Azure Assets - Catalyst
To perform the following steps, the user executing them must have:
- Owner role at the scope where the role assignment is being made (in this case, the root scope /) to assign roles to the service principal (Step 3).
- An Azure CLI environment for Steps 1-3. We strongly recommend using the Cloud Shell available in the Azure Portal to run the az cli commands.
- To grant admin consent, the user must be an Azure Entra Global Administrator or Privileged Role Administrator (Step 4).
We request the following permission to be assigned to our application:
- Reader role: Allows us to view all resources in your Azure environment without the ability to make any changes.
- Directory.Read.All permission: Enables us to read directory data in your organization, such as users, groups, and applications.
You will require access to the Azure CLI to execute these commands.
Run the following command to confirm that your Azure CLI session is signed in to the tenant you intend to grant access for (the command output identifies the active tenant):
You should see something like the result below.
![Document image Document image](https://images.archbee.com/iNsEBjkrzpMV8hFLC23IM/8_53b359lyipt6C_dNSEm_image.png?format=webp)
Please provide this information back to your onboarding expert so they can prepare the data collection process on their side for each tenant you wish to onboard.
Run the following command to create a service principal for our application using its application ID:
Explanation: This command creates a service principal associated with our application. A service principal is an identity used by applications or services to access Azure resources. By creating this, you establish an identity for our app in your Azure Active Directory (Azure AD).
- Application ID: efa9a6be-5289-4ca4-830d-7f2216951cb2 is the Application ID for "Catalyst for SHI".
Run the following command to assign the Reader role to our service principal:
Explanation: This command assigns the Reader role to our service principal at the root scope (/), so the assignment is inherited by every management group, subscription and resource in your Azure environment. Reader lets our app view your resources, including security information and Log Analytics data, without the ability to modify any of them.
You should see the id efa9a6be-5289-4ca4-830d-7f2216951cb2 listed with the Reader role and a scope of /.
Our application requires the Directory.Read.All permission to access directory data. To grant this permission, an administrator needs to provide consent.
You should receive a link from your SHI onboarding expert that you can use (or provide to an Azure Entra administrator) in order to grant our application this Directory.Read.All permission.
If you have multiple tenants, you will need to grant consent in each tenant, each with its own unique link.
Explanation: This link directs you to sign in as an administrator and grant admin consent to our application for the Directory.Read.All permission. This permission allows our app to read directory data such as users, groups, and applications, which is crucial for a thorough access and security assessment.
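The steps above (confirm the active tenant, create the service principal, assign Reader at the root scope, then verify the assignment) collected into one script, as an added example that is not SHI's own onboarding script. The only value taken from the page is the application ID; the `az` commands are the standard Azure CLI commands assumed to correspond to the steps described, the function names and the `DRY_RUN` switch are this example's own, and the sample listing used by the check is constructed. Admin consent (Step 4) is done through the link from your onboarding expert and is deliberately not scripted here.

```shell
#!/usr/bin/env bash
# Added example, not SHI's script. Assumed: standard az CLI commands for the
# steps on the page. APP_ID is the "Catalyst for SHI" application ID quoted above.
set -eu

APP_ID="efa9a6be-5289-4ca4-830d-7f2216951cb2"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of executing them

# Print or execute an az command depending on DRY_RUN.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Step 1: show which tenant the CLI session is signed in to before granting anything.
show_active_tenant() {
  run_az account show --query "{tenantId:tenantId, name:name, user:user.name}" -o table
}

# Step 2: create the service principal for the application in this tenant.
create_service_principal() {
  run_az ad sp create --id "$APP_ID"
}

# Step 3: assign Reader at the root scope "/" (read-only; nothing here grants write).
assign_reader_at_root() {
  run_az role assignment create --assignee "$APP_ID" --role "Reader" --scope "/"
}

# Verification listing for Step 3: principalName, role name and scope, tab-separated.
# (For a service principal, principalName is the application ID.)
list_app_assignments() {
  run_az role assignment list --assignee "$APP_ID" --scope "/" \
    --query "[].[principalName, roleDefinitionName, scope]" -o tsv
}

# Check a TSV listing: succeed only if the app holds Reader at "/" and no other
# (broader) role was assigned to it by mistake.
check_reader_assignment() {
  printf '%s\n' "$1" | awk -F '\t' -v app="$APP_ID" '
    $1 != app { next }
    $2 == "Reader" && $3 == "/" { ok = 1; next }
    { print "unexpected assignment for app: role=" $2 " scope=" $3 > "/dev/stderr"; bad = 1 }
    END { exit (ok && !bad) ? 0 : 1 }'
}

# Runs Steps 1-3 and, when not in dry-run mode, verifies the Reader assignment.
onboard() {
  show_active_tenant
  create_service_principal
  assign_reader_at_root
  if [ "$DRY_RUN" != "1" ]; then
    check_reader_assignment "$(list_app_assignments)"
  fi
}

# Usage: ./onboard.sh onboard            (prints the commands)
#        DRY_RUN=0 ./onboard.sh onboard  (executes them in Cloud Shell)
if [ "${1:-}" = "onboard" ]; then
  onboard
fi
```

Run it first with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` in Cloud Shell; the final check fails if the service principal ends up with anything other than Reader at the root scope.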
- To confirm you hold the rights needed for the role assignment in Step 3, list the User Access Administrator assignments at the root scope and check that your account appears in the result: `az role assignment list --role "User Access Administrator" --scope "/" --query "[].{principalName:principalName, principalType:principalType, principalId:principalId}" -o table`