Skip to main content
Skip table of contents

Generate Azure Credentials

Purpose

This document describes the configuration of Azure credentials on OUTSCAN and the steps to setup on Microsoft Azure account to perform a benchmark.

Configure an Azure Account on OUTSCAN

Prerequisite

A CIS Benchmark app should be defined on Azure account.

Procedure

  1. In the drop-down menu select Microsoft Azure.



  2. Add the Name of your Azure account.

  3. Add the Tenant ID.

  4. Add the Client ID.

  5. Add the Secret.


  1. Click the blue Add button.

To manage your credentials, refer to Scan Credentials.[1]

Steps to Set an App on Microsoft Azure Account to Perform a Benchmark

Follow the below steps to set a CIS benchmark application.

  1. Register an app and create credentials.

  2. Create a custom role.

  3. Assign app with that custom role.

If your Microsoft Azure account has more than one subscription, then you can widen the assignable scope of the custom role by adding a line for each subscription. 

Register an Application and Create Credentials - Service Account

Prerequisite

A Microsoft Azure account with access to Azure portal is required.

Procedure

  1. Login to Azure portal.

  2. Go to Azure Active Directory.

    register app-1.png

  3. On the left panel, click on App registrations.

    App registrations


  4. On the top panel, click on+ New registration.

    register app-3.png

  5. Fill the form by entering a name, then Register.

    register an app.png

  6. Select the newly registered app from  the app list. 

  7. On the right panel, copy Application (client) ID value, you will need it to create Azure credential on OUTSCAN.

  8. On the left panel, select Certificate & secrets.

  9. On the right panel, select + New client secret, which opens a panel on the right hand side.

  10. Fill the form by adding description and fix the duration followed by clicking Add.

  11. On the right panel, make a copy on the value of the newly created secret (it will not be displayed later), you will need it to create Azure credential on OUTSCAN.

Create the Custom Role to Run the Benchmark

Prerequisite

Install az,[2] azure command line interface tool.

Procedure

You may refer to the Microsoft Azure link about the custom role definition tutorial [3].

Get the custom role template and customize to fit your azure subscription context:

  1. Upload JSON file containing the custom role template: Azure_Foundations_1.1.1_benchmark_role.json. See Appendix A.

  2. Modify the last line in the JSON file by replacing '{subscription_id}' by the actual value of the Azure account.

  3. Also remove the Microsoft.Subscription/SubscriptionDefinitions/read line from the JSON file since it is no longer supported. See Appendix B.

If you prefer to have a view per subscription then you need to define custom roles and apps as much as subscriptions.

Your Subscription ID can be found in Microsoft Azure portal under Subscriptions as shown below.

Subscriptions

Then you run the following command:

  1. To create adhoc custom role:

    CODE
    az role definition create --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"

  2. To list custom roles:

    CODE
    az role definition list --custom-role-only true

  3. To update existing custom role:

    CODE
    az role definition update --role-definition "<path_to>/Azure_Foundations_1.1.1_benchmark_role.json"

  4. To check that the custom role has been created the customer can run:

    CODE
    az role definition list --custom-role-only true --name "Azure Foundations 1.1.1 Benchmark Role"

Assign Application to the Custom Role

Prerequisite

Make sure that Azure Foundations 1.1.1 Benchmark Role are defined on your Azure account. See section How to Create the Custom Role to Run the Benchmark.

Procedure 

Once the custom role has been created, you need to login to the Azure portal to perform the application role assignment.

Go to subscriptions, 

  1. Select one subscription.

  2. Go to Access control (IAM).

  3. On the right panel select + Add > Add role assignment which opens a panel on the right.

  4. On the newly right panel fill the form.

  5. Select the custom role: Azure Foundations 1.1.1 Benchmark Role (Custom roles are listed at the end of the list, newly created custom roles may take a while to appear on the list).

  6. Assign access to User, group, or service principal:

    1. Select the application you created to run the benchmark.

    2. Go to application overview.

    3. Go to IAM.

    4. Add role assignment.

    5. Select the custom role: Azure Foundations 1.1.1 Benchmark Role.

    6. Click Save to save the changes and close the panel.

  7. Here is an example how this looks like in the Role Assignments table.

    Access Control - IAM

Repeat these steps for each subscription in custom role assignable scope. 

Example

The diagrams illustrate how a customer can define either one application that scopes all of the subscriptions or one application for each subscription.

Customers can also decide how many applications they wants to set and define the scope of each application. Diagrams illustrate two use cases only.

Usecase 1

Usecase 2

How to Find Azure Parameters in the Azure Console

Procedure

The Azure parameters can be found in the Azure console.

