How-to guides
The user can enter the required information for the Config Inspection service through the Samsung Cloud Platform Console, select detailed options, and create the service.
Create Authentication Key
To create and use the Config Inspection service in the Samsung Cloud Platform Console, you must first create an authentication key.
Authentication key creation can be done from My Menu > My Info. > Authentication Key Management > Create Authentication Key. For more details, refer to Authentication Key Management.
Reference
- The expiration period of the authentication key is up to 365 days.
- To create an authentication key without an expiration date, create it as a permanent key.
Config Inspection Create
You can create and use the Config Inspection service in the Samsung Cloud Platform Console.
Reference
The user must belong to the AdministratorGroup user group in order to use the services provided by the Config Inspection service properly.
To create a Config Inspection, follow these steps.
- Click the All Services > Security > Config Inspection menu. You will be taken to the Config Inspection Service Home page.
- On the Service Home page, click the Create Config Inspection button. You will be taken to the Create Config Inspection page.
- On the Create Config Inspection page, enter the information required to create the service and select the detailed options.
- In the Service Information Input area, enter or select the required information.
| Category | Required or not | Detailed description |
|---|---|---|
| Diagnosis Type | - | Automatically set to Console |
| Cloud | Required | Select the cloud to diagnose. SCP: Samsung Cloud Platform. The detailed input fields vary depending on the selected cloud type. |
| Diagnosis Target > Diagnosis Name | Required | Name used to distinguish the diagnosis target. The entered value is used as the resource name. Enter up to 25 characters using English letters, numbers, and the special characters - and _. |
| Diagnosis Target > Diagnosis Account | Required | Console information of the diagnosis target. Select the Account ID to diagnose from the list. If the same Account ID is selected again, the application is duplicated and additional charges are incurred. If AWS is selected, enter the Account ID (12 digits) as the diagnosis account. If Azure is selected, enter the Subscription ID (36 characters including letters, numbers, and special characters) as the diagnosis account. |
| Diagnosis Schedule > Checklist | Required | Automatically set when Use Diagnosis Schedule is selected |
| Diagnosis Schedule > Diagnosis Cycle | Required | Select the diagnosis cycle. The diagnosis is executed on the selected date according to the specified cycle. If Monthly is selected, the diagnosis may not be performed on the selected date (e.g., if the 31st of each month is selected, February has no such date, so the diagnosis is not performed). |
| Diagnosis Schedule > Start Time | Required | Select the diagnosis start time. Set the hour and minute at which the diagnosis starts. |
| Authentication Key | Required | Select the authentication key to use for Open API calls. Click the **Select** button and choose the appropriate authentication key from the list in the **Select Authentication Key** popup. If there is no selectable authentication key, click **Authentication Key Management** to create a new one. For details about authentication keys, refer to [Manage Authentication Keys](/userguide/management/iam/how_to_guides/myinfo.md/#인증키-관리하기). |
| Plan | Optional | Select the plan to use. **Standard**: charged based on the number of diagnoses. **Monthly flat-rate**: a fixed amount is charged each month regardless of the number of diagnoses (based on up to 30 diagnoses per month). The plan cannot be changed after the service has been applied for. |
Table. Config Inspection Service Information Input Items
- In the Additional Information Input area, enter or select the required information.
| Category | Required or not | Detailed description |
|---|---|---|
| Tag | Optional | Add tags. Up to 50 tags can be added per resource. After clicking the Add Tag button, enter or select the Key and Value. |
Table. Config Inspection Additional Information Input Items
- In the Summary panel, check the detailed information you entered and the estimated billing amount, and click the Create button.
- When creation is complete, check the created resource on the Config Inspection List page.
The Config Inspection service allows you to view and edit the full resource list and detailed information. The Config Inspection Details page consists of the Details, Tags, and Work History tabs.
To view detailed information of the Config Inspection service, follow the steps below.
- Click the All Services > Security > Config Inspection menu. You will be taken to the Config Inspection Service Home page.
- Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection List page.
- On the Config Inspection List page, click the resource whose details you want to view. You will be taken to the Config Inspection Details page.
- The Config Inspection Details page displays status information and additional features, and consists of the Details, Tags, and Work History tabs.
| Category | Detailed description |
|---|---|
| Status | Displays the status of the Config Inspection. Ready: no diagnosis request has been made since service creation (diagnosis request possible). In Progress: a diagnosis request is in progress (diagnosis request and service termination not possible). Error: an error occurred in the diagnosis request (diagnosis request possible). Completed: the diagnosis request completed successfully (diagnosis request possible). |
| Diagnosis Request | Button that performs a Console diagnosis |
| Service Cancellation | Button to cancel the service |
| Diagnosis Request | Button that can perform Console diagnosis |
| Service Cancellation | Button to cancel the service |
Table. Config Inspection status information and additional functions
On the Config Inspection List page, you can view the detailed information of the selected resource and edit it if necessary.
| Category | Detailed description |
|---|---|
| Service | Service name |
| Resource Type | Resource type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource name |
| Resource ID | Unique resource ID within the service |
| Creator | User who created the service |
| Creation Date/Time | Date and time the service was created |
| Editor | User who modified the service information |
| Modification Date/Time | Date and time the service information was modified |
| Diagnosis Type | Diagnosis type provided by the service |
| Cloud | Diagnosis target type |
| Diagnosis Target | Console information of the diagnosis target. Provides the diagnosis name and diagnosis account of the target. If the diagnosis target is AWS or Azure, click the Edit icon to modify the diagnosis account. |
| Plan | Selected plan type |
| Recent Diagnosis Date/Time | Date and time of the last executed diagnosis request |
| Recent Diagnosis Result | Result of the last executed diagnosis request. Completed: the diagnosis request completed successfully. Error: the diagnosis request did not complete successfully; UNAUTHORIZED: the permissions of the key used for the diagnosis request need to be verified; INVALID_INPUT_VALUE: input values such as the diagnosis account need to be verified; CONNECTION_FAIL: the Console access control settings need to be verified; ETC: other errors, such as diagnosis engine errors, require an inquiry through the service desk. ※ Diagnosis results can be viewed in the Security > Config Inspection > Report menu. |
| Authentication Key | Authentication key of the user registered at service creation. Provides the Access Key, user, and status. The Access Key and the Edit icon are displayed only to the user who created the authentication key. Click the Edit icon to change the authentication key. If the authentication key has been deleted, the status is shown as "-"; if it has expired, the status is shown as Expired. The authentication key information (Access Key, status) of resources created by other users is displayed as "-". |
| Diagnosis Schedule | Displays the selected diagnosis schedule. If the diagnosis target is SCP, click the Edit icon to change the diagnosis schedule. |
Table. Config Inspection Detailed Information Tab Items
Tag
On the Config Inspection List page, you can view the tag information of the selected resource and add, modify, or delete tags.
| Category | Detailed description |
|---|---|
| Tag List | Tag list. You can view the Key and Value of each tag. Up to 50 tags can be added per resource. When entering tags, search and select from the previously created Key and Value list. |
Table. Config Inspection Tag Tab Items
Work History
On the Config Inspection List page, you can view the operation history of the selected resource.
| Category | Detailed description |
|---|---|
| Work History List | Resource change history. Shows the work date and time, Resource ID, Resource name, Work details, Event topic, Work result, and worker information. |
Table. Config Inspection Work History Tab Items
Config Inspection Resource Management
If you need to view the status of Config Inspection resources and request a diagnosis, you can perform the task on the Config Inspection List or Config Inspection Details page.
Edit Authentication Key
You can select the authentication key to use for diagnosis for each diagnosis target.
To modify the service’s authentication key, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Go to the Config Inspection Service Home page.
- Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection List page.
- On the Config Inspection List page, click the resource whose authentication key you want to edit. You will be taken to the Config Inspection Details page.
- Check the authentication key and click the Edit icon. The Edit Authentication Key popup opens.
- In the Edit Authentication Key popup, select the authentication key to use and click the Confirm button.
| Category | Detailed description |
|---|---|
| Authentication Key | Authentication key details |
| Creation Date/Time | Authentication key creation date |
| Expiration Date/Time | Authentication key expiration date |
| Status | Status of the authentication key. Expired: the usage period has expired. |
Table. Authentication Key Edit Popup Items
Reference
- If the authentication key has been deleted, its status is displayed as "-".
- The authentication key information (authentication key, status) of resources created by other users is displayed as "-".
Request Diagnosis
You can request a console diagnosis based on the configured checklist.
To request a console diagnosis, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Go to the Config Inspection Service Home page.
- Click the Config Inspection menu on the Service Home page. You will be taken to the Config Inspection List page.
- On the Config Inspection List page, click the resource for which you want to request a diagnosis. The Config Inspection Details page opens.
- Click the Diagnosis Request button on the Config Inspection Details page. The Diagnosis Request popup opens.
- In the Diagnosis Request popup, enter the information required for the diagnosis and click the Confirm button.
  - The items in the Diagnosis Request popup vary depending on the selected Console.
| Category | Detailed description |
|---|---|
| Console Access Method | Fixed to the authentication key method as the way to access the Console |
| Checklist | Fixed to Best Practice when SCP is selected |
| Authentication Key | If SCP is selected, choose the pre-generated authentication key |
| Access Key | Enter the Access Key if AWS is selected |
| Secret Key | Enter the Secret Key if AWS is selected |
| Client ID | Enter the Client ID if Azure is selected |
| Client Secret | Enter the Client Secret if Azure is selected |
| Tenant ID | Enter the Tenant ID if Azure is selected |
Table. Diagnosis Request Popup Items
- On the Config Inspection List page, check the Status value.
  - When the diagnosis request is complete, the status is displayed as Completed or Error.
  - Completed: you can view the diagnosis request results in the Diagnosis Results menu. For details, see Report Management.
Reference
For detailed information on the prerequisite settings required to run a diagnosis for each console, refer to Set Up Prerequisites.
Config Inspection Cancel
You can cancel a Config Inspection service that is no longer used. Note that when you cancel a Config Inspection, all stored diagnosis data is deleted.
Caution
- If you cancel the resource, all diagnostic data will be deleted, and you will not be able to view the diagnostic results in the Report.
- Config Inspection service cannot be terminated if its status is In Progress.
To cancel Config Inspection, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Go to Config Inspection’s Service Home page.
- Click the Config Inspection menu on the Service Home page. Navigate to the Config Inspection List page.
- On the Config Inspection List page, click the resource to be terminated. Navigate to the Config Inspection Details page.
- Click the Service Termination button on the Config Inspection Details page.
- When termination is complete, check on the Config Inspection List page whether the resource has been terminated.
1 - Dashboard Check
Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.
Check Dashboard
On the dashboard page, you can view the status of Config Inspection’s diagnostic targets and diagnostic history, etc.
To check the dashboard, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
- Click the Dashboard menu on the Service Home page. Navigate to the Dashboard page.
- On the Dashboard page, check the summary of the diagnosis results.
- At the top of the Dashboard page, you can filter the dashboard information by period or diagnosis name.
  - Period: based on the current month, set a period within the last 6 months to view the summary of the diagnosis results.
  - Diagnosis Name: select All to view a summary of the entire diagnosis history, or select a diagnosis account to view the detailed results for that account.
- Click the Download button to download the information displayed on the Dashboard page as a PDF file.
| Category | Detailed description |
|---|---|
| Security Level (Overall) | Displays the average of the latest diagnosis results for all diagnosis targets. The recent diagnosis results are displayed in the list. Diagnosis score = (Total - (Fail + Error + Check)) / Total × 100 |
| Periodic Diagnosis Status | Displays the diagnosis status by target during the search period. Diagnosis Completed: shows the details of recently completed diagnoses. Diagnosis Error: shows the details of recent diagnosis errors; selecting a diagnosis name goes to the detailed result page. |
| Summary of Diagnosis Results by Period (All) | Displays a summary of the diagnosis results (All) during the search period. Selecting a diagnosis name from the list takes you to the detailed diagnosis result page. |
Table. Detailed dashboard item description for overall diagnosis results
| Category | Detailed description |
|---|---|
| Security Level | Displays the latest diagnosis result score of the selected diagnosis account. The recent diagnosis results are displayed in the list. |
| Period-wise Diagnosis Result Summary | Shows a summary of the diagnosis results of the selected diagnosis account within the search period |
| Vulnerability Status by Period | Displays the vulnerability diagnosis results of the diagnosis account during the search period as a graph. Selecting the graph displays the details of the vulnerable items in the diagnosis results. |
Table. Detailed dashboard item description for diagnostic results by diagnostic account
2 - Diagnostic Result Management
You can view the Config Inspection diagnostic request results on the diagnostic results page and change the diagnostic results.
Reference
The diagnostic result is generated when a diagnostic request is made in the Config Inspection service, and it is deleted when the service is terminated.
Check diagnosis results
On the diagnosis results page, you can view the diagnosis request results.
Check diagnosis result list
To view the list of diagnostic results, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
- Click the Diagnosis Results menu on the Service Home page. You will be taken to the Diagnosis Results List page.
- On the Diagnosis Result List page, check the summary information of the diagnosis results.
| Category | Detailed description |
|---|---|
| Diagnosis Name | Resource name |
| Diagnosis Account | Console information of the diagnosis target |
| Checklist | Collection of diagnosis items that serve as the basis for the diagnosis results |
| PASS | Number of checklist items whose diagnosis result is PASS (normal) |
| FAIL | Number of checklist items whose diagnosis result is FAIL (vulnerable) |
| CHECK | Number of checklist items whose diagnosis result is CHECK (verification needed) |
| ERROR | Number of checklist items whose diagnosis result is ERROR (diagnosis not possible) |
| N/A | Number of checklist items whose diagnosis result is N/A (not applicable) |
| All | Total number of checklist items |
| Diagnosis Result | Diagnosis request result. Completed: the diagnosis request completed successfully; clicking Completed moves to the details page. Error: the diagnosis request did not complete successfully; items in Error status have no detailed content to view. |
| Diagnosis Time | Diagnosis request time |
Table. Diagnosis Result List Items
To view detailed information of the diagnosis results, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
- Click the Diagnosis Results menu on the Service Home page. You will be taken to the Diagnosis Results List page.
  - You can search by entering the diagnosis name in the search area of the Diagnosis Result List page or by clicking the Detailed Search button.
- On the Diagnosis Result List page, click an item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
  - Items whose diagnosis result is Error do not display detailed information.
- On the Diagnosis Result Details page, check the detailed diagnosis results.
| Category | Detailed description |
|---|---|
| Excel Download | Download the detailed list of diagnosis results as an Excel file |
| More > Diagnosis Result Management | Go to the Diagnosis Result Management page |
| Checklist | Collection of diagnosis items that serve as the basis for the diagnosis results |
| Area | Diagnosis scope (Samsung Cloud Platform services) |
| Diagnosis Items | Security standards recommended for service-specific settings |
| Result | Result of the diagnosis item criteria check |
Table. Detailed Diagnosis Result Items
- Click a diagnosis item to view its detailed information. The Diagnosis Item Details popup opens.
  - In the Diagnosis Item Details popup, you can view the following information.
| Category | Detailed description |
|---|---|
| Area | Diagnosis scope (Samsung Cloud Platform services) |
| Diagnosis Items | Security standards recommended for service-specific settings |
| Result | Result of the diagnosis item criteria check |
| Diagnosis Criteria | Criteria used to judge the result |
| Diagnosis Method | Method used to check the current settings |
| Action Guide | Configuration method that meets the security standard |
| Detailed Result | Resource information and settings corresponding to the diagnosis item |
| Diagnosis Result Change | Button to change the diagnosis result. If the diagnosis result has been changed, the Check Result button is displayed, and clicking the Delete button in it deletes the changed result. |
Table. Config Inspection Diagnosis Item Details
Manage Diagnosis Results
On the diagnosis result page, you can change the results of items whose diagnosis result is in CHECK status.
Change Diagnosis Result
To change the diagnosis result, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
- Click the Diagnosis Results menu on the Service Home page. You will be taken to the Diagnosis Results List page.
- On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
  - Items whose diagnosis result is Error do not display detailed information.
- Click the More > Diagnosis Result Management button at the top of the Diagnosis Result Details page. You will be taken to the Diagnosis Result Management page.
- On the Diagnosis Result Management page, click the Result Change button of the item whose diagnosis result you want to modify. The Result Change popup opens.
- In the Result Change popup, select or enter the information required to change the result.
| Category | Required? | Detailed description |
|---|---|---|
| Registrant | - | Email of the user registering the diagnosis result change |
| Validity Period | Required | Set the validity period of the changed diagnosis result |
| Change Result | Required | Select the diagnosis result to change to, among Pass, Check, and Fail |
| Detailed Reason | Required | Enter the detailed reason for changing the result |
| Attachment File | Optional | Upload the files needed to confirm the result change. Click the Attach File button to upload files; up to 5 files can be registered. |
| Inspection Result | - | Displays the detailed inspection result |
Table. Detailed Items of Diagnosis Result Change
- Check the entered information and click the Register button. Verify that the diagnosis result has changed in the Diagnosis Result Management list.
Delete diagnosis result change history
To delete the diagnostic result change history, follow the steps below.
- Click the All Services > Security > Config Inspection menu. Navigate to the Config Inspection Service Home page.
- Click the Diagnosis Results menu on the Service Home page. Navigate to the Diagnosis Results List page.
- On the Diagnosis Result List page, click an item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
  - Items whose diagnosis result is Error do not display detailed information.
- Click the Diagnosis Result Management button at the top of the Diagnosis Result Details page. You will be taken to the Diagnosis Result Management page.
- On the Diagnosis Result Management page, click the Check Result button of the item whose changed result you want to delete. The Check Result popup opens.
- In the Check Result popup, click the Delete button.
3 - Pre-configuration
Users must perform cloud pre-configuration such as authentication key creation and access control IP addition through the Samsung Cloud Platform Console to use the Config Inspection service.
Note
Items to set vary depending on the type of cloud you use. Refer to the corresponding chapter and set the required items for each cloud.
To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the following items.
Check Policies Linked to User Group
Notice
- Config Inspection can diagnose Samsung Cloud Platform or external clouds. You can use it by granting appropriate policy requirements to the user group according to the diagnosis target.
- Check if the user group policy matching your desired diagnosis target is set.
- If policy creation is required, contact the Account administrator.
To check the policy of the user group you belong to, follow the procedure below.
- Click All Services > Management > IAM menu. You will be redirected to the Service Home page of IAM.
- Click User Groups menu on the Service Home page. You will be redirected to the User Group List page.
- Click the user group you want to check on the User Group List page. You will be redirected to the User Group Details page.
- Click Policies tab on the User Group Details page. You will be redirected to the Policies tab page.
- Click the policy you want to check on the Policies tab page. You will be redirected to the Policy Details page.
- Check the detailed information on the Policy Details page.
- Check if the policy information in the table below is set. If necessary, contact the administrator to add the policy.
| Item | Policy Requirement 1 | Policy Requirement 2 |
|---|---|---|
| Action | List, Read | Create, Delete, List, Read, Update |
| Resource | All resources | Individual resource (Config Inspection) |
| Auth Type | All authentication | Temporary key authentication, Console login |
| Allowed IP | 123.37.11.42, user-defined IP (for the diagnosis, you must add the IP 123.37.11.42 and the IP used for user console access separately) | User-defined IP |
Table. Policy setting details for diagnosing all clouds
Create Authentication Key
You can check and create authentication keys to use in the Config Inspection service.
Notice
- You can create only up to 2 authentication keys.
- After creating a new authentication key, you must apply the changed API authentication key to the service you are using.
To create an authentication key in Samsung Cloud Platform Console, follow the procedure below.
- Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
- Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
- Click Create Authentication Key button on the Authentication Key Management tab page. You will be redirected to the Create Authentication Key page.
- You can check the authentication key list on the authentication key management page.
- Enter the expiration period on the Create Authentication Key page and click OK button.
- Check if the created authentication key is displayed in the authentication key list.
Add Access Allowed IP
You can add access allowed IPs in Samsung Cloud Platform Console.
To add access allowed IPs in the Console, follow the procedure below.
- Click My Menu > My info. menu in the Console. You will be redirected to the My info. details page.
- Click Authentication Key Management tab on the My info. details page. You will be redirected to the Authentication Key Management tab page.
- Click Edit icon in Security Settings item on the Authentication Key Management tab page. The Edit Authentication Key Security Settings popup will open.
- Enter the authentication method and access allowed IP in the Edit Authentication Key Security Settings popup.
- Select Authentication Key for authentication method.
- Set access allowed IP to Enable, enter the IP address, and click Add button.
- When adding access allowed IP is complete, click OK button. Check if the information is modified to the entered information in the Security Settings item.
AWS Settings
To diagnose AWS (Amazon Web Services) cloud in the Config Inspection service, set the following items.
Add Permission Policy
You can add permission policies for users/user groups in AWS Console.
Add User Permission
To add user access permission policy in AWS Console, follow the procedure below.
- Click IAM > Users in AWS Console.
- Select the diagnostic user name from the user list.
- Click Permissions tab on the user information page.
- Select Add permissions in the permission policy.
- Select ReadOnlyAccess and ViewOnlyAccess when adding permissions.
Add User Group Permission
To add user group access permission policy in AWS Console, follow the procedure below.
- Click IAM > User groups in AWS Console.
- Select the group the user belongs to from the user group list.
- Click Permissions tab on the user group page.
- Select Add permissions in the permission policy.
- Select ReadOnlyAccess and ViewOnlyAccess when adding permissions.
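The user and user group permission steps above can also be performed and verified from the command line. The following is an added example using the AWS Tools for PowerShell; it is not part of the Samsung Cloud Platform documentation. It assumes the AWS.Tools.IdentityManagement module, a credential profile with iam:AttachUserPolicy and iam:AttachGroupPolicy rights, and placeholder user and group names that you replace with the diagnosis user and the group it belongs to.

```powershell
# Added example, not from the Samsung Cloud Platform documentation.
# Assumes the AWS.Tools.IdentityManagement module and credentials (Set-AWSCredential)
# that allow iam:AttachUserPolicy and iam:AttachGroupPolicy.
$DiagnosisUser  = 'config-inspection-user'    # placeholder: the diagnosis user name
$DiagnosisGroup = 'config-inspection-group'   # placeholder: the group the diagnosis user belongs to

# The two AWS managed policies the guide asks for; both grant read-only access.
$PolicyArns = @(
    'arn:aws:iam::aws:policy/ReadOnlyAccess',
    'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
)

foreach ($arn in $PolicyArns) {
    # AttachUserPolicy / AttachGroupPolicy are idempotent, so re-running is safe.
    Register-IAMUserPolicy  -UserName  $DiagnosisUser  -PolicyArn $arn
    Register-IAMGroupPolicy -GroupName $DiagnosisGroup -PolicyArn $arn
}

# Verify what is attached, and flag anything beyond the two read-only policies,
# since the diagnosis account should not carry more than it needs.
$attached = @(Get-IAMAttachedUserPolicyList  -UserName  $DiagnosisUser) +
            @(Get-IAMAttachedGroupPolicyList -GroupName $DiagnosisGroup)
$attached | Select-Object PolicyName, PolicyArn | Format-Table -AutoSize

$unexpected = $attached | Where-Object { $PolicyArns -notcontains $_.PolicyArn }
if ($unexpected) {
    Write-Warning "Policies beyond the read-only set are attached: $($unexpected.PolicyArn -join ', ')"
}
```

The verification step matters as much as the attachment: the diagnosis user only needs to read configuration, so any additional policy found on the user or its group is a least-privilege finding to review.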
Add Access Control IP
If using IP access control policy, you must add block exception IPs to that policy.
Add User Access Control IP
To add user access control IP in AWS Console, follow the procedure below.
- Click IAM > Users in AWS Console.
- Select the diagnostic user name from the user list.
- Click Permissions tab on the user information page.
- Click Edit in IP Access Control Policy in the permission policy item.
- Add 123.37.24.82 to block exception IP.
Add User Group Access Control IP
To add user group access control IP in AWS Console, follow the procedure below.
- Click IAM > User groups in AWS Console.
- Select the group the user belongs to from the user group list.
- Click Permissions tab on the user group page.
- Click Edit in IP Access Control Policy in the permission policy item.
- Add 123.37.24.82 to block exception IP.
Generate Access Key
To generate Access Key in AWS Console, follow the procedure below.
- Click IAM > Users in AWS Console.
- Select the diagnostic user name from the user list.
- Click Security credentials tab on the user information page.
- Click Access keys on the Security credentials page.
- Create access keys for third-party services on the Create access key page.
- Make sure to save the created access key information.
Caution
Download the Secret Key as a csv file or record it separately.
- Secret key information can only be checked when creating the access key and cannot be recovered later.
Azure Settings
To diagnose Azure cloud in the Config Inspection service, set the following items.
Register Entra ID Application
To register Entra ID Application in Azure Console, follow the procedure below.
- Click Microsoft Entra ID > App registrations in Azure Console.
- Click New registration on the App registrations page.
- Register application (client) ID.
- When app registration is complete, check App name, Application (client) ID, Directory (tenant) ID on the overview page.
Add API Permission
Note
To use Config Inspection service, you must pre-configure with an account granted the Global Administrator role among Azure AD roles.
To add API permission in Azure Console, follow the procedure below.
- Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > API permissions > Add a permission in Azure Console.
- Select Microsoft Graph to add permissions from the API permissions list.
- Click Application permissions on the Request API permissions page.
- Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
- After adding permissions in App API permission registration, click Grant admin consent for account name.
- Check if it changes to Granted for account name status for the account name.
Create Client Secret
To create Client Secret in Azure Console, follow the procedure below.
- Click Microsoft Entra ID > App registrations > Entra ID Application registration > created App name > Certificates & secrets in Azure Console.
- Click New client secret from the Certificates & secrets list.
- When client secret is created, check the Client Secret in the Value item from the list.
- Make sure to save the Client Secret value.
Caution
Client Secret value (Value) can only be checked at creation time. Make sure to record or save it separately.
Add Subscription Access Permission in Azure Console
You can add subscription access permissions in Azure Console from Tenant Root Group or individual Subscription. Choose your preferred method to add subscription access permissions.
Add Permission from Tenant Root Group
To add subscription access permission in Azure Console from Tenant Root Group, follow the procedure below.
- Click Management groups > Overview in Azure Console.
- Click Tenant Root Group > Access control (IAM).
- If you cannot enter the Tenant Root Group menu, change the setting below.
  - Change Microsoft Entra ID > Properties > 'Account name' can manage access to all Azure subscriptions and management groups in this tenant. > Yes
  - After adding the permissions, you must change it back to No.
- Click Add > Add role assignment on the Access control page.
- Enter detailed information on the Add role assignment page and click Review+assign.
- When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
| Category | Permission |
|---|---|
| Reader | User, group, or service principal |
| Key Vault Reader | User, group, or service principal |
| Reader and Data Access | User, group, or service principal |
Table. Additional permission items when entering role assignment information
Add Permission from Individual Subscription
To add subscription access permission in Azure Console from individual Subscription, follow the procedure below.
- Click Subscription > Overview in Azure Console.
- Check Subscription ID from the basic information on the overview page.
- Click Subscription > Access control (IAM).
- Click Add > Add role assignment on the Access control page.
- Enter detailed information on the Add role assignment page and click Review+assign.
- When entering role assignment information, select the information below from the Role and Member tabs to add the App created in Entra ID Application registration. You must add all three permissions below.
| Category | Permission |
|---|---|
| Reader | User, group, or service principal |
| Key Vault Reader | User, group, or service principal |
| Reader and Data Access | User, group, or service principal |
Table. Additional permission items when entering role assignment information
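The three role assignments for an individual subscription described above can also be scripted with the Az PowerShell module. The following is an added example and not code from the Samsung Cloud Platform documentation. It assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session that is allowed to assign roles on the subscription (Owner or User Access Administrator), and that the placeholder subscription ID and Application (client) ID are replaced with the values noted in the steps above.

```powershell
# Added example, not from the Samsung Cloud Platform documentation.
# Assumes Az.Accounts and Az.Resources and an existing Connect-AzAccount session
# that may assign roles on the subscription. Both placeholders must be replaced.
$SubscriptionId = '<subscription-id>'         # placeholder: Subscription ID from Subscription > Overview
$AppClientId    = '<application-client-id>'   # placeholder: Application (client) ID of the registered app
$Scope = "/subscriptions/$SubscriptionId"

# The three roles the guide requires on the subscription; all are read-only.
$Roles = @('Reader', 'Key Vault Reader', 'Reader and Data Access')

# Role assignments bind to the service principal's object ID, not the app (client) ID.
$sp = Get-AzADServicePrincipal -ApplicationId $AppClientId
if (-not $sp) { throw "No service principal found for application $AppClientId" }

foreach ($role in $Roles) {
    # Skip roles that are already assigned so the script can be re-run without duplicates.
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -RoleDefinitionName $role
    if ($existing) {
        Write-Host "$role is already assigned at $Scope"
        continue
    }
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $Scope | Out-Null
    Write-Host "Assigned $role at $Scope"
}

# Verify: list the assignments that apply to the service principal at this scope and
# flag anything beyond the three required read-only roles.
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope
$assigned | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

$extra = $assigned | Where-Object { $Roles -notcontains $_.RoleDefinitionName }
if ($extra) {
    Write-Warning "Roles beyond the required set: $($extra.RoleDefinitionName -join ', ')"
}
```

Run it in Cloud Shell > PowerShell or a local session after Connect-AzAccount. The service principal is looked up from the Application (client) ID because that is the value shown on the app registration overview, while role assignments are keyed on the service principal's object ID.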
Add Access Permission via PowerShell
To add subscription access permission in Azure Console using PowerShell, follow the procedure below.
- Run the following command in Cloud Shell > PowerShell in the Azure Console.

```powershell
# Replace the quoted value with the object ID of the App, as shown under Enterprise Applications.
New-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
```

- If the command does not run, change the setting below.
  - Change Microsoft Entra ID > Properties > 'Account name' can manage access to all Azure subscriptions and management groups in this tenant. > Yes
  - After adding the permissions, you must change it back to No.
- Run the following command to check whether the setting is complete.

```powershell
Get-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam"
```

- If you need to delete the permission, run the following command.

```powershell
Remove-AzRoleAssignment -ObjectId "App's Object ID confirmed in Enterprise Application" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'
```