Migration to Azure

Azure Pre-requisites

Generating the required Azure Credentials

Note: The following instructions are based on Microsoft's Azure documentation. The instructions contain some modifications relating to the type of Azure credentials required for Migration.

To generate the Azure credentials required for Migration, create an Azure Active Directory (AD) application that has permissions to access and modify resources on Azure. While creating the Azure AD application and assigning the required permissions, you obtain the credentials that you must enter in the IBM Live Migration Service console. These credentials include:

  • Application ID
  • Authentication Key
  • Directory ID
  • Subscription ID

The instructions below describe the steps to create an Azure AD application, to assign required permissions and obtain required Azure credentials. The steps include:

  1. Verify the existence of required permissions to create a new Azure AD application
  2. Create a new Azure AD application
  3. Assign the new AD application to the required role in the Azure subscription
  4. Obtain the Application ID and Authentication Key of the new Azure AD application
  5. Obtain the Directory ID of the Azure Active Directory
  6. Obtain the Subscription ID of the Azure AD application

Note: Every Azure tenant has a dedicated, trusted Azure AD directory. This directory contains the tenant's users, groups, and applications, and performs identity and access management functions for tenant resources. A unique Azure AD directory is provisioned to represent the organization when it signs up for a Microsoft cloud service like Azure. You may notice the terms tenant, Azure AD, and Azure AD directory used interchangeably in Azure documentation.

In the instructions that follow, the term Azure AD directory stands for all of these synonymous terms.

Verifying the existence of required permissions for creating a new Azure AD application

To generate required credentials, permissions are required to register an application with the Azure AD directory and assign the application to a role in the Azure subscription. The first step is to ensure that you have the right permissions to perform actions.

Note: Registering an application with the Azure AD directory creates an Azure AD application.

Checking Azure Active Directory Permissions

Check the current user's permissions in the Azure AD directory before creating a new Azure AD application. Verify whether permission to register AD apps is available.

The permission check results in one of the following:

The steps to check Azure Active Directory permissions include:

  1. Sign in to the Azure account through the Azure portal.

    Azure-Azure portal navigation login page

  2. In the Azure (ARM) portal, search for Azure Active Directory. Click the Azure Active Directory search result.

    Azure-Azure Active Directory Filter search box

  3. In the Azure Active Directory navigation menu, select User settings.

    Azure-Click User settings on Azure Active Directory navigation menu

  4. In the User settings, verify App registrations settings for your Azure AD directory.

    Azure-In the User settings verify App registrations

    • When set to Yes, non-admin users can register AD apps. Basically, any user in the Azure AD directory can register an app and create a new AD application.
    • When set to No, only admin users can register apps. Check whether your user account is an admin for the Azure AD directory or not.

      The steps to check if you are an admin or not include:

  5. Select Overview in the navigation menu.

    Azure-Select overview

  6. On the right-hand menu, search for a User under the Find menu by typing in the user account into the search box. Click on the account from the search results.

    Azure-From the Quick tasks menu, click find a user

  7. When the user account details are displayed, select the Directory role option from the navigation menu. Your assigned directory role is shown to the right.

    Azure-Select directory role option from user account details

    • If the account is assigned the role of a user and App registration setting is not enabled for users, but is limited to only admin users, you cannot register apps.

      Here, you need to ask the admin to either assign an admin role or allow users to register apps in the Azure AD directory. This is done by enabling App registrations settings.

    • If your account is assigned an admin role, then you are authorized to register apps.

The next step is to check whether your permissions in the Azure subscription allow you to assign a role to AD apps. This check is required because you must be able to assign a specific role to the new AD application. The role enables the app to access resources in your subscription.

Checking Azure Subscription Permissions

Verify the user account has the permission to register AD apps. To confirm, check permissions for the Azure subscription.

To access resources in the subscription, assign the new AD application to the Contributor role. To assign an AD app to a role, the Azure account must have Microsoft.Authorization/*/Write access in the subscription. This Write action is granted only by the Owner or User Access Administrator roles. If the account is assigned a different role in your subscription, it does not have adequate permissions.

Note: For more information about roles in Azure, check the role-based access documentation.

  1. Navigate to Azure Active Directory in the navigation menu (More services - Azure Active Directory).

    Azure-Navigate to Azure Active Directory in the navigation menu

  2. Navigate to Overview in the navigation menu.

    Azure-Navigate to Overview in the navigation menu

  3. Click Find a user under the Quick tasks menu.

    Azure-Find a user under Quick tasks menu

  4. Search for the user account in the search box and click the account.

  5. Navigate to Azure resources in the navigation menu.

    Azure-Navigate to Azure resources in the navigation menu

  6. Navigate to Azure resources on the internal left-hand navigational menu. View your assigned roles to determine if you have adequate permissions to assign an AD app to a role. Only the Owner and User Access Administrator roles can assign an AD app to a role. If you do not have the proper roles, ask your subscription administrator to add you to the User Access Administrator role. The following example shows users with the Contributor, User Access Administrator, and Owner roles assigned to them.

    The below example shows a user with the Owner role assigned to them:

    Azure-View assigned roles for permissions to assign an AD app to a role

After verifying all required permissions, the next step is to create a new Azure AD application. This application will have permissions to access and modify resources on Azure.

Creating an Azure Active Directory Application

After checking the user account and subscription permissions, the next step is to create an Azure AD application and assign the required permissions to it.

  1. Sign in to the Azure account through the Azure portal.

  2. Type Azure Active Directory in the Filter search box. Click the Azure Active Directory search result.

    Azure-Search filter search box in the Azure active directory

  3. In the Azure Active Directory, select App registrations from the navigation menu.

    Azure-Select App registrations in the Azure Active Directory in the navigation menu

  4. On the App registrations pane, click the New application registration button.

    Azure-Click new application registration button on the App registrations pane

  5. In the Create dialog box, set the following:

    • Name - provide a name and URL for the new application.
    • Application Type - select Web app / API as the application type.
    • Sign-in URL - enter any URL in this field. This text is ignored by the IBM Live Migration Service.

      Azure-In the create dialog box set parameters

  6. After setting the values, click the Create button at the bottom-left of the page to create the new AD application.

    Azure-After setting values click create button

The Azure AD application required for IBM Live Migration Service is created. Next, assign the required role to this application.

Assigning the required Role to the Application

To access resources in the subscription, assign the Contributor role to the newly created AD application.

  1. From the navigation menu, type subscription in the Filter search box. Click the Subscription search result.

    Azure-Navigate to more services from the navigation menu

  2. In the Subscriptions pane, select the specific subscription, resource group, or resource to which the application must be assigned.

    Azure-Select specific subscription resource group

    The selected subscription details are displayed.

  3. Select Access Control (IAM) from the navigation menu.

    Azure-Select Access Control (IAM)

  4. In the Access control (IAM) pane, click Add.

    Azure-In the Access control (IAM) pane click Add

  5. In the Add permissions dialog box, select the Contributor role from the Role dropdown. Search for the new application created earlier and select it from the list.

    Azure-Select contributor role from the role dropdown

  6. Click the Save button to finish assigning the app to the role.

    Azure-Click save button to finish assigning the app to the role

The correct role is now assigned to the AD application. This gives it permission to perform the actions required by the IBM Live Migration Service. The next step is to obtain the credentials to enter into the IBM Live Migration Service User Console.
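The two role conditions from the sections above (the operator holds Owner or User Access Administrator, and the AD application holds Contributor) can also be checked against an exported list of role assignments. This is an added example, not part of the original instructions or of IBM's or Microsoft's tooling; it assumes records shaped like the JSON output of `az role assignment list` (fields `principalName`, `roleDefinitionName`, `scope`), and the function names and sample data are constructed.

```python
# Roles the page names as able to assign an AD app to a role.
ASSIGNER_ROLES = {"Owner", "User Access Administrator"}

def covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited at target_scope."""
    a = assigned_scope.rstrip("/").lower()   # Azure resource IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    # "/" (root) covers everything; otherwise match on a whole path segment.
    # Management-group scopes are not resolved here (that needs the group hierarchy).
    return a == "" or t == a or t.startswith(a + "/")

def roles_at(assignments, principal, scope):
    """Role names `principal` holds at `scope`, directly or by inheritance."""
    return {a["roleDefinitionName"] for a in assignments
            if a.get("principalName", "").lower() == principal.lower()
            and covers(a["scope"], scope)}

def preflight(assignments, operator, app, scope):
    """Evaluate the two role conditions of the procedure for one scope."""
    return {
        "operator_can_assign": bool(roles_at(assignments, operator, scope) & ASSIGNER_ROLES),
        "app_is_contributor": "Contributor" in roles_at(assignments, app, scope),
    }

# Constructed sample data (placeholder IDs, not from a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
APP_OK = "11111111-1111-1111-1111-111111111111"
APP_RG_ONLY = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-a"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": APP_OK, "roleDefinitionName": "Contributor", "scope": SUB.upper()},
    {"principalName": APP_RG_ONLY, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-a"},
    {"principalName": APP_RG_ONLY, "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    print(preflight(SAMPLE, "alice@example.com", APP_OK, SUB))
    print(preflight(SAMPLE, "bob@example.com", APP_RG_ONLY, SUB))
```

In the sample, an Owner assignment on a single resource group does not let the operator assign roles at subscription level, and an application that is Contributor only on a resource group fails the subscription-level check.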

Obtaining Azure Credentials

After creating a new AD app and assigning the Contributor role, obtain credentials for this application and the Azure AD directory.
The credentials consist of:

Obtaining Application ID and Authentication Key

After creating a new Azure AD application, obtain the Application ID and Authentication Key. Remember to copy and save these values, since you will later need to enter them into the IBM Live Migration Service user console as part of your Azure credentials.

  1. Look for Azure Active Directory in the Filter search box. Click Azure Active Directory search result.

    Azure-Click Azure active directory search result

  2. In the Azure Active Directory, select App registrations from the navigation menu.

    Azure-Select App registrations from the navigation menu

  3. On the App registrations pane in the Azure Active Directory, select the application created.

    Azure-Select application created from the app registrations

    The details of the selected application are displayed.

  4. Copy the Application ID and save it in an accessible and secured location.

    Azure-Copy the application ID and save

  5. To generate an Authentication Key, select the Keys option from the Settings menu.

    Note: Click Settings to expand the menu.

    Azure-Click settings to expand the menu

  6. In the Keys pane, set the following:

    • DESCRIPTION - Provide a description
    • EXPIRES - Select a duration

      Azure-After saving the Key settings, the Authentication Key value is displayed

    The key turns blue once values have been added. Click Save.

  7. After saving the Key settings, the Authentication Key value is displayed. Save this value in an accessible and secured location.

    Azure-Save application ID and authentication key values

Important: The Authentication Key is required to run the IBM Live Migration Service solution. Copy and save it at this stage, because it cannot be retrieved later.

Obtaining the Directory ID

After obtaining and saving the Application ID and Authentication Key values, the next step is to obtain the Directory ID. Copy and save the value, which is a part of the required Azure credentials.

  1. Look for Azure Active Directory in the Filter search box. Click Azure Active Directory.

    Azure-Click Azure active directory

  2. In the Azure Active Directory, navigate to the Properties tab. Here, copy and save the Directory ID in an accessible and secure location.

    Azure-Copy and save Directory ID

Obtaining the Subscription ID

The final step is to obtain the Subscription ID. You need to copy and save this value, since it is a part of the required Azure credentials.

  1. From the navigation menu, type subscription in the Filter search box. Click the Subscription search result.

    Azure-Navigate to more services subscriptions

  2. In the Subscriptions pane, locate the specific subscription to which the AD application is assigned. Copy and save the Subscription ID in an accessible and secured location.

    Azure-Copy and save subscription ID

You have now finished generating and gathering the required Azure credentials. The next step is to enter the Application ID, Authentication Key, Directory ID, and Subscription ID into the migration console.

Using your Azure ARM Credentials

After generating the required Azure (ARM) credentials, enter the credentials into the IBM Live Migration Service User Console.

  1. Sign in to the IBM Live Migration Service user console.
  2. From the Projects dropdown menu, select the Azure (ARM) project to which the Azure (ARM) credentials should be assigned.

    azuresample

  3. Click Setup & Info in the main navigational menu to the left. From the Setup & Info, click the ARM CREDENTIALS tab.

    The ARM CREDENTIALS page allows you to set up the replication Staging Area on Azure (ARM) and to manage and monitor resources on your Azure (ARM) Target infrastructure.

  4. Enter your unique values, based on the required Azure (ARM) credentials you created for the IBM Live Migration Service solution, into the corresponding fields:

    • Application ID
    • Key (Authentication Key)
    • Directory ID
    • Subscription ID

      azuredrdemo

  5. After entering your values, click Save at the bottom right of the page.

    azuresavebutton

    After saving, your screen should look like this image:

    azurecredentials

    Your Azure (ARM) credentials are now saved in your IBM Live Migration Service Project.

    Note: If the Azure (ARM) credentials you entered do not exist or are invalid in any way, or if the IAM role of the AD application used for IBM Live Migration Service is NOT Contributor, you get the following error message:

    azureerrormessage

In this event, you should attempt the following troubleshooting steps: