results on the diagnostic results page and modify the diagnostic results.

    Reference

    The diagnostic results are generated when a diagnostic request is made in the Config Inspection service, and they are deleted when the service is terminated.

    Check diagnosis results

    On the diagnosis results page, you can view the results of the diagnosis request.

    Check diagnostic result list

    To view the list of diagnostic results, follow these steps.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
    3. View the summary information of diagnostic results on the Diagnostic Results List page.
      CategoryDetailed description
      Diagnosis nameResource name
      diagnostic accountConsole information subject to diagnosis
      ChecklistCollection of diagnostic items that serve as the basis for diagnostic results
      PASSNumber of checklist items with a diagnosis result of PASS (normal)
      FAILNumber of checklist items with a diagnosis result of FAIL (vulnerable)
      CHECKNumber of items in the checklist with a diagnosis result of CHECK (verification required)
      ERRORNumber of items in the checklist whose diagnosis result is ERROR (diagnosis not possible)
      N/ANumber of items in the checklist where the diagnosis result is N/A (not applicable)
      AllTotal number of checklist items
      diagnostic resultDiagnosis request result
      • Completed: The diagnosis request has been successfully completed; clicking Completed navigates to the detail page
      • Error: The diagnosis request was not completed successfully; error items cannot view detailed information
      Diagnosis date and timeDiagnosis request date and time
      Table. Diagnosis result list items

    View detailed diagnostic result information

    To view detailed information of the diagnostic results, follow these steps.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.

      • On the Diagnosis Result List page, you can enter a diagnosis name in the search area or click the Detailed Search button to perform a search.

    3. Diagnostic Results List page, click the item whose diagnostic result is Completed. You will be taken to the diagnostic result detail page.

      • Items with a diagnostic result in error status do not display detailed information.

    4. On the Detailed Diagnosis Results page, view the detailed diagnosis results.

      CategoryDetailed description
      Excel downloadDownload the detailed diagnosis results list as an Excel file
      More > Diagnosis Result ManagementGo to the diagnostic results management page
      ChecklistCollection of diagnostic items that serve as the basis for diagnostic results
      AreaDiagnostic Scope (services of Samsung Cloud Platform)
      Diagnostic itemsRecommended security standards for each service configuration
      ResultDiagnostic Item Criteria Inspection Results
      Table. Detailed diagnosis result items

    5. Click the diagnostic item to view detailed information. Diagnostic Item Details popup will open.

      • Diagnostic Item Details In the popup window, you can view the following information.
        CategoryDetailed description
        AreaDiagnostic Scope (services of Samsung Cloud Platform)
        Diagnostic itemsRecommended security standards for each service configuration
        ResultDiagnostic Item Criteria Inspection Results
        Diagnostic criteriaResult Evaluation Criteria
        Diagnostic methodHow to check the current settings
        Action GuideConfiguration method that meets security standards
        Detailed resultsResource information and settings for the diagnostic item
        Change diagnosis resultButton to modify the diagnosis result
        • When the diagnosis result is modified, the Check Result button is displayed, and clicking the Delete button removes the modified result
        Table. Config Inspection diagnostic item details

    Manage Diagnostic Results

    On the diagnosis results page, you can modify the results of items whose diagnosis status is CHECK.

    Change Diagnosis Result

    To change the diagnostic result, follow the steps below.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.

    3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.

      • Items with a diagnostic result in error status do not display detailed information.

    4. On the Diagnosis Result Details page, click the More > Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.

    5. On the Diagnosis Result Management page, click the Change Result button for the item whose diagnosis result you want to modify. The Change Result popup window will open.

    6. Result Change In the popup window, select or enter the information required to change the result.

      CategoryRequiredDetailed description
      Registrant-Diagnostic result change registrant email
      Validity periodRequiredSet the diagnostic result validity period
      Result changeRequiredSelect the diagnostic result to change among Pass, Check, Fail
      Detailed reasonRequiredEnter the detailed reason for changing the result.
      Attached fileSelectUpload the files required to verify result changes
      • Click the Attach File button to upload files, up to 5 can be registered
      Inspection Result-Display detailed inspection results
      Table. Detailed items of diagnostic result changes

    7. Review the entered information and click the Register button. Verify whether the diagnostic results have changed in the Diagnostic Result Management list.

    Delete diagnostic result change history

    To delete the diagnostic result change log, follow these steps.

    1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
    2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
    3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
      • Items with a diagnostic result in error status do not display detailed information.
    4. Diagnosis Result Details page, click the Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.
    5. On the Diagnosis Result Management page, click the Check Result button for the item whose diagnosis result you want to change. The Check Result popup will open.
    6. Check Result in the popup window, click the Delete button.

