
How-to guides

Users can create the Config Inspection service by entering the required information and selecting detailed options through the Samsung Cloud Platform Console.

Create Authentication Key

To create and use the Config Inspection service in the Samsung Cloud Platform Console, you must first generate an authentication key.

Authentication keys are created in My menu > My Info > Authentication Key Management > Create Authentication Key. For details, refer to Manage Authentication Keys.

Reference
  • The expiration period of an authentication key is up to 365 days.
  • To create an authentication key with no expiration date, generate it as a permanent key.

Create Config Inspection

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

Reference
Users must belong to the AdministratorGroup user group to use the functions provided by the Config Inspection service.

To create a Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Create Config Inspection button to go to the Create Config Inspection page.
  3. On the Create Config Inspection page, enter the information required to create the service and select the detailed options.
    • Enter or select the required information in the Service Information Input area. Each item is listed as Category (required status): Description.
      Diagnostic Type (-): Automatic configuration via Console
      Cloud (required): Select the cloud to diagnose
      • SCP: Samsung Cloud Platform
      • AWS: Amazon Web Services
      • Azure: Microsoft Azure
      • The detailed input fields vary depending on the selected cloud type
      Diagnostic Target > Diagnosis Name (required): Name used to distinguish the diagnostic target
      • The entered value is used as the resource name
      • Enter up to 25 characters using English letters, numbers, and the special characters - and _
      Diagnostic Target > Diagnostic Account (required): Console information to be diagnosed
      • Select the Account ID to diagnose from the list
      • Selecting the same Account ID more than once results in duplicate requests and additional charges
      • If AWS is selected, enter the 12-digit Account ID of the diagnostic account
      • If Azure is selected, enter the Subscription ID of the diagnostic account (36 characters: letters, numbers, and hyphens)
      Diagnostic Schedule > Checklist (required): Configured automatically when Use is selected for the diagnostic schedule
      Diagnostic Schedule > Diagnostic Cycle (required): Select the diagnostic interval
      • Diagnostics run on the selected day according to the specified interval
      • With a monthly cycle, no diagnostic runs in a month that lacks the selected day
        • Example: if the 31st of each month is selected, no diagnostic runs in February, which has no 31st
      Diagnostic Schedule > Start Time (required): Select the diagnostic start time
      • Set the hour and minute at which the diagnostic starts
      Authentication Key (required): Select the authentication key to use for Open API calls
      • Click the Select button and choose the key from the list in the Select Authentication Key popup
      • If no selectable authentication key is available, click Authentication Key Management to create a new one
      Pricing Plan (optional): Select a plan
      • Standard: Billed per diagnosis
      • Monthly subscription: Billed a fixed amount each month regardless of the number of diagnoses (up to 30 diagnoses per month)
      • The plan cannot be changed after the service is requested
      Table. Config Inspection Service Information Input Items
    • Enter or select the required information in the Additional Information Input area.
      Tag (optional): Add tags
      • Up to 50 tags can be added per resource
      • Click the Add Tag button, then enter or select the Key and Value
      Table. Config Inspection Additional Information Input Items
  4. Check the details and estimated charges in the Summary panel, and click the Create button.
    • When creation is complete, check the created resource on the Config Inspection List page.
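The monthly-cycle caveat in the Diagnostic Cycle item above is easy to underestimate: a run scheduled for the 31st silently skips five months a year, and the gap between runs then grows to two months. The Python below is an added example, not code from the page or from the Config Inspection service; it simulates the documented behaviour (a run on day N happens only in months that have day N; it is assumed that a missing day is skipped rather than moved to the month's last day, as the page's February example states) and measures the longest resulting blind spot. The function names are chosen here.

```python
import calendar
from datetime import date


def monthly_run_dates(day_of_month, start_year, start_month, months):
    """Simulate a 'monthly on day N' schedule for `months` consecutive months
    starting at start_year/start_month.

    Returns (runs, skipped): the dates on which a diagnostic actually runs, and
    the (year, month) pairs in which no run happens because the month has no
    such day. Assumption (from the page's example): a missing day is skipped,
    not moved to the last day of the month.
    """
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be 1..31")
    runs, skipped = [], []
    year, month = start_year, start_month
    for _ in range(months):
        days_in_month = calendar.monthrange(year, month)[1]
        if day_of_month <= days_in_month:
            runs.append(date(year, month, day_of_month))
        else:
            skipped.append((year, month))
        month, year = (1, year + 1) if month == 12 else (month + 1, year)
    return runs, skipped


def longest_gap_days(runs):
    """Largest number of days between consecutive runs (0 if fewer than two).
    This is the longest window in which a misconfiguration goes unnoticed."""
    return max(((b - a).days for a, b in zip(runs, runs[1:])), default=0)


def schedule_report(day_of_month, start_year, start_month, months=12):
    """Summary a practitioner can compare across candidate days of the month."""
    runs, skipped = monthly_run_dates(day_of_month, start_year, start_month, months)
    return {
        "runs": len(runs),
        "skipped_months": [f"{y}-{m:02d}" for y, m in skipped],
        "longest_gap_days": longest_gap_days(runs),
    }


if __name__ == "__main__":
    # Compare the 31st with the 28th over calendar year 2025.
    for day in (31, 30, 29, 28):
        print(day, schedule_report(day, 2025, 1))
```

Choosing a day no later than the 28th keeps every month covered; the report makes the trade-off visible before the schedule is saved.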

View Config Inspection details

The Config Inspection service lets you view the full list of resources and the detailed information of each, and edit it where needed. The Config Inspection Details page consists of the Details, Tags, and Job History tabs.

To view the details of a Config Inspection resource, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu to go to the Config Inspection List page.
  3. On the Config Inspection List page, click the resource whose details you want to view to go to the Config Inspection Details page.
    • The Config Inspection Details page shows the status information and additional functions below, and consists of the Details, Tags, and Job History tabs.
      Status: Status of the Config Inspection
      • Ready: No diagnostic request has been made since the service was created (diagnostic request possible)
      • In Progress: A diagnostic request is running (diagnostic request and service termination not allowed)
      • Error: The diagnostic request failed with an error (diagnostic request possible)
      • Completed: The diagnostic request completed successfully (diagnostic request possible)
      Diagnostic Request: Button that runs a console diagnostic
      Service Termination: Button that terminates the service
      Table. Config Inspection status information and additional functions

Details

The Details tab of the Config Inspection Details page lets you view the detailed information of the selected resource and modify it if needed.

Service: Service name
Resource Type: Resource type
SRN: Unique resource ID in Samsung Cloud Platform
Resource Name: Resource name
Resource ID: Unique resource ID within the service
Creator: User who created the service
Creation Date/Time: Date and time the service was created
Editor: User who last edited the service information
Modification Date/Time: Date and time the service information was last modified
Diagnostic Type: Diagnostic type offered by the service
Cloud: Type of diagnostic target
Diagnostic Target: Console information of the diagnostic target
  • Shows the diagnosis name and diagnostic account of the diagnostic target
  • If the diagnostic target is AWS or Azure, click the Edit icon to modify the diagnostic account
Pricing Plan: Selected plan type
Recent Diagnosis Date/Time: Time the last diagnostic request was executed
Recent Diagnostic Result: Result of the most recent diagnostic request
  • Completed: The diagnostic request completed successfully
  • Error: The diagnostic request did not complete successfully
    • UNAUTHORIZED: Check the permissions of the key used for the diagnostic request
    • INVALID_INPUT_VALUE: Check the diagnostic account and other input values
    • CONNECTION_FAIL: Check the console access control settings (for example, whether the diagnostic IP is allowed)
    • ETC: Other errors, such as diagnostic engine issues; contact the service desk
  ※ Diagnostic results can be viewed in the Security > Config Inspection > Report menu
Authentication Key: The authentication key registered by the user when the service was created
  • Shows the Access Key, user, and status
  • The Access Key and the Edit icon are shown only to the user who created the authentication key
    • Click the Edit icon to change the authentication key
  • If the authentication key has been deleted, the status is shown as -; if it has expired, the status is shown as Expired
  • For resources created by other users, the authentication key information (Access Key, status) is shown as -
Diagnostic Schedule: Selected diagnostic schedule information
  • If the diagnostic target is SCP, click the Edit icon to change the diagnostic schedule
Table. Config Inspection Details tab items

Tags

The Tags tab of the Config Inspection Details page lets you view the tags of the selected resource and add, modify, or delete them.

Tag List: List of tags
  • Shows the Key and Value of each tag
  • Up to 50 tags can be added per resource
  • When entering a tag, you can search and select from previously created Keys and Values
Table. Config Inspection Tags tab items

Job History

The Job History tab of the Config Inspection Details page lets you view the job history of the selected resource.

Job History List: Resource change history
  • Shows the job date/time, resource ID, resource name, job details, event topic, job result, and operator information
Table. Config Inspection Job History tab items

Config Inspection Resource Management

You can check the status of a Config Inspection resource and request a diagnosis from the Config Inspection List page or the Config Inspection Details page.

Modify authentication key

You can select the authentication key to use for each diagnostic target.

To modify the authentication key of the service, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu to go to the Config Inspection List page.
  3. On the Config Inspection List page, click the resource whose authentication key you want to modify to go to the Config Inspection Details page.
  4. Check the Authentication Key item and click the Edit icon to open the Edit Authentication Key popup.
  5. In the Edit Authentication Key popup, select the authentication key to use and click the Confirm button.
    Authentication Key: Authentication key details
    Creation Date/Time: Date the authentication key was created
    Expiration Date/Time: Date the authentication key expires
    Status: Authentication key status
    • Used: Available
    • Expired: Usage period has expired
    Table. Edit Authentication Key popup items
Reference
  • If the authentication key has been deleted, its status is shown as -.
  • For resources created by other users, the authentication key information (key, status) is shown as -.

Request Diagnosis

You can request a console diagnosis based on the configured checklist.

To request a console diagnosis, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu to go to the Config Inspection List page.
  3. On the Config Inspection List page, click the resource you want to diagnose to go to the Config Inspection Details page.
  4. On the Config Inspection Details page, click the Diagnostic Request button to open the Diagnostic Request popup.
  5. In the Diagnostic Request popup, enter the information required for the diagnosis and click the Confirm button.
    • The items in the Diagnostic Request popup vary depending on the selected console.
      Console Access Method: Fixed to the authentication key method
      Checklist: If SCP is selected, fixed to Best Practice
      Authentication Key: If SCP is selected, choose a previously generated authentication key
      Access Key: If AWS is selected, enter the Access Key
      Secret Key: If AWS is selected, enter the Secret Key
      Client ID: If Azure is selected, enter the Client ID
      Client Secret: If Azure is selected, enter the Client Secret
      Tenant ID: If Azure is selected, enter the Tenant ID
      Table. Diagnostic Request popup items
  6. On the Config Inspection List page, check the status value.
    • When the diagnostic request finishes, the status is shown as Completed or Error.
    • When the status is Completed, you can view the results in the Diagnostic Results menu. For details, refer to Report Management.
Reference
For the prerequisite settings required to run diagnostics for each console, refer to Prerequisite Settings.

Terminate Config Inspection

You can terminate a Config Inspection service that you no longer use. Terminating Config Inspection deletes all stored diagnostic data.

Caution
  • If you terminate the resource, all diagnostic data is deleted and the diagnostic results can no longer be viewed in the Report.
  • A Config Inspection service whose status is In Progress cannot be terminated.

To terminate Config Inspection, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Config Inspection menu to go to the Config Inspection List page.
  3. On the Config Inspection List page, click the resource to terminate to go to the Config Inspection Details page.
  4. On the Config Inspection Details page, click the Service Termination button.
  5. When termination is complete, check on the Config Inspection List page that the resource has been terminated.

1 - Check dashboard

Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard in the Samsung Cloud Platform Console.

Check the dashboard

On the Dashboard page, you can view the status of the Config Inspection diagnostic targets, the diagnostic history, and more.

To view the dashboard, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Dashboard menu to go to the Dashboard page.
  3. View the diagnostic result summary on the Dashboard page.
    • At the top of the Dashboard page, you can filter the dashboard by period or by diagnosis name.
      • Period: Set a period within the last six months, counting from the current month, to view a summary of the diagnostic results.
      • Diagnosis Name: Select All to view a summary of all diagnostic results, or select a diagnostic account to view the details of that account's results.
    • Click the Download button to download the information shown on the Dashboard page as a PDF file.
      Security Level (overall): Average of the latest diagnostic results of all targets
      • The recent diagnostic results are shown in the list
      • Diagnostic score = (Total - (Fail + Error + Check)) / Total × 100
      Diagnosis Status by Period: Diagnostic status of each target during the search period
      • Diagnosis Completed: Shows the recently completed diagnosis records
      • Diagnosis Error: Shows the recent diagnosis error records
      • Selecting a diagnosis name navigates to the detailed diagnostic result page
      Summary of Diagnostic Results by Period (overall): Summary of all diagnostic results for the search period
      • Selecting a diagnosis name from the list navigates to the detailed diagnostic result page
      Table. Dashboard items for overall diagnostic results
      Security Level: Score of the last diagnostic result of the selected diagnostic account
      • The recent diagnostic results are shown in the list
      Summary of Diagnostic Results by Period: Summary of the last diagnostic result of the selected diagnostic account within the search period
      Vulnerability Status by Period: Graph of the vulnerability assessment results of the diagnostic account during the search period
      • Selecting a graph shows the details of the vulnerable items in the assessment results
      Table. Dashboard items for diagnostic results by diagnostic account

2 - Diagnostic Result Management

You can view the results of Config Inspection diagnostic requests on the Diagnostic Results page and modify the diagnostic results.

Reference
Diagnostic results are generated when a diagnostic request is made in the Config Inspection service, and are deleted when the service is terminated.

Check diagnostic results

On the Diagnostic Results page, you can view the results of diagnostic requests.

Check diagnostic result list

To view the list of diagnostic results, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnostic Results menu to go to the Diagnostic Results List page.
  3. On the Diagnostic Results List page, check the summary information of the diagnostic results.
    Diagnosis Name: Resource name
    Diagnostic Account: Console information that was diagnosed
    Checklist: Set of diagnostic items on which the diagnostic results are based
    PASS: Number of checklist items with the result PASS (normal)
    FAIL: Number of checklist items with the result FAIL (vulnerable)
    CHECK: Number of checklist items with the result CHECK (verification needed)
    ERROR: Number of checklist items with the result ERROR (diagnosis unavailable)
    N/A: Number of checklist items with the result N/A (not applicable)
    All: Total number of checklist items
    Diagnostic Result: Result of the diagnosis request
    • Completed: The diagnosis request completed successfully; click Completed to go to the details page
    • Error: The diagnosis request did not complete successfully; error items have no detailed content to view
    Diagnostic Date/Time: Date and time of the diagnosis request
    Table. Diagnostic result list items
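The PASS/FAIL/CHECK/ERROR/N/A columns above and the dashboard's Security Level (overall) in the previous section are both derived from the per-item results of each run. The Python below is an added example, not code from the page or from the Config Inspection service; it reconstructs the result-list counts and the stated score formula, then applies the dashboard rule "average of the latest result per target". Two readings are assumptions rather than documented behaviour: N/A items stay in Total but are not deducted (the literal formula), and runs whose result is Error are not scored because they carry no item results. The sample runs are constructed.

```python
from collections import Counter

RESULT_VALUES = ("PASS", "FAIL", "CHECK", "ERROR", "N/A")


def count_results(item_results):
    """Turn the per-item results of one diagnosis run into the columns of the
    Diagnostic Results List: PASS, FAIL, CHECK, ERROR, N/A and All (total)."""
    counts = Counter(item_results)
    unknown = sorted(set(counts) - set(RESULT_VALUES))
    if unknown:
        raise ValueError(f"unknown result values: {unknown}")
    summary = {value: counts.get(value, 0) for value in RESULT_VALUES}
    summary["All"] = len(item_results)
    return summary


def diagnostic_score(summary):
    """Dashboard formula: (Total - (Fail + Error + Check)) / Total x 100.
    Assumption: N/A items stay in Total and are not deducted (the literal
    formula); an empty checklist scores 0 rather than dividing by zero."""
    total = summary["All"]
    if total == 0:
        return 0.0
    deducted = summary["FAIL"] + summary["ERROR"] + summary["CHECK"]
    return round((total - deducted) / total * 100, 1)


def overall_security_level(runs):
    """Security level (overall): average of the latest result per target.
    `runs` is a list of dicts with diagnosis_name, diagnosed_at (ISO string,
    so string order equals time order), result ("Completed"/"Error") and items.
    Assumption: Error runs are not scored, so a target whose newest run is an
    Error keeps its latest Completed run, and a target with no Completed run
    is left out of the average."""
    latest = {}
    for run in runs:
        if run["result"] != "Completed":
            continue
        name = run["diagnosis_name"]
        if name not in latest or run["diagnosed_at"] > latest[name]["diagnosed_at"]:
            latest[name] = run
    if not latest:
        return 0.0
    scores = [diagnostic_score(count_results(run["items"])) for run in latest.values()]
    return round(sum(scores) / len(scores), 1)


# Constructed sample data (not real diagnosis output).
SAMPLE_RUNS = [
    {"diagnosis_name": "scp-prod", "diagnosed_at": "2025-03-01T02:00", "result": "Completed",
     "items": ["PASS"] * 8 + ["FAIL", "CHECK"]},             # score 80.0 (superseded below)
    {"diagnosis_name": "scp-prod", "diagnosed_at": "2025-04-01T02:00", "result": "Completed",
     "items": ["PASS"] * 9 + ["N/A"]},                       # score 100.0: N/A is not deducted
    {"diagnosis_name": "aws-dev", "diagnosed_at": "2025-04-01T02:00", "result": "Completed",
     "items": ["PASS"] * 5 + ["FAIL"] * 3 + ["ERROR"] * 2},  # score 50.0
    {"diagnosis_name": "aws-dev", "diagnosed_at": "2025-04-08T02:00", "result": "Error",
     "items": []},                                            # e.g. UNAUTHORIZED: no items
]

if __name__ == "__main__":
    for run in SAMPLE_RUNS:
        if run["result"] == "Completed":
            summary = count_results(run["items"])
            print(run["diagnosis_name"], run["diagnosed_at"], summary, diagnostic_score(summary))
    print("overall:", overall_security_level(SAMPLE_RUNS))  # 75.0
```

Note that an ERROR item lowers the score exactly like a FAIL, so a broken permission (the UNAUTHORIZED and CONNECTION_FAIL cases in the Details tab) shows up on the dashboard as a drop in security level rather than as a neutral gap.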

View detailed diagnostic result information

To view the details of a diagnostic result, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnostic Results menu to go to the Diagnostic Results List page.
    • On the Diagnostic Results List page, you can search by entering a diagnosis name in the search area or by clicking the Detailed Search button.
  3. On the Diagnostic Results List page, click an item whose diagnostic result is Completed to go to the Diagnostic Result Details page.
    • Items whose diagnostic result is Error have no detailed information.
  4. On the Diagnostic Result Details page, view the detailed diagnostic results.
    Excel Download: Download the detailed diagnostic result list as an Excel file
    More > Diagnostic Result Management: Go to the Diagnostic Result Management page
    Checklist: Set of diagnostic items on which the diagnostic results are based
    Area: Scope of the diagnosis (Samsung Cloud Platform services)
    Diagnostic Item: Recommended security standard for each service configuration
    Result: Result of checking the diagnostic item against its standard
    Table. Diagnostic result detail items
  5. Click a diagnostic item to open the Diagnostic Item Details popup.
    • The Diagnostic Item Details popup shows the following information.
      Area: Scope of the diagnosis (Samsung Cloud Platform services)
      Diagnostic Item: Recommended security standard for the service configuration
      Result: Result of checking the diagnostic item against its standard
      Diagnostic Criteria: Criteria used to evaluate the result
      Diagnostic Method: How to check the current settings
      Remediation Guide: How to configure the setting so that it complies with the security standard
      Detailed Results: Resource information and settings for the diagnostic item
      Change Diagnostic Result: Button that modifies the diagnostic result
      • Once the result has been modified, the Check Result button is displayed; click Delete in it to remove the modified result
      Table. Config Inspection diagnostic item details

Manage Diagnostic Results

On the Diagnostic Results page, you can modify the results of items whose diagnostic result is CHECK.

Change diagnostic result

To change a diagnostic result, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnostic Results menu to go to the Diagnostic Results List page.
  3. On the Diagnostic Results List page, click an item whose diagnostic result is Completed to go to the Diagnostic Result Details page.
    • Items whose diagnostic result is Error have no detailed information.
  4. On the Diagnostic Result Details page, click More > Diagnostic Result Management at the top to go to the Diagnostic Result Management page.
  5. On the Diagnostic Result Management page, click the Change Result button of the item whose result you want to modify to open the Change Result popup.
  6. In the Change Result popup, select or enter the information required to change the result. Each item is listed as Category (required status): Description.
    Registrant (-): Email of the user registering the result change
    Validity Period (required): Set the validity period of the changed diagnostic result
    Result Change (required): Select the diagnostic result to change to, among Pass, Check, and Fail
    Detailed Reason (required): Enter a detailed reason for changing the result
    Attached File (optional): Upload the files needed to verify the result change
    • Click the Attach File button to upload files; up to 5 files can be registered
    Inspection Result (-): Shows the detailed inspection result
    Table. Diagnostic result change items
  7. Review the entered information and click the Register button, then verify in the Diagnostic Result Management list that the diagnostic result has been changed.

Delete diagnostic result change history

To delete a diagnostic result change history, follow these steps.

  1. Click the All Services > Security > Config Inspection menu to go to the Service Home page of Config Inspection.
  2. On the Service Home page, click the Diagnostic Results menu to go to the Diagnostic Results List page.
  3. On the Diagnostic Results List page, click an item whose diagnostic result is Completed to go to the Diagnostic Result Details page.
    • Items whose diagnostic result is Error have no detailed information.
  4. On the Diagnostic Result Details page, click the Diagnostic Result Management button at the top to go to the Diagnostic Result Management page.
  5. On the Diagnostic Result Management page, click the Check Result button of the item whose change you want to delete to open the Check Result popup.
  6. In the Check Result popup, click the Delete button.

3 - Preconfigure

To use the Config Inspection service, users must first complete the preparation for each cloud, such as creating authentication keys and adding access-control IPs, in the Samsung Cloud Platform Console and, for external clouds, in that cloud's console.

Reference
The configuration items differ depending on the cloud you diagnose. Refer to the chapter for each cloud and configure the required items.

Setting up Samsung Cloud Platform Console

To diagnose Samsung Cloud Platform and external clouds with the Config Inspection service, configure the items below.

Check policies attached to the user group

Information
  • Config Inspection can diagnose Samsung Cloud Platform or external clouds. Assign user groups the policy requirements appropriate to the diagnostic target.
  • Verify that a user group policy appropriate for the intended diagnostic target is configured.
  • If a policy needs to be created, contact the Account administrator.

To check the policies of the user group to which the user belongs, follow these steps.

  1. Click the All Services > Management > IAM menu to go to the Service Home page of IAM.
  2. On the Service Home page, click the User Group menu to go to the User Group List page.
  3. On the User Group List page, click the user group you want to check to go to the User Group Details page.
  4. On the User Group Details page, click the Policy tab.
  5. On the Policy tab, click the policy you want to check to go to the Policy Details page.
  6. On the Policy Details page, view the detailed information.
    • Verify that the policy is set as in the table below. If necessary, contact the administrator to add a policy.
      Item | Policy Requirement 1 | Policy Requirement 2
      Action | List, Read | Create, Delete, List, Read, Update
      Applied Resource | All resources | Individual resource (Config Inspection)
      Authentication Type | All authentication | Temporary key authentication, Console login
      Applied IP | 123.37.11.42, custom IP | Custom IP
      • The diagnostic IP 123.37.11.42 and the IP from which the user accesses the console must each be added
      Table. Policy settings for diagnosing all clouds

Authentication key generation

You can view and generate authentication keys for the Config Inspection service.

Information
  • You can create up to two authentication keys.
  • After generating a new authentication key, you must apply the new API authentication key to the service that uses it.

To generate an authentication key in the Samsung Cloud Platform Console, follow these steps.

  1. Click the My menu > My Info menu in the Console to go to the My Info detail page.
  2. On the My Info detail page, click the Authentication Key Management tab.
  3. On the Authentication Key Management tab, click the Create Authentication Key button to go to the Create Authentication Key page.
    • The list of authentication keys is shown on the Authentication Key Management tab.
  4. On the Create Authentication Key page, enter the expiration period and click the Confirm button.
  5. Verify that the generated authentication key appears in the authentication key list.

Add allowed IP

You can add allowed IP addresses in the Samsung Cloud Platform Console.

To add an allowed IP for the Console, follow these steps.

  1. Click the My menu > My Info menu in the Console to go to the My Info detail page.
  2. On the My Info detail page, click the Authentication Key Management tab.
  3. On the Authentication Key Management tab, click the Edit icon of the Security Settings item to open the Edit Authentication Key Security Settings popup.
  4. In the Edit Authentication Key Security Settings popup, enter the authentication method and the allowed IP addresses.
    • Select Authentication Key as the authentication method.
    • Set Allowed Access IP to Use, enter the IP address, and click the Add button.
  5. When the allowed IPs have been added, click the Confirm button, then check that the Security Settings item reflects the entered information.

Configure AWS

To diagnose AWS (Amazon Web Services) with the Config Inspection service, configure the items below.

Add permission policy

You can attach permission policies to users or user groups in the AWS Console.

Add user permission

To attach a permission policy to a user in the AWS Console, follow these steps.

  1. In the AWS Console, click IAM > Users.
  2. Select the diagnostic user from the user list.
  3. On the user detail page, click the Permissions tab.
  4. Under Permissions policies, select Add permissions.
    • Attach the ReadOnlyAccess and ViewOnlyAccess policies.

Add user group permission

To attach a permission policy to a user group in the AWS Console, follow these steps.

  1. In the AWS Console, click IAM > User groups.
  2. Select the group to which the diagnostic user belongs from the user group list.
  3. On the user group detail page, click the Permissions tab.
  4. Under Permissions policies, select Add permissions.
    • Attach the ReadOnlyAccess and ViewOnlyAccess policies.

Add access control IP

If you use an IP access control policy, add the diagnostic IP to the policy as an exception to the block; otherwise the diagnostic requests are rejected.

Add user access control IP

To add the access control IP for a user in the AWS Console, follow these steps.

  1. In the AWS Console, click IAM > Users.
  2. Select the diagnostic user from the user list.
  3. On the user detail page, click the Permissions tab.
  4. Under Permissions policies, click Edit for the IP access control policy.
    • Add 123.37.24.82 to the block exception IPs.

Add user group access control IP

To add the access control IP for a user group in the AWS Console, follow these steps.

  1. In the AWS Console, click IAM > User groups.
  2. Select the group to which the diagnostic user belongs from the user group list.
  3. On the user group detail page, click the Permissions tab.
  4. Under Permissions policies, click Edit for the IP access control policy.
    • Add 123.37.24.82 to the block exception IPs.
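Both the SCP user-group policy (Applied IP must include 123.37.11.42) and the AWS access-control steps above (123.37.24.82 must be a block exception) come down to the same check: the scanner's source IP must fall inside the allow list, or every diagnostic call is denied and the run ends in CONNECTION_FAIL. The Python below is an added example, not code from the page, Samsung Cloud Platform, or AWS. It assumes the AWS "IP access control policy" is an IAM policy of the usual deny-unless-from-source-IP shape (the page does not show its policy document) and evaluates only the aws:SourceIp condition of such Deny statements; the function names and the 203.0.113.0/24 office range are chosen here.

```python
import ipaddress
import json

# Diagnostic source IPs given on this page (SCP user-group policy and AWS steps).
SCP_DIAGNOSTIC_IP = "123.37.11.42"
AWS_DIAGNOSTIC_IP = "123.37.24.82"


def deny_unless_from_policy(allowed_cidrs):
    """IAM policy document that denies every action unless the request's source
    IP is in `allowed_cidrs`. This is the usual IAM shape for an IP block with
    exceptions; the page's 'IP access control policy' is assumed to look like it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromAllowedIp",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        }],
    }


def source_ip_denied(policy, source_ip):
    """True if any Deny statement with a NotIpAddress/aws:SourceIp condition in
    `policy` matches `source_ip`. Only that condition key is evaluated here."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if not cidrs:
            continue
        # A bare IP such as "123.37.24.82" parses as a /32 network.
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


def blocked_diagnostic_ips(policy, diagnostic_ips):
    """Diagnostic IPs the policy would deny; an empty list means the exception is in place."""
    return [ip for ip in diagnostic_ips if source_ip_denied(policy, ip)]


def missing_from_allowlist(allowlist, required_ips):
    """Plain allow-list check for the SCP policy's Applied IP field: required
    IPs that do not fall inside any allow-listed IP or CIDR."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [ip for ip in required_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    office = "203.0.113.0/24"  # constructed corporate range
    before = deny_unless_from_policy([office])
    after = deny_unless_from_policy([office, AWS_DIAGNOSTIC_IP])
    print("blocked before:", blocked_diagnostic_ips(before, [AWS_DIAGNOSTIC_IP]))
    print("blocked after: ", blocked_diagnostic_ips(after, [AWS_DIAGNOSTIC_IP]))
    print(json.dumps(after, indent=2))
    print("SCP missing:", missing_from_allowlist([office], [SCP_DIAGNOSTIC_IP]))
```

Keep the exception as narrow as the page's single /32 and pair it with the read-only managed policies above; widening the allow list to cover the scanner is the wrong fix, because the diagnostic credential then becomes usable from anywhere in that range.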

Create Access Key

To create an access key in the AWS Console, follow these steps.

  1. In the AWS Console, click IAM > Users.
  2. Select the diagnostic user from the user list.
  3. On the user detail page, click the Security credentials tab.
  4. On the Security credentials tab, click Create access key under Access keys.
  5. On the Create access key page, generate an access key for a third-party service.
    • Be sure to save the generated access key information.
Caution
The Secret Key can be downloaded as a CSV file or saved separately.
  • The secret key can only be viewed when the access key is created and cannot be recovered later.

    Configure Azure

    To diagnose Azure cloud in the Config Inspection service, set the items below.

    Entra ID Application registration

    To register an Entra ID application in the Azure Console, follow these steps.

    1. Click Microsoft Entra ID > App registrations in the Azure Console.
    2. On the App Registration page, click New Registration.
    3. Register the application (client) ID.
    4. After the app registration is complete, check the app name, application (client) ID, directory (tenant) ID on the overview page.

    Add API usage permission

    Reference
    To use the Config Inspection service, you must preconfigure it from an account that has the Global Administrator role among the Microsoft Entra ID roles.

    To add API permissions in the Azure Console, follow these steps.

    1. In the Azure Console, click Microsoft Entra ID > App registrations, select the app registered in Entra ID Application registration, and click API permissions > Add a permission.
    2. In the Request API permissions pane, select Microsoft Graph.
    3. Click Application permissions.
      • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
      • All of these are read-only (.Read.All) application permissions; do not add write permissions, which the service does not use.
    4. After adding the permissions, click Grant admin consent for <tenant name> on the API permissions page.
      • Check that the Status column of every permission changes to Granted for <tenant name>. Application permissions apply tenant-wide without any user signing in, so the consent is only effective once this status is shown.

    Create Client Secret

    To create a Client Secret in the Azure Console, follow these steps.

    1. In the Azure Console, click Microsoft Entra ID > App registrations, select the app registered in Entra ID Application registration, and click Certificates & secrets.
    2. On the Client secrets tab, click New client secret.
    3. When the client secret is generated, check the Client Secret in the Value column of the list.
      • Be sure to store the Client Secret value.
    Caution
    The Client Secret value (Value) can only be viewed at creation. Be sure to record or save it separately. Client secrets expire; note the expiry date and create a new secret before the old one expires.
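    The three steps above (register the app, add the Microsoft Graph application permissions and grant admin consent, create a client secret) can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example and is not part of the Samsung Cloud Platform documentation; it assumes the Microsoft.Graph module is installed, that you sign in as a Global Administrator, and that the app name config-inspection-diag and the 12-month secret lifetime are placeholders you will change. It also checks that every required permission is actually granted before creating the secret, which is the same check as looking for Granted in the Status column.

```powershell
# Added example (not from the Samsung Cloud Platform documentation).
# Registers the diagnostic app, adds the Microsoft Graph application permissions
# required by Config Inspection, grants tenant-wide admin consent, and creates a
# client secret. Requires the Microsoft.Graph module and a Global Administrator.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All'

$appName    = 'config-inspection-diag'                    # assumed name; change as needed
$graphAppId = '00000003-0000-0000-c000-000000000000'      # well-known Microsoft Graph app ID

# Application (app-only) permissions listed in the documentation above
$requiredRoles = @(
  'Application.Read.All', 'Device.Read.All', 'Group.Read.All', 'User.Read.All',
  'DeviceManagementManagedDevices.Read.All', 'AuditLog.Read.All', 'Directory.Read.All',
  'Domain.Read.All', 'GroupMember.Read.All', 'Policy.Read.All', 'Reports.Read.All'
)

# Resolve permission names to app role IDs from the Microsoft Graph service principal
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roles = foreach ($name in $requiredRoles) {
  $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
  if (-not $role) { throw "Unknown Microsoft Graph application permission: $name" }
  $role
}

# 1. Register the application (single tenant) and create its service principal
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Declare the required permissions on the app registration (Type 'Role' = application permission)
$resourceAccess = @{
  ResourceAppId  = $graphAppId
  ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($resourceAccess)

# 3. Grant admin consent: one app role assignment per permission from our SP to the Graph SP
foreach ($role in $roles) {
  New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Check: every required permission must now be granted (equivalent to the Granted status in the console)
$granted = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id).AppRoleId
$missing = $roles | Where-Object { $_.Id -notin $granted } | Select-Object -ExpandProperty Value
if ($missing) { throw "Admin consent missing for: $($missing -join ', ')" }

# 4. Create a client secret. SecretText is returned only once; store it immediately.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
  DisplayName = 'config-inspection'
  EndDateTime = (Get-Date).AddMonths(12)                  # assumed lifetime
}

# Values needed to register the Azure diagnostic target
[pscustomobject]@{
  ApplicationClientId = $app.AppId
  DirectoryTenantId   = (Get-MgContext).TenantId
  ServicePrincipalId  = $sp.Id          # the Object ID shown under Enterprise applications
  ClientSecret        = $secret.SecretText
  SecretExpires       = $secret.EndDateTime
}
```

    The ServicePrincipalId in the output is the Object ID that the role assignment steps refer to as the app's Object ID in Enterprise applications; it differs from the application (client) ID. Store the ClientSecret in a secrets manager rather than in the shell history, and clear the variable afterwards.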

    Add subscription access permission in Azure Console

    Subscription access permissions in the Azure Console can be added from the tenant root group or an individual subscription. Select the desired method to add subscription access permissions.

    Add permissions in Tenant Root Group

    To add subscription access permissions in the Azure Console from the Tenant Root Group, follow these steps.

    1. Click Management groups > Overview in the Azure Console.
    2. Click Tenant Root Group > Access control (IAM).
      • If you cannot access the Tenant Root Group, enable elevated access: in Microsoft Entra ID > Properties > Access management for Azure resources, set "<account name> can manage access to all Azure subscriptions and management groups in this tenant" to Yes.
      • After adding the permission, you must set it back to No.
    3. On the Access control page, click Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click Review + assign.
      • On the Role and Members tabs, select the values below and add the app created in Entra ID Application registration as the member. All three roles must be added.
        Role                      Assign access to
        Reader                    User, group, or service principal
        Key Vault Reader          User, group, or service principal
        Reader and Data Access    User, group, or service principal
        Table. Additional permission items when entering role assignment information

    Add permission in individual Subscription

    To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.

    1. Click Subscriptions > Overview in the Azure Console.
      • Note the Subscription ID in the basic information on the Overview page.
    2. Click the subscription > Access control (IAM).
    3. On the Access control page, click Add > Add role assignment.
    4. On the Add role assignment page, enter the details and click Review + assign.
      • On the Role and Members tabs, select the values below and add the app created in Entra ID Application registration as the member. All three roles must be added.
        Role                      Assign access to
        Reader                    User, group, or service principal
        Key Vault Reader          User, group, or service principal
        Reader and Data Access    User, group, or service principal
        Table. Additional permission items when entering role assignment information
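    Both procedures above (Tenant Root Group or an individual subscription) assign the same three roles to the app's service principal; only the scope differs. The Az PowerShell script below, which is an added example and not the documentation's own code, performs either variant and then verifies that all three roles are present at the chosen scope. The values of $spObjectId and $subscriptionId are placeholders to fill in, and the $useTenantRootGroup switch is an assumption of this example. For the Tenant Root Group variant you still need the elevated-access setting described above, since PowerShell does not bypass it.

```powershell
# Added example (not from the Samsung Cloud Platform documentation).
# Assigns Reader, Key Vault Reader and Reader and Data Access to the diagnostic
# app's service principal at the Tenant Root Group or at a single subscription,
# then verifies the assignments. Requires the Az module.
Connect-AzAccount | Out-Null

$spObjectId         = '<Object ID of the app shown under Enterprise applications>'   # placeholder
$subscriptionId     = '<Subscription ID from Subscriptions > Overview>'             # placeholder
$useTenantRootGroup = $false                                                        # assumed switch

# The Tenant Root Group is the management group whose name equals the tenant ID
$scope = if ($useTenantRootGroup) {
  "/providers/Microsoft.Management/managementGroups/$((Get-AzContext).Tenant.Id)"
} else {
  "/subscriptions/$subscriptionId"
}

$roleNames = @('Reader', 'Key Vault Reader', 'Reader and Data Access')

foreach ($role in $roleNames) {
  # Get-AzRoleAssignment also returns assignments inherited from parent scopes,
  # so compare the Scope property to avoid treating an inherited role as done
  $existing = Get-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $role -Scope $scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $scope }
  if ($existing) {
    Write-Host "Already assigned at ${scope}: $role"
    continue
  }
  New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $role -Scope $scope -ObjectType 'ServicePrincipal' | Out-Null
  Write-Host "Assigned at ${scope}: $role"
}

# Check: all three roles must be directly assigned to the service principal at the chosen scope
$assigned = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope |
  Where-Object { $_.Scope -eq $scope } |
  Select-Object -ExpandProperty RoleDefinitionName
$missing = $roleNames | Where-Object { $_ -notin $assigned }
if ($missing) { throw "Missing role assignments at ${scope}: $($missing -join ', ')" }
"All required roles assigned at $scope"
```

    The role names are the built-in Azure role names exactly as they appear in the Role tab; a misspelt name makes New-AzRoleAssignment fail rather than silently assign a different role. If you used the Tenant Root Group, set the elevated-access property back to No once the script has finished.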

    Adding access permissions via PowerShell

    To add the Microsoft Entra ID read permission using PowerShell, follow these steps.

    1. Run the following command in Cloud Shell > PowerShell of the Azure Console. The Object ID is the app's Object ID shown under Enterprise applications, not the application (client) ID.
      • New-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader' -ObjectType 'ServicePrincipal'
      • If the command fails with an authorization error, change the setting below.
        • Microsoft Entra ID > Properties > Access management for Azure resources > "<account name> can manage access to all Azure subscriptions and management groups in this tenant" > change to Yes.
        • After adding the permission, you must change it back to No.
    2. Run the following command to verify that the configuration is complete. The output should list one assignment with RoleDefinitionName Reader at the scope /providers/Microsoft.aadiam.
      • Get-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam"
      • If you need to delete the permission, run the command below.
        • Remove-AzRoleAssignment -ObjectId "<App Object ID from Enterprise applications>" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Reader'