Tenant and Tenant ID: Tenant ID is the name of your entry in the Azure Active Directory in which the app is registered such as XXX.onmicrosoft.com or the ID of the directory.

ewp 12.png

Client ID and User Name: Client ID is the Application ID which is the application id created when you registered the app.

EWP workload18.png

Secret and Password: The password you chose while creating the keys of the application in the Active Directory.

EWP workload20.png

Which Specific Permission to Get 1.3 Running

1.3 check requires special ad hoc permissions. You need to grant Directory.Read.All (Application Type) to the application that runs the benchmark.

Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

  1. Log in to Azure Portal.

  2. Go to App registration.

  3. Select the Application registered to run the Benchmark.

  4. Select API permissions.

  5. Add permissions for:

    1. Azure Active Directory Graph.

    2. Select Application permissions (Active Directory permissions type in Microsoft Identity Platform).

    3. Select Directory.Read.All permission.

    4. Add Permission.

      Active Directory Permissions
  6. Click on Grant Admin Consent when it is displayed in bold.

Here is an example how this looks like in the API Permissions:

API Permissions

Which Specific Permission to Get 8.x Running

8.x checks require special ad hoc permissions. You need to grant list permission in the Access Policies of your Key vault to the application that runs the benchmark.

Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

  1. Log in to Azure Portal.

  2. Go to Key Vaults.

  3. Select a specific key vault.

  4. Select Access policies.

  5. Add Access Policy by selecting all List permissions to Key, Secret & Certificate Management as follow.

Add Access Policy

Here is an example how this looks like in the Access policies for a specific Key vault.

Access Policies

References

  1. Scan Credentials

  2. Install the Azure CLI - https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

  3. Tutorial: Create a custom role for Azure resources using Azure CLI - https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli

  4. How to: Use the portal to create an Azure AD application and service principal that can access resources - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Appendix A

Azure_Foundations_1.1.1_benchmark_role.json
CODE
{
   "properties": {
        "roleName": "Azure Foundations 1.1.1 Benchmark Role",
        "isCustom": true,
        "description": "Perform checks of Azure CIS Foundations 1.1.1 Benchmark.",
        "assignableScopes":[
            "/subscriptions/1546581-1562-152a-xxyx-abcdabcdabcdabcd"
        ],
        "permissions":[
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/diskEncryptionSets/read",
                    "Microsoft.Compute/locations/publishers/read",
                    "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
                    "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforMySQL/servers/*/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/*/read",
                    "Microsoft.DBforPostgreSQL/serversv2/*/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/*/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/networkSecurityGroups/securityRules/read",
                    "Microsoft.Network/networkWatchers/read",
                    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                    "Microsoft.Network/networkWatchers/securityGroupView/action",
                    "Microsoft.Resources/subscriptions/*/read",
                    "Microsoft.Security/*/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/administrators/read",
                    "Microsoft.Sql/servers/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/databases/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
                    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
                    "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
                    "Microsoft.Sql/servers/encryptionProtector/read",
                    "Microsoft.Sql/servers/extendedAuditingSettings/read",
                    "Microsoft.Sql/servers/firewallRules/read",
                    "Microsoft.Sql/servers/securityAlertPolicies/read",
                    "Microsoft.Sql/servers/virtualNetworkRules/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/*/read",
                    "Microsoft.Web/sites/read",
                    "Microsoft.Web/sites/config/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                  ],
                  "notActions": [],
                  "dataActions": [],
                  "notDataActions": []
            }
        ]

   } 
}

Appendix B

Azure Foundations 1.1.0 Benchmark Role.json
CODE
{
  "Name": "Azure Foundations 1.1.0 Benchmark Role",
  "IsCustom": true,
  "Description": "Perform checks of Azure CIS Foundations 1.1.0 Benchmark.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/diskEncryptionSets/read",
    "Microsoft.Compute/locations/publishers/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.DBforMySQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/serversv2/*/read",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/deletedVaults/read",
    "Microsoft.KeyVault/*/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
    "Microsoft.Network/networkWatchers/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
    "Microsoft.Resources/subscriptions/*/read",
    "Microsoft.Security/*/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/administrators/read",
    "Microsoft.Sql/servers/auditingSettings/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/auditingSettings/read",
    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
    "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
    "Microsoft.Sql/servers/encryptionProtector/read",
    "Microsoft.Sql/servers/extendedAuditingSettings/read",
    "Microsoft.Sql/servers/firewallRules/read",
    "Microsoft.Sql/servers/securityAlertPolicies/read",
    "Microsoft.Sql/servers/virtualNetworkRules/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/*/read",
    "Microsoft.Subscription/SubscriptionDefinitions/read", <<<< Remove this line since it is no longer supported
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/config/Read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}




Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.