Configure Azure Cloud

This configuration guide explains how to add Azure as a Cloud resource in strongDM. Configuration involves creating the Azure Cloud resource, enabling it to support the proxy, and adding the Cloud in strongDM. After setup is complete, you will be able to manage access to your Azure Cloud environment in the command line via strongDM.

Limitations

There is no SDK, Terraform, Ansible, or other such support for Azure.
The Azure driver does nothing to limit privilege escalation. It is the responsibility of the resource creator to not provide credentials that can be used to create more credentials.

Even though strongDM supports multiple Clouds (AWS, Azure, and GCP), only one Cloud Resource of a given type can be connected at the same time. You cannot currently connect to, for example, two AWS Clouds and use strongDM between the two. You can, however, be connected to a single instance each of any or all of the supported Cloud resources at one time.

Azure Cloud Properties

Azure resources support the Azure CLI (az).

In strongDM, there are two types of Azure Cloud resources: Azure, which is configured to accept a password; and AzureCertificate, which is configured to accept a certificate file.

Both Azure and AzureCertificate Cloud types always bind to port 65113.

Prerequisites

In strongDM, you must have the Account Administrator Permission Level.
You must have administrator access to your Azure Cloud environment and be familiar with the Azure CLI (az).
Your Azure Active Directory account must have permission to create a service principal.
You must have the Azure CLI downloaded and installed.

Steps

Generate credentials

Log in to Azure (az login).
In the Azure CLI, create an Azure service principal with the az ad sp create-for-rbac command.
Decide which type of sign-in authentication the service principal should use (password-based or certificate-based authentication), and follow the instructions provided.

Create a service principal with a password

Use the following command, being sure to replace the placeholders with the actual values:
az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --scopes $SCOPES

Example:
az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b

From the output, copy the appId, tenant, and password values. You will need them later when setting up the Azure Cloud type in strongDM. Note that you can reset the password key if you forget it, but you cannot retrieve it later.

Example output:

{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "name": "http://myName",
  "password": "generatedPassword",
  "tenant": "myTenantId"
}

Create a service principal with a self-signed certificate

Use the following command with the --create-cert argument, being sure to replace the placeholders with the actual values:
az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --create-cert

Example:
az ad sp create-for-rbac --name ExampleName --role Contributor --create-cert

From the output, copy the appId and tenant. From the PEM file, copy the entirety of the file, which includes the private key and certificate values. You will need them later when setting up the AzureCertificate Cloud type in strongDM.

Example output:

{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "name": "http://myName",
  "fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
  "password": null,
  "tenant": "myTenantId"
}

Example contents of the new PEM file:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END CERTIFICATE-----

CLI setup

To set up Azure Cloud in the CLI, open your terminal. While logged in to strongDM, use the following command:

sdm admin clouds add azure

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add azure - create Azure (Password) cloud

USAGE:
   sdm admin clouds add azure [command options] <name>

OPTIONS:
   --app-id value              the application ID to authenticate with (required, secret)
   --egress-filter value       apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --password value            service principal password (required, secret)
   --port-override value       port profile override (default: -1)
   --secret-store-id value     secret store id
   --tags value                tags e.g. 'key=value,...'
   --template, -t              display a JSON template
   --tenant-id value        the tenant ID to authenticate to (required, secret)

Admin UI setup

If you would rather set up Azure Cloud in the strongDM Admin UI, go to Infrastructure > Clouds and click the add cloud button.

Note that this is the method by which to set up your Azure Cloud, and manage it with the Azure az or Azure CLI utility. If you intend to connect to a specific Azure-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.

In the configuration dialog, set the following properties:

Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
Cloud Type (Required): Select Azure if you are using password-based authentication; select AzureCertificate if you are using certificate-based authentication.
Secret Store (Optional): If a secret store integration is configured, select where the credentials for this resource will be stored.
App ID (Required): For the Azure Cloud type, set the appID copied from the password-based service principal output.
Tenant (Required): Set the tenant copied from the service principal output.
Password (Required): For the Azure Cloud type, set the password key copied from the password-based service principal output.
Certificate (Required): For the AzureCertificate Cloud type, paste the entirety of the PEM file of the service principal with a self-signed certificate, which contains the private key and certificate values.

Click create when done.

CLI usage

After you have generated credentials, created the resources themselves in Azure, and added Azure as a Cloud type in strongDM, you should be able to call Azure in the CLI via sdm az or sdm azure.

Note that Azure can only use sdm az cli, which passes your az arguments in order following that command (e.g., sdm az cli aks list).

You can use sdm azure --help to view example usage and command options:

NAME:
   sdm azure - azure commands

USAGE:
   sdm azure command [command options] [arguments...]

COMMANDS:
   cli  Execute an Azure CLI Command.

OPTIONS:
   --help, -h  show help

If any errors occur, please copy them into an email and send them to support@strongdm.com.

Should you attempt to use a Cloud resource when you are not connected to it, strongDM’s CLI commands will warn you. You can get around this warning in some contexts (e.g., by setting environment variables in your terminal). In these cases, you will likely see SSL errors, and nothing will happen when you run commands.

Logging

In the Cloud Logs section of the Admin UI, you can find all of the activities of the Users who accessed the Azure resource. Note that strongDM makes an attempt to drop credentials out of logs for display in the Admin UI but does not replace them with any values for Azure resources.

User Setup Steps and Usage

This section describes general installation and usage for the Users in your organization. You can follow along by logging in with a User Permission Level.

In order for your organization’s Users to access the Azure Cloud resource via strongDM, Users will need to install the following:

The strongDM GUI
The latest version of the strongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the upgrade button.
The Azure CLI

After installation, Users must exit and restart the GUI, and then select the Azure Cloud resource to connect to.

Then, Users can open a terminal and use the Azure CLI through strongDM, using the base syntax of sdm az cli instead of the usual az. Commands will always be the same as they are with the Azure CLI, just with the sdm az cli prefix instead.

Configure Azure Cloud

Limitations #

Azure Cloud Properties #

Prerequisites #

Steps #

Generate credentials #

Create a service principal with a password #

Create a service principal with a self-signed certificate #

CLI setup #

Admin UI setup #

CLI usage #

Logging #

User Setup Steps and Usage #