Azure Subscription - How To

How To Bring Your Own Azure AD App In Cerulean

Cerebrata Cerulean allows you to connect to and manage your Azure Subscriptions using an application created in your own Azure Active Directory (AD). This page describes the steps to create an application in your Azure AD and give permissions needed for Cerebrata Cerulean to work properly.

Why is it needed?

In certain scenarios you must create your own application and use it to connect to and manage your Azure Subscriptions in Cerebrata Cerulean:

  • 3rd party applications not allowed: An Azure AD administrator may define a policy that prohibits users of that Azure AD from granting access to 3rd party applications (like Cerebrata Cerulean) created in an outside Azure AD.
  • Connecting to a sovereign cloud (Azure China, Azure Germany and Azure US Gov): Microsoft has rightfully put a lot of limitations on who can create an Azure Subscription in their sovereign regions. Because of these restrictions, unfortunately Cerebrata can’t have an Azure Subscription in these regions. In order to manage your Azure Subscriptions in these regions, you will need to create an application in an Azure AD in these regions.

Steps to create an Azure AD application

The following steps create an Azure AD application and grant the permissions required by Cerebrata Cerulean.

Step 1: Sign in to the Azure Portal.

First you will need to sign in to the Azure Portal. Here are the links for Azure Portal:

Step 2: Click on the Azure AD icon on the left-hand side menu bar or search for "Azure Active Directory".

Step 3: Click on "App Registrations" in the left menu bar and then "New application registration".

Step 4: Create a new application registration.

You will be asked to provide some information for the application registration.

  1. Application Name: For application name, please provide a name that can distinctly identify the application. For example, we used "Azure AD App for Cerebrata Cerulean".
  2. Application Type: For application type, please select "Native".
  3. Redirect URI: For redirect URI, please specify "urn:ietf:wg:oauth:2.0:oob".

Once you have provided this information, click the "Create" button to create the application.

Step 5: Note down the "Application ID".

Once you have created the application, you will be shown the details of the application. Please note down the application ID, as it will be used in Cerebrata Cerulean.

Once the application ID is copied to the clipboard, click the "Settings" button. You will be shown the settings of the application. Next, click on "Required permissions".

Step 6: Add required permissions.

Currently Cerebrata Cerulean needs two permissions to be granted:

  1. Sign in and read user profile.
  2. Execute Windows Azure Service Management API.

When an application is created, the 1st permission is granted by default, so we just need to add the 2nd permission. To do so, first click the "Add" button.

Then click on "Select an API".

Select "Windows Azure Service Management API" and then click the "Select" button.

Next, we need to set the permission.

Select "Access Azure Service Management as organization user (preview)" and then click the "Select" button.

Press the "Done" button to add the permission to execute the Azure Service Management API for managing Azure Subscriptions on behalf of the signed-in user.

Once the process completes, you should see two delegated permissions listed for the application.

That’s it. Now you’re ready to use this application with Cerebrata Cerulean. Please make sure that you have copied the "Application ID".
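The registration produced by Steps 4 to 6 can be checked against what this page asks for: a native app with the out-of-band redirect URI, exactly the two delegated permissions, and no credentials. The following is an added example, not code from Cerebrata; it assumes the application object is available as JSON in the Microsoft Graph application format (for instance the output of `az ad app show`), accepts the sign-in permission on either Azure AD Graph or Microsoft Graph, and runs against constructed sample objects.

```python
# Added example: audit an app registration against the setup described on this page.
# Assumption: `app` is a Microsoft Graph application object (e.g. `az ad app show` JSON).
ARM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
ALLOWED = {  # resourceAppId -> the one delegated scope id permitted on it
    ARM: "41094075-9dad-400e-a0bd-54e686782033",  # user_impersonation
    "00000002-0000-0000-c000-000000000000": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",  # Azure AD Graph User.Read
    "00000003-0000-0000-c000-000000000000": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",  # Microsoft Graph User.Read
}
SIGN_IN = set(ALLOWED) - {ARM}
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"

def audit_app(app):
    """Return a list of findings; an empty list means the registration matches the page."""
    findings, granted = [], set()
    for res in app.get("requiredResourceAccess") or []:
        rid = res.get("resourceAppId")
        for perm in res.get("resourceAccess") or []:
            if perm.get("type") != "Scope":  # "Role" = application permission, not delegated
                findings.append(f"application permission {perm.get('id')} on {rid}")
            elif ALLOWED.get(rid) != perm.get("id"):
                findings.append(f"unexpected delegated permission {perm.get('id')} on {rid}")
            else:
                granted.add(rid)
    if ARM not in granted:
        findings.append("missing Azure Service Management delegated permission")
    if granted.isdisjoint(SIGN_IN):
        findings.append("missing sign-in and read user profile permission")
    if OOB_REDIRECT not in ((app.get("publicClient") or {}).get("redirectUris") or []):
        findings.append("native redirect URI not registered")
    if app.get("passwordCredentials") or app.get("keyCredentials"):
        findings.append("credential present on a native (public client) app")
    return findings

# Constructed sample objects (not real tenant data).
SAMPLE_OK = {
    "publicClient": {"redirectUris": [OOB_REDIRECT]},
    "requiredResourceAccess": [
        {"resourceAppId": ARM, "resourceAccess": [{"id": ALLOWED[ARM], "type": "Scope"}]},
        {"resourceAppId": "00000002-0000-0000-c000-000000000000",
         "resourceAccess": [{"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"}]}]}
SAMPLE_BAD = {
    "passwordCredentials": [{"displayName": "constructed-secret"}],
    "requiredResourceAccess": [
        {"resourceAppId": ARM, "resourceAccess": [{"id": ALLOWED[ARM], "type": "Scope"}]},
        {"resourceAppId": "00000003-0000-0000-c000-000000000000",  # constructed Role id below
         "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}]}]}

if __name__ == "__main__":
    for name, app in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_app(app) or "matches the documented setup")
```

An empty result means the registration carries nothing beyond what the steps above configure; any finding is worth resolving before the application ID is handed to users.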

Using your Azure AD application with Cerebrata Cerulean

Now that the application has been created in your Azure AD, the next step is to use this application in Cerebrata Cerulean for connecting to and managing your Azure Subscriptions.

Step 1: Try to add a connection to an Azure Subscription. This will open the "Add Subscription Connection" popup.

Click the "Advanced Settings" button to launch a popup where you will specify the ID of the application you just created. If you’re trying to connect to an Azure Subscription in any of the Azure Sovereign regions, clicking on the region radio button will automatically launch this popup.

Step 2: Enter the application ID.

Simply enter the application ID and click the "OK" button to continue.

Step 3: Click the "Next" button.

That’s pretty much it! Now when you click the "Next" button, you will be asked to sign in. At this time, Cerebrata Cerulean will make use of the application you created in your Azure AD instead of the default application that Cerebrata has created.