Setting Up Azure in Turbot

Overview

To integrate your Azure tenant and subscriptions, you will need to create several resources in Azure and then set various policies in Turbot to provide Turbot the proper access. Turbot uses an application to manage your tenant, subscriptions, resource groups, and resources within these groups.

Application Configuration

Before integrating your Azure tenant and subscriptions, you will need to create an application in your tenant. This application requires access to the tenant and to each subscription as the Owner role to allow Turbot to manage various configurations and resources.

Creating the Application

Navigate to the Azure Active Directory service, choose App registrations, and then choose New application registration.

Turbot recommends including “Turbot” and the environment (if applicable) in the application name to help distinguish this application from others, e.g., “Turbot Dev Application”.

Application Key

After creating this application, you will need to generate a key, which can be generated by selecting the newly created application, choosing Settings and then Keys, and then creating a new item under Passwords.

This key will be set later as the client key.

Application Active Directory Permissions

The application will require the following Active Directory permissions, which can be granted in Required permissions:

  • Windows Azure Active Directory
    • Application Permissions
      • Read and write domains
      • Read and write directory data
      • Read and write devices
  • Microsoft Graph
    • Application Permissions
      • Read and write all groups
      • Read and write directory data
      • Read and write all users’ full profiles

Note: After granting the permissions above, please remember to click Grant permissions for each API to apply the permissions.

Application Subscription Permissions

In each subscription that Turbot will manage, grant the application the Owner role. You can set this by going to the specific subscription and then choosing Access control (IAM). You must grant the Owner role to the application you created above for each subscription inside the Azure tenant that you plan to import.

Adding an Azure Tenant to Turbot

The following policies should be set at the cluster level or higher:

  • Azure > Tenant ID: Active Directory ID, e.g., 0fag7fbb-c46f-4204-9b13-a1260e9f48f8. This ID can be found by navigating to Azure Active Directory > Properties (under Manage) and then looking for Directory ID.
  • Azure > Client ID: Application ID (not the service principal object ID) that has been delegated access to the tenant, e.g., 6b3sc4b2-b6f6-cf42-0905-69c924jf8e38.
  • Azure > Client Key: Secret key generated in the application that has been delegated access to the tenant.

If these policies are set at the cluster level, then the tenant entry will be added under that cluster; however, if they are set at the Turbot level, then the tenant entry will be added under the Turbot level and all clusters will use these tenant settings through inheritance.

Adding an Azure Subscription to a Turbot Account

Once the cluster level policies are set, you can add an Azure subscription to a Turbot account by setting the following policy at the account level:

  • Azure > Subscription ID: Set to the Azure subscription ID.

An Azure subscription can be added to any Turbot account, even if that account already has an AWS account linked to it.

If you want Turbot only to perform checks and never make changes to your subscription, set Turbot > Environment > Maintenance Window to No changes before adding the Azure subscription to the account. When creating a new blank Turbot account, selecting Check Mode sets this policy to No changes automatically.

Enabling User Rights Management

To enable Turbot’s user rights management, the following policies should be set at the Azure subscription level or higher:

  • Azure > IAM > Enabled to “Enabled”.
  • Azure > IAM > Directory User Rights Management to “Enforce: Azure/* Rights”.

When Azure > IAM > Directory User Rights Management is set to Enforce, custom IAM roles will be created in the subscription and users will be associated to these custom roles according to their Rights in Turbot.

Adding an Azure Account via the Turbot API

First, create a Turbot account via the Turbot API:

POST to https://{turbotURL}/api/v3/accounts

with the payload:

{
  "clusterId": "test",
  "id": "abz",
  "title": "Turbot only test account",
  "type": "blank"
}

where the clusterId would be the cluster you want the account to live in, id is the Turbot ID for the account, and title is what is displayed in the UI as the account name. The second step would be to create the policy Azure > Subscription ID at the new account level with the following request:

POST to https://{turbotURL}/api/v3/resources/{newAccountUrn}/policies/Azure:SubscriptionID?exception=true

with the payload:

{
  "requirement":"MUST",
  "notes":"",
  "expirationTimestamp":"",
  "value":"{azureSubscriptionID}"
}

Setting the policies at the cluster level is similar. The three policies to set are Azure > Tenant ID, Azure > Client ID, and Azure > Client Key. Setting them at the cluster level streamlines subscription import within the cluster: you will not have to set these three policies again as long as all subscription IDs belong to the same tenant ID.

For reference, the other three URLs are:

POST to https://{turbotURL}/api/v3/resources/{clusterURN}/policies/Azure:TenantID?exception=true
POST to https://{turbotURL}/api/v3/resources/{clusterURN}/policies/Azure:ClientID?exception=true
POST to https://{turbotURL}/api/v3/resources/{clusterURN}/policies/Azure:ClientKey?exception=true
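The full API procedure above (cluster-level tenant policies, then the blank account, then Azure > Subscription ID on that account), as an added script that is not Turbot's own code. It follows the endpoints and payloads shown on this page; the source of the new account's URN, the HTTP basic auth scheme for the Turbot API, and the GUID shape check are assumptions.

```python
"""Added example, not Turbot's own code: script the Azure import described
above against the Turbot v3 API. Endpoints and payloads follow this page; the
account URN source and the HTTP basic auth scheme are assumptions."""
import base64, json, re, urllib.request

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def require_guid(label, value):
    """Tenant, client (Application, not object) and subscription IDs are GUIDs;
    a shape check before sending catches pasted or truncated values."""
    if not GUID.match(value):
        raise ValueError(f"{label} is not a GUID: {value!r}")
    return value.lower()

def account_request(cluster_id, account_id, title):
    """Step one: a blank Turbot account in the given cluster."""
    return "/api/v3/accounts", {"clusterId": cluster_id, "id": account_id,
                                "title": title, "type": "blank"}

def policy_request(resource_urn, policy, value):
    """MUST policy set as an exception, as this page does for Azure policies."""
    path = f"/api/v3/resources/{resource_urn}/policies/{policy}?exception=true"
    return path, {"requirement": "MUST", "notes": "",
                  "expirationTimestamp": "", "value": value}

def plan_import(cluster_id, cluster_urn, account_id, title, account_urn,
                tenant_id, client_id, client_key, subscription_id):
    """Ordered (path, payload) list: tenant settings once at the cluster, then
    the account, then Azure > Subscription ID on it. account_urn is assumed to
    be read from the create-account response; client_key should come from an
    environment variable or vault, never from source."""
    return [
        policy_request(cluster_urn, "Azure:TenantID", require_guid("tenant ID", tenant_id)),
        policy_request(cluster_urn, "Azure:ClientID", require_guid("client ID", client_id)),
        policy_request(cluster_urn, "Azure:ClientKey", client_key),
        account_request(cluster_id, account_id, title),
        policy_request(account_urn, "Azure:SubscriptionID",
                       require_guid("subscription ID", subscription_id)),
    ]

def post(base_url, path, payload, access_key, secret_key):
    """Send one planned request (HTTP basic auth assumed). urlopen raises
    HTTPError on 4xx/5xx, so a loop over plan_import() stops at the first failure."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()
    req = urllib.request.Request(
        base_url + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run the planned requests in order with post(); because the account's URN is only known after step four, send the account request first, read the URN from its response, and then build the Azure:SubscriptionID request.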