Grant Root Management Group Permissions

note

This guide is to be performed once per Azure Tenant.
The guide assumes that you have already created an Azure App Registration in your Azure Tenant.
If you haven't created an App Registration yet, please follow the Create a New Azure App Registration guide.

info

This guide assumes that you have Azure Management Groups enabled in your Azure Tenant.
If you do not have Azure Management Groups enabled, you can follow the link to Learn about Azure Management Groups.

This guide will walk you through the process of assigning the App Registration permissions at the root management group level.
Assigning the permissions at the root management group level will cascade the permissions to all the Azure Subscriptions under the root management group, giving Chronom the ability to automatically discover and scan all the Azure Subscriptions under the root management group.

Prerequisites

In order to grant the App Registration permissions at the root management group level, you need to have:

• At least one Active Azure Subscription.
• An Azure App Registration with a client secret. Create a New Azure App Registration
• Azure Management Groups enabled in your Azure Tenant.
• The ability to create a custom role at the root management group level.
• The ability to assign the custom role to the App Registration.
  (In order to gain the ability to create custom roles, you need to elevate your Entra ID Permissions to the User Access Administrator role by following this guide)

Instructions

Create a Custom Role (Recommended)

If you want to grant Chronom the ability to perform a more in-depth scan of your Azure Subscriptions, you can create a custom role with the necessary permissions.

To create a custom role, follow these steps:

Azure Portal

1. Download the Chronom Custom Role JSON file by clicking here and saving it to your computer.

2. Open the Azure Portal Management Groups.

3. Select the Tenant Root Group from the list of management groups.
   (Alternatively, you can select any other management group that you want to assign the custom role to, but this guide assumes that you are assigning the custom role at the root management group level.)

   

4. Click on the Access control (IAM) tab.

   

5. Click on the + Add button and select Add custom role.

   

6. Fill in the following details:

   • Baseline Permissions: Start from JSON
   • Upload the JSON file you downloaded in step 1.
   • Click on the Next button.

   

7. Review the permissions and click on the Next button.
   If the permissions are too broad, you can remove the problematic permissions by clicking on the 🗑️ icon.
   (Any of the permissions can be removed except for the */read permissions.)
   In addition, you can exclude specific actions by clicking on the + Exclude permissions button.

8. Under Assignable scopes click Add assignable scopes, make sure the type is set to Management Group, and select the Tenant Root Group.
   Click on the Select button then click Next.

   

9. Review the role JSON and click on the Review + create button. If you prefer, you can modify the role permissions by clicking on the Edit button.
   (any of the permissions can be removed except for the */read permissions.)

10. Review the role details and click on the Create button once you are ready.

Azure CLI (bash)

note

All steps bellow should be executed in the same bash session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps bellow assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. If not already installed, install the curl and sed packages according to your specific OS.

2. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

3. Download the Chronom Custom Role JSON file by running the following command:

   tenantId=$(az account show --query tenantId -o tsv)
   rootGroupId=$(az account management-group show --name "$tenantId" --query id --output tsv)
   jsonFilePath="/tmp/chronom-custom-role-cli.json"
   curl -o $jsonFilePath "https://docs.chronom.ai/assets/files/chronom-custom-role-cli.json"
   sed -i "s|/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|${rootGroupId}|g" "$jsonFilePath"

4. Create the custom role by running the following command:

   az role definition create --role-definition @$jsonFilePath

The complete bash script

# Login to Azure CLI
az login

# Set the Management Group ID Variables
tenantId=$(az account show --query tenantId -o tsv)
rootGroupId=$(az account management-group show --name "$tenantId" --query id --output tsv)

# Download the Chronom Custom Role JSON file
jsonFilePath="/tmp/chronom-custom-role-cli.json"
curl -o $jsonFilePath "https://docs.chronom.ai/assets/files/chronom-custom-role-cli.json"
sed -i "s|/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|${rootGroupId}|g" "$jsonFilePath"

# Create the custom role
az role definition create --role-definition @$jsonFilePath

Azure CLI (PowerShell)

note

All steps bellow should be executed in the same PowerShell session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps bellow assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

2. Download the Chronom Custom Role JSON file by running the following command:

   $tenantId = az account show --query tenantId -o tsv
   $rootGroupId = az account management-group show --name "$tenantId" --query id --output tsv
   $jsonFilePath="$env:USERPROFILE\Downloads\chronom-custom-role-cli.json"
   Invoke-WebRequest -Uri "https://docs.chronom.ai/assets/files/chronom-custom-role-cli.json" -OutFile $jsonFilePath
   (Get-Content $jsonFilePath) -replace "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", $rootGroupId | Set-Content $jsonFilePath

3. Create the custom role by running the following command:

   az role definition create --role-definition @$jsonFilePath

The complete PowerShell script

# Login to Azure CLI
az login

# Set the Management Group ID Variables
$tenantId = az account show --query tenantId -o tsv
$rootGroupId = az account management-group show --name "$tenantId" --query id --output tsv

# Download the Chronom Custom Role JSON file
$jsonFilePath="$env:USERPROFILE\Downloads\chronom-custom-role-cli.json"
Invoke-WebRequest -Uri "https://docs.chronom.ai/assets/files/chronom-custom-role-cli.json" -OutFile $jsonFilePath
(Get-Content $jsonFilePath) -replace "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", $rootGroupId | Set-Content $jsonFilePath

# Create the custom role
az role definition create --role-definition @$jsonFilePath

Grant Permissions to the App Registration

To grant permissions to the App Registration, Follow these steps:

Azure Portal

1. Open the Azure Portal Management Groups.

2. Select the Tenant Root Group from the list of management groups.
   (Alternatively, you can select any other management group that you want to assign the custom role to, but this guide assumes that you are assigning the custom role at the root management group level.)

