1. In Configuration Manager, navigate to Environment > Cloud Accounts and click New.

2. In the New Cloud Account pane, enter a Name and Description to identify this account.

3. Select Azure as the account Type.

4. Open Azure Cloud Shell, or use a local bash shell with the Azure CLI installed.

5. Copy the command from the bottom of the New Cloud Account pane. This command creates an application registration (aka service principal) with the appropriate permissions

   Remove remediation from the command line if you don't want Configuration Manager to have permission to automatically resolve configuration issues.

6. Review the script if desired, and then paste and run it.

   Note:	If the script output includes an error about granting admin consent, you will need to visit the Azure portal after creating the account.

7. In Cloud Shell, select Upload/Download files > Download and download account.json. Save this file in a secure location.

   

8. Click Account File at the bottom of the pane to upload the account.json file and fill out the remaining fields.

9. Click Save to create the new Cloud Account.

10. If you were prompted for admin consent earlier, visit the Azure API permissions page and click Grant admin content for Tripwire, Inc.

    

    Note:

    If you run this script more than once (for example, to create different Cloud Accounts for different Subscriptions in the same tenant), the script will assign the same service account to each Subscription, but it will reset the account password each time it runs. To fix this issue, each time you run the script you need to copy the Client Secrets value for the new Cloud Account and update that value in all existing Azure Cloud Accounts. Alternately, follow manual configuration steps 6 and 7 to add roles for each Subscription before running the script. Then you can use the same account.json file to create each Cloud Account, but manually edit the Subscription ID each time.

First you need to configure an application registration (or service principal) with the appropriate permissions to access your account.

1. Log in to your Azure Portal with an account that has permissions to add application registrations and set roles. Expand the portal menu by clicking the menu icon in the upper left corner if needed.
2. Gather the Tenant ID:
   1. Select the tab for Azure Active Directory.
   2. Select Properties.
   3. Record the Tenant ID value, which will be used for your Azure Cloud Account.
3. Create the Application Registration and gather the Application ID:
   1. Select the tab for Azure Active Directory.
   2. Select App Registrations.
   3. Select New registration and enter a Name like "Tripwire.io". Record the name in case you need to refer to the App Registration name later.
   4. Select Register.
   5. Store the Application (client) ID. If returned to the application list, select your newly created application from the list of All Applications.
   6. Record the Application (client) ID value, which will be used for your Azure Cloud Account.
4. Next set a Password to use for the Application Registration.
   1. Select Certificates & Secrets for your new Application Registration.
   2. Select New client secret.
   3. In the Description section, enter a Description like "Tripwire.io".
   4. Select an Expires duration. The new client secret will be displayed under the Client secrets heading.

   Note:	A new client secret will need to be set for Tripwire.io to function upon secret expiration.

   5. Store the secret from the Value field.
   6. Record the value in the Value field, which will be used for your Azure Cloud Account.
5. Assign permissions to the Application Registration:
   1. Return to the application registration panel (Azure Active Directory > App Registrations).
   2. Select your new Application Registration.
   3. Select API permissions.
   4. Select Add a permission and then Microsoft Graph.
   5. Select Application permissions.
   6. Check Directory.Read.All and Policy.Read.All under the Directory category.
   7. Select Add permissions to save.
   8. Wait 10 seconds before selecting Grant admin consent for Default Directory and Yes to grant permissions.
6. Assign Application Registration Roles on Subscriptions:
   1. Within the Azure Home Portal, select Subscriptions.
   2. Record the Subscription ID of the Subscription you want to monitor. This will be used in the Subscription field of your Azure Cloud Account.
   3. Select the Subscription you want to monitor.
   4. Select Access Control (IAM).
   5. Select Add and then Add role assignment.
   6. From the Role drop-down, select Reader.
   7. In the Select field, select the Registered Application created earlier. You may need to begin entering the Registered Application name in order to select it.
   8. Select Save.
7. (Optional) To enable Configuration Manager to remediate configuration issues, you must assign the Network Contributor, Contributor, and Storage Account Key Operator Service Role roles:
   1. Select Add and then Add role assignment.
   2. From the Role drop-down, select Network Contributor.
   3. In the Select field, select your new app.
   4. Select Save.

Repeat these steps to add the Contributor and Storage Account Key Operator Service Role roles.

8. Repeat steps 6 and 7 for each Subscription you want Configuration Manager to monitor.

Now create the Cloud Account in Configuration Manager:

1. In Configuration Manager, navigate to Environment > Cloud Accounts and click New.

2. In the New Cloud Account pane, enter a Name and Description to identify this account.

3. Select Azure as the account Type.

4. Fill in the other fields using the information you collected.

5. Click Save to create the new Cloud Account.