Onboarding Azure accounts
When an Azure subscription is added to PingOne Privilege, its resources are automatically discovered and can be managed for just-in-time developer access.
At a high level, onboarding Azure involves four major steps:
Creating the PingOne Privilege connector app
First, create an Azure App Registration to act as a service principal, allowing PingOne Privilege to manage access.
- In the Azure Portal, go to Azure Active Directory > App Registrations. Select New registration.
- In the Name field, enter ProcyonConnectorApp and select Register.
- Go to the application’s Overview page.
- Copy and save the Application (client) ID and the Directory (tenant) ID.
- In the Azure portal, go to Certificates & secrets and select New client secret.
- Provide a description, set an expiration period, and select Add.
- Copy and save the secret’s Value immediately. This is the App Key that you’ll need later.
The client secret value is only displayed once. You must record it at this step. If you lose it, you will need to create a new secret.
Assigning required roles to the connector app
For each Azure subscription you intend to manage, you must assign the ProcyonConnectorApp several roles to allow for resource discovery and access provisioning.
To assign a role:
- In the Azure portal, go to Subscriptions and select the target subscription.
- Select Access control (IAM).
- Select Add > Add role assignment.
- On the Role tab, search for and select the target role (for example, Reader). For the User Access Administrator role, first select the Privileged administrator roles tab, then search for the role.
- Select Next.
- On the Members tab, select + Select members.
- Search for the ProcyonConnectorApp by name and select it from the results. Select Select.
- Select Review + assign to complete the role assignment.
Repeat this procedure for each of the required roles:
- Reader
- User Access Administrator (this is a privileged role and requires the extra step noted above during selection)
- Azure Kubernetes Service Cluster Admin Role
- Azure Kubernetes Service RBAC Cluster Admin
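A check a practitioner might run once the assignments are in place, as an added example that is not part of the PingOne Privilege documentation: it compares the connector app's subscription-scope role assignments against the four roles listed above and reports, per subscription, anything missing and anything beyond the list. The input is a constructed sample shaped like the JSON from `az role assignment list --all`; the principal IDs and subscription names are placeholders.

```python
# Roles the guide requires on every subscription the connector app manages
REQUIRED_ROLES = {
    "Reader",
    "User Access Administrator",
    "Azure Kubernetes Service Cluster Admin Role",
    "Azure Kubernetes Service RBAC Cluster Admin",
}

def subscription_of(scope):
    """Subscription ID when scope is exactly a subscription, else None."""
    # Resource-group or resource scopes do not satisfy the guide's requirement.
    parts = scope.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return parts[1]
    return None

def audit_assignments(assignments, principal_id, subscriptions):
    """Map each subscription to the roles missing from, and in excess of,
    REQUIRED_ROLES for the given principal's subscription-scope assignments."""
    granted = {sub: set() for sub in subscriptions}
    for a in assignments:
        if a["principalId"] != principal_id:
            continue  # assignment belongs to some other identity
        sub = subscription_of(a["scope"])
        if sub in granted:
            granted[sub].add(a["roleDefinitionName"])
    return {sub: {"missing": sorted(REQUIRED_ROLES - roles),
                  "extra": sorted(roles - REQUIRED_ROLES)}
            for sub, roles in granted.items()}

# Constructed sample shaped like `az role assignment list --all -o json`;
# the IDs and subscription names are placeholders, not real tenant values.
CONNECTOR_SP = "00000000-0000-0000-0000-00000000c0de"
OTHER_SP = "00000000-0000-0000-0000-0000000000ff"
def ra(role, scope, pid=CONNECTOR_SP):
    return {"principalId": pid, "roleDefinitionName": role, "scope": scope}

SAMPLE = [ra(r, "/subscriptions/sub-a") for r in REQUIRED_ROLES] + [
    ra("Owner", "/subscriptions/sub-a", OTHER_SP),           # another identity
    ra("Reader", "/subscriptions/sub-b"),
    ra("Azure Kubernetes Service Cluster Admin Role", "/subscriptions/sub-b"),
    ra("Azure Kubernetes Service RBAC Cluster Admin", "/subscriptions/sub-b"),
    ra("Contributor", "/subscriptions/sub-b"),               # beyond the guide
    ra("User Access Administrator",                           # too narrow a scope
       "/subscriptions/sub-b/resourceGroups/rg1"),
]

if __name__ == "__main__":
    print(audit_assignments(SAMPLE, CONNECTOR_SP, ["sub-a", "sub-b"]))
```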
Granting API permissions
Next, grant the ProcyonConnectorApp the necessary Microsoft Graph API permissions.
- In the Azure portal, go to Azure Active Directory > Enterprise Applications and select the ProcyonConnectorApp.
- In the sidebar, select Permissions, then select App registration.
- Select + Add a permission, then select Microsoft Graph.
- Select Application permissions.
- Search for and add the following Application permissions:
  - Application.ReadWrite.OwnedBy
  - Directory.ReadWrite.All
  - Domain.ReadWrite.All
  - IdentityProvider.ReadWrite.All
  - RoleManagement.ReadWrite.Directory
  - User.ReadWrite.All
- After adding the permissions, they require administrative approval. Select Grant admin consent for <Your Directory>.
- Verify that all permissions have a green checkmark in the Status column.
Adding the Azure account to PingOne Privilege
Finally, use the credentials from the ProcyonConnectorApp to add the account to PingOne Privilege.
- In the PingOne Privilege admin console, go to Cloud > Clouds.
- Click Add Account Wizard.
- Select the Azure icon from the provider list at the bottom of the modal.
- Enter a Name and Description for the account and click Next.
- (Optional) De-select the Allow Procyon to Configure SAML ID or Allow Procyon to delete guest users options. Click Next.
- Enter the Tenant ID, App ID, and App Key that you recorded during Azure setup. Click Next.
- Select Verify & Add Account.
- Confirm your settings are correct in the summary. Click Verify & Add.
All subscriptions and resources associated with the configured service principal are now visible in the PingOne Privilege platform.