Vincent Fortin edited this page Apr 11, 2019 · 32 revisions

Azure

There are five ways to run Scout against an Azure organization.

1. azure-cli

1. On most systems, you can install azure-cli using `pip install azure-cli`.
2. Log into an account. The easiest way to do this is with `az login` (for more authentication methods,
you can refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest).
3. Run Scout with the `--cli` flag.

2. Managed Service Identity

1. Configure your identity on the Azure portal (you can refer to
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
2. Run Scout with the `--msi` flag.

3. Service Principal

1. Set up a service principal on the Azure portal (you can refer to
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
2. Run Scout with the `--service-principal` flag. Scout will prompt you for the required information.

4. File-based Authentication

1. Create a Service Principal for the Azure SDK. You can do this with azure-cli using
`az ad sp create-for-rbac --sdk-auth > mycredentials.json`.
2. Run Scout while providing it with the credentials file using
`--azure-file-auth path/to/credentials/file`.

5. User Credentials

1. Run Scout using `--user-account`. The application will prompt you for your credentials.

Scout will require the Reader role over all the resources to assess. The easiest way is to authenticate with a principal that has this role over the target Subscription, as it will be inherited on all the resources.
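One way to check the Reader requirement before a run, as an added example that is not part of Scout or the original page: it reads the JSON printed by `az role assignment list --assignee <APP_ID> --all -o json` and reports whether Reader is held at subscription scope and which assigned roles go beyond Reader. The sample data, placeholder IDs and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az role assignment list ... -o json`
# (only the two fields used here; the subscription IDs are placeholders).
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-other"},
])


def covers(scope, subscription_id):
    """True if a role assigned at `scope` is inherited by the whole subscription."""
    scope = scope.rstrip("/").lower()
    sub = "/subscriptions/" + subscription_id.lower()
    # "" is the root scope "/". Management-group scopes also sit above
    # subscriptions, but group membership cannot be derived from this output,
    # so they are not counted here.
    return scope in ("", sub)


def review_assignments(raw_json, subscription_id):
    """Return (has_reader, excess) for the principal Scout will run as."""
    has_reader, excess = False, []
    for assignment in json.loads(raw_json):
        role = assignment["roleDefinitionName"]
        scope = assignment["scope"]
        if role == "Reader":
            # Reader on a single resource group leaves other resources unreadable.
            has_reader = has_reader or covers(scope, subscription_id)
        else:
            # Anything other than Reader is more than the assessment needs.
            excess.append((role, scope))
    return has_reader, excess


if __name__ == "__main__":
    ok, extra = review_assignments(SAMPLE, "00000000-0000-0000-0000-000000000001")
    print("Reader at subscription scope:", ok)
    for role, scope in extra:
        print("Beyond Reader:", role, "at", scope)
```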

You can also pass the credentials you want directly with command line arguments. The remaining ones will be asked interactively:

$ python scout.py azure --service-principal --tenant <TENANT_ID> --subscription <SUBSCRIPTION_ID> --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>

User account credentials can be passed the same way:

$ python scout.py azure --username <USERNAME> --password <PASSWORD>

MFA

To run Scout against Azure with an MFA-enabled account, you must use the Azure CLI. To do this, first install the CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
Then, you can use `az login` to log the CLI into your account. This will open a web browser and let you log in. Please note that there is no mechanism yet to log in with MFA without a web browser.
Once this is done, you can run Scout with the Azure CLI option `-c`:
./Scout.py azure -c
