Configure Azure Cloud
This configuration guide explains how to add Azure as a Cloud resource in strongDM. Configuration involves creating an Azure service principal for strongDM to authenticate with, choosing password-based or certificate-based authentication for it, and adding the Cloud in strongDM. After setup is complete, you will be able to manage access to your Azure Cloud environment from the command line via strongDM.
Limitations
- There is no SDK, Terraform, Ansible, or other such support for Azure.
- The Azure driver does nothing to limit privilege escalation. Every User granted this resource acts with the full permissions of the service principal you configure, so it is the responsibility of the resource creator not to provide credentials that can be used to create more credentials (for example, by assigning roles or creating further service principals).
Azure Cloud Properties
Azure resources support the Azure CLI (az).
In strongDM, there are two types of Azure Cloud resources: Azure, which is configured to accept a password; and AzureCertificate, which is configured to accept a certificate file.
Both Azure and AzureCertificate Cloud types always bind to port 65113.
Prerequisites
- In strongDM, you must have the Account Administrator Permission Level.
- You must have administrator access to your Azure Cloud environment and be familiar with the Azure CLI (az).
- Your Azure Active Directory account must have permission to create a service principal.
- You must have the Azure CLI downloaded and installed.
Steps
Generate credentials
- Log in to Azure (az login).
- In the Azure CLI, create an Azure service principal with the az ad sp create-for-rbac command.
- Decide which type of sign-in authentication the service principal should use (password-based or certificate-based authentication), and follow the instructions provided.
Create a service principal with a password
- Use the following command, being sure to replace the placeholders with the actual values. The role and scopes you assign here are the only limit on what strongDM Users can do through this resource, so assign the least-privileged role and the narrowest scope that still serves your use case:
az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --scopes <SCOPES>
Example:
az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b
- From the output, copy the appId, tenant, and password values. You will need them later when setting up the Azure Cloud type in strongDM. Note that you can reset the password if you forget it, but you cannot retrieve it later.
Example output:
{
"appId": "myAppId",
"displayName": "myDisplayName",
"name": "http://myName",
"password": "generatedPassword",
"tenant": "myTenantId"
}
Create a service principal with a self-signed certificate
- Use the following command with the --create-cert argument, being sure to replace the placeholders with the actual values:
az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --create-cert
Example:
az ad sp create-for-rbac --name ExampleName --role Contributor --create-cert
- From the output, copy the appId and tenant values. Then copy the entire contents of the PEM file, which includes both the private key and the certificate. You will need them later when setting up the AzureCertificate Cloud type in strongDM. The PEM file contains the private key, so protect it as you would a password.
Example output:
{
"appId": "myAppId",
"displayName": "myDisplayName",
"name": "http://myName",
"fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
"password": null,
"tenant": "myTenantId"
}
Example contents of the new PEM file:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
-----END CERTIFICATE-----
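The Limitations section above leaves it to you to make sure the service principal cannot mint more access, and the credential steps above hand you a JSON blob and a PEM file to copy by hand. The following script is an added example, not code from strongDM or from the Azure CLI. It validates the create-for-rbac output (and, for the certificate flow, that the PEM really contains both the private key and the certificate) and evaluates a role definition, in the shape returned by `az role definition list --name <ROLE>`, for the management-plane operations that would let the principal assign roles or elevate itself. The GUIDs, password, PEM text and the abridged role definitions are all constructed sample data; the list of escalation operations is a deliberately short one chosen for the example, not an exhaustive catalogue.

```python
"""Pre-flight checks for an Azure service principal before it is added to
strongDM.  Added example, not strongDM or Azure CLI code.  It (1) validates
the JSON printed by `az ad sp create-for-rbac` plus, for the certificate flow,
the PEM file, and (2) evaluates a role definition shaped like the output of
`az role definition list --name <ROLE>` for management-plane permissions that
would let the principal grant itself or others more access, which the Azure
driver itself does not prevent.  All sample data below is constructed."""
import json
import re
from typing import Dict, List, Optional

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Operations that mint new access.  Assumption: a short list of the direct
# paths only; Microsoft Graph app permissions and data-plane routes (for
# example reading Key Vault secrets) are not visible in an RBAC role at all.
ESCALATION_OPS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/Action",
)


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: '*' is a wildcard, compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def allowed_escalations(role_definition: Dict) -> List[str]:
    """Return the ESCALATION_OPS the role effectively grants.

    An operation is allowed when some 'actions' pattern matches it and no
    'notActions' pattern in the same permission block excludes it."""
    allowed: List[str] = []
    for perm in role_definition.get("permissions", []):
        actions, not_actions = perm.get("actions", []), perm.get("notActions", [])
        for op in ESCALATION_OPS:
            if (any(_matches(a, op) for a in actions)
                    and not any(_matches(n, op) for n in not_actions)
                    and op not in allowed):
                allowed.append(op)
    return allowed


def validate_sp_output(sp_json: str, pem: Optional[str] = None) -> Dict[str, str]:
    """Parse create-for-rbac output and return the fields strongDM asks for.

    Pass `pem` (the file named in fileWithCertAndPrivateKey) for the
    AzureCertificate flow.  Raises ValueError when something is missing."""
    sp = json.loads(sp_json)
    for key in ("appId", "tenant"):
        if not GUID_RE.match(str(sp.get(key, ""))):
            raise ValueError(f"{key} is missing or not a GUID: {sp.get(key)!r}")
    fields = {"app_id": sp["appId"], "tenant_id": sp["tenant"]}
    if pem is None:
        if not sp.get("password"):
            raise ValueError("password is null; pass the PEM for the certificate flow")
        fields.update(cloud_type="Azure", password=sp["password"])
    else:
        if "-----BEGIN PRIVATE KEY-----" not in pem or "-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError("PEM must contain both the private key and the certificate")
        fields.update(cloud_type="AzureCertificate", certificate=pem)
    return fields


# Constructed sample data, shaped like the page's example output.
PASSWORD_SP_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "ExampleName",
    "password": "constructed-placeholder-secret",
    "tenant": "66666666-7777-8888-9999-aaaaaaaaaaaa",
})
CERT_SP_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "ExampleName",
    "fileWithCertAndPrivateKey": "/tmp/ExampleName.pem",
    "password": None,
    "tenant": "66666666-7777-8888-9999-aaaaaaaaaaaa",
})
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nMIID...constructed...\n-----END CERTIFICATE-----\n")

# Abridged, constructed built-in role definitions (the real ones carry more entries).
SAMPLE_ROLES = {
    "Owner": {"permissions": [{"actions": ["*"], "notActions": []}]},
    "Contributor": {"permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]}]},
    "Reader": {"permissions": [{"actions": ["*/read"], "notActions": []}]},
}

if __name__ == "__main__":
    print(validate_sp_output(PASSWORD_SP_OUTPUT)["cloud_type"])          # Azure
    print(validate_sp_output(CERT_SP_OUTPUT, SAMPLE_PEM)["cloud_type"])  # AzureCertificate
    for name, role in SAMPLE_ROLES.items():
        risky = allowed_escalations(role)
        print(f"{name}: {'can grant more access via ' + ', '.join(risky) if risky else 'ok'}")
```

In practice you would feed `allowed_escalations` the real JSON from `az role definition list --name <ROLE_NAME> -o json` for the role you intend to pass to `--role`, and narrow `--scopes` to a resource group rather than the whole subscription where that is enough. The check only sees Azure RBAC; it says nothing about Microsoft Graph application permissions granted to the principal or about data-plane access, which need to be reviewed separately.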
CLI setup
To set up Azure Cloud in the CLI, open your terminal. While logged in to strongDM, use the following command:
sdm admin clouds add azure
Note that --app-id, --tenant-id, and --password are passed as command-line arguments, so take care that they are not left in your shell history. You can view all help text and options by appending --help or -h to the same command:
NAME:
sdm admin clouds add azure - create Azure (Password) cloud
USAGE:
sdm admin clouds add azure [command options] <name>
OPTIONS:
--app-id value the application ID to authenticate with (required, secret)
--egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
--password value service principal password (required, secret)
--port-override value port profile override (default: -1)
--secret-store-id value secret store id
--tags value tags e.g. 'key=value,...'
--template, -t display a JSON template
--tenant-id value the tenant ID to authenticate to (required, secret)
Admin UI setup
If you would rather set up Azure Cloud in the strongDM Admin UI, go to Infrastructure > Clouds and click the add cloud button. The Azure Cloud types provide access to the az (Azure CLI) utility; if you intend to connect to a specific Azure-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
In the configuration dialog, set the following properties:
- Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
- Cloud Type (Required): Select Azure if you are using password-based authentication; select AzureCertificate if you are using certificate-based authentication.
- Secret Store (Optional): If a secret store integration is configured, select where the credentials for this resource will be stored.
- App ID (Required): Set the appId copied from the service principal output.
- Tenant (Required): Set the tenant copied from the service principal output.
- Password (Required): For the Azure Cloud type, set the password copied from the password-based service principal output.
- Certificate (Required): For the AzureCertificate Cloud type, paste the entire PEM file of the service principal with a self-signed certificate, which contains the private key and certificate values.
Click create when done.
CLI usage
After you have generated credentials, created the resources themselves in Azure, and added Azure as a Cloud type in strongDM, you should be able to call Azure in the CLI via sdm az or sdm azure.
Note that Azure can only use sdm az cli, which passes your az arguments in order following that command (e.g., sdm az cli aks list).
You can use sdm azure --help to view example usage and command options:
NAME:
sdm azure - azure commands
USAGE:
sdm azure command [command options] [arguments...]
COMMANDS:
cli Execute an Azure CLI Command.
OPTIONS:
--help, -h show help
If any errors occur, please copy them into an email and send them to support@strongdm.com.
Logging
In the Cloud Logs section of the Admin UI, you can find all of the activities of the Users who accessed the Azure resource. Note that strongDM attempts to strip credentials out of the logs before displaying them in the Admin UI, but for Azure resources it does not substitute a placeholder value where a credential was removed.
User Setup Steps and Usage
This section describes general installation and usage for the Users in your organization. You can follow along by logging in with a User Permission Level.
In order for your organization’s Users to access the Azure Cloud resource via strongDM, Users will need to install the following:
- The strongDM GUI
- The latest version of the strongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the upgrade button.
- The Azure CLI
After installation, Users must exit and restart the GUI, and then select the Azure Cloud resource to connect to.
Then, Users can open a terminal and use the Azure CLI through strongDM, using the base syntax of sdm az cli instead of the usual az. Commands are the same as they are with the Azure CLI, just with the sdm az cli prefix.