Configure Azure Cloud

Last modified on October 4, 2023

This configuration guide explains how to add Azure as a cloud resource in StrongDM. Configuration involves creating the Azure cloud resource, enabling it to support the proxy, and adding the cloud in StrongDM. After setup is complete, you will be able to manage access to your Azure cloud environment in the command line via StrongDM.

Limitations

  • There is no SDK, Terraform, Ansible, or other such support for Azure.
  • The Azure driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.
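
Because the driver does not stop privilege escalation, the role assignments you hand to the service principal are the only control. The following is an added example, not StrongDM or Azure code: it reads the JSON that `az role assignment list --assignee <appId> --all` prints (a constructed sample is embedded) and flags assignments that let the principal grant roles, or that sit outside the scope you passed to --scopes; the deny list of role names is this example's assumption.

```python
"""Audit a service principal's RBAC assignments before its credentials go
into StrongDM. Added example, not StrongDM or Azure code: it reads the JSON
printed by `az role assignment list --assignee <appId> --all` (a constructed
sample is embedded below) and flags assignments that would let the principal
grant roles, i.e. create more access than it was given."""
import json

# Built-in roles that can write role assignments. The deny list is this
# example's assumption; extend it with whatever your tenant treats as
# credential-minting (for example custom roles with
# Microsoft.Authorization/roleAssignments/write).
ROLE_ESCALATION_DENYLIST = {
    "Owner",
    "User Access Administrator",
    "Role Based Access Control Administrator",
}

def audit_assignments(assignments_json, expected_scope):
    """Return a list of findings (strings); an empty list means clean."""
    findings = []
    assignments = json.loads(assignments_json)
    if not assignments:
        return ["no role assignments found for this principal"]
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        if role in ROLE_ESCALATION_DENYLIST:
            findings.append(f"{role!r} at {scope} can assign roles")
        # Anything not under the scope passed to --scopes widens the blast
        # radius (a management group instead of one subscription, say).
        if not scope.startswith(expected_scope):
            findings.append(f"{role!r} assigned outside expected scope: {scope}")
    return findings

# Constructed sample; keys match the real `az role assignment list` output.
EXPECTED_SCOPE = "/subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": EXPECTED_SCOPE,
     "principalName": "ExampleName", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "User Access Administrator",
     "scope": EXPECTED_SCOPE + "/resourceGroups/rg1",
     "principalName": "ExampleName", "principalType": "ServicePrincipal"},
])

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, EXPECTED_SCOPE):
        print("FINDING:", finding)
```

Run it against the real output before step 2 of "Generate credentials"; any finding means the principal can hand out more access than StrongDM will ever restrict.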

Azure Cloud Properties

Azure resources support the Azure CLI (az).

In StrongDM, there are two types of Azure cloud resources: Azure, which is configured to accept a password; and AzureCertificate, which is configured to accept a certificate file.

Both Azure and AzureCertificate cloud types always bind to port 65113.

Prerequisites

  • In StrongDM, you must have the Admin permission level.
  • You must have administrator access to your Azure cloud environment and be familiar with the Azure CLI (az).
  • Your Azure Active Directory account must have permission to create a service principal.
  • You must have the Azure CLI downloaded and installed.

Steps

Generate credentials

  1. Log in to Azure (az login).
  2. In the Azure CLI, create an Azure service principal with the az ad sp create-for-rbac command.
  3. Decide which type of sign-in authentication the service principal should use (password-based or certificate-based authentication), and follow the instructions provided.

Create a service principal with a password

  1. Use the following command, being sure to replace the placeholders with the actual values:

    az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --scopes $SCOPES
    

    For example, your command may look like this:

    az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b
    
  2. From the output, copy the appId, tenant, and password values. You need them later when setting up the Azure cloud type in StrongDM. Note that you can reset the password key if you forget it, but you cannot retrieve it later.

    Your example output may look similar to this:

    {
    "appId": "myAppId",
    "displayName": "myDisplayName",
    "name": "http://myName",
    "password": "generatedPassword",
    "tenant": "myTenantId"
    }
    

Create a service principal with a self-signed certificate

  1. Use the following command with the --create-cert argument, being sure to replace the placeholders with the actual values:

    az ad sp create-for-rbac --name $<SERVICE_PRINCIPAL_NAME> --role $<ROLE_NAME> --create-cert
    

    For example, your command may look like this:

    az ad sp create-for-rbac --name ExampleName --role Contributor --create-cert
    
  2. From the output, copy the appId and tenant. From the PEM file, copy the entirety of the file, which includes the private key and certificate values. You need them later when setting up the AzureCertificate cloud type in StrongDM.

    Your example output may look similar to this:

    {
    "appId": "myAppId",
    "displayName": "myDisplayName",
    "name": "http://myName",
    "fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
    "password": null,
    "tenant": "myTenantId"
    }
    

    Example contents of the new PEM file:

    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
    -----END CERTIFICATE-----
    

CLI setup

To set up Azure cloud in the CLI, open your terminal. While logged in to StrongDM, use the following command:

sdm admin clouds add azure

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add azure - create Azure (Password) cloud

USAGE:
   sdm admin clouds add azure [command options] <name>

OPTIONS:
   --app-id value              the application ID to authenticate with (required, secret)
   --egress-filter value       apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --password value            service principal password (required, secret)
   --port-override value       port profile override (default: -1)
   --secret-store-id value     secret store id
   --tags value                tags e.g. 'key=value,...'
   --template, -t              display a JSON template
   --tenant-id value           the tenant ID to authenticate to (required, secret)
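
The mapping from the service principal output in the steps above to these options, as an added example that is not StrongDM code: it decides between the Azure and AzureCertificate cloud types from what `az ad sp create-for-rbac` actually returned, checks that the PEM carries both the private key and certificate blocks the certificate type needs, and builds the argument list for `sdm admin clouds add azure` with the options listed in --help. The sample inputs are constructed to match the page's example output.

```python
"""Turn `az ad sp create-for-rbac` output into the StrongDM cloud definition
to add. Added example, not StrongDM code: it picks Azure (password) or
AzureCertificate from what the principal actually produced, checks that the
credential material each type needs is present, and builds the
`sdm admin clouds add azure` argument list from the options in --help."""
import json

def classify_sp_output(sp_json, pem_text=None):
    """Return (cloud_type, fields); raise ValueError on unusable output."""
    sp = json.loads(sp_json)
    missing = [k for k in ("appId", "tenant") if not sp.get(k)]
    if missing:
        raise ValueError(f"service principal output lacks {missing}")
    fields = {"app_id": sp["appId"], "tenant_id": sp["tenant"]}
    if sp.get("password"):
        # Password-based principal: the Azure cloud type. The password is
        # printed once; it can be reset later but never retrieved.
        fields["password"] = sp["password"]
        return "Azure", fields
    if sp.get("fileWithCertAndPrivateKey"):
        # Certificate-based principal: AzureCertificate wants the whole PEM,
        # the private key block and the certificate block, not just one.
        if pem_text is None:
            raise ValueError("read the file named in fileWithCertAndPrivateKey")
        for block in ("PRIVATE KEY", "CERTIFICATE"):
            if (f"-----BEGIN {block}-----" not in pem_text
                    or f"-----END {block}-----" not in pem_text):
                raise ValueError(f"PEM is missing the {block} block")
        fields["certificate"] = pem_text
        return "AzureCertificate", fields
    raise ValueError("output has neither a password nor a certificate file")

def sdm_add_argv(name, fields):
    """argv for the password cloud type, with the documented option names.
    Run it via subprocess.run without shell=True so the secret is never
    re-parsed by a shell (it is still visible to `ps` while sdm runs)."""
    return ["sdm", "admin", "clouds", "add", "azure",
            "--app-id", fields["app_id"], "--tenant-id", fields["tenant_id"],
            "--password", fields["password"], name]

# Constructed inputs mirroring the sample output and PEM layout above.
PASSWORD_SP = ('{"appId": "myAppId", "displayName": "myDisplayName", '
               '"name": "http://myName", "password": "generatedPassword", '
               '"tenant": "myTenantId"}')
CERT_SP = ('{"appId": "myAppId", "fileWithCertAndPrivateKey": '
           '"C:\\\\myPath\\\\myNewFile.pem", "password": null, "tenant": "myTenantId"}')
PEM = ("-----BEGIN PRIVATE KEY-----\nMIIEvg...\n-----END PRIVATE KEY-----\n"
       "-----BEGIN CERTIFICATE-----\nMIIEvg...\n-----END CERTIFICATE-----\n")
```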

Admin UI setup

If you would rather set up Azure cloud in the StrongDM Admin UI, go to Infrastructure > Clouds and click the Add cloud button.

Add Azure Cloud Type

Set the following properties:

  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Cloud Type (Required): Select Azure if you are using password-based authentication; select AzureCertificate if you are using certificate-based authentication.
  • Secret Store (Optional): Credential store location; defaults to Strong Vault.
  • App ID (Required): For the Azure cloud type, set the appId copied from the password-based service principal output.
  • Tenant (Required): Set the tenant copied from the service principal output.
  • Password (Required): For the Azure cloud type, set the password key copied from the password-based service principal output.
  • Certificate (Required): For the AzureCertificate cloud type, paste the entirety of the PEM file of the service principal with a self-signed certificate, which contains the private key and certificate values.

Click Create to save the configuration settings.

CLI usage

After you have generated credentials, created the resources in Azure, and added Azure as a cloud type in StrongDM, you should be able to call Azure in the CLI via sdm az or sdm azure.

Note that for Azure only the sdm az cli subcommand is available; it passes the az arguments that follow it, in order, to the Azure CLI (for example, sdm az cli aks list).

You can use sdm azure --help to view example usage and command options:

NAME:
   sdm azure - azure commands

USAGE:
   sdm azure command [command options] [arguments...]

COMMANDS:
   cli  Execute an Azure CLI Command.

OPTIONS:
   --help, -h  show help

Logging

In the Cloud Logs section of the Admin UI, you can find all of the activities of the users who accessed the Azure resource. Note that StrongDM attempts to strip credentials from logs before displaying them in the Admin UI, but for Azure resources it does not substitute any placeholder values for them.

User Setup Steps and Usage

This section describes general installation and usage for the users in your organization. You can follow along by logging in with a User permission level.

For your organization’s users to access the Azure cloud resource via StrongDM, they need to install the following:

  • The StrongDM Desktop application
  • The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the StrongDM desktop application and click the Upgrade button.
  • The Azure CLI

After installation, users must exit and restart the desktop app, and then select the Azure cloud resource to connect to.

Users can then open a terminal and use the Azure CLI through StrongDM, with the base syntax of sdm az cli instead of the usual az. Commands are always the same as with the Azure CLI, just with the sdm az cli prefix instead.

Connection to Multiple Cloud Resources

If your organization has multiple AWS Console resources, and you are connected to both at once, you may specify a --name value in commands in order to specify which you intend to execute the command on. For example, sdm aws --name <YOUR_RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single AWS Console resource connected.