Update Azure Credential - Manually Using Windows PowerShell

As ParkMyCloud and Microsoft Azure add new features, you may occasionally be required to update the permissions that ParkMyCloud needs to access your cloud resources. This page tells you how to update the Azure permissions for an existing ParkMyCloud account. These instructions assume you have already completed the original creation of your Azure Cloud Credential. If not, please refer to the page: Create Azure Credential - Manually Using Windows PowerShell

1. Identify the Cloud Credential to be updated

Log in to the ParkMyCloud Console and open the Edit Credential screen for the Azure Credential that needs to be updated.

We will be using the Subscription ID, Tenant ID, and App ID from this page in a later step.

2. Install Azure Components in Windows PowerShell

If you do not already have the PowerShell components for Azure installed, please install them using the instructions on this page: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps

If, after running Step 3 of those instructions ("Import-Module AzureRM"), you get an error saying the command "cannot be loaded because running scripts is disabled on this system", you will need to enable scripts for the current user. Execute the command:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

To set this in a more permanent fashion, follow the instructions from here: https://support.microsoft.com/en-us/help/2411920/you-can-t-run-scripts-in-azure-active-directory-module-for-windows-pow 

3. Log in to Azure

Log in to the Azure account associated with the Cloud Credential shown in Step 1. Execute the following command:

Login-AzureRmAccount

This command pops up a graphical login screen. Log in using your Azure credentials.

4. Find the Service Principal Object ID for the Application

If you recorded the Service Principal Object ID for the ParkMyCloud application when you originally created it, you may skip this step.

Otherwise, please follow the instructions below:

  1. Log in to the Azure management console.
  2. Navigate to Azure Active Directory → Enterprise applications → All applications.
  3. In the search box of the screen that appears on the right, enter the Application ID from the Edit Credential screen in Step 1. In the example above, this was 39c898da-8582-4487-a0b1-7c730fe7e791.
  4. Select the application that appears in the list.
  5. On the screen that comes up, select Properties.
  6. On the right side of the screen, copy the text labeled Object ID. This is the essential item we need for the next step. We recommend you record this value in case you need to update the Azure Custom Role at a later time.

5. Create a Custom Role with Limited Permissions

Reference: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles 

Get the latest Example Policy from the ParkMyCloud Console Edit Credential page or download it from https://s3.amazonaws.com/parkmycloud-public/PMCAzureRecommendedPolicy.json, and paste it into a new text file named something like PMCAzureRecommendedPolicy.json.

Important: Edit the file, and under the Assignable Scopes section, enter the Subscription ID (from Step 1).

{
    "Name": "ParkMyCloud Limited Access 2020-08-17",
    "Description": "ParkMyCloud limited access policy as of 2020-08-17",
    "IsCustom": "true",
    "Actions": [
        "Microsoft.Capacity/reservationOrders/*/read",
        "Microsoft.Commerce/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/start/action",
        "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
        "Microsoft.Consumption/*/read",
        "Microsoft.ContainerService/managedClusters/agentPools/read",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Insights/*/read",
        "Microsoft.Insights/AutoscaleSettings/Write",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Resources/subscriptions/*/read",
        "Microsoft.Sql/managedInstances/*/read",
        "Microsoft.Sql/managedInstances/write",
        "Microsoft.Sql/servers/databases/*/read",
        "Microsoft.Sql/servers/databases/pause/action",
        "Microsoft.Sql/servers/databases/resume/action",
        "Microsoft.Sql/servers/databases/write",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/elasticPools/*/read",
        "Microsoft.Sql/servers/elasticPools/write"  
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/<Your_subscription_ID_here>"
    ]
}

Then execute the following command:

New-AzureRmRoleDefinition -InputFile PMCAzureRecommendedPolicy.json

This should result in output like the following:

Name             : ParkMyCloud Limited Access as of 2020-04-17
Id               : 6fda2b5e-088c-403e-8b2f-beec17ab9f94
IsCustom         : True
Description      : ParkMyCloud limited access as of 2020-04-17
Actions          : {Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/*/read,
                   Microsoft.Compute/virtualMachines/start/action,
                   Microsoft.Compute/virtualMachines/deallocate/action...}
NotActions       : {}
AssignableScopes : {/subscriptions/7eb65902-61fe-4b18-9641-0b7825f66aaa}

Make note of the Id field above, which is the Role Definition ID.

Note: If you get an error that says something like:

      A role definition cannot be updated with a name that already exists.

Then you probably have multiple subscriptions associated with ParkMyCloud, and you will need to tailor the "Name" item on the second line of the policy sample above.  For example: "Name": "ParkMyCloud Limited Access-PMC-1"

6. Assign the Custom Role to the Service Principal

The final step will be to map this custom policy you have just created to the service principal:

New-AzureRmRoleAssignment -Scope /subscriptions/<Subscription ID> -ObjectId <My Service Principal Object Id> -RoleDefinitionId <My Role Definition Id>

Where: 

  • Scope is Subscription ID from Step 1
  • Service Principal Object Id is from Step 4
  • Role Definition Id is from Step 5

This should result in output like the following:

RoleAssignmentId   : /subscriptions/7eb65902-61fe-4b18-9641-0b7825f66aaa/providers/Microsoft.Authorization/roleAssignments/7e76e563-ee34-4a06-a994-01855a301141
Scope              : /subscriptions/7eb65902-61fe-4b18-9641-0b7825f66aaa
DisplayName        : ParkMyCloudAzureApp
SignInName         :
RoleDefinitionName : ParkMyCloud Limited Access
RoleDefinitionId   : 6fda2b5e-088c-403e-8b2f-beec17ab9f94
ObjectId           : 118e4955-a4ee-48fd-9acd-60181b09e796
ObjectType         : ServicePrincipal
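
Steps 4 through 6 as a single PowerShell script, added here as an example and not part of the original page: it resolves the service principal Object ID from the App ID, updates the existing custom role in place with Set-AzureRmRoleDefinition (an alternative to renaming the role when the name already exists), creates the role assignment only if it is missing, and then lists every role the service principal holds so you can confirm it has nothing broader than the ParkMyCloud custom role. It assumes AzureRM is installed and you are already logged in (Step 3); the subscription ID, App ID and file name are placeholders.

```powershell
# Added example (not the ParkMyCloud page's own script). Placeholders below
# must be replaced with the values from Step 1 and Step 5.
$subscriptionId = "<Your_subscription_ID_here>"        # Step 1
$appId          = "<Your_App_ID_here>"                 # Step 1 (App ID)
$policyFile     = "PMCAzureRecommendedPolicy.json"     # Step 5
$scope          = "/subscriptions/$subscriptionId"

# Step 4 equivalent: resolve the service principal Object ID from the App ID
# instead of copying it out of the portal.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for App ID $appId" }

# Load the downloaded policy and pin its AssignableScopes to this subscription.
$policy = Get-Content $policyFile -Raw | ConvertFrom-Json
$policy.AssignableScopes = @($scope)

# Step 5: if a role with this name already exists, update it in place instead
# of hitting "A role definition cannot be updated with a name that already
# exists"; otherwise create it from the file as the page does.
$existing = Get-AzureRmRoleDefinition -Name $policy.Name
if ($existing) {
    # Show exactly which permissions the update adds and removes before applying.
    $added   = $policy.Actions   | Where-Object { $_ -notin $existing.Actions }
    $removed = $existing.Actions | Where-Object { $_ -notin $policy.Actions }
    Write-Host "Actions added:   $($added -join ', ')"
    Write-Host "Actions removed: $($removed -join ', ')"
    $existing.Actions.Clear()
    $policy.Actions | ForEach-Object { $existing.Actions.Add($_) }
    $role = Set-AzureRmRoleDefinition -Role $existing
} else {
    $policy | ConvertTo-Json -Depth 5 | Set-Content $policyFile
    $role = New-AzureRmRoleDefinition -InputFile $policyFile
}

# Step 6: create the assignment only if it does not already exist.
$assigned = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }
if (-not $assigned) {
    New-AzureRmRoleAssignment -Scope $scope -ObjectId $sp.Id -RoleDefinitionId $role.Id
}

# Least-privilege check: every role this service principal holds at the
# subscription scope. Anything besides the ParkMyCloud custom role (for
# example Contributor) grants more than ParkMyCloud needs and should be reviewed.
Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```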

Once these steps are complete, it may take up to 24 hours for the changes to be reflected in the ParkMyCloud Console.