Contents:

- Understanding Azure RBAC and app registrations
- Why it is important to use separate subscriptions for your Citrix workers
- Prerequisites for creating hosting connections in Citrix Web Studio
- Create a resource location in Citrix Cloud
- Install one or more Cloud Connectors in the resource location
- Creating a hosting connection in Citrix Web Studio in Citrix DaaS
- Automatically create a hosting connection (including the app registration in Azure)
- Additional information: what actually happens in Azure when creating a hosting connection?
- Manually create the app registration in Azure
- Manually assign RBAC permissions to the app registration
- Collect the necessary information for Citrix Web Studio
- Manually create a hosting connection using an existing app registration
- Optimize performance of MCS operation times (optimized API calls)
- Custom RBAC access rights (Narrow Scope Service Principal)
- Renew the application secret of an Azure app registration

Understanding Azure RBAC and app registrations

Before creating a hosting connection in Citrix DaaS it is important to understand Azure RBAC and Azure app registrations.

Azure RBAC stands for role-based access control which, as defined by Microsoft, is an authorization system that provides fine-grained access management of Azure resources. To grant access to resources in Azure you need the following: a security principal, a role, and a scope.

A security principal is an object that is requesting access to resources. This can for example be a user, but it can also be a service principal, such as an app registration. Citrix DaaS requires an app registration (= service principal) in order to access resources. This is what an automatically created app registration (using Citrix Web Studio) in Azure looks like:

An app registration in itself still has no access to resources. It first needs to be assigned to a role and a scope.

A role is a collection of permissions. Azure offers many built-in roles such as Owner, Contributor, Reader, and many more. A complete list of all available roles can be viewed on the Roles tab in the Access control (IAM) section of any scope or resource. The screenshot below shows the Access control (IAM) section of the resource group Citrix.

A scope is the set of resources that the access applies to. In Azure, you can specify a scope at four levels. Scopes are structured in a parent-child relationship. You can assign roles at any of these levels of scope. Access rights are inherited to lower-level scopes.

Let's take a look at an example in my Azure tenant I use for testing and for writing this article. In the screenshot below I am looking at the Access control (IAM) section of one of my virtual machines called CloudConnector1. Under the tab Role assignments, you can see two security principals: an app registration called citrix-xd-cde55 that is assigned the Contributor role, and my user Dennis Span that has the Owner role. You can also see that both security principals are inherited from the scope subscription.

Why it is important to use separate subscriptions for your Citrix workers

Citrix recommends using a separate and dedicated subscription (or even multiple subscriptions) for your Citrix workers. By default, when creating the Azure hosting connection automatically in Citrix Web Studio, the app registration is assigned the Contributor role on the subscription scope.

Why is the subscription scope so important? And why should a subscription be dedicated to Citrix workers only? There are a couple of reasons:

Citrix DaaS requires access to the necessary resources in the Azure tenant to be able to create, delete, modify, and manage virtual machines.
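The scope inheritance described above, and the reason a subscription-wide Contributor grant reaches resources that have nothing to do with Citrix, can be made concrete with a small model. The following is an added example, not code from the article or from Citrix: it parses Azure resource IDs into their scope chain, resolves which role assignments apply to a given virtual machine by inheritance, and lists service principals that hold Contributor or Owner on a whole subscription. Azure has four scope levels (management group, subscription, resource group, resource); the model covers the lower three, since the article's screenshots work at those levels. The subscription ID, the resource group and VM names other than those in the article, and the role assignments are constructed sample data.

```python
"""Model of Azure RBAC scope inheritance (added example, not the article's code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # display name of the security principal
    principal_type: str   # "User", "Group" or "ServicePrincipal"
    role: str             # built-in role name, e.g. "Contributor"
    scope: str            # scope ID the role was assigned at


def scope_chain(resource_id: str) -> list[str]:
    """Scopes that apply to resource_id, most specific first.

    Models subscription -> resource group -> resource. The management group
    level, which sits above the subscription in Azure, is not modelled here.
    """
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not a subscription-rooted resource ID: {resource_id}")
    chain = ["/subscriptions/" + parts[1]]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append(chain[-1] + "/resourceGroups/" + parts[3])
    if len(parts) > 4:
        chain.append("/" + "/".join(parts))
    return list(reversed(chain))


def scope_level(scope: str) -> str:
    """Name the level of a scope ID: subscription, resource group or resource."""
    depth = len(scope.strip("/").split("/"))
    if depth == 2:
        return "subscription"
    if depth == 4:
        return "resource group"
    return "resource"


def principals_with_access(assignments, resource_id):
    """(principal, role, level the role was assigned at) for every assignment
    that applies to resource_id, directly or inherited from a parent scope."""
    applicable = {s.lower() for s in scope_chain(resource_id)}
    return [
        (a.principal, a.role, scope_level(a.scope))
        for a in assignments
        if a.scope.lower() in applicable
    ]


def subscription_wide_service_principals(assignments):
    """Service principals holding Contributor or Owner on an entire subscription.

    Such a grant is inherited by every resource group in the subscription,
    which is why a subscription used for Citrix workers should contain
    nothing else.
    """
    return sorted(
        a.principal
        for a in assignments
        if a.principal_type == "ServicePrincipal"
        and a.role in ("Contributor", "Owner")
        and scope_level(a.scope) == "subscription"
    )


# Constructed sample data: a placeholder subscription ID, the resource group
# and VM from the article, and a second, unrelated VM in the same subscription.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUBSCRIPTION + "/resourceGroups/Citrix"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/CloudConnector1"
OTHER_VM = (SUBSCRIPTION + "/resourceGroups/Finance"
            "/providers/Microsoft.Compute/virtualMachines/PayrollDB")

ASSIGNMENTS = [
    RoleAssignment("citrix-xd-cde55", "ServicePrincipal", "Contributor", SUBSCRIPTION),
    RoleAssignment("Dennis Span", "User", "Owner", SUBSCRIPTION),
    RoleAssignment("vm-operators", "Group", "Reader", RG),  # constructed group
]

if __name__ == "__main__":
    for target in (VM, OTHER_VM):
        print(target)
        for principal, role, level in principals_with_access(ASSIGNMENTS, target):
            print(f"  {principal}: {role} (inherited from {level})")
    print("subscription-wide service principals:",
          subscription_wide_service_principals(ASSIGNMENTS))
```

Running the script shows the app registration's Contributor role appearing on the Finance VM as well as on CloudConnector1, purely through inheritance from the subscription; the resource-group-level Reader grant, by contrast, stays inside the Citrix resource group.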