Catalyst - Azure Assets
Instructions for granting access for Azure environment assessment

Requirements

To execute the steps below, the user executing them must have:

- The Owner role at the scope where the role assignment is being made (in this case, the root scope "/") in order to assign roles to the service principal (step 3).
- An Azure CLI environment for steps 1-3; we strongly recommend using the Cloud Shell available in the Azure Portal to run the az CLI commands.
- To grant admin consent, the user must be an Azure Entra Global Administrator or Privileged Role Administrator (step 4).

Permissions our application will be granted

We request the following permissions to be assigned to our application:

- Reader role: allows us to view all resources in your Azure environment without the ability to make any changes.
  Documentation: Reader role - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader
- Directory.Read.All permission: enables us to read directory data in your organization, such as users, groups, and applications.
  Documentation: Directory.Read.All permission - https://learn.microsoft.com/en-us/graph/permissions-reference#directoryreadall

Step-by-step instructions

You will require access to the Azure CLI to execute these commands.

1. Validate your current tenant

Run the following command to validate that you are currently active under the tenant you intend to grant access for:

    az account list --query "[?isDefault].{tenantId:tenantId, name:name, tenantDefaultDomain:tenantDefaultDomain}"

You should see something like the result below. Please provide this information back to your onboarding expert so they can prepare the data collection process on their side, for each tenant you wish to onboard.

2. Create a service principal for our application

Run the following command to create a service principal for our application using its application ID:

    az ad sp create --id efa9a6be-5289-4ca4-830d-7f2216951cb2

Explanation: This command creates a service principal associated with our application. A service principal is an identity used by applications or services to access Azure resources. By creating this, you establish an identity for our app in your Azure Active Directory (Azure AD). The application ID efa9a6be-5289-4ca4-830d-7f2216951cb2 is the application ID for Catalyst for SHI.

3. Assign the Reader role to the service principal

Run the following command to assign the Reader role to our service principal:

    az role assignment create --assignee efa9a6be-5289-4ca4-830d-7f2216951cb2 --role 'Reader' --scope /

Explanation: This command assigns the Reader role to our service principal at the root scope ("/"), which means it applies to all resources in your Azure environment. This allows our app to view all your resources without the ability to modify them, including accessing security information and Log Analytics data.

Validation:

    az role assignment list --all --assignee efa9a6be-5289-4ca4-830d-7f2216951cb2 --include-inherited --include-groups -o table

You should see the ID efa9a6be-5289-4ca4-830d-7f2216951cb2 listed with a Reader role and a scope of /.

4. Grant admin consent for the Directory.Read.All permission

Our application requires the Directory.Read.All permission to access directory data. To grant this permission, an administrator needs to provide consent. You should receive a link from your SHI onboarding expert that you can use (or provide to an Azure Entra administrator) in order to grant our application this Directory.Read.All permission. If you have multiple tenants, you may need to approve each tenant separately, each with its own unique link.

Explanation: This link directs you to sign in as an administrator and grant admin consent to our application for the Directory.Read.All permission. This permission allows our app to read directory data such as users, groups, and applications, which is crucial for a thorough access and security assessment.

Troubleshooting

No access to create the SP/role?

    az role assignment list --role "User Access Administrator" --scope "/" --query "[].{principalName:principalName, principalType:principalType, principalId:principalId}" -o table

Validate that you can run this command and that you appear on the list.
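The validation step above is done by eye on a table. The following script, added here as an example and not part of SHI's guide, turns it into a check that can be re-run later: it parses the JSON form of the same two az commands (run with "-o json" instead of "-o table"), confirms the active tenant, and confirms that the service principal holds exactly what the guide asks for (Reader at the root scope "/") and nothing broader. It assumes the az CLI JSON field names shown (isDefault, tenantId, tenantDefaultDomain, principalName, roleDefinitionName, scope) and that, for a service principal, the principalName column carries the application ID. The sample JSON embedded at the bottom is constructed so the checks can run offline.

```python
"""Post-setup check for the Catalyst Azure Assets grant (added example, not SHI's code)."""
import json
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import Optional

APP_ID = "efa9a6be-5289-4ca4-830d-7f2216951cb2"  # Catalyst for SHI application ID, from the guide
EXPECTED_ROLE = "Reader"
EXPECTED_SCOPE = "/"

# Same commands as the guide, with JSON output so they can be parsed.
TENANT_CMD = ('az account list --query '
              '"[?isDefault].{tenantId:tenantId, name:name, tenantDefaultDomain:tenantDefaultDomain}" -o json')
ASSIGNMENT_CMD = (f"az role assignment list --all --assignee {APP_ID} "
                  "--include-inherited --include-groups -o json")


@dataclass
class GrantReport:
    reader_at_root: bool
    # Every assignment for the app other than Reader at "/": these exceed the requested grant.
    extra_assignments: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.reader_at_root and not self.extra_assignments


def default_tenant(accounts_json: str) -> Optional[dict]:
    """Return the active tenant from `az account list` JSON output, or None if none is default."""
    for acct in json.loads(accounts_json):
        # The guide's --query already filters on isDefault; tolerate unfiltered output too.
        if acct.get("isDefault", True):
            return {"tenantId": acct["tenantId"], "name": acct.get("name"),
                    "tenantDefaultDomain": acct.get("tenantDefaultDomain")}
    return None


def check_grant(assignments_json: str, app_id: str = APP_ID) -> GrantReport:
    """Least-privilege check over `az role assignment list` JSON output.

    The guide asks for Reader at "/" only; any other role, or any other scope,
    is reported so it can be removed rather than silently left in place.
    """
    reader_at_root = False
    extras = []
    for a in json.loads(assignments_json):
        if a.get("principalName") != app_id:
            continue  # --include-groups can return rows for other principals
        role, scope = a.get("roleDefinitionName"), a.get("scope")
        if role == EXPECTED_ROLE and scope == EXPECTED_SCOPE:
            reader_at_root = True
        else:
            extras.append(f"{role} at {scope}")
    return GrantReport(reader_at_root, extras)


def run_live() -> GrantReport:
    """Run the real az commands (needs a logged-in Azure CLI) and report on the grant."""
    print("Active tenant:", default_tenant(subprocess.check_output(shlex.split(TENANT_CMD), text=True)))
    report = check_grant(subprocess.check_output(shlex.split(ASSIGNMENT_CMD), text=True))
    print("Reader at root scope:", report.reader_at_root)
    for extra in report.extra_assignments:
        print("Assignment exceeding the requested grant:", extra)
    return report


# Constructed sample output shaped like the az CLI JSON, so the checks run offline.
SAMPLE_ACCOUNTS = json.dumps([
    {"isDefault": True, "tenantId": "00000000-0000-0000-0000-000000000001",
     "name": "Example Subscription", "tenantDefaultDomain": "example.onmicrosoft.com"}])
SAMPLE_GOOD = json.dumps([
    {"principalName": APP_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/"}])
SAMPLE_OVERGRANT = json.dumps([
    {"principalName": APP_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/"},
    {"principalName": APP_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}])

if __name__ == "__main__":
    print(default_tenant(SAMPLE_ACCOUNTS))
    print(check_grant(SAMPLE_GOOD).ok, check_grant(SAMPLE_OVERGRANT).extra_assignments)
```

Run it as-is to exercise the constructed samples; call run_live() from a Cloud Shell session to check a real tenant. Because the assignment is made at "/", it is inherited by every management group and subscription, so the "exceeding the requested grant" list is the thing to watch: an accidental Contributor or Owner assignment to the same application ID anywhere in the hierarchy would show up there.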