Onboarding Azure accounts
Onboarding an Azure subscription allows PingOne Privilege to automatically discover its resources and manage them for just-in-time access. The process involves creating a connector application in Azure, assigning it the necessary permissions, and then adding the account to PingOne Privilege.
Step 1: Create the Connector App in Azure
First, create an Azure App Registration to act as a service principal.
- In the Azure Portal, go to Azure Active Directory > App Registrations and select New registration.
- Name the application (e.g., ProcyonConnectorApp) and click Register.
- From the application’s Overview page, copy and save the Application (client) ID and the Directory (tenant) ID. You will need these later.
- Go to Certificates & secrets and select New client secret.
- Provide a description, set an expiration period, and click Add.
- Immediately copy and save the secret’s Value. This is the App Key you will need later.
The client secret value is only displayed once. If you lose it, you must create a new one.
Step 2: Assign Required Roles
For each Azure subscription you intend to manage, you must assign the ProcyonConnectorApp several roles.
- In the Azure portal, navigate to the target Subscription and select Access control (IAM).
- Select Add > Add role assignment.
- On the Role tab, find and select the role. For privileged roles, you must first select the Privileged administrator roles tab.
- On the Members tab, click + Select members, search for your ProcyonConnectorApp, and select it.
- Click Review + assign to complete the assignment.
- Repeat this process to assign the following roles:
  - Reader
  - User Access Administrator (Privileged role)
  - Azure Kubernetes Service Cluster Admin Role
  - Azure Kubernetes Service RBAC Cluster Admin
Step 3: Grant API Permissions
Next, grant the ProcyonConnectorApp the necessary Microsoft Graph API permissions.
- In the Azure portal, go to Azure Active Directory > App Registrations and select your ProcyonConnectorApp.
- In the sidebar, select API permissions.
- Click + Add a permission, select Microsoft Graph, and then choose Application permissions.
- Search for and add the following permissions:
  - Application.ReadWrite.OwnedBy
  - Directory.Read.All
  - Domain.ReadWrite.All
  - IdentityProvider.ReadWrite.All
  - RoleManagement.ReadWrite.Directory
  - User.ReadWrite.All
- After adding the permissions, click Grant admin consent for <Your Directory>.
- Verify that all permissions have a green checkmark in the Status column.
Step 4: Add the Azure Account to PingOne Privilege
Finally, use the credentials from the ProcyonConnectorApp to add the account to PingOne Privilege.
- In the PingOne Privilege admin console, go to Cloud > Clouds.
- Click Add Account Wizard and select the Azure icon.
- Enter a Name and Description for the account. Click Next.
- (Optional) Adjust the SAML and guest user settings if needed. Click Next.
- Enter the Tenant ID, App ID, and App Key that you recorded earlier. Click Next.
- Verify the details and click Verify & Add Account.
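The connector app ends up holding User Access Administrator and broad Graph permissions, so it is worth auditing after Steps 1 and 2. The following is an added example, not part of this guide or of PingOne Privilege: it checks the app's role assignments against the four roles Step 2 requires and flags client secrets nearing the expiry set in Step 1. It assumes the input is the parsed JSON of `az role assignment list --assignee <app-id> --all -o json` and `az ad app credential list --id <app-id>`; the sample data and subscription ID below are constructed placeholders.

```python
"""Audit the ProcyonConnectorApp: required roles at subscription scope,
roles beyond Step 2, and client secrets that need rotation."""
import re
from datetime import datetime, timedelta, timezone

# The four roles Step 2 assigns (Azure built-in role names).
REQUIRED_ROLES = {"Reader", "User Access Administrator",
                  "Azure Kubernetes Service Cluster Admin Role",
                  "Azure Kubernetes Service RBAC Cluster Admin"}

def audit_role_assignments(assignments, subscription_id):
    """assignments: parsed `az role assignment list --assignee ... --all` output;
    assumed to carry 'roleDefinitionName' and 'scope' per item.
    Returns (missing, extra): required roles absent at subscription scope, and
    roles held at any scope that Step 2 does not call for."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    at_sub = {a["roleDefinitionName"] for a in assignments
              if a["scope"].lower() == sub_scope}
    held = {a["roleDefinitionName"] for a in assignments}
    return sorted(REQUIRED_ROLES - at_sub), sorted(held - REQUIRED_ROLES)

def _parse_end(ts):
    # Azure timestamps end in 'Z' or an offset and may carry 7 fractional
    # digits; normalise to what datetime.fromisoformat accepts.
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts.replace("Z", "+00:00"))
    return datetime.fromisoformat(ts)

def secrets_needing_rotation(credentials, now, within_days=30):
    """credentials: parsed `az ad app credential list` output (assumed fields
    'displayName' and ISO-8601 'endDateTime').
    Returns names of secrets already expired or expiring within within_days."""
    deadline = now + timedelta(days=within_days)
    return [c["displayName"] for c in credentials
            if _parse_end(c["endDateTime"]) <= deadline]

# Constructed sample data in the shape of the two CLI commands above.
SUB = "00000000-0000-0000-0000-000000000001"   # placeholder subscription ID
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": r, "scope": f"/subscriptions/{SUB}"}
    for r in ("Reader", "User Access Administrator",
              "Azure Kubernetes Service Cluster Admin Role")
] + [{"roleDefinitionName": "Owner",
      "scope": f"/subscriptions/{SUB}/resourceGroups/rg-prod"}]
SAMPLE_CREDS = [
    {"displayName": "connector-2024", "endDateTime": "2025-01-15T10:00:00.1234567Z"},
    {"displayName": "connector-2025", "endDateTime": "2026-06-01T00:00:00+00:00"},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run

if __name__ == "__main__":
    print(audit_role_assignments(SAMPLE_ASSIGNMENTS, SUB))
    print(secrets_needing_rotation(SAMPLE_CREDS, NOW))
```

On the sample data the audit reports the missing AKS RBAC Cluster Admin role and the unexpected Owner assignment, and lists the secret that expires within 30 days.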