Configure App Registration and RBAC for Microsoft Azure Resources

For Alert Logic to protect your Azure deployments, you must configure Microsoft Azure resources to allow Alert Logic to monitor your assets. All procedures require administrative permission in the Azure portal.

You must create an app registration, and then use Azure role-based access control (RBAC) to create and assign a role to that app registration. This enables fine-grained access management for Azure accounts.

To further your security configuration measures, you must also grant certain permissions to access Microsoft Graph and Azure Key Vault. This practice is required for compliance with the Center for Internet Security (CIS) benchmarks for Microsoft Azure, an established best-practices baseline configuration guideline, and allows Alert Logic to perform CIS benchmark checks that expose vulnerabilities in your deployments.

For more information about Microsoft Azure CIS Benchmarks, see cisecurity.org/benchmark/azure.

These instructions do not apply in the following cases:

If your Azure resources do not meet the Microsoft Azure CIS benchmark requirements, a remediation to update them is listed on the Remediations page in the Alert Logic console.

You can also generate a CIS Foundations Benchmark report for Azure in the Alert Logic console. For more information, see CIS Microsoft Azure Foundation Benchmark.

To create an RBAC role, ensure you have one of the following command line interfaces installed before you begin:

If you have Azure CLI 1.0 installed, Microsoft recommends you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only for support with the Azure Service Management (ASM) model with "classic" resources. For more information, contact Microsoft Azure support.

To configure your Azure resources, you must:

  1. Create an app registration in Azure
  2. Create a custom RBAC role
  3. Grant permissions to access Microsoft Graph
  4. Grant permissions to access Azure Key Vault
  5. Assign the role to the app registration

Create an app registration in Azure

Create an app registration in the Azure portal. You will assign an RBAC role to this app registration.

To create an app registration:

  1. Log into the Azure portal.
  2. In the left menu, click Azure Active Directory.
  3. On the left panel, under Manage, click App registrations.
  4. Click + New registration, and enter a name.
  5. Click Register. Note the Application (client) ID, and the Directory (tenant) ID, which you will need later.
  6. On the left panel, under Manage, click Certificates & secrets, and then click + New client secret.
  7. Enter a description, and then on Expire, select Never.
  8. Click Add. Note the Value, which you will need later.

Create a custom RBAC role

After you create an app registration, you must assign an RBAC role to that registration to grant Alert Logic permission to monitor your environments. This allows limited access to your environments, and no further access.

For more information about Azure RBAC or managing roles with command-line applications, see:

To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.

To create a custom RBAC role, you must:

Create a role document

To create a role document:

  1. Create a new text file and copy the Alert Logic role into it. Note the directory where you save the file. You must know the path and file name for later in the procedure.
  2. Make the following changes to the file:
    1. In the "Name": "<Resource Explorer (Alert Logic)>" line, replace <Resource Explorer (Alert Logic)> with a descriptive name.
    2. In the "/subscriptions/<subscription id>" line, replace <subscription id> with the subscription ID shown on the Subscriptions blade in the Azure portal. Example: "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x"
  3. Save the text file as a JSON file.

Create a custom role in Azure

To create a custom role in Azure:

  1. Open Azure CLI 2.0 or Azure PowerShell, log in to your Azure account, and then set the default subscription.
  2. Create your custom role in Azure.
  3. In the Azure portal, under Subscriptions, select your subscription, and then click Access control (IAM).
  4. Click Roles to verify that the RBAC role you created appears in the portal.
  5. If the role does not appear, refresh the list of roles.
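Before creating the role from the JSON file, it is worth checking that the edits from the role-document procedure were actually made and that the role stays limited to read access. The following added example (not Alert Logic's own tooling) does that check on a constructed sample document; the Actions it contains are illustrative, not the published Alert Logic role.

```python
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER_RE = re.compile(r"<[^>]*>")  # unreplaced template values like <subscription id>
REQUIRED_KEYS = ("Name", "IsCustom", "Description", "Actions", "NotActions", "AssignableScopes")


def check_role_document(text):
    """Return a list of findings for a custom-role JSON document; an empty list means it is ready."""
    findings = []
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    for key in REQUIRED_KEYS:
        if key not in role:
            findings.append("missing key %r" % key)
    if findings:
        return findings
    if PLACEHOLDER_RE.search(role["Name"]):
        findings.append("Name still contains a <placeholder>")
    if role["IsCustom"] is not True:
        findings.append("IsCustom must be true for a custom role")
    if not role["AssignableScopes"]:
        findings.append("AssignableScopes is empty")
    for scope in role["AssignableScopes"]:
        if PLACEHOLDER_RE.search(scope):
            findings.append("scope %r still contains a <placeholder>" % scope)
        elif not scope.startswith("/subscriptions/") or not GUID_RE.match(scope[len("/subscriptions/"):]):
            findings.append("scope %r is not /subscriptions/<GUID>" % scope)
    # Least-privilege check: a monitoring role should only need */read style actions.
    for action in role["Actions"]:
        if not action.endswith("/read"):
            findings.append("action %r grants more than read access" % action)
    return findings


# Constructed sample (not the role document Alert Logic publishes); the write
# action is included only to show how a non-read action is reported.
SAMPLE_ROLE = """{
  "Name": "Resource Explorer (Alert Logic)",
  "IsCustom": true,
  "Description": "Read-only visibility for Alert Logic monitoring",
  "Actions": ["*/read", "Microsoft.Network/networkSecurityGroups/write"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"]
}"""

# The same document with step 2 of the role-document procedure skipped.
UNEDITED_ROLE = SAMPLE_ROLE.replace("Resource Explorer (Alert Logic)", "<Resource Explorer (Alert Logic)>") \
    .replace("11111111-2222-3333-4444-555555555555", "<subscription id>")
```

A document that returns no findings is the one to pass to `az role definition create --role-definition @<your file>.json` in step 2.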

Grant permissions to access Microsoft Graph

You must grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.

To grant permissions to access Microsoft Graph:

  1. In the Azure portal, click Azure Active Directory.
  2. On the left panel, click App registrations, and then select your app registration.
  3. On the left panel, click API permissions, and then click + Add a permission.
  4. On the Request API permissions blade, click Microsoft Graph.
  5. Click Application permissions, and then in the list, select the following permissions:
    1. Click Application to see permissions in this category, and then select Application.Read.All.
    2. Click Group to see permissions in this category, and then select Group.Read.All.
    3. Click RoleManagement to see permissions in this category, and then select RoleManagement.Read.Directory.
    4. Click User to see permissions in this category, and then select User.Read.All.
  6. Click Add permissions, and then on the API permissions pane, click Grant admin consent for Default Directory.
  7. In the pop-up window, click Yes to allow the changes you made on the permissions.

Grant permissions to access Azure Key Vault

You must grant certain permissions to access your Azure Key Vault in the Azure portal, which allows Alert Logic to perform CIS benchmark checks. You must repeat these steps for each of your key vaults.

To grant permissions to access your key vault:

  1. In the Azure portal, click Key vaults.
  2. Select a key vault from the list, and then on the left panel, click Access policies.
  3. Click + Add Access Policy.
  4. In the Key permissions field, select Get and List.
  5. In the Secret permissions field, select Get and List.
  6. Click Select principal, and then from the list, select the app registration you created.
  7. Click Add.

    You must repeat these steps for each key vault in the list.

Assign the role to the app registration

You must assign the role you created to your registered app.

  1. In the Azure portal, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access Control (IAM). Note the subscription ID, which you will need when you create an Azure deployment.
  3. Click + Add, and then click Add role assignment.
  4. Select the RBAC role you created.
  5. From the list, click the app you registered earlier.
  6. Click SAVE.

Create a deployment in the Alert Logic console

In the Alert Logic console, fill out the required fields:

  • Subscription ID
  • Active Directory ID
  • Application ID
  • Key ID

The steps you must take to create a deployment vary based on your subscription level.

For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription).

For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).