I have two subscriptions.
On one subscription I run logic apps and on the logic apps I have azure functions.
The other subscription contain target resources for the automation via logic apps and azure functions.
In order to run the Logic Apps and Azure functions associated it with it, what privileges do I need on target subscriptions? I want to be able to do things like stop VM, change NSG settings, run malware scans, etc
Do I need to run the logic app using an account that has owner permissions on both the subscriptions?
Regards,
Kelly
Its best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either setup Managed Identity or use the Client Credentials Flow using the Service Principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
Related
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I am creating an API client for Azure Compute. I want the ability to start/stop/restart my Azure virtual machines.
In the past when I've created apps using the Graph API, I created a new app registration and then gave the app permissions for the actions I wanted under 'Microsoft Graph API' permissions list.
However, I cannot find Azure Compute listed in the available Microsoft APIs. I'm confused as to what I need to do in order to get API permissions for Azure compute as opposed to some of the other APIs.
I've spent the morning searching for tutorials or example implementations to look through, but combinations of Azure/Compute/API/permissions/etc... don't seem to ever come up with the results that I'm looking for.
Has anyone done something like this? Is it possible to use application permissions for Azure compute or is it entirely separate? Will it require a service account instead?
However, I cannot find Azure Compute listed in the available Microsoft
APIs. I'm confused as to what I need to do in order to get API
permissions for Azure compute as opposed to some of the other APIs.
The API you're looking for is Azure Service Management.
Once you add this delegated permission, you will be able to perform operations on your Virtual Machines provided your Service Principal is assigned an appropriate role (Virtual Machine Contributor, for example) in an Azure Subscription.
You can assign the App an RBAC role as though it were a user that you were giving permission to restart VMs. For example, you could go to the resource group that contains the VM, then go to Access Control (IAM) -> Add Role Assignment -> Add the app registration to the Contributor role.
I am currently in the process of setting up Sentinel POC, within Sentinel you have playbooks which is basically Logic Apps, it is same as the playbooks in security center.
I need to know what permissions i need on target subscriptions in order to automate remediation of alerts, for example isolate a VM, Stop a VM, etc.
Our Sentinel will have its own subscription in a tenant where there are 100's of subscriptions.
Its best to use a service principal for having centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
As for the exact permissions for this service principal / managed identity, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.
I need to give a colleague access to a development azure portal so that he can learn how to create web bots. As he has no experience of azure, I dont want to through him in the deep end, so would rather use RBACs, but I cant quite see what roles would be best to apply. I had been thinking about creating a resource group and then scoping the 'contributor' role assignment to the group, but would like to try to find a more granular approach where the type of resources the user can create are restricted eg excluding VMs and SQL server?
When you deploy a bot, typically these resources are created in the Azure portal:
Resources
Web App
App Service
App Service plan
Application Insights
Storage account
If you wanted to get really granular, you could make your colleague these built-in roles as these are the typical services deployed with a bot:
Web Plan Contributor
Website Contributor
Storage Account Contributor
Application Insights Component Contributor
Another approach would be to go the Resource Group route and assign a policy to audit the creation of services so you can give your college more room to test
We are developing applications in .Net and deploying them to Azure app services. We currently have a multi-tier environment (QA/STG/PROD). In order to replicate the same environments we are using slots. However, the issue with slots is all developers who has access to QA slot are able to view/modify STG / PROD slot settings. We want to segregate this with authorization where-in users should only be able to publish apps on QA. Should we still use slots or we go with separate web apps?
As suggested in one of the comments you can use RBAC (Role Based Access Control) to control the user permissions on the web app/slots.
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can’t grant access to others.
Reader can view existing Azure resources.
So, you could add the developers as a READER to the webapp and as a CONTRIBUTOR to one of the slots. This will prevent the web app changes
Further, you can customize the RBAC to suit your requirements.
You can create a role with custom
Refer this article:
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
You can go with slots. Each slot creates a separate URL and you could control access to the slots by Authenticating using AD.
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/