Change Azure permissions from read to read and write

Learn how to change your Azure permissions without re-onboarding your tenant or subscription.

Note

Use Case: You onboarded an Azure tenant or subscription with read-only permissions. You have now decided that you want Illumio Segmentation for the Cloud to have both read and write permissions so that it can apply policies to your tenant or subscription.

Prerequisites

You will need the following information before proceeding:

  • clientId: The application (client) ID of the Azure service principal that onboarding created. To find and copy it, open Illumio Segmentation for the Cloud and browse to Cloud > Onboarding > <the onboarding that you want to upgrade from read to read and write>.

  • Tenant ID: Copy this from Azure whether you are onboarding a subscription or a tenant. In Azure the tenant root management group has the same ID as the tenant itself, so this value also serves as the parent management group ID.

  • Subscription ID: Copy this from Azure if you are onboarding a subscription.

  • Service Account Key: Copy this from the wizard in the steps that follow.

  • Service Account Secret (token): Copy this from the wizard in the steps that follow. The secret is a credential for your Illumio tenant; treat it like any other secret and do not leave it in scripts or shell history.

Change to read and write - default method

Use this method if you have permissions to run the PowerShell script used to onboard Azure tenants and subscriptions.

  1. Use the Azure tenant and/or subscription ID you copied to proceed through the Illumio Segmentation for the Cloud default Azure onboarding until you get to the wizard step that presents you with the onboarding PowerShell script. See Onboarding Azure.

  2. If you do not have your original service account secret (token) readily available, create a new service account to get a secret. Enter the secret (token) to display the PowerShell script in the wizard.

  3. Copy and save the PowerShell script so that you can modify it. Do not save the new integration (in other words, do not proceed further through the onboarding wizard).

  4. Modify the PowerShell script by adding the following two parameters to the illumio-init.ps1 invocation:

    • -clientId <client-id> (the clientId you copied as described in Prerequisites; it identifies the existing Azure application, that is the service principal, created during the original onboarding)

    • -nsg (this flag adds the read and write permission, namely write access to Azure network security groups)

    The PowerShell script to change a tenant to read and write should look something like this:

     Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -tid <azure-tenant-id> -serviceAccountKey <illumio-service-account-key> -serviceAccountToken <illumio-service-account-secret> -csTenantId <cloudsecure-tenant-id> -url https://cloud.illum.io -nsg -clientId <client-id>

    The PowerShell script to change a subscription to read and write should look something like this:

     Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -sid <subscription-id> -serviceAccountKey <illumio-service-account-key> -serviceAccountToken <illumio-service-account-secret> -csTenantId <cloudsecure-tenant-id> -url https://cloud.illum.io -nsg -clientId <client-id>

  5. Save your changes to the PowerShell script and run it from a PowerShell session in the Azure portal. The command downloads illumio-init.ps1 and runs it with your Azure privileges, so review the downloaded file before you let it run.

  6. Create a support ticket for Illumio to enable the read and write mode from the Illumio Segmentation for the Cloud end.
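The following wrapper is an added example, not the wizard-generated command and not Illumio's illumio-init.ps1. It calls illumio-init.ps1 with exactly the parameters the page's one-liner uses (-tid or -sid, -serviceAccountKey, -serviceAccountToken, -csTenantId, -url, -nsg, -clientId), but it separates the download from the run so you can review the script and record its SHA-256 hash, and it reads the service account secret from a secure prompt instead of the command line, where a one-liner would leave it in PSReadLine's history file. All <...> values are placeholders you replace with the values from Prerequisites; the parameter names of the wrapper itself ($Scope, $TenantId and so on) are this example's own.

```powershell
# Added example: a reviewable wrapper around Illumio's illumio-init.ps1 (not Illumio's own code).
# Parameter names passed to illumio-init.ps1 are the ones shown in the onboarding wizard;
# everything else (the wrapper's own parameters, the review prompt) is this example's.
[CmdletBinding()]
param(
    [ValidateSet('tenant', 'subscription')]
    [string]$Scope             = 'subscription',                   # which kind of onboarding you did
    [string]$TenantId          = '<azure-tenant-id>',              # used when $Scope is 'tenant'
    [string]$SubscriptionId    = '<subscription-id>',              # used when $Scope is 'subscription'
    [string]$ClientId          = '<client-id>',                    # from Cloud > Onboarding (Prerequisites)
    [string]$ServiceAccountKey = '<illumio-service-account-key>',
    [string]$CsTenantId        = '<cloudsecure-tenant-id>',
    [string]$IllumioUrl        = 'https://cloud.illum.io'
)

$scriptUri  = 'https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1'
$scriptPath = Join-Path $PWD.Path 'illumio-init.ps1'

# 1. Download once and keep the file. It is remote code that will run with your Azure
#    privileges, so read it (Get-Content $scriptPath) before continuing, and keep the hash
#    with your change record so the run can be audited later.
Invoke-WebRequest -Uri $scriptUri -OutFile $scriptPath
$hash = (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash
Write-Host "Downloaded $scriptPath  SHA256=$hash"
if ((Read-Host -Prompt 'Reviewed the script? Type yes to run it') -ne 'yes') { return }

# 2. Read the service account secret without echoing it or writing it to command history.
$secureToken = Read-Host -Prompt 'Illumio service account secret (token)' -AsSecureString
$plainToken  = [System.Net.NetworkCredential]::new('', $secureToken).Password

# 3. Build the same argument set as the wizard's one-liner, plus -nsg and -clientId.
$initArgs = @{
    serviceAccountKey   = $ServiceAccountKey
    serviceAccountToken = $plainToken
    csTenantId          = $CsTenantId
    url                 = $IllumioUrl
    nsg                 = $true       # switch: request read and write (NSG write) permission
    clientId            = $ClientId   # existing service principal from the original onboarding
}
if ($Scope -eq 'tenant') { $initArgs['tid'] = $TenantId } else { $initArgs['sid'] = $SubscriptionId }

try {
    & $scriptPath @initArgs           # splatting passes the hashtable as -name value pairs
}
finally {
    # 4. Drop the plaintext secret from the session as soon as the script returns.
    Remove-Variable -Name plainToken, secureToken -ErrorAction SilentlyContinue
}
```

Save the wrapper as a .ps1 file and run it from the same PowerShell session you would otherwise paste the wizard's one-liner into; the only behavioural differences from that one-liner are the review prompt and the prompted secret.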

Change to read and write - guided method

Use this method if you don't have permissions to run the PowerShell script used to onboard Azure tenants and subscriptions.

  1. Manually enable the read and write permissions for the Azure Active Directory (now Microsoft Entra ID) service principal created during onboarding. See Permissions for Onboarding Azure and Update Service Principals for Onboarded Azure Subscriptions and Tenants. Use the clientId you copied in the Prerequisites section to search for the Azure application you need to update.

  2. Create a support ticket for Illumio to enable the read and write mode from the Illumio end.
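Whichever method you use, you will want to confirm what the service principal can actually do before opening the support ticket. The following check is an added example, not Illumio's code: it looks up the service principal by the clientId from Prerequisites, lists the role assignments that apply at the onboarded scope, and flags any role whose Actions (minus NotActions) cover writing network security groups and their rules. It assumes the Az PowerShell module is installed and you are signed in with Connect-AzAccount as someone who can read role assignments at that scope; <client-id> and <subscription-id> are placeholders, and the function name Test-RoleCoversAction is this example's own.

```powershell
# Added example (not Illumio's code): verify the onboarding service principal's NSG write rights.
param(
    [string]$ClientId = '<client-id>',                      # application (client) ID from Cloud > Onboarding
    [string]$Scope    = '/subscriptions/<subscription-id>'  # for a tenant onboarding use the root management group:
                                                            # '/providers/Microsoft.Management/managementGroups/<azure-tenant-id>'
)

# The write operations that read and write mode needs. Azure role actions are patterns with '*'
# wildcards, which PowerShell's case-insensitive -like operator evaluates the same way.
$requiredActions = @(
    'Microsoft.Network/networkSecurityGroups/write',
    'Microsoft.Network/networkSecurityGroups/securityRules/write'
)

function Test-RoleCoversAction {
    # True when the role's Actions match $Action and no NotActions entry takes it away again.
    param($Role, [string]$Action)
    $allowed = @($Role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($Role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

$sp = Get-AzADServicePrincipal -ApplicationId $ClientId
if (-not $sp) {
    throw "No service principal with application ID $ClientId in this tenant; re-check the clientId copied from the onboarding."
}
Write-Host "Service principal: $($sp.DisplayName) (object ID $($sp.Id))"

$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope)
if ($assignments.Count -eq 0) {
    Write-Warning "No role assignments for $($sp.DisplayName) apply at $Scope"
    return
}

$report = foreach ($a in $assignments) {
    $role    = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    $covered = @($requiredActions | Where-Object { Test-RoleCoversAction -Role $role -Action $_ })
    [pscustomobject]@{
        Role        = $role.Name
        Scope       = $a.Scope
        CanWriteNsg = ($covered.Count -eq $requiredActions.Count)
    }
}
$report | Format-Table -AutoSize

if ($report.CanWriteNsg -contains $true) {
    Write-Host 'At least one assigned role can write NSGs and their rules; the Azure side of read and write mode is in place.'
} else {
    Write-Warning 'Only read access: no assigned role can write NSGs. Update the service principal roles, then run this check again.'
}
```

Run it once before the change to see the read-only baseline and once after, and attach the second run's output to the support ticket so Illumio can see that the Azure side is ready before they enable read and write mode.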