Configure Role-Based Access Control (RBAC) for Microsoft Azure Resources

For Alert Logic to protect assets in Microsoft Azure, you must create an app registration with administrative permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. When you assign a RBAC role to the app registration you create, you grant only the amount of access required to allow Alert Logic to monitor your environments.

This procedure requires administrative permissions in Azure, and the installation of one of the following command line interfaces:

If you have Azure CLI 1.0 installed, Microsoft recommends you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only for support with the Azure Service Management (ASM) model with "classic" resources. For more information, contact Microsoft Azure support.

To configure your RBAC role in Azure:

  1. Create an app registration in Azure
  2. Create a custom RBAC role
  3. Assign the role to the user account

Create an app registration in Azure

  1. Log into the Azure portal.
  2. In the left menu, click Azure Active Directory.
  3. On the left panel, under Manage, click App registrations.
  4. Click New registration, and enter a name.
  5. Make note of the name, which you need later when you create an Azure deployment.
  6. Click Register.
    Make note of the Application (client ID), and the Directory (tenant ID) which you need later when you create an Azure deployment.
  7. On the left panel, under Manage, click Certificates & secrets, and then click +New client secret.
  8. Enter a description, and then on Expire, select Never.
    Make note of the key value, which you need later.

Create a custom RBAC role

RBAC roles enable fine-grained access management for Azure. After you create an app registration, you must assign an RBAC role to that registration. The Alert Logic RBAC role grants only the amount of access required to monitor your environments.

For more information about Azure RBAC or managing roles with command-line applications, see:

To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.

To create a custom RBAC role:

To create a role document:

  1. Create a new text file and copy the Alert Logic RBAC role into it.
Make note of the directory in which you saved the file. You must know the path and file name later in the procedure.
  1. Make the following changes to the file:
    1. In the "Name": "user name", line, change the "user name" entry to the user name for the app registration you just created.
    2. In the "AssignableScopes":"/subscriptions/<subscription id>" line, change the <subscription ID> value to the Subscription ID found on your Azure portal Subscriptions blade.
  2. Save the text file as a JSON file.

To create a custom role in Azure:

  1. Open either Azure CLI 2.0 or Azure PowerShell, and log in to your Azure account, and then specify the default subscription.
  2. Create your custom role in Azure.
  3. In the Azure portal, under Subscriptions, select your subscription, and then click select Access control (IAM).
  4. Click Roles to verify that the RBAC role you created appears in the portal.

Assign the role to the user account

After you create the RBAC role, you must assign it to the Azure app you registered. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.

  1. In the Azure Navigation Menu, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM).

    Make note of the subscription ID, which you need later when you create an Azure deployment.

  3. Above the list of users, click +Add, and then click Add role assignment.
  4. In the Add access blade, select the RBAC role you created from those listed.
  5. Click SAVE.

Obtain the Active Directory ID in Azure

You need the Active Directory ID to complete the assignment of the RBAC role to the user account that grants access to Alert Logic.

To obtain the Active Directory ID:

  1. In the Azure portal, on the bar on the top right, click the Help icon ().
  2. Click Show Diagnostics to download the JSON file, and then open it in a text editor.
  3. Under the "tenants": line, look for "id": "your active directory ID".
  4. Take note of the active directory ID.

Create a deployment in the Alert Logic console

The steps you must take to create a deployment vary based on your subscription level.

For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription)

For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).