In order for ServiceBus360 to access entities in an Azure (like Logic Apps) in a secure and safe way, a Service Principal needs to be created and authorized correctly. Azure has “Role-Based Access Control (RBAC)”, and it allows to authorize a Service Principal to access certain resources from the Azure.
In order to associate an authorized Service Principal with ServiceBus360, the following values are required.
- Azure Subscription Id
- Azure Tenant Id
- Active Directory Application’s Client Id
- Active Directory Application’s Client Secret
- Authorize Service Principal
How to get Azure Subscription Id?
Here is a quick step by step on how to get your Subscription ID from the New Azure Portal.
- Browse to https://portal.azure.com and Sign into your account.
- In the portal, navigate to the ‘Subscriptions’ tab in the left side menu. If the tab is not visible, then click on the ‘More services’ tab to find it.
- In the Subscriptions blade, all the subscriptions will be listed and copy the ID from ‘Subscription ID’ column.
How to get Azure Tenant Id?
The tenant ID is tied to ActiveDirectory in Azure:
- Navigate to Dashboard in Azure portal
- In the portal, navigate to the ‘Azure Active Directory’ tab in the left side menu
- Click the Properties tab under the Manage section
- Click the Copy icon against the "Directory ID" to get the Azure Tenant ID
How to get the Client Id and Client Secret
In order for you to get the Client Id and Client Secret, you’ll first be required to create a Service Principal as explained below:
- Login to your Azure Account
- Select Azure Active Directory and click App registrations
- Click on the “New Application Registration” link – this will open up a new blade to enter service principal details
Enter a name for the Service Principal, keep the Application Type to default (Web App / API), in the “Sign-on Url” tab enter any URL - for example – http://localhost.
Once the Service Principal is created successfully, it will be listed in the App Registration grid
Click on the Service Principal > Copy the Application ID from Essentials window. This is your Client ID.
Click on Keys under API Access from the Settings Blade > create a key by entering a name for the key. Select when it should expire and click on “Save”.
Once it is saved, it will show you the Client Secret. This ID will be displayed only once, copy this value because you are not able to retrieve the key later.
Service Principals are service accounts in Azure. The Authorization hierarchy works top to bottom which means – if you’re authorizing someone to access a top-level resource, the authorization will be passed down to every resource under the top-level resource. For example – if you authorize a Service Principal to access a Resource Group – all the resources inside the Resource Group will be accessible.
How to Authorize Service Principal from Azure Portal
The first step is to authorize a Service Principal is to navigate to the resource you want the service principal to access. Let's take an example of authorizing the service principal to access a resource group.
- Navigate to the Resource Group > Click on “Access Control (IAM)”. As you click on Access Control – it will list all the service accounts which are authorized to access the selected Resource Group.
- Add new permission for the newly added Service Principal. Click on the “Add” button on the top left on this blade. It will ask you to select a role and user for new permission. Please refer to the image below. In the Role drop-down, you will find a lot of pre-defined roles scoped to specific resource types with different permissions- like Reader, Manager etc. Select “Contributor” from the list. On the next input- type the name of the service principal. It will list the service principals and users for the given name. You can select more than one Service Principal/User here. Select the desired Service Principal’s name and click “Save”.
- In few seconds the portal will notify you that the user has been added and can perform the operations with allowed permissions.