Azure Active Directory integration for Azure Red Hat OpenShift
Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.
If you haven't already created an Azure Active Directory (Azure AD) tenant, follow the directions in Create an Azure AD tenant for Azure Red Hat OpenShift before continuing with these instructions.
Microsoft Azure Red Hat OpenShift needs permissions to perform tasks on behalf of your cluster. If your organization doesn't already have an Azure AD user, Azure AD security group, or an Azure AD app registration to use as the service principal, follow these instructions to create them.
Create a new Azure Active Directory user
In the Azure portal, ensure that your tenant appears under your user name in the top right of the portal.
If the wrong tenant is displayed, click your user name in the top right, click Switch Directory, and select the correct tenant from the All Directories list.
Create a new Azure Active Directory 'Owner' user to sign in to your Azure Red Hat OpenShift cluster.
- Go to the Users-All users blade.
- Click +New user to open the User pane.
- Enter a Name for this user.
- Create a User name based on the name of the tenant you created, with .onmicrosoft.com appended at the end. For example, yourUserName@yourTenantName.onmicrosoft.com. Write down this user name. You'll need it to sign in to your cluster.
- Click Directory role to open the directory role pane, and select Owner and then click Ok at the bottom of the pane.
- In the User pane, click Show Password and record the temporary password. After you sign in the first time, you'll be prompted to reset it.
- At the bottom of the pane, click Create to create the user.
Create an Azure AD security group
Cluster admin access is granted by syncing the membership of an Azure AD security group into the OpenShift group osa-customer-admins. If you don't specify a group when you create the cluster, no one is granted cluster admin access.
- Open the Azure Active Directory groups blade.
- Click +New Group.
- Provide a group name and description.
- Set Group type to Security.
- Set Membership type to Assigned.
- Add the Azure AD user that you created in the earlier step to this security group: click Members to open the Select members pane, select that user in the members list, then at the bottom of the portal click Select and then Create to create the security group.
- When the group is created, it appears in the list of all groups. Click the new group and copy down its Object ID (this is the group ID you need). We will refer to this value as GROUPID in the Create an Azure Red Hat OpenShift cluster tutorial.
To sync this group with the osa-customer-admins OpenShift group, create the cluster by using the Azure CLI. The Azure portal currently lacks a field to set this group.
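The user and security-group steps above, done with the Azure CLI instead of the portal. This is an added example, not code from the Azure Red Hat OpenShift documentation or the project; it assumes an authenticated az login session that may create users and groups in the tenant, and the user, tenant and group names are hypothetical. The page's "Owner" directory role has no direct az ad user equivalent, so the script assumes it means the Azure RBAC Owner role on the current subscription.

```shell
#!/bin/sh
# Added example, not code from the Azure Red Hat OpenShift documentation:
# the user and security-group steps above, done with the Azure CLI.
# Assumes an authenticated `az login` session that may create users and groups
# in the tenant; user, tenant and group names are hypothetical.
set -eu

# Compose the user principal name the page describes,
# <user>@<tenant>.onmicrosoft.com, rejecting characters a UPN cannot contain.
make_upn() {
    user="$1"; tenant="$2"
    case "$user$tenant" in
        *[!A-Za-z0-9._-]*)
            echo "user and tenant names must match [A-Za-z0-9._-]" >&2
            return 1 ;;
    esac
    printf '%s@%s.onmicrosoft.com\n' "$user" "$tenant"
}

# Accept only a well-formed GUID, so a display name is never handed to the
# cluster tutorial where the group's object ID (GROUPID) is expected.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Create the sign-in user with a generated temporary password that must be
# changed at first sign-in, as the portal flow does. The password is printed
# exactly once so the operator can record it; it is not stored anywhere else.
create_cluster_user() {
    upn="$1"; display="$2"
    temp_pw="$(openssl rand -base64 24)"
    az ad user create --display-name "$display" --user-principal-name "$upn" \
        --password "$temp_pw" --force-change-password-next-sign-in true --output none
    # Assumption: the page's "Owner" role means Azure RBAC Owner on the
    # current subscription, assigned separately from the directory user object.
    sub="$(az account show --query id -o tsv)"
    az role assignment create --assignee "$upn" --role Owner \
        --scope "/subscriptions/$sub" --output none
    printf 'created %s with temporary password: %s\n' "$upn" "$temp_pw"
}

# Create the security group whose members are synced into osa-customer-admins,
# add the user, and print the group's object ID. Newer CLI versions return it
# as "id", older ones as "objectId"; the JMESPath "||" accepts either.
# The group name doubles as mail nickname, so it must not contain spaces.
create_admin_group() {
    group="$1"; upn="$2"
    gid="$(az ad group create --display-name "$group" --mail-nickname "$group" \
        --query 'id || objectId' -o tsv)"
    uid="$(az ad user show --id "$upn" --query 'id || objectId' -o tsv)"
    az ad group member add --group "$gid" --member-id "$uid" --output none
    is_guid "$gid" || { echo "unexpected group id: $gid" >&2; return 1; }
    printf '%s\n' "$gid"
}

# Usage: sh aad-prereqs.sh run <user> <tenant> <group-name>
# Nothing below runs unless the first argument is "run".
if [ "${1:-}" = "run" ]; then
    UPN="$(make_upn "$2" "$3")"
    create_cluster_user "$UPN" "$2"
    GROUPID="$(create_admin_group "$4" "$UPN")"
    echo "GROUPID=$GROUPID"   # value for --customer-admin-group-id
fi
```

The object ID check matters because the cluster tutorial's --customer-admin-group-id takes the group's object ID, not its display name, and a wrong value silently results in no cluster admins being synced.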
Create an Azure AD app registration
You can have the Azure Active Directory (Azure AD) app registration created automatically as part of creating the cluster by omitting the --aad-client-app-id flag from the az openshift create command. This tutorial shows you how to create the Azure AD app registration for completeness.
If your organization doesn't already have an Azure Active Directory (Azure AD) app registration to use as a service principal, follow these instructions to create one.
- Open the App registrations blade and click +New registration.
- In the Register an application pane, enter a name for your application registration.
- Ensure that under Supported account types, Accounts in this organizational directory only is selected. This is the most restrictive choice: only accounts in your own tenant can sign in to the cluster through this registration.
- We will add a redirect URI later once we know the URI of the cluster. Click the Register button to create the Azure AD application registration.
- On the page that appears, copy down the Application (client) ID. We will refer to this value as APPID in the Create an Azure Red Hat OpenShift cluster tutorial.
Create a client secret
Generate a client secret for authenticating your app to Azure Active Directory.
- In the Manage section of the app registrations page, click Certificates & secrets.
- On the Certificates & secrets pane, click +New client secret. The Add a client secret pane appears.
- Provide a Description.
- Set Expires to the duration you prefer, for example In 2 Years.
- Click Add. The secret value appears in the Client secrets section of the page.
- Copy down the secret value now; the portal shows it only this once and cannot display it again later. We will refer to this value as SECRET in the Create an Azure Red Hat OpenShift cluster tutorial.
For more information about Azure Application Objects, see Application and service principal objects in Azure Active Directory.
For details on creating a new Azure AD application, see Register an app with the Azure Active Directory v1.0 endpoint.
Add API permissions
- In the Manage section click API permissions
- Click Add permission and select Azure Active Directory Graph then Delegated permissions.
Make sure you selected the "Azure Active Directory Graph" and not the "Microsoft Graph" tile.
- Expand User on the list below and enable the User.Read permission. If User.Read is enabled by default, ensure that it is the Azure Active Directory Graph permission User.Read.
- Scroll up and select Application permissions.
- Expand Directory on the list below and enable Directory.Read.All.
- Click Add permissions to accept the changes.
- The API permissions panel should now show both User.Read and Directory.Read.All. Note the warning in the Admin consent required column next to Directory.Read.All: application permissions always require admin consent before they take effect.
- Granting admin consent requires an Azure AD directory role that can consent on behalf of the tenant (for example Global Administrator); being an administrator of the Azure subscription is not by itself enough. If you hold such a role, click Grant admin consent for Subscription Name below (the button shows your directory's display name). If you don't, request the consent from your administrator.
Synchronization of the cluster administrators group will work only after consent has been granted. You will then see a green circle with a checkmark and the message "Granted for Subscription Name" in the Admin consent required column.
For details on managing administrators and other roles, see Add or change Azure subscription administrators.
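The app registration, client secret, Azure AD Graph permissions and admin consent described above, done with the Azure CLI and then handed to az openshift create together with GROUPID from the security-group section. This is an added example, not code from the page or the Azure Red Hat OpenShift project. It assumes an az login session holding a directory role that can grant tenant-wide admin consent, and it looks the permission IDs up on the Azure AD Graph service principal instead of hardcoding them; the property names used in those JMESPath queries (oauth2PermissionScopes, oauth2Permissions, appRoles) are assumptions about the CLI's output shape. The resource group, cluster and application names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the page or the ARO project: app registration,
# client secret, AAD Graph permissions, admin consent, then `az openshift create`.
# Assumes an `az login` session with a role that can grant tenant-wide consent.
set -eu

# Well-known application ID of the Azure Active Directory Graph API. The page
# warns not to pick Microsoft Graph, whose ID starts with 00000003-.
AAD_GRAPH_APPID="00000002-0000-0000-c000-000000000000"

is_guid() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; }

# Build one --api-permissions argument: "<id>=Scope" for a delegated
# permission, "<id>=Role" for an application permission, as the CLI expects.
permission_spec() {
    kind="$1"; id="$2"
    case "$kind" in
        delegated)   printf '%s=Scope\n' "$id" ;;
        application) printf '%s=Role\n' "$id" ;;
        *) echo "kind must be delegated or application" >&2; return 1 ;;
    esac
}

# Resolve a permission name to its ID on the AAD Graph service principal.
# Assumption: delegated scopes are listed under oauth2PermissionScopes
# (oauth2Permissions on older CLI versions) and app roles under appRoles.
lookup_permission_id() {
    kind="$1"; name="$2"
    case "$kind" in
        delegated)   q="(oauth2PermissionScopes || oauth2Permissions)[?value=='$name'].id | [0]" ;;
        application) q="appRoles[?value=='$name'].id | [0]" ;;
        *) echo "kind must be delegated or application" >&2; return 1 ;;
    esac
    az ad sp show --id "$AAD_GRAPH_APPID" --query "$q" -o tsv
}

# Single-tenant registration (AzureADMyOrg) matches the page's "Accounts in this
# organizational directory only". Older CLI versions express the same thing
# with --available-to-other-tenants false. Prints the Application (client) ID.
create_app_registration() {
    az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg \
        --query appId -o tsv
}

# Two-year client secret, printed once and stored nowhere else. --append keeps
# any credential already on the app instead of replacing it.
create_client_secret() {
    az ad app credential reset --id "$1" --years 2 --append --query password -o tsv
}

# Delegated User.Read plus application Directory.Read.All on AAD Graph, then
# tenant-wide admin consent; the osa-customer-admins sync needs the consent.
grant_graph_permissions() {
    appid="$1"
    user_read="$(lookup_permission_id delegated User.Read)"
    dir_read="$(lookup_permission_id application Directory.Read.All)"
    is_guid "$user_read" && is_guid "$dir_read" || { echo "permission lookup failed" >&2; return 1; }
    az ad app permission add --id "$appid" --api "$AAD_GRAPH_APPID" \
        --api-permissions "$(permission_spec delegated "$user_read")" \
                          "$(permission_spec application "$dir_read")"
    az ad app permission admin-consent --id "$appid"
    # Verification: consent shows up as a permission grant on the app.
    az ad app permission list-grants --id "$appid" -o table
}

# Usage: sh aad-app.sh run <resource-group> <cluster-name> <app-name> <GROUPID>
# Nothing below runs unless the first argument is "run".
if [ "${1:-}" = "run" ]; then
    RG="$2"; CLUSTER="$3"; APPNAME="$4"; GROUPID="$5"
    is_guid "$GROUPID" || { echo "GROUPID must be the group's object ID" >&2; exit 1; }
    APPID="$(create_app_registration "$APPNAME")"
    SECRET="$(create_client_secret "$APPID")"
    grant_graph_permissions "$APPID"
    TENANT="$(az account show --query tenantId -o tsv)"
    az openshift create --resource-group "$RG" --name "$CLUSTER" \
        --aad-client-app-id "$APPID" --aad-client-app-secret "$SECRET" \
        --aad-tenant-id "$TENANT" --customer-admin-group-id "$GROUPID"
fi
```

The secret is passed to az openshift create on the command line, so it is visible to other local users in the process list while the command runs; run this from a workstation you control rather than a shared host. The redirect URI is still added after the cluster exists, as the app registration section says, because it depends on the cluster's URI.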
- Applications and service principal objects in Azure Active Directory
- Quickstart: Register an app with the Azure Active Directory v1.0 endpoint
If you've met all the Azure Red Hat OpenShift prerequisites, you're ready to create your first cluster!
Try the tutorial: