Xavier Garceau-Aranda edited this page Jan 31, 2020 · 32 revisions

Azure

Authentication

There are a number of ways to run Scout against an Azure tenant.

azure-cli

  1. On most systems, you can install azure-cli using pip install azure-cli
  2. Log into an account
    1. The easiest way to do this is with az login (for other authentication methods, refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
  3. Run Scout with the --cli flag

User Credentials

  1. Run Scout using --user-account
  2. Scout will prompt you for your credentials

User Credentials via Browser

  1. Run Scout using --user-account-browser
  2. Scout will provide a URL as well as access tokens, which need to be provided through a browser

This authentication method is mostly useful for users who have MFA enabled.

Service Principal

  1. Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  2. Run Scout with the --service-principal flag.
  3. Scout will prompt you for the required information

File-Based Authentication

  1. Create a Service Principal for the Azure SDK. You can do this with azure-cli by running:
       az ad sp create-for-rbac --sdk-auth > mycredentials.json
  2. Run Scout while providing it with the credentials file using --file-auth path/to/mycredentials.json
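
The credentials file written in step 1 holds the Service Principal's client secret in plain text, so it is worth checking before it is handed to --file-auth. The following pre-flight check is an added example, not part of Scout or of the original page; check_credentials_file and REQUIRED_KEYS are hypothetical names, and the field names assume the JSON layout written by az ad sp create-for-rbac --sdk-auth.

```python
import json
import os
import stat
import sys

# Fields this check expects. Assumption: the JSON layout written by
# `az ad sp create-for-rbac --sdk-auth` (clientSecret is a live secret).
REQUIRED_KEYS = ("clientId", "clientSecret", "tenantId", "subscriptionId")


def check_credentials_file(path):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit exposes the secret to other local users.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is open to group/other; run chmod 600" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except ValueError as exc:  # JSONDecodeError, bad encoding, or an empty file
        return problems + ["not valid JSON: %s" % exc]
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append("missing or empty field: %s" % key)
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_creds.py path/to/mycredentials.json")
    found = check_credentials_file(sys.argv[1])
    for line in found:
        print("FAIL:", line)
    sys.exit(1 if found else 0)
```

An empty file, which is what the shell redirect leaves behind when the az command fails, is reported as invalid JSON rather than passed to Scout.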

Managed Service Identity

  1. Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  2. Run Scout with the --msi flag

Permissions

Scout requires the Reader role on every subscription you want to assess.

MFA

To run Scout Suite against an Azure user with MFA enabled, there are two options:

  • Azure CLI.
  • User Browser Login
    • Run Scout with the Azure --user-account-browser option
      • Scout will provide a URL as well as access tokens, which need to be provided through a browser