Azure
Sophie Dorval edited this page Apr 15, 2021 · 32 revisions
There are a number of ways to run Scout against an Azure tenant.

- Azure CLI
  - On most systems, you can install azure-cli using `pip install azure-cli`
  - Log into an account. The easiest way to do it is with `az login` (for more authentication methods, you can refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
  - Run Scout with the `--cli` flag
- User account
  - Run Scout using `--user-account`
  - Scout will prompt you for your credentials
- User account (browser)
  - Run Scout using `--user-account-browser`
  - Through a browser, choose or enter your Azure account. This authentication method is mostly useful for users who have MFA enabled.
- Service Principal
  - Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  - Run Scout with the `--service-principal` flag. Scout will prompt you for the required information
- Credentials file
  - Create a Service Principal for the Azure SDK. You can do this with azure-cli by running: `az ad sp create-for-rbac --sdk-auth > mycredentials.json`
  - Run Scout while providing it with the credentials file using `--file-auth path/to/mycredentials.json`
- Managed identity
  - Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  - Run Scout with the `--msi` flag
To run Scout Suite against an Azure user with MFA enabled, there are two options:

- Azure CLI
  - Install the CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
  - Run `az login` to log the CLI into your account. This will open a web browser and let you log in.
  - Run Scout with the Azure `--cli` option
- User Browser Login
  - Run Scout with the Azure `--user-account-browser` option
  - Through a browser, choose or enter your Azure account
Scout will require that the provided credentials have the Reader and Security Reader roles in all the subscriptions to assess:

- Create a user in the desired directory
- Grant the given user the role of Global Reader in the directory
- Add the user to the desired subscription, with both `Reader` and `Security Reader` roles
Additionally, when running Scout with Service Principals, the following Azure Active Directory Graph API application permission is required: `Directory.Read.All`

The following screenshot shows the required configuration:

[screenshot of the required API permission configuration; image not reproduced here]
- By default, Scout will query the subscriptions to which the provided credentials have access, and use the first one in the list.
- For some modes of authentication (i.e. Service Principal, or user credentials via browser), the tenant ID must be provided.
- The `--subscriptions` option can be used to scan a number of subscriptions in one execution, e.g. `--subscriptions 11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000`
- The `--all-subscriptions` option can be used to scan all the subscriptions to which the provided credentials have access.
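The following script ties the Service Principal, credentials-file, role and subscription-selection steps above into one procedure. It is an added example, not code from this wiki or from the Scout Suite project: it creates a service principal that holds only the `Reader` and `Security Reader` roles on one subscription, checks the file written by `az ad sp create-for-rbac --sdk-auth` before using it, and then runs Scout with `--file-auth` and either `--subscriptions` or `--all-subscriptions`. It assumes a logged-in `az` CLI and a `scout` executable on `PATH`; the principal name `scout-suite-reader` and the file name `scout-sp.json` are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the Scout Suite wiki: provision a least-privilege
# service principal for Scout, check the credentials file it writes, and run
# Scout against either a chosen list of subscriptions or all of them.
# Assumptions: a logged-in `az` CLI and a `scout` executable on PATH.
set -eu

# Keys Scout needs from the file written by `az ad sp create-for-rbac --sdk-auth`.
SDK_AUTH_KEYS="clientId clientSecret subscriptionId tenantId"

# check_sdk_auth_file FILE
# Succeeds only when FILE exists, carries every key Scout needs, and is not
# readable by group or others (it contains a client secret).
check_sdk_auth_file() {
    file=$1
    [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
    for key in $SDK_AUTH_KEYS; do
        grep -q "\"$key\"" "$file" || { echo "$file lacks \"$key\"" >&2; return 1; }
    done
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00) return 0 ;;
        *)   echo "$file has mode $mode; run: chmod 600 $file" >&2; return 1 ;;
    esac
}

# scout_subscription_args [SUBSCRIPTION_ID...]
# Prints the subscription flags for `scout azure`: an explicit list when ids
# are given, otherwise every subscription the principal can see.
scout_subscription_args() {
    if [ $# -eq 0 ]; then
        printf '%s\n' '--all-subscriptions'
    else
        printf '%s\n' "--subscriptions $*"
    fi
}

# create_scout_sp NAME SUBSCRIPTION_ID FILE
# Creates the service principal with only Reader and Security Reader on one
# subscription. The role is passed explicitly rather than left to the CLI
# default (older releases granted Contributor). The Directory.Read.All Graph
# API application permission still has to be added, and admin-consented, in
# the portal as the wiki describes.
create_scout_sp() {
    name=$1; sub=$2; file=$3
    umask 077   # the secret file is created with mode 0600
    az ad sp create-for-rbac --name "$name" --role Reader \
        --scopes "/subscriptions/$sub" --sdk-auth > "$file"
    app_id=$(az ad sp list --display-name "$name" --query '[0].appId' -o tsv)
    az role assignment create --assignee "$app_id" --role "Security Reader" \
        --scope "/subscriptions/$sub" > /dev/null
}

# main SCOPE_SUBSCRIPTION_ID [SUBSCRIPTION_ID_TO_SCAN...]
# The first id is where the principal's roles are granted; further ids select
# what Scout scans. With no further ids, Scout scans everything the principal
# can see.
main() {
    sub=${1:?usage: $0 --run SCOPE_SUBSCRIPTION_ID [SUBSCRIPTION_ID_TO_SCAN...]}
    shift
    file=./scout-sp.json
    [ -f "$file" ] || create_scout_sp scout-suite-reader "$sub" "$file"
    check_sdk_auth_file "$file"
    # Word splitting of the printed flags is intended: subscription ids are GUIDs.
    scout azure --file-auth "$file" $(scout_subscription_args "$@")
}

# Only run when invoked as `sh scout_azure.sh --run <subscription-id>...`, so
# the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

The mode check matters because the `--sdk-auth` file holds the principal's client secret in clear text; keeping it at `0600` (and out of version control) limits who can reuse Scout's read-only identity. Re-running the script reuses an existing `scout-sp.json` rather than minting a new secret each time.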