Getting started with NubOps

This tutorial covers the four main steps to start using NubOps. These steps are:

  1. Sign up and log in to NubOps
  2. Access the built-in Demo environment in NubOps
  3. Create an App Registration which can be used to authenticate to your Azure tenant
  4. Use the App Registration to retrieve data from your Azure subscription(s)

By following this tutorial you’ll be able to create an App Registration and assign it the necessary permissions while adhering to the information security principle of least privilege.

You can also watch our video on YouTube.

Signing up and logging in

There are two options for signing up. The first option is to use an email address. The second is to sign up using a Microsoft Work account (social account). The social account option uses Microsoft’s native authentication mechanism, the same one used when authenticating to any Microsoft service, such as the Azure portal or Office 365. This means that if you’re already logged in to a Microsoft service you’ll be able to log in to NubOps seamlessly. Just select the Microsoft Work account that you want to log in with from the list that appears once you click on the “Microsoft Work or School Account” button.

Once you’ve signed up using one of the two options, you need to keep logging in with that same option. Otherwise you will sign up again and create a second NubOps account, which creates confusion because that second account won’t have access to your existing NubOps subscription.

[Image: Login]

Accessing the Demo environment

Once you have logged in you won’t see any information at first, since NubOps needs to read data from an Azure tenant. Because of this we’ve created a Demo environment so that it’s possible to try NubOps without using it on your own environment. The Demo environment contains a number of Azure resources, many of which have configuration issues so that you can see how the audit feature works. To have a look at the Demo environment you first need to load its cloud data. Follow these steps to access it:

  1. Log in to NubOps and click on “No project” in the top right corner
  2. Click on “Set current” to enable the NubOps Demo project
  3. Select “Retrieve cloud data”
  4. The Demo environment data should take less than 1 minute to load. Click “Close” once it’s done
  5. Close all the dialog windows and you should now see information in the Overview feature similar to the image below

[Image: Overview]

The Demo environment is accessible to everyone who has signed up, regardless of whether you have paid for a subscription to NubOps or not. The environment also contains resources that have been properly configured according to best practices. This means that it’s possible to look at the diagrams in the Architect feature, without any prior knowledge about Azure, to learn how Azure works and what different types of solutions actually look like.

Providing access to your subscription(s)

To use NubOps with your own environment you need to provide information in NubOps so that it can authenticate to your Azure tenant and read the required data. You need to enter three values in the “Enter credentials” window in NubOps in order to retrieve your cloud data. The values in question are:

  • A "Tenant ID"
  • A "Client ID"
  • A "Client secret"

The App Registration can optionally be assigned permissions to read data from Azure AD itself if you want NubOps to do so. The only requirement, however, is that the App Registration has read access to at least one Azure subscription that you want NubOps to analyse.

The basic steps on how to set up everything are:

  1. Find your “Tenant ID”
  2. Create an App Registration in your Azure AD tenant to get the “Client ID” and “Client Secret” values
  3. Assign API permissions to the App Registration if you want to analyse Azure AD related information
  4. Assign the “Reader” role to the App Registration in Azure IAM for the subscription(s) that you want to analyse
  5. Enter the App Registration information into NubOps and retrieve your cloud data

Step 1. Find your Tenant ID

The first value is the Tenant ID. It is shown in the Azure AD service in the Azure portal.

[Image: TenantId]

Step 2. Creating an App Registration in Azure AD

Follow these steps to create an App Registration in Azure AD and get the “Client ID” and “Client secret” values:

  1. Select “App Registrations” in the Azure AD service and click on “+ New registration”. [Image: AppRegistration]
  2. Enter a name for the App Registration
  3. Make sure the “Accounts in this organizational directory only” option is selected and click on the “Register” button. [Image: NewAppRegistration]
  4. Take note of the “Application (client) ID” value once the app registration is registered. This is the “Client ID” that you must use in NubOps. [Image: AppRegistrationCreated]
  5. Select the “Certificates & secrets” blade
  6. Click on “+ New client secret”, give the secret a name and then add it.
  7. Click on the “Copy to clipboard” icon before you leave the “Certificates & secrets” blade. This is the only opportunity you have to save the actual value of the “Client secret”. Only store this value in a secured location, as it needs at least the same level of protection as your personal passwords. [Image: SecretCreated]
  8. You should now have the three necessary values, i.e. the “Tenant ID”, the “Client ID” and the “Client secret”.

Step 3. Assigning permissions to the App Registration

If you want NubOps to be able to retrieve and analyse information from your Azure AD tenant, you need to assign the necessary API permissions to the App Registration and grant admin consent. These permissions are not needed for most features in NubOps (everything except the Asset Manager feature), so only add them if you want to use the Asset Manager feature or to see directory-related information in the tenant object in the Architect feature.

This API permission is required for viewing directory data in the tenant object in the Architect feature:

  • Organization.Read.All

These API permissions are required for using the Asset Manager feature:

  • Organization.Read.All
  • Application.Read.All
  • User.Read.All

These permissions require “Admin Consent” which can only be done by a privileged user.

Follow these steps to assign an API permission:

  1. Select the App Registration that you created in Azure AD
  2. Select the “API Permissions” blade
  3. Remove the Microsoft Graph “User.Read” permission if present
  4. Click on “+ Add a permission”
  5. Select “Microsoft Graph” from Microsoft APIs
  6. Click on “Application permissions”
  7. Expand the Organization permissions set
  8. Select the “Organization.Read.All” permission checkbox [Image]
  9. Click on the “Add permission” button
  10. Click on “Grant admin consent for…”
  11. Check that the status column shows a green checkmark

Step 4. Assigning a role to the App Registration in Azure IAM

Once the App Registration has been created, it’s necessary to assign it read access to one or more Azure subscriptions. The built-in “Reader” role is sufficient; NubOps does not need any write permissions.

We recommend that you start using NubOps with a sandbox subscription or a subscription that is used for non-production purposes only.

Follow these steps to assign a role:

  1. Log in to the Azure portal
  2. Select “Subscriptions” and choose the subscription that you want to give NubOps access to
  3. Select the “Access control (IAM)” blade [Image]
  4. Click on “Role assignments”
  5. Click on “+ Add” and select “Add role assignments”
  6. Select the “Reader” role and click on “Next”
  7. Click on “+ Select members”
  8. Search for the App Registration that you created previously and click on “Select” [Image]
  9. Click on “Review + assign” and assign the role. You should now see that the role has been assigned [Image]
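
The same setup as Steps 2 to 4 above, done with the Azure CLI instead of the portal. This is an added example and not NubOps’ own tooling: it assumes `az` is installed and that you are already logged in (`az login`) as a user who may create app registrations, grant admin consent and assign roles. The script name, the `GRANT_GRAPH` switch and the `nubops-reader` display name are this example’s own conventions; the Microsoft Graph application ID is the well-known value, and the Organization.Read.All permission ID is looked up at run time rather than hard-coded. The result is exactly what Step 3 and Step 4 describe: Reader on the listed subscriptions and nothing more, with the Graph permission only when you ask for it.

```shell
#!/bin/sh
# Added example (not NubOps' own tooling): least-privilege App Registration for NubOps
# via the Azure CLI. Assumes `az` is installed and `az login` has been run.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID

# True when the argument looks like an Azure GUID (tenant, client or subscription ID).
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# ARM scope string for a subscription-level role assignment.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# ID of a Microsoft Graph *application* permission (app role) looked up by name,
# so no permission GUIDs need to be hard-coded in this script.
graph_app_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

# Create the App Registration, its service principal and a one-year secret, then grant
# Reader (and nothing else) on every subscription ID given. With GRANT_GRAPH=1 the
# optional Organization.Read.All permission from Step 3 is added and admin-consented.
create_nubops_app() {
  app_name="$1"; shift
  for sub in "$@"; do
    is_guid "$sub" || { echo "not a subscription ID: $sub" >&2; return 1; }
  done

  tenant_id=$(az account show --query tenantId -o tsv)              # Step 1: Tenant ID
  app_id=$(az ad app create --display-name "$app_name" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)   # Step 2: Client ID
  az ad sp create --id "$app_id" >/dev/null
  secret=$(az ad app credential reset --id "$app_id" --years 1 \
             --query password -o tsv)                                # Step 2: Client secret

  if [ "${GRANT_GRAPH:-0}" = 1 ]; then                               # Step 3 (optional)
    role_id=$(graph_app_role_id Organization.Read.All)
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
      --api-permissions "${role_id}=Role"
    az ad app permission admin-consent --id "$app_id"
  fi

  for sub in "$@"; do                                                 # Step 4: Reader only
    az role assignment create --assignee "$app_id" --role Reader \
      --scope "$(subscription_scope "$sub")" >/dev/null
  done

  # The three values NubOps asks for. The secret is shown exactly once: store it in a
  # secrets manager, never in shell history, a ticket or a chat message.
  printf 'Tenant ID:     %s\nClient ID:     %s\nClient secret: %s\n' \
    "$tenant_id" "$app_id" "$secret"
}

# Runs only when called with arguments, e.g.:
#   GRANT_GRAPH=1 ./nubops-app.sh nubops-reader <subscription-id> [<subscription-id> ...]
if [ "$#" -gt 0 ]; then
  create_nubops_app "$@"
fi
```

If the role assignment fails right after the service principal was created, the new principal may not have replicated yet; re-running only the `az role assignment create` line a few seconds later is enough. The role is scoped to each subscription individually, so removing NubOps from one subscription later is a single `az role assignment delete` at that scope.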

Step 5. Retrieving cloud data

The last step is to use the App Registration information in NubOps.

Follow these steps:

  1. Click on the current project at the top right in NubOps and select “All projects”
  2. Click on “Create a new project” and give the project a name
  3. Click on “Set current” in the “Action” column for the new project
  4. Click on “Click to retrieve” in the “Cloud data” column
  5. Click on “Retrieve cloud data”
  6. Fill in the Tenant ID, Client ID and Client secret and press “Connect”
  7. If everything is working as it should then you should see the progress and percentage increase
  8. The progress bar should turn green, and also have a green checkmark to the right of it, if everything went well
  9. Click on “Close”, close any additional windows and then you’re ready to start using NubOps

The more subscriptions you want to analyse, and the more resources each subscription contains, the longer it takes to retrieve all data. If it takes too long you can remove the App Registration’s role assignment from one or more subscriptions until the retrieval time is acceptable to you.

If there is any issue with the Tenant ID, Client ID or Client secret you will get an error message. That error message is the one NubOps receives from Azure when it verifies that the information is correct and can be used for authentication.

Additional information regarding App Registrations is available on Microsoft’s website here: Use the portal to create an Azure AD application and service principal that can access resources