Configure RBAC roles in Microsoft Azure

For Alert Logic to protect assets in Microsoft Azure, you must create a user account with specific permissions. Role-Based Access Control (RBAC) enables fine-grained access management for Azure accounts. Assigning an RBAC role to the user account you create grants only the amount of access required for Alert Logic to monitor your environments.

This procedure requires administrative permissions in Azure, and one of the following command line interfaces installed: Azure CLI or Azure PowerShell.

If you have an older version of Azure CLI installed, Microsoft recommends that you upgrade to CLI 2.0 and use the deprecated CLI 1.0 only when you need the Azure Service Management (ASM) model with "classic" resources. For more information, contact Microsoft Azure support.

To configure your RBAC role in Azure:

  1. Create a user account in Azure
  2. Create a custom RBAC role
  3. Assign the role to the user account

Create a user account in Azure

  1. Log in to the Azure portal.
  2. On the left menu, click Azure Active Directory.
  3. In the Azure Resource Menu, click Domain names, and then make note of the primary Active Directory domain name.
     You need the domain name later when you create an Azure deployment in Cloud Defender.
  4. In the Azure Resource Menu, click Overview.
  5. In the Azure Active Directory blade, under Quick tasks, click Add a user.
  6. Enter a Name (for example, AL Cloud Defender).
  7. Enter a User name. The user name should be in the form of an email address based on the Active Directory domain (for example, ALCloudDefender@alazurealertlogic.onmicrosoft.com).
     Make note of the user name, which you need later when you create an Azure deployment in Cloud Defender.
  8. Select the Show Password check box and make note of the password.
  9. Click Create. Profile and Properties can be set if needed.
  10. Back on the Azure Active Directory blade, click Users and groups.
  11. Click All users, and ensure the new user name appears in the list (users are listed alphabetically).
  12. Open a new browser window.
  13. Log in to the Azure portal as the new user.
  14. At the prompt, change the password for the user.
     Make note of the new password, which you need later when you create an Azure deployment in Cloud Defender.

Create a custom RBAC role

RBAC roles enable fine-grained access management for Azure. After you create a user account, you must assign an RBAC role to the user. The Alert Logic RBAC role grants only the amount of access required to monitor your environments.


To create a custom RBAC role:

To create a role document:

  1. Create a new text file and copy the Alert Logic RBAC role into it.
     Make note of the directory in which you saved the file. You must know the path and file name later in the procedure.
  2. Make the following changes to the file:
    1. In the Name field, change the entry to the user name for the user account you just created.
    2. In the AssignableScopes field, change the <subscription ID> value to the Subscription ID value found on your Azure portal Subscriptions blade.
  3. Save the text file as a .JSON file.

To create a custom role in Azure:

  1. Open either Azure CLI or Azure PowerShell, log in to your Azure account, and set the default subscription.
  2. Create your custom role in Azure from the JSON file you saved.
  3. In the Azure portal, verify that the new role appears in the Roles tab in Subscriptions > Access Control (IAM).

Assign the role to the user account

Once the RBAC role is created, it must be assigned to the user account. In Azure, roles are assigned in the Access Control portion of the Subscriptions blade.

  1. In the Azure Navigation Menu, click Subscriptions.
  2. In the Subscriptions blade, select the subscription you want Alert Logic to protect and then click Access Control (IAM).
     Make note of the subscription ID, which you need later when you create an Azure deployment in Cloud Defender.
  3. Above the list of users, click +Add.
  4. In the Add access blade, select the created RBAC role from those listed.
  5. In the Add users blade, enter the user account name in the search field and select the user account name from the list.
  6. Click Select.
  7. Click OK.
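The three parts of this procedure (render the role document, create the custom role, assign it to the user) carried out with Azure CLI 2.0 instead of the portal, as an added example that is not part of the original Alert Logic documentation. The role template below is a constructed stand-in: the real Alert Logic role document is not reproduced here, and its Actions list is only a placeholder that shows the shape of the file. The role name, subscription ID and user principal name are constructed sample values. The az commands are real Azure CLI 2.0 commands; with DRY_RUN=1 (the default) the script prints them instead of running them, so it can be read and tested without an Azure account. It also adds two checks worth running before creating any custom role: no placeholder may be left unreplaced, and the document must not grant the bare `*` action.

```shell
#!/bin/sh
# Added example, not Alert Logic's code. All names and IDs are constructed.

# Constructed template standing in for the Alert Logic role document.
# Only the two fields the procedure tells you to edit (Name, AssignableScopes)
# carry placeholders; the Actions entry is a placeholder, not the real role.
ROLE_TEMPLATE='{
  "Name": "<role name>",
  "IsCustom": true,
  "Description": "Monitoring role (constructed example)",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription ID>"
  ]
}'

# render_role_doc ROLE_NAME SUBSCRIPTION_ID
# Prints the role JSON with both placeholders replaced (POSIX sed only).
render_role_doc() {
  printf '%s\n' "$ROLE_TEMPLATE" \
    | sed -e "s/<role name>/$1/" -e "s/<subscription ID>/$2/"
}

# check_role_doc FILE
# Returns 0 only if no placeholder remains and the bare "*" action is absent,
# i.e. the role is scoped to one subscription and is not a full-access role.
check_role_doc() {
  if grep -q -e '<subscription ID>' -e '<role name>' "$1"; then
    echo "error: unreplaced placeholder in $1" >&2
    return 1
  fi
  if grep -q '"\*"' "$1"; then
    echo "error: wildcard action \"*\" in $1" >&2
    return 1
  fi
  return 0
}

# run_cli CMD ARGS...
# Prints the command when DRY_RUN=1 (default); otherwise executes it.
run_cli() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'dry-run: %s\n' "$*"
  else
    "$@"
  fi
}

# configure_role ROLE_NAME SUBSCRIPTION_ID USER_UPN
# Full procedure: render and check the document, create the role, verify it,
# assign it to the user at subscription scope, and verify the assignment.
configure_role() {
  role_name=$1
  sub_id=$2
  user_upn=$3
  role_file=$(mktemp) || return 1
  render_role_doc "$role_name" "$sub_id" > "$role_file"
  check_role_doc "$role_file" || { rm -f "$role_file"; return 1; }

  # Log in and select the default subscription.
  run_cli az login
  run_cli az account set --subscription "$sub_id"
  # Create the custom role from the JSON document.
  run_cli az role definition create --role-definition "@$role_file"
  # Verify the role exists (CLI equivalent of the portal Roles tab check).
  run_cli az role definition list --custom-role-only true --name "$role_name"
  # Assign the role to the monitoring user, limited to this subscription.
  run_cli az role assignment create --assignee "$user_upn" \
    --role "$role_name" --scope "/subscriptions/$sub_id"
  # Confirm the assignment.
  run_cli az role assignment list --assignee "$user_upn" \
    --scope "/subscriptions/$sub_id"
  rm -f "$role_file"
}

# Sample run with constructed values; prints the commands because DRY_RUN=1.
configure_role "ALCloudDefender" \
  "00000000-0000-0000-0000-000000000000" \
  "ALCloudDefender@example.onmicrosoft.com"
```

Run it as-is to review the exact commands, then set `DRY_RUN=0` to execute them against a subscription you are signed in to. The subscription-scoped `--scope` on the assignment is what keeps the user's access to the one subscription Alert Logic should monitor; assigning at a broader scope would defeat the point of the custom role.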