Skip to content
Xavier Garceau-Aranda edited this page Jan 31, 2020 · 32 revisions

Azure

Table of contents

Authentication

There are a number of ways to run Scout against an Azure tenant.

Supported Methods

azure-cli

  1. On most system, you can install azure-cli using pip install azure-cli
  2. Log into an account
    1. The easiest way to do it it with az login(for more authentication method, you can refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
  3. Run Scout with the --cli flag

User Credentials

  1. Run Scout using --user-account
  2. Scout will prompt you for your credentials
User Credentials via Browser
  1. Run Scout using --user-account-browser
  2. Scout will provide an URL as well as access tokens which need to be provided through a browser

This authentication method is mostly useful for users which have MFA enabled.

Service Principal

  1. Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  2. Run Scout with the --service-principal flag.
  3. Scout will prompt you for the required information
File-Based Authentication
  1. Create a Service Principal for azure SDK. You can do this with azure-cli by running:
az ad sp create-for-rbac --sdk-auth > mycredentials.json
  1. Run Scout while providing it with the credentials file using --file-auth path/to/mycredentials.json

Managed Service Identity

  1. Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  2. Run Scout with the --msi flag

MFA

To run Scout Suite against an Azure user with MFA enabled, there are two options:

  • Azure CLI
  • User Browser Login
    • Run Scout with the Azure --user-account-browser option
      • Scout will provide an URL as well as access tokens which need to be provided through a browser

Permissions

Scout will require the Reader role over all the subscriptions to assess.

Options

Subscriptions

  • By default, Scout will query the subscriptions to which the provided credentials have access to, and use the first one in the list.
    • For some modes of authentication (i.e. Service Principal, or user credentials via Browser, the tenant ID must be provided).
  • The --subscriptions option can be used to scan a number of subscriptions in one execution.
    • e.g. --subscriptions 11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000
  • The --all-subscriptions option can be used to scan all the subscriptions to which the provided credentials have access.
Clone this wiki locally