    3 - Pre-configuration

    Users must perform pre‑cloud configuration such as generating authentication keys and adding access‑control IPs through the Samsung Cloud Platform Console to use the Config Inspection service.

    Reference
    The configuration items vary depending on the cloud type you use. Refer to the appropriate chapter and configure the required items for each cloud.

    Configuring Samsung Cloud Platform Console

    To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the items below.

    Check policies attached to user groups

    guide
    • Config Inspection can diagnose the Samsung Cloud Platform or external clouds. Depending on the diagnostic target, you can assign appropriate policy requirements to user groups for use.
      • Verify that a user group policy matching the desired diagnostic target is configured.
      • If policy creation is required, please contact the Account administrator.

    To check the policy of the user group to which the user belongs, follow the steps below.

    1. Click the All Services > Management > IAM menu. Go to the Service Home page of IAM.
    2. On the Service Home page, click the User Group menu. You will be taken to the User Group List page.
    3. On the User Group List page, click the user group you want to view. You will be taken to the User Group Details page.
    4. User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
    5. Click the policy you want to view on the Policy tab page. You will be taken to the Policy Details page.
    6. Check the detailed information on the Policy Details page.
      • Verify that the policy information in the table below is configured. If necessary, contact the administrator to add the policy.
        ItemPolicy Requirement 1Policy Requirement 2
        actionList, ReadCreate, Delete, List, Read, Update
        Applied resourceAll resourcesIndividual Resource (Config Inspection)
        Authentication TypeAll authenticationTemporary key authentication, Console login
        Applied IPCustom IP
        • The IP for diagnostics is 123.37.11.42, and the IP for the user to access the console must be added separately
        		Custom IP
        Table. Detailed policy setting items for all cloud diagnostics

    Generate authentication key

    You can view and generate the authentication key used for the Config Inspection service.

    guide
    • You can create a maximum of two authentication keys.
    • After generating a new authentication key, you must apply the updated API authentication key to the services you are using.

    To create an authentication key in the Samsung Cloud Platform Console, follow these steps.

    1. Click the My menu > My info. menu in the Console. You will be taken to the My info. detail page.
    2. My info. Click the API Key Management tab on the detail page. Navigating to the API Key Management tab page.
    3. On the Key Management tab page, click the Create Key button. You will be taken to the Create Key page.
      • You can view the list of authentication keys on the authentication key management page.
    4. On the Create Authentication Key page, after entering the expiration period, click the Confirm button.
    5. Verify that the generated authentication key is displayed in the authentication key list.

    Add allowed IP

    You can add allowed IP addresses in the Samsung Cloud Platform Console.

    To add an allowed IP for the Console, follow these steps.

    1. Click the My menu > My info. menu in the Console. Go to the My info. detail page.
    2. My info. Click the API Key Management tab on the detail page. You will be taken to the API Key Management tab page.
    3. Authentication Key Management tab page, click the Edit icon of the Security Settings item. Edit Authentication Key Security Settings popup opens.
    4. Edit Authentication Key Security Settings In the popup window, enter the authentication method and allowed IP address.
      • Select the authentication method authentication key.
      • Set the allowed access IP to Use, enter the IP address, and click the Add button.
    5. When the allowed IP addition is complete, click the Confirm button. Verify that the Security Settings item has been updated with the entered information.

    Configure AWS

    To diagnose the AWS (Amazone Web Services) cloud in the Config Inspection service, set the items below.

    Add permission policy

    You can add permission policies for users or user groups in the AWS Console.

    Add user permission

    To add a user access policy in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Permissions tab on the user information page.
    4. Select Add Permission in the permission policy.
      • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

    Add user group permissions

    To add a user group access permission policy in the AWS Console, follow these steps.

    1. Click IAM > User Groups in the AWS Console.
    2. Select the group that the user belongs to from the user group list.
    3. Click the Permissions tab on the user group page.
    4. Select Add Permission in the permission policy.
      • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

    Add access control IP

    If you are using an IP access control policy, you need to add an exception IP to the policy.

    Add user access control IP

    To add a user access control IP in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Permissions tab on the user information page.
    4. In the permission policy item, click Edit of the IP Access Control Policy.
      • Add 123.37.24.82 to the block exception IP list.

    Add IP to user group access control

    To add a user group access control IP in the AWS Console, follow these steps.