   

3. Click on the Access control (IAM) tab.

   

4. Click on the + Add button and select Add role assignment.

   

5. Search for the Role that will be assigned to the App Registration.
   If you created a custom role in the previous stage, search for the role name you created (Most likely Chronom Reader), otherwise, search for the Reader role.
   Select the role and click on the Next button.

   

6. Click on the + Select members and search for Chronom Read-Only App Registration (or the name you gave to the App Registration).
   Select the App Registration and click on the Select button then click Next.

   

7. Click on the Review + assign button.

8. Once the role assignment is created, you can go back to Chronom and click on the Save button to complete the process.

Azure CLI (bash)

note

All steps bellow should be executed in the same bash session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps bellow assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

2. Get the App Registration's SP ID by running the following commands:

   appName="Chronom Read-Only App Registration"
   spId=$(az ad sp list --display-name "$appName" --query "[0].id" -o tsv)

3. Confirm the App Registration's SP ID by running the following command: (Make sure the output contains the appDisplayName as Chronom Read-Only App Registration and the replyUrls as https://app.chronom.ai)

   echo $spId
   az ad sp show --id $spId

4. Assign the role to the App Registration by running the following command:
   ⚠️ Replace <role-name> with the name of the role you created in the previous step. (Most likely Chronom Reader) (If you opted to use the Reader role, replace <role-name> with Reader)

   roleName="<role-name>" # Replace with the role name you created / Reader
   tenantId=$(az account show --query tenantId -o tsv)
   rootGroupId=$(az account management-group show --name "$tenantId" --query id --output tsv)
   az role assignment create --role "$roleName" --assignee "$spId" --scope "$rootGroupId"

The complete bash script

# Login to Azure CLI
az login

# Set the variables
appName="Chronom Read-Only App Registration"
roleName="Chronom Reader"

# Get the App Registration's SP ID
spId=$(az ad sp list --display-name "$appName" --query "[0].id" -o tsv)

# Confirm the App Registration's SP ID
echo $spId
az ad sp show --id $spId

# Retrieve the Tenant Root Group ID
tenantId=$(az account show --query tenantId -o tsv)
rootGroupId=$(az account management-group show --name "$tenantId" --query id --output tsv)

# Assign the role to the App Registration
az role assignment create --role "$roleName" --assignee "$spId" --scope "$rootGroupId"

Azure CLI (PowerShell)

note

All steps bellow should be executed in the same PowerShell session.
It is recommended to copy and paste the commands one by one to avoid any mistakes.

The steps bellow assume you have Azure CLI installed and configured with the necessary permissions.
If you haven't installed Azure CLI yet, you can follow the instructions here.

1. Authenticate Azure CLI with the Tenant where your subscriptions are by running the following command:

   az login

2. Get the App Registration's SP ID by running the following commands:

   $appName="Chronom Read-Only App Registration"
   $spId=(az ad sp list --display-name "$appName" --query "[0].id" -o tsv)

3. Confirm the App Registration's SP ID by running the following command: (Make sure the output contains the appDisplayName as Chronom Read-Only App Registration and the replyUrls as https://app.chronom.ai)

   $spId
   az ad sp show --id $spId

4. Assign the role to the App Registration by running the following command: ⚠️ Replace <role-name> with the name of the role you created in the previous step. (Most likely Chronom Reader) (If you opted to use the Reader role, replace <role-name> with Reader)

   $roleName="<role-name>" # Replace with the role name you created / Reader
   $tenantId=(az account show --query tenantId -o tsv)
   $rootGroupId=(az account management-group show --name "$tenantId" --query id --output tsv)
   az role assignment create --role "$roleName" --assignee "$spId" --scope "$rootGroupId"

The complete PowerShell script

# Login to Azure CLI
az login

# Set the variables
$appName="Chronom Read-Only App Registration"
$roleName="Chronom Reader"

# Get the App Registration's SP ID
$spId=(az ad sp list --display-name "$appName" --query "[0].id" -o tsv)

# Confirm the App Registration's SP ID
$spId
az ad sp show --id $spId

# Retrieve the Tenant Root Group ID
$tenantId=(az account show --query tenantId -o tsv)
$rootGroupId=(az account management-group show --name "$tenantId" --query id --output tsv)

# Assign the role to the App Registration
az role assignment create --role "$roleName" --assignee "$spId" --scope "$rootGroupId"