When deploying an Azure Migrate Appliance to perform VMware environmental discovery, there are some steps that must be taken to prepare an Azure User Account with the necessary permissions. These steps are outlined in: Prepare an Azure user account.
Note
This article will not walk through all the steps of setting up Azure Migrate. Rather, this article will walk through the problems that will arise if the user setting up the Azure Migrate does not have the necessary permissions to create the Azure AD App. Therefore, certain steps of deploying Azure Migrate will be skipped.
One of these steps is to have “Permissions to register Azure Active Directory (Azure AD) apps.” This can be satisfied in a couple of ways, as outlined below:
- In the Azure Portal, go to Azure Active Directory > Users > User Settings. In User Settings, verify that Azure AD users can register applications (set to Yes by default).
- If your organization sets the “Users can register applications” setting above to No, the user deploying and configuring the Azure Migrate Appliance can instead be added to the “Application Developer” role, which allows that user to create Azure AD Applications even when “Users can register applications” is set to No.
Important
The goal of this article is to walk through manual pre-creation of the Azure AD Application for Azure Migrate in a scenario where “Users can register applications” is set to No and the Global Administrators are unwilling to add the user to the “Application Developer” role.
Deploying the Azure Migrate Appliance
There are two Azure AD accounts involved in this process, as described below:

| Account | Permissions | Purpose |
| --- | --- | --- |
| Azure Migrate | Subscription Contributor | This account configures the Azure Migrate Appliance (prerequisite portion) and obtains the Azure AD Application name Azure Migrate needs. It then hands this information off to the Elan account so that account can create the Azure AD Application and prepare the permissions. |
| Elan | Azure AD Global Administrator & Subscription Owner | This account creates the Azure AD Application and prepares the permissions so the Azure Migrate account can proceed with the Azure Migrate prerequisites. |
With your Azure Migrate Project created, we’ll choose to perform a Discovery using an appliance, discovering via VMware vSphere. We’ll name our appliance AzMigAppl. We’ll then download the OVA file, which will be imported into VMware.
Be sure to click “Generate key” and save the key for later, once the appliance is installed. We’ll need it to register the Azure Migrate appliance against this Azure Migrate Project.
After the Azure Migrate Appliance is created, deploy the OVA into your VMware environment.
Important
Be sure to do the following 2 tasks:
1. Rename the computer on the Azure Migrate Appliance once you can sign in to Windows. For example, I renamed the computer to AZMigAppl.
2. Set the Windows time correctly.
Azure Migrate Appliance Prerequisites
After most prerequisites are completed, we come to the step where we log in with our Azure Migrate Azure AD account. This is where the problems begin: this account cannot create Azure AD Apps, because the Azure AD User Setting that allows users to create Azure AD Apps is disabled and because the account is not assigned the “Application Developer” role.
Once logged in, you will see that the appliance has initiated registration.
After some time, we will get an error message.
Clicking on “Error details” will show us the following.
As you can see, our account does not have the permissions to create the Azure AD App. With Azure Migrate, every time you re-run the prerequisites, the same Azure AD Application name will be used.
The Azure AD Application name in the error message is a combination of [Appliance name (provided in the web app)]-[4 character GUID]-[authandaccessaadapp], concatenated without the hyphens.
At this point we can go to our Global Administrators, provide them the Azure AD Application name, and have them follow the steps below to create the Azure AD Application and configure the necessary permissions/settings so that the Azure Migrate Appliance can proceed.
Azure AD Application Creation
Now, using my Global Administrator account, elan, I will proceed with creating the Azure AD Application and configuring the necessary permissions/settings so that the Azure Migrate Appliance can obtain the Service Principal details and use them.
In Azure AD > App Registrations, click New Registration.
Specify the name of the Azure AD Application using the name gathered from the Azure Migrate Appliance error details. Click Register.
Within the Azure AD Application, click Branding & properties. Enter the URL from Azure Migrate as the Home Page URL. Click Save.
This URL is the one shown in the Azure Migrate Appliance web app. For example:
On the Expose an API blade within the Azure AD Application, create a Scope with the following configuration. Note that “Admins and users” must be selected under “Who can consent?”. Click Add Scope.
What you should see on the Expose an API blade is:
Finally, on the Owners blade, add the user account that is configuring the Azure Migrate Appliance. In our case, this is the Azure Migrate user account.
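The same three portal steps (Register with the name from the error dialog, set the Home Page URL, expose one scope for admins and users, add the owner), plus a check of the naming convention described earlier, as an added example written for this post in Python against the Microsoft Graph v1.0 REST API. It is not code from Azure Migrate or from Microsoft. Assumptions are labelled in the comments: the 4 GUID characters are treated as hex digits, the scope value and consent text are placeholders because the post does not reproduce the exact values, and the home page URL and object id in the sample run are constructed. The builder functions are pure and run offline; only `precreate_app` talks to Graph and needs a token with `Application.ReadWrite.All` obtained by the Global Administrator.

```python
"""Pre-create the Azure AD application an Azure Migrate appliance expects.
Added example, not the appliance's or Microsoft's own code. Uses Microsoft Graph v1.0.
"""
import json
import re
import uuid
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
APP_SUFFIX = "authandaccessaadapp"  # constant suffix described in the post


def parse_app_name(app_name):
    """Split '<appliance><4 GUID chars>authandaccessaadapp' into (appliance, fragment).

    Assumption: the 4 GUID characters are hex digits (the post only says "4 character GUID").
    Raises ValueError when the name does not follow the convention.
    """
    if not app_name.endswith(APP_SUFFIX):
        raise ValueError(f"{app_name!r} does not end with {APP_SUFFIX!r}")
    stem = app_name[: -len(APP_SUFFIX)]
    appliance, fragment = stem[:-4], stem[-4:]
    if not appliance or not re.fullmatch(r"[0-9A-Fa-f]{4}", fragment):
        raise ValueError(f"{app_name!r}: expected '<appliance><4 hex chars>' before the suffix")
    return appliance, fragment


def build_registration(app_name, home_page_url):
    """Body for POST /applications: the Register step plus the Branding Home Page URL."""
    return {
        "displayName": app_name,
        "signInAudience": "AzureADMyOrg",  # single tenant, the portal's default choice
        "web": {"homePageUrl": home_page_url},
    }


def build_api_exposure(app_id, scope_value="user_impersonation"):
    """Body for PATCH /applications/{id}: Application ID URI plus one scope (Expose an API).

    type 'User' is what the portal labels "Admins and users". Scope value and consent
    strings are placeholders; the post does not show the exact values it used.
    """
    return {
        "identifierUris": [f"api://{app_id}"],
        "api": {
            "oauth2PermissionScopes": [{
                "id": str(uuid.uuid4()),
                "type": "User",
                "isEnabled": True,
                "value": scope_value,
                "adminConsentDisplayName": "Access Azure Migrate appliance",
                "adminConsentDescription": "Allow the Azure Migrate appliance to use this application.",
                "userConsentDisplayName": "Access Azure Migrate appliance",
                "userConsentDescription": "Allow the Azure Migrate appliance to use this application.",
            }]
        },
    }


def build_owner_ref(user_object_id):
    """Body for POST /applications/{id}/owners/$ref (the Owners blade step)."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{user_object_id}"}


def graph_request(token, method, path, body):
    """Send one authenticated Graph call; returns parsed JSON, or {} for an empty 204 reply."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def precreate_app(token, app_name, home_page_url, owner_object_id):
    """Run the post's three portal steps (Register, Expose an API, Owners) via Graph."""
    parse_app_name(app_name)  # refuse to register a name the appliance will never look for
    app = graph_request(token, "POST", "/applications", build_registration(app_name, home_page_url))
    graph_request(token, "PATCH", f"/applications/{app['id']}", build_api_exposure(app["appId"]))
    graph_request(token, "POST", f"/applications/{app['id']}/owners/$ref", build_owner_ref(owner_object_id))
    return app


if __name__ == "__main__":
    # Constructed sample: appliance 'AzMigAppl' with GUID fragment '1a2b', as the error dialog shows it.
    sample_name = "AzMigAppl1a2bauthandaccessaadapp"
    print(parse_app_name(sample_name))
    print(json.dumps(build_registration(sample_name, "https://azmigappl.contoso.example"), indent=2))
```

Validating the name before creating anything matters because the appliance retries with exactly the name it printed; a registration under any other display name is an orphaned app that the administrators then have to clean up. Adding the owner is what lets the non-privileged Azure Migrate account see and use the registration on Retry.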
After these steps, re-trigger the Azure Migrate registration; the appliance will use this pre-created Azure AD Application.
Click Retry on the Azure Migrate Appliance.
You will again see the appliance begin to initiate registration.
After a bit of patience, we now see our appliance has successfully been registered.