Connecting to Microsoft Azure

The EmpowerID Azure connector allows organizations to bring the instances in their Azure subscription into EmpowerID, where they are managed as computer objects, giving authorized users the ability to start, stop and delete Azure instances from EmpowerID. Connecting EmpowerID to Azure in this way involves the following procedures:

  • Creating a service management certificate for Azure

  • Uploading the service management certificate to Azure

  • Adding your Azure Certificate to the Personal Certificate Store on an EmpowerID Web server

  • Exporting the Azure Certificate from the Personal Certificate Store to your EmpowerID Web server in Base-64 encoded format

  • Adding the Azure certificate to the EmpowerID certificate store

  • Creating an EmpowerID Person as a service account for the Azure connection

  • Mapping the Azure certificate to the EmpowerID Person you create

  • Creating the Azure connection in EmpowerID

To connect EmpowerID to Azure, you need an Azure subscription with a management certificate, and you must provide EmpowerID with the following information:

  • Your Azure Subscription ID

  • The user name and password of an Azure administrator. EmpowerID securely stores these credentials in the EmpowerID Identity Warehouse.

  • The public portion of the management certificate (the .cer file, without the private key) in Base-64 encoded format. EmpowerID uses this certificate to access the Azure API on your behalf. The certificate will be mapped to a generic EmpowerID Person.

Create a service management certificate for Azure

For instructions on creating the management certificate for Azure, see Microsoft's article at https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create.

Upload the service management certificate to Azure

For instructions on uploading the management certificate for Azure, see Microsoft's article at https://docs.microsoft.com/en-us/azure/azure-api-management-certs.

Add your Azure certificate to the Personal certificate store

  1. On your EmpowerID Web server, open MMC.

  2. From MMC, add the Certificates snap-in for the local computer if needed.

  3. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.

  4. In the Certificate Import Wizard that appears, click Next.

  5. Click Browse and locate your certificate.

  6. In the Open window that appears, select your certificate and click Open.

  7. Continue through the Certificate Import Wizard until completed.

Next, export the certificate to a location on your server in Base-64 encoded format, as demonstrated below. You will need the exported certificate when creating the Azure connection in EmpowerID.

Export the Azure Certificate using Base-64 Encoding

  1. From the Personal store, right-click the Azure certificate you just imported and select All Tasks > Export from the context menu.

  2. In the Certificate Export Wizard that appears, click Next.

  3. Select No, do not export the private key and click Next. The private key stays on the EmpowerID Web server; only the public certificate is exported.

  4. Select Base-64 encoded X.509 (.CER) and click Next.

  5. Select an export location, give the exported certificate a descriptive name, and click Next.

  6. Click Finish to complete the export.

  7. Open the exported certificate in a text editor and remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), so that only the Base-64 body remains. This body is the value you paste into the Certificate field when creating the Azure account store.

  8. Save your changes.
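The same import and export steps, done from an elevated PowerShell session on the EmpowerID Web server, with two checks a practitioner wants before moving on: that the private key is actually present in the Personal store, and that the header-less Base-64 body round-trips to the same certificate (same thumbprint) as the one in the store. This is an added example, not EmpowerID's or Microsoft's own code; the file paths, the use of a .pfx as the import source, and the output file names are assumptions.

```powershell
# Added example (not EmpowerID's or Microsoft's code). Run from an elevated
# PowerShell session on the EmpowerID Web server.
# Assumptions (hypothetical paths): the management certificate with its private
# key is at C:\certs\azure-mgmt.pfx; the Base-64 .cer and the header-less body
# are written to C:\certs\azure-mgmt.cer and C:\certs\azure-mgmt.b64.
$PfxPath = 'C:\certs\azure-mgmt.pfx'
$CerPath = 'C:\certs\azure-mgmt.cer'
$B64Path = 'C:\certs\azure-mgmt.b64'

# 1. Import into the local computer's Personal store (Cert:\LocalMachine\My).
#    The PFX password is prompted for rather than embedded in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $pfxPassword

# 2. Export the public certificate only, as Base-64 encoded X.509 (.CER).
#    $cert.RawData is the DER encoding; wrapping its Base-64 form in the PEM
#    header/footer gives the same content MMC's Base-64 export produces
#    (line breaks every 76 characters here instead of MMC's 64; both are valid).
$wrapped = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
$pem = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----"
Set-Content -Path $CerPath -Value $pem -Encoding Ascii

# 3. Write the header-less Base-64 body (the value for the Certificate field).
#    Encoding RawData directly avoids hand-editing the .cer file.
$body = [Convert]::ToBase64String($cert.RawData)
Set-Content -Path $B64Path -Value $body -Encoding Ascii -NoNewline

# 4. Check: the private key must be in the Personal store on this server;
#    the exported .cer/.b64 deliberately do not carry it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in Cert:\LocalMachine\My."
}

# 5. Check: the Base-64 body decodes to the same certificate as the store copy.
$roundTrip = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String((Get-Content -Path $B64Path -Raw).Trim()))
if ($roundTrip.Thumbprint -ne $cert.Thumbprint) {
    throw "Base-64 body in $B64Path does not match the certificate in the store."
}

# Compare the thumbprint with the management certificate shown in Azure.
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Expires:    $($cert.NotAfter)"
```

Run it once per EmpowerID Web server that will hold the Azure connection; the .b64 file is what you paste into the Certificate field of the account store, and the thumbprint printed at the end should match the certificate you uploaded to the Azure subscription.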

Add the Azure certificate to the EmpowerID certificate store

  1. Open the EmpowerID Certificate Manager utility. In a default installation of EmpowerID, the executable is located at C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe

  2. From the Import tab of the EmpowerID Certificate Manager, select Upload from Certificate File.

  3. Browse for and select the Azure certificate (.cer file type) for your environment.

  4. Click Import.

  5. Click OK to close the success message box that appears.

  6. Close the EmpowerID Certificate Manager.

Create an EmpowerID Person account for the Azure connection

  1. Log in to the EmpowerID Web application as an administrator.

  2. On the navbar, expand Identity Administration and click People.

  3. On the Find Person page that appears, click the Create Person Simple Mode action link.

  4. Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as an identity for the Azure connection, you should name it accordingly. In our example, we are naming the Person "Azure Proxy."

  5. Underneath Primary Business Role and Location, click Select a Role and Location.

  6. In the Business Role pane of the Business Role and Location selector that appears, type Temporary Role, press ENTER and then click Temporary Role to select it.

  7. Click the Location tab to open the Location pane, then type Temporary Location, press ENTER and click Temporary Location to select it.

  8. Click Select to assign the Business Role and Location to the Person account and close the Business Role and Location selector.

  9. Click Save to create the EmpowerID Person.

Next, map the Azure certificate to the Person you just created.

Create the Azure account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

  3. Under System Types, search for Azure Subscription.

  4. Click the record for Microsoft Azure Subscription to select it and then click Submit.

  5. In the Azure Settings page that appears, fill in the following information:

    • Name — Name for the connector

    • SubscriptionID — Your Azure Subscription ID

    • Client User ID — The user ID of an Azure administrator. This account is the proxy account that EmpowerID uses to inventory the Azure instances.

    • Password — Password for the above Azure administrator

    • Certificate — The Base-64 encoded body of your Azure certificate (the contents of the exported .cer file with the BEGIN CERTIFICATE and END CERTIFICATE lines removed)

  6. Click Save.

  7. EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.


Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

To configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

    This opens the edit page for the Azure account store. This page allows you to specify the proxy account used to connect EmpowerID to your Azure subscription, as well as how you want EmpowerID to handle the information it discovers in Azure during inventory. The settings that can be edited are described in the table below.



  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the accounts inventoried from Azure to EmpowerID Persons, as demonstrated below.