Azure Autodiscovery
It’s important to have a complete inventory of all your IT assets, including on-prem and cloud-based resources. Device42 can provide insights into your Azure resources and services by using an application service principal in accordance with Microsoft’s security recommendations.
This page will walk through the process of creating an application service principal with limited permissions, enabling a quick and easy inventory of Azure resources using Device42.
Getting Started with Azure
Before you begin discovering in Device42, you will need to prepare your Azure environment. Ensure you've followed the two preparatory steps in your Azure account before you attempt discovery.
Application Preparation
We’ll first log in to Azure via https://portal.azure.com, then navigate to Azure Active Directory > Enterprise Applications > New Application > Create Your Own Application. Name your application and select the Integrate any other application you don’t find in the gallery (Non-gallery) option.
Once your application has been created, navigate back to the top-level directory you created the app in and choose App Registrations. Select your newly created app and make note of the Application (client) ID and the Directory (tenant) ID as these will both be used for Device42 discovery.
Select Certificates & Secrets, then New Client Secret. Give your secret an optional description and an expiration date, then select Add. Make note of the string in the Value column: this will be used as the Client Secret ID for Device42 discovery, and it will not be visible again after you leave the Azure portal.
Role Preparation
Device42 allows you to discover at the Tenant or Subscription level. Tenant-level discovery is best suited for customers with a large number of Azure Subscriptions, whereas if you only have a few Subscriptions, you may find Subscription-level discovery preferable.
Please note that the assignable scope in the policy below assumes you are performing subscription level discovery.
If you are performing tenant level discovery, be sure to change the assignable scope to:
/providers/Microsoft.Management/managementGroups/root-management-group-id-goes-here
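As an added example (not Device42's own role definition or code), the helper below builds a custom role JSON whose assignable scope is set for either discovery level, and checks that every action in it stays read-only before you assign it. The action names listed are illustrative assumptions, not the actions Device42 requires.

```python
import json
import re

# Illustrative read-only actions (an assumption, not Device42's published role);
# the point is the assignable scope and the least-privilege check.
DEFAULT_ACTIONS = [
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
]

_SUB_ID = re.compile(r"^[0-9a-fA-F-]{36}$")  # GUID with dashes


def assignable_scope(level: str, scope_id: str) -> str:
    """Return the assignableScopes entry for subscription- or tenant-level discovery."""
    if level == "subscription":
        if not _SUB_ID.match(scope_id):
            raise ValueError("subscription id must be a GUID")
        return f"/subscriptions/{scope_id}"
    if level == "tenant":
        # Tenant-level discovery is scoped to the root management group.
        return f"/providers/Microsoft.Management/managementGroups/{scope_id}"
    raise ValueError(f"unknown discovery level: {level}")


def build_role_definition(name, level, scope_id, actions=DEFAULT_ACTIONS):
    """Assemble a custom role definition in the shape Azure RBAC expects."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read-only inventory role for Device42 discovery",
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [assignable_scope(level, scope_id)],
    }


def violations(role):
    """Least-privilege check: flag wildcards, non-read actions and data-plane access."""
    bad = [a for a in role["Actions"] if "*" in a or not a.endswith("/read")]
    if role["DataActions"]:
        bad.append("DataActions must be empty for an inventory role")
    return bad


if __name__ == "__main__":
    role = build_role_definition("Device42 Discovery", "tenant", "ROOT-MG-ID-PLACEHOLDER")
    assert not violations(role)
    print(json.dumps(role, indent=2))
```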