Configure Role-Based Access Control (RBAC) for Microsoft Azure Resources

For Alert Logic to protect assets in Microsoft Azure, you must create an app registration with administrative permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. When you assign a RBAC role to the app registration, you grant Alert Logic access to monitor your environments, and no further access.

This procedure requires administrative permissions in Azure, and the installation of one of the following command line interfaces:

If you have Azure CLI 1.0 installed, Microsoft recommends you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only for support with the Azure Service Management (ASM) model with "classic" resources. For more information, contact Microsoft Azure support.

To configure your RBAC role in Azure, you must:

  1. Create an app registration in Azure
  2. Create a custom RBAC role
  3. Assign the role to the user account

Create an app registration in Azure

  1. Log into the Azure portal.
  2. In the left menu, click Azure Active Directory.
  3. On the left panel, under Manage, click App registrations.
  4. Click New registration, and enter a name. Note the name of the registration, which you will need later when you create an Azure deployment.
  5. Click Register. Note the Application (client) ID, and the Directory (tenant) ID, which you will need later.
  6. On the left panel, under Manage, click Certificates & secrets, and then click +New client secret.
  7. Enter a description, and then on Expire, select Never.
  8. Click Add. Note the key value, which you will need later.

Create a custom RBAC role

RBAC roles enable fine-grained access management for Azure. After you create an app registration, you must assign an RBAC role to that registration to grant Alert Logic permission to monitor your environments.

For more information about Azure RBAC or managing roles with command-line applications, see:

To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.

To create a custom RBAC role, you must:

Create a role document

To create a role document:

  1. Create a new text file and copy the Alert Logic RBAC role into it. Note the directory where you save the file. You must know the path and file name for later in the procedure.
  2. Make the following changes to the file:
    1. In the "Name": "<role name>", line, change the "<role name>" entry to the name for the app registration you just created.
    2. In the "AssignableScopes":"/subscriptions/<subscription id>" line, change the <subscription ID> value to the Subscription ID found on your Azure portal Subscriptions blade.
  3. Save the text file as a JSON file.

Create a custom role in Azure

To create a custom role in Azure:

  1. Open either Azure CLI 2.0 or Azure PowerShell, and log in to your Azure account, and then specify the default subscription.
  2. Create your custom role in Azure.
  3. In the Azure portal, under Subscriptions, select your subscription, and then click select Access control (IAM).
  4. Click Roles to verify that the RBAC role you created appears in the portal.
  5. If the role does not appear, refresh the list of roles.

Assign the role to the user account

After you create the RBAC role, you must assign it to the Azure app you registered. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.

  1. In the Azure Navigation Menu, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM). Note the subscription ID, which you will need when you create an Azure deployment.
  3. Click +Add, and then click Add role assignment.
  4. Select the RBAC role you created.
  5. From the list, click the app you registered earlier.
  6. Click SAVE.

Create a deployment in the Alert Logic console

The steps you must take to create a deployment vary based on your subscription level.

For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription)

For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).