Configure App Registration and RBAC for Microsoft Azure Resources

For Alert Logic to protect your Azure deployments, you must configure Microsoft Azure resources to allow Alert Logic to monitor your assets. All procedures require administrative permission in the Azure portal: a directory role that can create app registrations and grant admin consent, and Owner or User Access Administrator on each subscription where you create the custom role and assign it.

You must create an app registration, and then use Azure role-based access control (RBAC) to create and assign a role to that app registration.

To comply with the Center for Internet Security (CIS) benchmarks for Microsoft Azure, an established baseline of best-practice configuration guidelines, you must also grant the app registration certain permissions to Microsoft Graph and Azure Key Vault. With these permissions, Alert Logic performs CIS benchmark checks on your deployments to detect misconfigurations.

For more information about Microsoft Azure CIS Benchmarks, see cisecurity.org/benchmark/azure.

These instructions do not apply in the following cases:

Any remediation required to bring your Azure resources in line with the Microsoft Azure CIS benchmark is listed on the Remediations page in the Alert Logic console.

You can also generate a CIS Foundations Benchmark report for Azure in the Alert Logic console. For more information, see CIS Microsoft Azure Foundation Benchmark.

To configure your Azure resources, you must:

  1. Create an app registration in Azure
  2. Create a custom RBAC role
  3. Grant permissions to access Microsoft Graph
  4. Grant permissions to access Azure Key Vault
  5. Assign the role to the app registration
  6. Create a deployment in the Alert Logic console

Create an app registration in Azure

Create an app registration in the Azure portal. You will assign an RBAC role to this app registration.

To create an app registration:

  1. Log into the Azure portal.
  2. Click the search bar, and then click Azure Active Directory. If necessary, type "Azure Active Directory".
  3. On the left panel, under Manage, click App registrations.
  4. Click + New registration, and enter a name.
  5. Click Register. Copy the Application (client) ID, and the Directory (tenant) ID to a text editor for later.
  6. On the left panel, under Manage, click Certificates & secrets, and then click + New client secret.
  7. Enter a description, and then for Expires, select 24 months.
  8. Click Add. Copy the Value to a text editor for later. The secret value is displayed only once; if you navigate away without copying it, you must create a new secret. Note the expiry date as well: Alert Logic loses access when the secret expires, so plan to rotate it and update your deployment before then.

Create a custom RBAC role

After you create an app registration, you must assign an RBAC role to that registration to grant Alert Logic permission to monitor your environments. A custom role limits the app registration to the permissions Alert Logic needs, rather than a built-in role such as Contributor.

For more information about Azure RBAC or managing roles with command-line applications, see:

You can create a custom RBAC role either in the Azure portal or through a command line interface (CLI); you only need to use one of the two methods.

Create a custom role in the Azure portal

To create a custom RBAC role, you must first create a role document and then create a custom role in the Azure portal.

  1. In the Azure portal, click the search bar and click Subscriptions.
  2. Select your subscription, and copy the Subscription ID to a text editor for later.
  3. Click Access control (IAM).
  4. Click + Add, and then click Add custom role.
  5. Click the JSON tab, and then click Edit.
  6. Delete everything in the window.
  7. Copy the text from this link and paste it into the JSON window.
  8. In the "/subscriptions/<subscription id>" line, change the <subscription id> value to the subscription ID found on your Azure portal Subscriptions blade. Example: "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x"
  9. (Optional) If you have more than one subscription ID, you can make a list of them in this custom role. Example:

    "assignableScopes": [

       "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x",
       "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x",
       "/subscriptions/00xxx000-x-000-0x0x-0000-000xx000000x"
    ],

  10. Click Save, click Review + create, and then click Create.
  11. Click Roles to verify that the RBAC role you created appears in the portal.
  12. If the role does not appear, refresh the list of roles.


Create a custom role in the CLI

You can create a custom role using a CLI if you do not want to create it in the Azure portal. Ensure you have one of the following installed before you begin:

If you have Azure CLI 1.0 installed, Microsoft recommends you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only for support with the Azure Service Management (ASM) model with "classic" resources. For more information, contact Microsoft Azure support.

Edit the Alert Logic template role document first (set the subscription ID, or list of subscription IDs, in assignableScopes as described in the portal procedure above), and then create the role from that file in your CLI.

Grant permissions to access Microsoft Graph

You must grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.

To grant permissions to access Microsoft Graph:

  1. In the Azure portal, click Azure Active Directory.
  2. On the left panel, click App registrations, and then select your app registration.
  3. On the left panel, click API permissions, and then click + Add a permission.
  4. On the Request API permissions blade, click Microsoft Graph.
  5. Click Application permissions, and then in the list, select the following permissions:
    1. Click Application to see permissions in this category, and then select Application.Read.All.
    2. Click Group to see permissions in this category, and then select Group.Read.All.
    3. Click RoleManagement to see permissions in this category, and then select RoleManagement.Read.Directory.
    4. Click User to see permissions in this category, and then select User.Read.All.
  6. Click Add permissions, and then on the API permissions pane, click Grant admin consent for <your directory name> (the button shows your tenant's name, for example Default Directory). Until admin consent is granted, the permissions are only requested, not effective.
  7. In the pop-up window, click Yes to allow the changes you made on the permissions.

Grant permissions to access Azure Key Vault

The following applies only to key vaults whose permission model is set to Vault access policy. If a key vault is set to use Azure role-based access control, skip these steps for that vault: its access is governed by Azure RBAC role assignments instead, and the Access policies blade is not used. You can check the model on the key vault's Access configuration blade.

You must grant certain permissions to access your Azure Key Vault in the Azure portal, which allows Alert Logic to perform CIS benchmark checks. You must repeat these steps for each of your key vaults.

To grant permissions to access your key vault:

  1. In the Azure portal, click Key vaults.
  2. Select a key vault from the list, and then on the left panel, click Access policies.
  3. Click + Add Access Policy.
  4. In the Key permissions field, select Get and List.
  5. In the Secret permissions field, select Get and List.
  6. Click Select principal, and then from the list, select the app registration you created.
  7. Click Add.

    You must repeat these steps for each key vault in the list.

Assign the role to the app registration

You must assign the role you created to your registered app.

  1. In the Azure portal, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect, and then click Access control (IAM). Note the subscription ID, which you will need when you create an Azure deployment.
  3. Click +Add, and then click Add role assignment.
  4. In the Role tab, search for the RBAC role you created, select it, and then click Next.
  5. In the Members tab, under Assign access to, select User, group, or service principal, and then click + Select members. Search for the app registration you created by name, select it, and click Select. Ensure the app registration is now listed under Members.
  6. Click Review + assign.

If you have more than one subscription ID, you must repeat these steps to assign a role for each subscription.
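The five sections above, automated with Azure CLI 2.x as an added example (this is not an Alert Logic script, and the app name, role name and the role's "Actions" are assumed placeholders; the real role document is the Alert Logic template linked above): it builds the role document with one assignableScopes entry per subscription, creates the app registration and its service principal, adds and consents the four Microsoft Graph permissions, adds Get/List access policies only on vaults that still use the access-policy permission model, assigns the role on every subscription, and finally prints the values the console asks for.

```shell
#!/bin/sh
# Added example, not Alert Logic tooling: the portal steps on this page done with
# Azure CLI 2.x.  Assumptions: `az login` already done by an identity that can
# create app registrations and grant admin consent in the directory, and holds
# Owner or User Access Administrator on each subscription passed as an argument.
# The role "Actions" below are a read-only placeholder, NOT the vendor template
# role document: paste that template's actions in before using this for real.
set -eu

APP_NAME="${APP_NAME:-alertlogic-monitor}"           # assumed display name
ROLE_NAME="${ROLE_NAME:-AlertLogic Monitoring}"      # assumed custom role name
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"  # Microsoft Graph's fixed app ID
GRAPH_PERMS="Application.Read.All Group.Read.All RoleManagement.Read.Directory User.Read.All"

# Emit the custom role document.  Args: role name, then one or more subscription
# IDs; each becomes an assignableScopes entry (the multi-subscription case above).
role_definition_json() {
  local name scopes nl sub
  name="$1"; shift
  scopes=""
  nl='
'
  for sub in "$@"; do
    if [ -n "$scopes" ]; then scopes="${scopes},${nl}"; fi
    scopes="${scopes}    \"/subscriptions/${sub}\""
  done
  cat <<EOF
{
  "Name": "${name}",
  "IsCustom": true,
  "Description": "Read-only monitoring role (placeholder actions)",
  "Actions": [ "*/read" ],
  "NotActions": [],
  "AssignableScopes": [
${scopes}
  ]
}
EOF
}

# Microsoft Graph application permissions plus admin consent.  Permission IDs
# are looked up from Graph's service principal instead of being hard-coded.
grant_graph() {
  app_id="$1"
  for perm in $GRAPH_PERMS; do
    id=$(az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='${perm}'].id" -o tsv)
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions "${id}=Role"
  done
  az ad app permission admin-consent --id "$app_id"
}

# Key Vault: add Get/List on keys and secrets only for vaults on the legacy
# access-policy model; RBAC-enabled vaults are skipped, as the caveat above says.
grant_keyvaults() {
  app_id="$1"; sub="$2"
  for vault in $(az keyvault list --subscription "$sub" --query "[].name" -o tsv); do
    rbac=$(az keyvault show --subscription "$sub" --name "$vault" \
             --query properties.enableRbacAuthorization -o tsv)
    if [ "$rbac" = "true" ]; then echo "skip $vault: RBAC permission model"; continue; fi
    az keyvault set-policy --subscription "$sub" --name "$vault" --spn "$app_id" \
      --key-permissions get list --secret-permissions get list >/dev/null
  done
}

main() {
  [ "$#" -ge 1 ] || { echo "usage: RUN_AZ=1 $0 <subscription-id>..." >&2; return 2; }
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null 2>&1 || true   # already exists on re-run
  sp_oid=$(az ad sp show --id "$app_id" --query id -o tsv)

  role_definition_json "$ROLE_NAME" "$@" > role.json
  az role definition create --role-definition @role.json >/dev/null
  grant_graph "$app_id"
  for sub in "$@"; do
    grant_keyvaults "$app_id" "$sub"
    # Object ID plus principal type avoids the "principal not found" race that
    # happens when assigning by app ID right after the service principal is created.
    az role assignment create --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" \
      --scope "/subscriptions/${sub}" >/dev/null
  done

  echo "Active Directory (tenant) ID: $(az account show --query tenantId -o tsv)"
  echo "Application (client) ID:      $app_id"
  echo "Client secret (shown once; this is the Key ID value for the console):"
  az ad app credential reset --id "$app_id" --years 2 --query password -o tsv
}

# Guarded so the file can be sourced (or the JSON builder tested) without
# touching Azure.
if [ "${RUN_AZ:-0}" = "1" ]; then main "$@"; fi
```

Run it once as `RUN_AZ=1 sh setup.sh <subscription-id> [<subscription-id> ...]`. It assumes Azure CLI 2.37 or later (the Microsoft Graph based `az ad` commands); `az ad app create` is not idempotent, so a second run creates a duplicate registration, and `az ad app credential reset` replaces existing secrets unless `--append` is given. The client secret is printed exactly once: enter it straight into the console rather than leaving it in shell history or a ticket.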

Create a deployment in the Alert Logic console

In the Alert Logic console, fill out the required fields:

  • Subscription ID
  • Active Directory ID
  • Application ID
  • Key ID (the client secret Value you copied when you created the 24-month secret)


The steps you must take to create a deployment vary based on your subscription level.

For Essentials subscriptions, see Microsoft Azure Deployment Configuration (Essentials Subscription).

For Professional subscriptions, see Microsoft Azure Deployment Configuration (Professional Subscription).