    1. Click IAM > User Groups in the AWS Console.
    2. Select the group that the user belongs to from the list of user groups.
    3. Click the Permissions tab on the user group page.
    4. In the permission policy item, click Edit of the IP Access Control Policy.
      • Add 123.37.24.82 to the block exception IP.

    Access Key creation

    To create an Access Key in the AWS Console, follow these steps.

    1. Click IAM > Users in the AWS Console.
    2. Select the diagnostic user name from the user list.
    3. Click the Security Credentials tab on the user information page.
    4. On the Security Credentials page, click Access Keys.
    5. Create Access Key page, generate an access key for third‑party services.
      • Be sure to save the generated access key information.
    Caution

    Secret Key can be downloaded as a CSV file or recorded separately.

    • Secret key information can only be viewed when creating the access key and cannot be recovered later.

    Configure Azure

    To diagnose Azure cloud in the Config Inspection service, set the items below.

    Entra ID Application registration

    To register an Entra ID Application in the Azure Console, follow these steps.

    1. Click Microsoft Entra ID > App registrations in the Azure Console.
    2. On the App Registration page, click New Registration.
    3. Register the application (client) ID.
    4. After the app registration is complete, check the app name, application (client) ID, directory (tenant) ID on the overview page.

    Add API permission

    Reference
    To use the Config Inspection service, you must preconfigure it from an account that has the Global Administrator role among Azure AD roles.

    To add API permissions in the Azure Console, follow these steps.

    1. In the Azure Console’s Microsoft Entra ID > App registration (App registrations) > Entra ID Application registration, click App name > API permissions (App permissions) > Add permission (Add a permission).
    2. From the API permissions list, select Microsoft Graph to add permissions.
    3. On the API Permission Request page, click Application Permissions.
      • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
    4. After adding permissions in App API permission registration, click Grant admin consent (Grant admin consent for account name).
      • Check whether the status for the account name has been changed to Allowed (Granted for account name).

    Create Client Secret

    To create a Client Secret in the Azure Console, follow these steps.

    1. In the Azure Console, click App name > Certificates & secrets(Certificates & secrets) under Microsoft Entra ID > App registrations(App registrations) > Entra ID Application registration.
    2. Click New Client Password in the Certificates and Passwords list.
    3. When the client secret is generated, check the Client Secret in the Value(Value) field of the list.
      • Be sure to save the Client Secret value.
    Caution
    The Client Secret value can only be viewed at the time of creation. Be sure to record or store it separately.

    Add subscription access permission in Azure Console

    You can add subscription access permissions in the Azure Console from the tenant root group or an individual Subscription. Choose the method you prefer to add Subscription access permissions.

    Add permission in Tenant Root Group

    To add subscription access permissions in the Azure Console from the Tenant Root Group, follow the steps below.

    1. Click Management groups > Overview in the Azure Console.
    2. Click Tenant Root Group > Access Control (IAM).
      • If you cannot access the Tenant Root Group menu, change the settings below.
        • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes (yes) change to
      • After adding the permission, you must change it to No.
    3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
    4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
      • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.
        CategoryPermission
        Reader(Reader)User, group, or service principal(Users, group, or service principal)
        Key Vault Reader (Key Vault Reader)User, group, or service principal(Users, group, or service principal)
        Reader and Data AccessUser, group, or service principal(Users, group, or service principal)
        Table. Additional permission items when entering role assignment information

    Add permission in individual Subscription

    To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.

    1. Click Subscription(Subscription) > Overview(Overview) in the Azure Console.
      • Check the Subscription ID(Subscription ID) in the basic information on the Overview page.
    2. Click Subscription(Subscription) > Access Control(IAM).
    3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
    4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
      • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.
        CategoryPermission
        Reader(Reader)User, group, or service principal(Users, group, or service principal)
        Key Vault Reader (Key Vault Reader)User, group, or service principal(Users, group, or service principal)
        Reader and Data AccessUser, group, or service principal(Users, group, or service principal)
        Table. Additional permission items when entering role assignment information

    Add access permissions via PowerShell

    To add subscription access permissions in the Azure Console using PowerShell, follow these steps.

    1. Run the following command in Cloud shell > PowerShell of the Azure Console.
      • New-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’ -ObjectType ‘ServicePrincipal’
      • If the command does not execute, change the settings below.
        • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > yes change to
        • After adding the permission, you must change it to No (no).
    2. Run the command below to verify whether the configuration is complete.
      • Get-AzRoleAssignment –ObjectId "the App’s Object ID found in Enterprise Application" –Scope "/providers/Microsoft.aadiam"
      • If permission deletion is required, run the command below.
        • Remove-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’