Managing Azure Connections

IT Asset Management (Cloud)
Tip: If you have configured your existing connection to Microsoft Azure using the original AzureRM module (downloaded from Microsoft), and you do not wish to import inventory from instances in Azure that might make use of the Azure Hybrid Benefit, and you do not want improved performance, then you do not need to make any changes to your existing configuration. (However, note that the AzureRM module will shortly stop receiving bug fixes, and that enhancements will be added that work only with the Microsoft Az module, and not the older module. Furthermore, there are considerable performance improvements, especially for large-scale implementations, with recent versions of the newer Az module. Therefore best practice is to follow at least the first two steps in the procedure below to uninstall the old module and replace it with the newer Az module.)
If you now want your Azure connector to import inventory that takes account of the Azure Hybrid Benefit, there are two slightly different processes depending on where you are starting from:
  • If you have previously used your Azure connector with the older Azure Resource Manager (AzureRM) module from Microsoft, you must first uninstall this older module. Thereafter, the configuration follows the same process shown below.
  • If you are making your first connection to Azure from an inventory beacon with the Azure connector, naturally skip the uninstall step, and then follow the remaining process.
A connection to your chosen Microsoft Azure environment requires three elements:
  • Installation of the newer Azure Resource Manager (Az) module, downloaded from Microsoft.
  • An Azure service principal identity that is required to have access to Microsoft.Compute/virtualMachines and Microsoft.SqlVirtualMachine/sqlVirtualMachines with read permissions, or you can use the built-in role Virtual machine contributor.
  • Configuration of the inventory beacon to make the connection to Azure. You must specify the connection details which can be obtained from Azure Active Directory (which, by default, does not have a schedule, so you may wish to add one).

Prerequisites

To complete this process, your chosen inventory beacon must meet the following requirements, some of which should have been fulfilled when the FlexNet Beacon software was installed:
  • PowerShell 5.1 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later; with the PowerShell execution policy set to RemoteSigned.
  • Install .NET Framework 4.7.2 or later (installation instructions and downloads start from https://docs.microsoft.com/en-us/dotnet/framework/install/).
  • Ensure that the Windows Environment Variable PSModulePath includes the following path:
    %ProgramFiles%\WindowsPowerShell\Modules
  • The FlexNet Beacon software installed on the inventory beacon must be release 16.3.0 (shipped with IT Asset Management 2020 R2.3) or later.
  • A web browser is installed and enabled on the inventory beacon.
  • You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
  • Install the Microsoft Az module, version 6.1.0 or later. Instructions are included in the process below.
    Tip: Although the connector is compatible with the Microsoft Az module version 5.2.0 or later, version 6.1.0 or later is required for compatibility with the Azure Resource Graph module which provides the latest performance improvements.
  • Install Microsoft Azure Resource Graph module version 0.11 or later (remembering that this requires Microsoft Az for Windows PowerShell version 6.1.0 or later, as mentioned above). Instructions are included below. Flexera recommends that you install this as it optimizes performance, especially for large-scale implementations in Azure.
The connection to Azure supports optional use of a proxy.

To configure your connection to Microsoft Azure:

  1. If you have previously connected to Azure using the older Azure Resource Manager (AzureRM) module, first uninstall that module, as follows:
    1. On your inventory beacon, logged in as Administrator, run PowerShell.
    2. Uninstall the AzureRM module with the following command:
      uninstall-module AzureRM
  2. If you already have the Microsoft Az module installed in your environment, use the following commands in your PowerShell window (running as Administrator):
    1. To check your current installed version:
      Get-Installedmodule az
    2. To update to the latest Microsoft Az module:
      Update-Module -Name Az -Force
      Note: If you run into any issues while updating Az modules, please try uninstalling and reinstalling the Az modules, always while in a Windows PowerShell session run as administrator:
      • To uninstall:
        Get-InstalledModule -Name Az* | Uninstall-module
      • To reinstall:
        Install-Module -Name Az -AllowClobber
  3. If you have not previously installed the Microsoft Az module in your environment, configure version 6.1.0 or later, as follows:
    1. Download the module to your inventory beacon.
      Tip: New versions are available from https://www.powershellgallery.com/packages/Az/.
    2. If you do not already have a PowerShell window running, ensure that you are logged in as Administrator, and run PowerShell.
    3. Register the Microsoft Az module with the following command in PowerShell:
      Install-Module -Name Az -RequiredVersion x.x.x
      where the placeholder x.x.x is replaced with the version number you downloaded, for example:
      Install-Module -Name Az -RequiredVersion 6.1.0
  4. Install Microsoft Azure Resource Graph module version 0.11 or later (still in your PowerShell window running as Administrator):
    1. To install, execute the command:
      Install-Module -Name Az.ResourceGraph
    2. Validate your installation with the cmdlet:
      Get-InstalledModule -Name 'Az.ResourceGraph'
  5. A service principal identity for the Microsoft Azure adapter is required. This provides authentication for the Azure resources that can be accessed.
    Microsoft provides the following guides to assist with this task:

    The required service principal object is the built-in role Virtual machine contributor, or a custom object with read access for Microsoft.Compute/virtualMachines and Microsoft.SqlVirtualMachine/sqlVirtualMachines.

