Configure RBAC Roles in Microsoft Azure

For Alert Logic to protect assets in Microsoft Azure, you must create a user account with specific permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. Assigning an RBAC role to the user account you create grants only the amount of access required to allow Alert Logic to monitor your environments.

This procedure requires administrative permissions in Azure, and the installation of one of the following command line interfaces:

If you have Azure CLI 1.0 installed, Microsoft recommends you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only for support with the Azure Service Management (ASM) model with "classic" resources. For more information, please contact Microsoft Azure support.

To configure your RBAC role in Azure:

  1. Create a user account in Azure
  2. Create a custom RBAC role
  3. Assign the role to the user account

Create a user account in Azure

  1. Log into the Azure portal.
  2. In the left menu, click Azure Active Directory.
  3. On the left panel, under Manage, click Users.
  4. Click New user, and enter a name and email address.
  5. Make note of the name, which you need later when you create an Azure deployment.
  6. Ensure the Directory role is User.
  7. Click Create.
  8. Open a new browser window and navigate to the Azure portal login page.
  9. Log into the Azure portal as the new user.
  10. At the prompt, change the password for the user.

    Make note of the new password, which you need later when you create an Azure deployment.

Create a custom RBAC role

RBAC roles enable fine-grained access management for Azure. After you create a user account, you must assign an RBAC role to the user. The Alert Logic RBAC role grants only the amount of access required to monitor your environments.

For more information about Azure RBAC or managing roles with command-line applications, see:

To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.

To create a custom RBAC role:

To create a role document:

  1. Create a new text file and copy the Alert Logic RBAC role into it.

    Make note of the directory in which you saved the file. You must know the path and file name later in the procedure.

  2. Make the following changes to the file:
    1. In the "Name": "user name", line, change the "user name" entry to the user name for the user account you just created.
    2. In the "AssignableScopes":"/subscriptions/<subscription id>" line, change the <subscription id> value to the Subscription ID found on your Azure portal Subscriptions blade.
  3. Save the text file as a JSON file.
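
A pre-flight check for the edited role document, added here as an example (not Alert Logic or Microsoft code): it confirms that the "Name" and "AssignableScopes" placeholders were replaced and that each scope is a single subscription GUID. The function name, sample documents, account name and GUID are constructed for illustration, and the bare "*" check is an added assumption about what a monitoring role should not contain.

```python
import json
import re

# A single-subscription scope: /subscriptions/<GUID>
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_role_document(text):
    """Return a list of problems found in a custom role document (JSON text)."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(role, dict):
        return ["top level must be a JSON object"]
    problems = []
    name = role.get("Name")
    if not isinstance(name, str) or name.strip().lower() in ("", "user name"):
        problems.append('"Name" is empty or still the "user name" placeholder')
    scopes = role.get("AssignableScopes")
    if isinstance(scopes, str):  # tolerate the single-string form shown in the steps
        scopes = [scopes]
    if not isinstance(scopes, list) or not scopes:
        problems.append('"AssignableScopes" is missing or empty')
        scopes = []
    for scope in scopes:
        if not isinstance(scope, str) or not SCOPE_RE.match(scope):
            problems.append(f"scope is not /subscriptions/<GUID>: {scope!r}")
    actions = role.get("Actions")
    if not isinstance(actions, list) or not actions:
        problems.append('"Actions" is missing or empty')
    elif "*" in actions:
        problems.append('"Actions" contains a bare "*", which grants every operation')
    return problems

# Constructed sample documents; the actions are NOT the Alert Logic role.
TEMPLATE = """{"Name": "user name", "IsCustom": true,
 "Actions": ["Microsoft.Compute/virtualMachines/read"],
 "AssignableScopes": ["/subscriptions/<subscription id>"]}"""
EDITED = TEMPLATE.replace("user name", "al-monitor").replace(
    "<subscription id>", "11111111-2222-3333-4444-555555555555")

if __name__ == "__main__":
    for label, doc in (("template", TEMPLATE), ("edited", EDITED)):
        print(label, check_role_document(doc) or "OK")
```

Pass the contents of your saved JSON file to check_role_document() before you create the role; an empty list means the two edits above were applied.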

To create a custom role in Azure:

  1. Open either Azure CLI 2.0 or Azure PowerShell, log in to your Azure account, and then specify the default subscription.
  2. Create your custom role in Azure.
  3. In the Azure portal, under Subscriptions, select your subscription, and then click Access control (IAM).
  4. Click Roles to verify that the RBAC role you created appears in the portal.

Assign the role to the user account

After you create the RBAC role, you must assign it to the user account. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.

  1. In the Azure Navigation Menu, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM).

    Make note of the subscription ID, which you need later when you create an Azure deployment.

  3. Above the list of users, click +Add.
  4. In the Add access blade, select the RBAC role you created from those listed.
  5. In the Add users blade, enter the user account name in the search field, and then select the user account name from the list.
  6. Click Select.
  7. Click OK.

Obtain the Active Directory ID in Azure

You need the Active Directory ID to complete the assignment of the RBAC role to the user account that grants access to Alert Logic.

To obtain the Active Directory ID:

  1. In the Azure portal, on the bar on the top right, click the Help icon.
  2. Click Show Diagnostics to download the JSON file, and then open it in a text editor.
  3. Under the "tenants": line, look for "id": "your active directory ID".
  4. Take note of the active directory ID.

Create a deployment in the Alert Logic console

The Deployments page appears under the Configuration tab in the Alert Logic console. To add a deployment, click the icon, and then select Microsoft Azure.

After you name your deployment, fill out the required fields to allow Alert Logic access to your account.

  1. Fill out the required fields:
    • Subscription ID
    • Active Directory ID
    • User (your email address)
    • Password

  2. Click Create.

For more information about adding Azure deployments, see Azure Deployment Configuration.