How to onboard MS Azure account to Kloudle

• What is Kloudle?
• What is this document about?
• Azure Service Principal setup via web console
  • Pre-Requisites when using the web console
  • Create a new App registration
  • Generate an App Secret for the app
  • Get Azure Subscription ID
  • Assign Roles to the App for Azure Access
  • Add Microsoft Graph and Windows Azure AD App Permissions
• Azure Service Principal setup using an Automated script
  • Pre-Requisites (when using Automated script)
  • Steps to set up the service principal
• Onboard Azure to Kloudle
• Video Instructions

What is Kloudle?

Kloudle is a Digital Assets Security Automation Platform for SREs and DevOps. When integrated with your Cloud or SaaS provider, Kloudle takes periodic security snapshots and provides complete security contextual visibility that allows you to make informed decisions about your infrastructure, the assets and their various configurations.

Kloudle collects metadata about the resources and analyses them to identify misconfigurations and using a massive research powered knowledge base, identifies what would go wrong if these misconfigurations were exploited and what you can do to fix them.

As part of making sure the lives of SREs and DevOps become easier, Kloudle offers the ability to create “rules” that allow a user to take automated actions against a baseline. These automated actions, which we call Security Processes, allow users to configure a series of steps that kick in when custom events occur to ensure the security of the monitored cloud and SaaS platform.

What is this document about?

This document details the steps to set up an Azure service principal, add the required roles, and generate credentials for the service principal that are required for onboarding Azure to Kloudle. There are two ways of setting up the Azure service principal - via web console or using a quick automated script in cloud shell - as described in the following sections. Users can follow either of the two ways.

Azure Service Principal setup via web console

Kloudle needs a Service Principal to onboard an Azure account. The following sections show how to create a service principal, add the required roles, and generate credentials for the service principal via web console to be used for onboarding Azure to Kloudle.

Pre-Requisites when using the web console

Following are the pre-requisite to create a service principal via web console:

1. An Azure account that has Owner/Administrator privileges to Azure. The user should be able to create App Registrations

Create a new App registration

1. Start a new App registration using the link https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false

2. Provide kloudle-app-readonly as the name

3. Select Accounts in this organizational directory only (Default Directory only - Single tenant) under Supported account types

4. Click on Register

   

5. Note the following values from the App page. These values will be required when onboarding the Azure account to Kloudle

   a. Application (client) ID b. Directory (tenant) ID

   

Generate an App Secret for the app

1. Click on Add a certificate or secret

2. Click on New client secret

   

3. Give the secret a description of kloudle-app-secret and choose expiry of 12 months

   

4. Click on add to create the secret

5. Copy the value of the secret as this will not be shown again. This value is the Application (client) Secret

   

Get Azure Subscription ID

1. Search for Subscriptions in the Azure search box

   

2. Under Subscriptions, note the Subscription ID of the one that you want to onboard to Kloudle

   

Assign Roles to the App for Azure Access

Assign the “Reader” permission

1. Click on the selected Subscription and in the subscription detail page, click on Access Control (IAM)

2. Click on ”+ Add” and Add role assignment

   

3. In the Add role assignment page, click on Reader role. Click the Next button

   

4. Click on ”+ Select members” and in the right pane, type the name of the app that was created. Select the application when it is populated. Click Select. Click on the Next button

   

5. Click on Review + assign button

   

Assign the “Reader and Data Access” permission

1. In the subscription detail page, click on Access Control (IAM)

2. Click on ”+ Add” and Add role assignment

   

3. Search for the Reader and Data Access role and click Next

   

4. Select the app in the next page and click Next

5. Review the role and click on “Review + assign” button

Assign the “Security Reader” permission

1. In the subscription detail page, click on Access Control (IAM)

2. Click on ”+ Add” and Add role assignment

   

3. Search for the Security Reader role and click Next

   

4. Select the app in the next page and click Next

5. Review the role and click on “Review + assign” button

Assign the “Website Contributor” permission

1. In the subscription detail page, click on Access Control (IAM)

2. Click on ”+ Add” and Add role assignment

   