  6. Configure the connection to Azure:
    1. In the FlexNet Beacon interface, select the Inventory systems tab.
    2. To create a new connection, click the down arrow on the right of the New... split button, and choose PowerShell.
      Tip: You can also edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
    3. In the dialog that appears, complete (or modify) the following required fields with the values appropriate to your chosen Microsoft Azure environment:
      • Connection Name: The name you give this inventory connection is also used in the web interface of IT Asset Management to name the data import task.
      • Source Type: Select Microsoft Azure from this list.
      • Azure Tenant ID: This value is your Directory ID, available from the Properties page in Azure Active Directory.
      • Application ID: Once you have registered your application, this value displays next to your application's Display Name in the App registrations page of Azure Active Directory. The Application ID is specific to your chosen Azure environment, to be specified below.
      • Application Password: Copy your key's password when you save application key.
        Note: The Application Password can only be copied from Azure Active Directory after saving the application key. It cannot be retrieved later. This password is also specific to your chosen Azure environment.
      • Environment: Enter the name of one of the available Microsoft Azure environments (such as AzureChinaCloud, AzureCloud, AzureGermanCloud, AzureUSGovernment). If this field is left blank, the default connection is attempted to AzureCloud. Any value entered must be a (case-insensitive) match with one of the Microsoft Azure environments. If your value does not match one of the existing Microsoft Azure environments, the error message lists the current values to choose from. (The full list of available environments is also available through the PowerShell cmdlet Get-AzureRmEnvironment, delivered through the AzureRM Tools for Windows PowerShell.)
    4. If a proxy server is in use between the inventory beacon and Microsoft Azure, also select the Use Proxy check box, and complete the following additional details:
      • Proxy Server: Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber). If the protocol is omitted, it defaults to http:. If the port number is omitted, it defaults to :80 for http, or 443 for https.
      • Username and Password: If your enterprise is using an authenticated proxy, specify the credentials to access the proxy server you just identified.
    5. Click Test Connection to check that your current settings work in your specified Environment.
      • If the connection test fails, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
      • If, instead, the inventory beacon can successfully access the Azure APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message. Click Save to add the connection to (or update it in) the list.
    6. By default, your new Azure connection will not be linked to any schedule, required to regularly import this Azure virtual machine inventory.
      • If there is not already a suitable schedule created for your Azure inventory import, click on Scheduling* from the Data collection group in the navigation bar. Click New... and create the new schedule (see Creating a Data Gathering Schedule).
      • When you have a suitable schedule already defined, click Schedule... to link to the timetable for repeated imports of data from Microsoft Azure (for details, see Scheduling a Connection).
As well as the instance (virtual machine) data previously collected from Azure, now when using the Microsoft Az module, the imported inventory includes:
  • Azure virtual machines and instances running SQL Server
  • Data for licensing Windows Server Datacenter Edition and Standard Edition for the 2008R2, 2012, 2012 R2, and 2016 releases
  • Data for licensing SQL Server virtual machines running either the Enterprise Edition or the Standard Edition.
To achieve this, the connector relies on Az Tools for Windows PowerShell, making use of the following PowerShell cmdlets:
  • Connect-AzAccount — To log into Microsoft Azure
  • Disconnect-AzAccount — To log out of Microsoft Azure
  • Get-AzEnvironment — To identify the environments currently available in Microsoft Azure (such as AzureChinaCloud, AzureCloud, AzureGermanCloud, AzureUSGovernment)
  • Get-AzLocation — To identify the available Azure geographic regions of the instance type (size in Microsoft term) where your instances may be running
  • Get-AzSqlVM — To return the list of the SQL virtual machines you own, and then collect the cloud license model
  • Get-AzVMSize — To return the list of the instances type based on location
  • Get-AzVM — To return the list of the instances (virtual machines) you own, and then collect summary inventory details on each one
  • Search-AzGraph — To return a list of instance for a batch of subscriptions.

IT Asset Management (Cloud)

Current