Get account information from Azure's portal

  • Log in to your Azure account
  • Search "Azure Active Directory" from the top search text box and select it
  • Copy the tenant id and keep it in a safe place. We will need it while adding information on InfraGuard
  • On the side menu of the same page click on "App registrations" and select "New registration"
  • Enter the name as Infraguard app
  • Make sure "Single Tenent" is selected in Supported Account types
  • In Redirect URI select "Web" from the list and enter https://app.infraguard.io in the text box next to it
  • Click on Register
  • Now your application is registered. Copy the "Application (Client) ID" and keep it in a safe place
  • Go to "Certificates and Secrets" from the left menu and click on the "New Client Secret" button
  • Enter description as Infraguard key and select "24 months" in the "EXPIRES" option radio button
  • Click on Add
  • This will generate a new client secret key. Copy the value column item and keep it in a safe place with the name Client Secret
  • Now search "Subscription" on the top search text box and go to your current subscription and copy the subscription id and put it in a safe place
  • Select "Access control(IAM)" from the menu of your subscription and click on "+Add" and select custom role
  • Enter your custom role name as "InfraGuard-role"
  • Select JSON click on edit and insert the following:  
{
    "properties": {
        "roleName": "InfraGuard-role",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<INSERT YOUR SUBSCRIPTION ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/read",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Compute/virtualMachines/runCommands/write",
                    "Microsoft.Compute/virtualMachines/runCommands/read",
                    "Microsoft.Compute/virtualMachines/runCommand/action",
                    "Microsoft.Compute/virtualMachines/assessPatches/action",
                    "Microsoft.Compute/virtualMachines/installPatches/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Replace <INSERT YOUR SUBSCRIPTION ID> with your subscription id in the 6th line and click on Save
  • Then select "Review + Create" and then Create. The role is created. Click OK to return to the IAM role page
  •  Click on the "add a role assignment" button on the card "Grant access to this resource" on right
  • Now select the "Role" tab and search for "InfraGuard-role". Select this role and click Next
  • In the Member tab click on "+Select Member" and search for "Infraguard app" on the right side below Select Members
  • Select Infraguard app and click on select. Then click on "Review and Assign" 


Additional Steps if you want to use Azure Advanced Patch Management


  • After following the above steps, go to "Subscription"
  • Select "Access control(IAM)" from the menu of your subscription select Roles and search and edit "InfraGuard-role" 
  • Select JSON click on edit and insert the following permissions: 


"Microsoft.Compute/virtualMachines/write",
"Microsoft.Automation/automationAccounts/read",
"Microsoft.Automation/automationAccounts/write",
"Microsoft.Automation/automationAccounts/delete",
"Microsoft.Automation/automationAccounts/schedules/write",
"Microsoft.Automation/automationAccounts/schedules/read",
"Microsoft.Automation/automationAccounts/schedules/delete",
"Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/write",
"Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/read",
"Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/delete",
"Microsoft.Automation/automationAccounts/softwareUpdateConfigurationRuns/read",
"Microsoft.Automation/automationAccounts/linkedWorkspace/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/query/*/read"


  • Now click on "Review + update" then update
  • Now search for the Automation Accounts
  • Click on the "+Create"
  • Select the resource group
  • Enter the automation account name as "infraguard-automation"
  • Click on the "Review + Create" button then create
  • Click on the automation account(infraguard-automation)
  • Click on the Access Control(IAM)
  • Click on the "add a role assignment" button
  • Now select the "Role" tab and search for "InfraGuard-role". Select this role and click Next
  • In the Member tab click on "+Select Member" and search for "infraguard" on the right side below Select Members
  • Select Infraguard app and infraguard-automation and click on select. Then click on "Review and Assign"
  • Click on the Update management and select the "Create New Workspace" in the Log analytic workspace selection and click on Enable
  • Go back to Automation Accounts and select "infraguard-automation" and Click on the Update management
  • Click on the "+Add Azure VMs" and select VMs from the listing (Only selected machines is available for automation patching)
  • Search "Azure Active Directory" from the top search text box and select it
  • On the side menu of the same page click on "App registrations" and select the "infraguard app"
  • On the side menu of the same page click on "API Permissions" and click on the "+Add permission"
  • Select APIs my organization uses search for the "Log Analytics API"
  • Click on the Log Analytics API and select the Delegated permissions and check the Data.read permission
  • Click on the Add permission

Note: If you use Azure Advance Patch Management on servers that do not have the Log Analytics Agent installed, you will get the message "No updates found". Please only use Azure Advance Patch Management on servers that have the agent installed.


Onboard your servers to InfraGuard

  • Log onto app.infraguard.io Account
  • Select CLUSTER from side-menu
  • Click on “Create Azure cluster”
  • Add any relevant Name
  • Add Tenant ID, Subscription ID, Client ID, and Client Secret as created and copied in the previous section
  • Click ‘Sync’ to make your newly added server appear in the list of servers
  • Wait for some time before you click on ‘Servers’ to get your list of servers for that Role ARN