3. Search for the Website Contributor role and click Next

   

4. Select the app in the next page and click Next

5. Review the role and click on “Review + assign” button

Assign the “Web Plan Contributor” permission

1. In the subscription detail page, click on Access Control (IAM)

2. Click on ”+ Add” and Add role assignment

   

3. Search for the Website Contributor role and click Next

   

4. Select the app in the next page and click Next

5. Review the role and click on “Review + assign” button

Add Microsoft Graph and Windows Azure AD App Permissions

1. Search for Azure Active Directory in the Azure Search box

   

2. Click on App Registrations in the left menu and select the App that we created

   

3. Click on API permissions and then ”+ Add a permission” as shown below

   

4. Search for string 00000002-0000-0000-c000-000000000000 in the Request API permissions under APIs my organization uses tab

   

5. Select the Windows Azure Active Directory entry that has been found and select Application permissions

   

6. Select Application.Read.All and Directory.Read.All permission from the menu. Click Add permissions

   

7. Click on ”+ Add a permission” again

   

8. Search for 00000003-0000-0000-c000-000000000000 in the Request API permissions under APIs my organization uses tab

   

9. Select the Microsoft Graph entry that has been found and select Application permissions

10. In the Select permissions search box, search for Directory and select Directory.Read.All. Click on Add permissions

    

11. The App’s Configured Permissions should look like the following

    

12. Click on Grant admin consent for Default Directory and Yes on the confirmation to complete this section

    

13. The status should turn green for the API permissions that were added as shown below

    

Azure Service Principal setup using an Automated script

Kloudle needs a Service Principal to onboard an Azure account. The following sections shows a quick way to create a service principal, add the required roles, and generate credentials for the service principal using an automated script that will be used for onboarding Azure to Kloudle.

Pre-Requisites (when using Automated script)

Following are the pre-requisite to set up a service principal using the automated script:

1. An Azure account that has Owner/Administrator privileges to Azure. The user should be able to create App Registrations

2. Access to Azure Cloud Shell where this script will be run. The Azure Cloud Shell has all the required tooling for this script to work quickly and without additional configuration

3. Also ensure that you are in the correct Azure account and the correct subscription in Azure Cloud Shell. You can confirm this by running az account show command before running the script

Steps to set up the service principal

Following are the steps to create a service principal, add the required roles, and generate credentials for the service principal:

1. Launch Azure Cloud Shell and make sure you are in the correct Azure account and Subscription by running az account show command in Azure Cloud Shell

   

   Note: If you are running the Azure Cloud shell for the first time, you will be prompted to choose a Storage and to select Bash or Windows Powershell. Please choose Bash to proceed

   

2. Run the following command in Azure Cloud Shell

   curl -sS https://raw.githubusercontent.com/Kloudle/kloudle-azure-onboarding/main/azure-service-principal-creator.sh | sh

3. This will create a service principal, add the required roles and generate credentials for the service principal to be used for onboarding the Azure account to Kloudle. Note down the tenant_id, subscription_id, client_id, and client_secret values

   

Onboard Azure to Kloudle

Once the Application ID (client_id), Application Secret (client_secret), Directory ID (tenant_id), and Subscription ID (subscription_id) are ready with you, follow the steps below to onboard your Azure account to Kloudle:

1. Log in to your Kloudle workspace at https://app.kloudle.com

2. In the side menu, go to Manage and select MS Azure under Cloud Integrations tab

   

3. On the onboard cloud account page, provide the Account Name. You can give a custom name for the account being onboarded

   

4. Next, under Authentication Details section provide the following information that we had captured in the previous sections:

   a. Subscription ID (subscription_id) b. Directory ID (tenant_id) c. Application ID (client_id) d. Application Secret (client_secret)

   

5. Once the authentication details are verified, click on Save button and your Azure account will be onboarded to Kloudle

   

Video Instructions

Here’s a video that shows how you can do this.