-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Azure
Xavier Garceau-Aranda edited this page Jan 31, 2020
·
32 revisions
- Authentication
- Permissions
- [CLI Options](#CLI Options)
There are a number of ways to run Scout against an Azure tenant.
- On most system, you can install azure-cli using
pip install azure-cli
- Log into an account
- The easiest way to do it it with
az login
(for more authentication method, you can refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
- The easiest way to do it it with
- Run Scout with the
--cli
flag
- Run Scout using
--user-account
- Scout will prompt you for your credentials
- Run Scout using
--user-account-browser
- Scout will provide an URL as well as access tokens which need to be provided through a browser
This authentication method is mostly useful for users which have MFA enabled.
- Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
- Run Scout with the
--service-principal
flag. - Scout will prompt you for the required information
- Create a Service Principal for azure SDK. You can do this with
azure-cli
by running:
az ad sp create-for-rbac --sdk-auth > mycredentials.json
- Run Scout while providing it with the credentials file using
--file-auth path/to/mycredentials.json
- Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
- Run Scout with the
--msi
flag
To run Scout Suite against an Azure user with MFA enabled, there are two options:
- Azure CLI
- Install the CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
- Run
az login
to log the CLI into your account. This will open a web browser and let you log in - Run Scout with the Azure
--cli
option
- User Browser Login
- Run Scout with the Azure
--user-account-browser
option- Scout will provide an URL as well as access tokens which need to be provided through a browser
- Run Scout with the Azure
Scout will require the Reader
role over all the subscriptions to assess.
- By default, Scout will query the subscriptions to which the provided credentials have access to, and use the first one in the list.
- For some modes of authentication (i.e. Service Principal, or user credentials via Browser, the tenant ID must be provided).
- The
--subscriptions
option can be used to scan a number of subscriptions in one execution.- e.g.
--subscriptions 11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000
- e.g.
- The
--all-subscriptions
option can be used to scan all the subscriptions to which the provided credentials have access.
- Home
- Getting Started
- Setup
- Compliance
- Configuration and Usage
- Docker
- [v6] Upgrade to v6-alpha
- Advanced Usage
- Understanding the Architecture
- How to Contribute
- FAQ