Xavier Garceau-Aranda edited this page Jan 31, 2020 · 32 revisions

Azure


Authentication

There are a number of ways to run Scout against an Azure tenant.

Supported Methods

azure-cli

  1. On most systems, you can install azure-cli with pip install azure-cli
  2. Log into an account
    1. The easiest way to do it is with az login (for other authentication methods, refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
  3. Run Scout with the --cli flag

User Credentials

  1. Run Scout using --user-account
  2. Scout will prompt you for your credentials

User Credentials via Browser

  1. Run Scout using --user-account-browser
  2. Scout will provide a URL as well as access tokens which need to be provided through a browser

This authentication method is mostly useful for users who have MFA enabled.

Service Principal

  1. Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  2. Run Scout with the --service-principal flag.
  3. Scout will prompt you for the required information

File-Based Authentication

  1. Create a Service Principal for the Azure SDK. You can do this with azure-cli by running:
     az ad sp create-for-rbac --sdk-auth > mycredentials.json
  2. Run Scout while providing it with the credentials file using --file-auth path/to/mycredentials.json
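The credentials file written by az ad sp create-for-rbac --sdk-auth contains the service principal's client secret in clear text, so it is worth checking both its contents and its permissions before handing it to Scout. The following POSIX shell script is an added example and is not part of the Scout Suite wiki or project; it assumes the --sdk-auth output carries the keys listed in REQUIRED_KEYS and that Scout is invoked as scout azure with the flags from this page. The sample file it writes is constructed with placeholder values.

```shell
#!/bin/sh
# Added example, not part of the Scout Suite wiki or project: sanity-check a
# credentials file produced by `az ad sp create-for-rbac --sdk-auth` before
# passing it to `scout azure --file-auth`. Assumptions: the --sdk-auth output
# carries the keys listed in REQUIRED_KEYS, and Scout is invoked as
# `scout azure ...` with the flags from this page.

# Keys Scout needs from the file (assumed; the file also carries endpoint URLs).
REQUIRED_KEYS="clientId clientSecret tenantId subscriptionId"

# file_mode FILE: print the octal permission bits (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_sdk_auth_file FILE
# Returns 0 when FILE is readable only by its owner and contains every required
# key; reports each problem on stderr and returns 1 otherwise.
check_sdk_auth_file() {
    file="$1"
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 1
    fi
    # The file holds the service principal's client secret: refuse copies that
    # other local users can read.
    mode=$(file_mode "$file")
    case "$mode" in
        600|400) ;;
        *) echo "insecure mode $mode on $file (expected 600)" >&2; rc=1 ;;
    esac
    for key in $REQUIRED_KEYS; do
        if ! grep -q "\"$key\"[[:space:]]*:" "$file"; then
            echo "missing key: $key" >&2
            rc=1
        fi
    done
    return $rc
}

# write_sample_credentials FILE: write a constructed sample in --sdk-auth
# layout with placeholder values (not real credentials); the umask in the
# subshell makes a newly created file owner-readable only.
write_sample_credentials() {
    (
        umask 077
        cat > "$1" <<'EOF'
{
  "clientId": "00000000-0000-0000-0000-000000000000",
  "clientSecret": "PLACEHOLDER-CLIENT-SECRET",
  "subscriptionId": "11111111-2222-3333-4444-555555555555",
  "tenantId": "22222222-3333-4444-5555-666666666666",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/"
}
EOF
    )
}

# run_scout_file_auth FILE [extra scout args...]: validate, then run Scout.
run_scout_file_auth() {
    file="$1"; shift
    check_sdk_auth_file "$file" || return 1
    scout azure --file-auth "$file" "$@"
}

# Usage (hypothetical path): run_scout_file_auth path/to/mycredentials.json
```

The key check is a plain grep rather than a JSON parse so the script has no dependency beyond the base system; a file that fails the mode check should be fixed with chmod 600 and, if it has been copied around, the secret rotated.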

Managed Service Identity

  1. Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  2. Run Scout with the --msi flag

MFA

To run Scout Suite against an Azure user with MFA enabled, there are two options:

  • Azure CLI
  • User Browser Login
    • Run Scout with the Azure --user-account-browser option
      • Scout will provide a URL as well as access tokens which need to be provided through a browser

Permissions

Scout will require that the provided credentials have the Reader role over all the subscriptions to assess.

Additionally, when running Scout with a Service Principal, the following Azure Active Directory Graph API application permission is required:

  • Directory.Read.All

The following screenshot shows the required configuration:

[Screenshot: Service Principal Directory Permissions]
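A missing Reader assignment on one subscription shows up only as gaps in the report, so it is useful to confirm the role before a run. The script below is an added example, not part of the Scout Suite wiki or project. It assumes the list of scopes on its stdin comes from an azure-cli query such as az role assignment list --assignee <id> --subscription <id> --include-inherited --query "[?roleDefinitionName=='Reader'].scope" -o tsv, run once per subscription; it only recognises root ("/") and subscription-level scopes, so a Reader role inherited through a management group is reported as missing and must be verified by hand. The subscription IDs used in the demo are the placeholders from this page.

```shell
#!/bin/sh
# Added example, not part of the Scout Suite wiki or project: before running
# Scout, check that the identity holds the Reader role on every subscription it
# will assess. Assumption: the scope list on stdin comes from a command such as
#   az role assignment list --assignee <object-or-app-id> --subscription <id> \
#       --include-inherited --query "[?roleDefinitionName=='Reader'].scope" -o tsv
# run for each subscription. Only root ("/") and subscription-level scopes are
# recognised; a Reader assignment inherited through a management group is not
# resolved here and is reported as missing, so treat a miss as "verify manually".

# missing_reader_subscriptions SUBS_FILE < scopes
#   SUBS_FILE: subscription IDs to assess, one per line (case-insensitive).
#   stdin:     role-assignment scopes, one per line.
# Prints each subscription without a qualifying Reader scope; returns 0 when all
# are covered, 1 otherwise.
missing_reader_subscriptions() {
    subs_file="$1"
    scopes=$(cat | tr 'A-Z' 'a-z')
    rc=0
    while read -r sub; do
        [ -n "$sub" ] || continue
        sub=$(printf '%s' "$sub" | tr 'A-Z' 'a-z')
        covered=0
        # Narrower scopes (resource groups, resources) do not grant Reader over
        # the whole subscription, so only an exact root or subscription match counts.
        for scope in $scopes; do
            case "$scope" in
                "/"|"/subscriptions/$sub") covered=1 ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            echo "$sub"
            rc=1
        fi
    done < "$subs_file"
    return $rc
}

# Demonstration on constructed input: the second subscription only has Reader on
# a resource group, so it is reported as missing.
demo() {
    subs=$(mktemp)
    printf '%s\n' 11111111-2222-3333-4444-555555555555 \
                  66666666-7777-8888-9999-000000000000 > "$subs"
    printf '%s\n' /subscriptions/11111111-2222-3333-4444-555555555555 \
                  /subscriptions/66666666-7777-8888-9999-000000000000/resourceGroups/rg1 \
        | missing_reader_subscriptions "$subs"
    rm -f "$subs"
}

demo
```

Pass the same IDs you intend to give --subscriptions as the SUBS_FILE; any ID the script prints is one where Scout will get authorization errors instead of findings.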

Options

Subscriptions

  • By default, Scout will query the subscriptions to which the provided credentials have access, and use the first one in the list.
    • For some modes of authentication (i.e. Service Principal, or user credentials via browser), the tenant ID must be provided.
  • The --subscriptions option can be used to scan a number of subscriptions in one execution.
    • e.g. --subscriptions 11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000
  • The --all-subscriptions option can be used to scan all the subscriptions to which the provided credentials have access.