For Alert Logic to protect assets in Microsoft Azure, you must create an app registration with administrative permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. When you assign a RBAC role to the app registration you create, you grant only the amount of access required to allow Alert Logic to monitor your environments.
This procedure requires administrative permissions in Azure, and the installation of one of the following command line interfaces:
To configure your RBAC role in Azure:
- Log into the Azure portal.
- In the left menu, click Azure Active Directory.
- On the left panel, under Manage, click App registrations.
- Click New registration, and enter a name.
- Click Register.
Make note of the Application (client ID), and the Directory (tenant ID) which you need later when you create an Azure deployment.
- On the left panel, under Manage, click Certificates & secrets, and then click +New client secret.
- Enter a description, and then on Expire, select Never.
Make note of the key value, which you need later.
RBAC roles enable fine-grained access management for Azure. After you create an app registration, you must assign an RBAC role to that registration. The Alert Logic RBAC role grants only the amount of access required to monitor your environments.
For more information about Azure RBAC or managing roles with command-line applications, see:
- Role based access control custom roles
- Manage Role-Based Access Control with the Azure command-line interface
- Manage Role-Based Access Control with Azure PowerShell
To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.
To create a custom RBAC role:
- Create a new text file and copy the Alert Logic RBAC role into it.
- Make the following changes to the file:
- In the "Name": "user name", line, change the "user name" entry to the user name for the app registration you just created.
- In the "AssignableScopes":"/subscriptions/<subscription id>" line, change the <subscription ID> value to the Subscription ID found on your Azure portal Subscriptions blade.
- Save the text file as a JSON file.
- Open either Azure CLI 2.0 or Azure PowerShell, and log in to your Azure account, and then specify the default subscription. Azure Azure CLI 2.0 commands
az account set --subscription <your subscription id>Azure Azure PowerShell commands
Get-AzureRmSubscription –SubscriptionName [your subscription name] | Select-AzureRmSubscription
- Create your custom role in Azure.
- In the Azure portal, under Subscriptions, select your subscription, and then click select Access control (IAM).
- Click Roles to verify that the RBAC role you created appears in the portal.
After you create the RBAC role, you must assign it to the Azure app you registered. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.
- In the Azure Navigation Menu, click Subscriptions.
- In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM).
Make note of the subscription ID, which you need later when you create an Azure deployment.
- Above the list of users, click +Add, and then click Add role assignment.
- In the Add access blade, select the RBAC role you created from those listed.
- Click SAVE.
Obtain the Active Directory ID in Azure
You need the Active Directory ID to complete the assignment of the RBAC role to the user account that grants access to Alert Logic.
To obtain the Active Directory ID:
- In the Azure portal, on the bar on the top right, click the Help icon ().
- Click Show Diagnostics to download the JSON file, and then open it in a text editor.
- Under the "tenants": line, look for "id": "your active directory ID".
- Take note of the active directory ID.
Create a deployment in the Alert Logic console
The steps you must take to create a deployment vary based on your subscription level.
For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription)
For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).