Cloud One Conformity requires metadata about your Azure system to run all the rules. In order to retrieve this metadata, Cloud One Conformity requires you to apply some roles and permissions to your Azure account using the scripts in this repository to apply these roles and permissions.
This script creates a new Custom role "Custom Role - Cloud One Conformity" within the Active Directory that the App Registration resides in.
This new Custom role along with the built-in "Reader" role will be applied to either all the Subscriptions in the Active Directory or just the subscription that is specified.
There is an additional "Custom Role - Cloud One Conformity (Tenant scope)" that is optional.
The script can also create a new App Registration to apply these permissions which can be used to allow Conformity to access to your Azure instance.
The version of Azure CLI used to run the script must be 2.40.0
or higher
bash apply-roles
Cloud One Conformity is granted read-only access to your Azure Active Directory resources via an App Registration. The script will prompt you to use the "Conformity Azure access" App Registration or to use a different App Registration by providing its Application (client) ID.
If you choose to use the "Conformity Azure access" App Registration, and it hasn't been created before, the script with automatically create it and add the required API permissions for Conformity to run the rule checks.
The script will automatically generate a Client secret key for the created App Registration. This Client secret key will be displayed when the script has completed.
This is the only time this secret will be displayed so please store in a secure location for use while setting up your account in Conformity.
Note: This Client secret key can be revoked and/or new Client secret keys can be generated through the Azure Portal.
The script will prompt you to add new subscriptions to the assignable scopes of the custom role "Custom Role - Cloud One Conformity". This is necessary when new subscription(s) have been added to the Active Directory after the role has already been created.
Note: This requires the role to have been already created.
Note: This will only update the role assignable scopes and not attempt to assign the updated role to any new subscriptions.
You can opt to apply the Custom role along with the built-in "Reader" role to all subscriptions or to just one single subscription.
Note: Subscription id is required in the case of applying roles to one single subscription.
You can opt to apply the Tenant scope Custom role to the service principal. Please ensure you have access to the tenant root group.
- Log in to the Azure portal using your credentials.
- Open a Cloud Shell bash terminal (For details, see Cloud shell docs).
- Clone the Github repository.
- In the same directory as the bash script run.
bash apply-roles
Note: Run az login
in the Cloud shell before creating a new App Registration.
- Install Azure CLI (Installation instructions).
- Log into your Azure account using
az login
. - Clone the Github repository or copy all the files to your local machine.
- In the same directory as the bash script run.
bash apply-roles
If you get the following error when running the script:
The role Custom Role - Cloud One Conformity is not available for assignment at the requested scope.
This error is most commonly caused by the addition of a new subscription to the Active Directory after the custom role has been created.
To resolve this you will need to add new subscriptions to the assignable scopes of the custom role before you can assign it to the new subscription. Once the new subscription is added to the assignable scopes of the custom role wait a few minutes before you re-run the script as it can take a few minutes for the changes to be reflected in the Azure system.
-
Doesn't gracefully handle subscriptions with no permissions to update
When running the script against all subscriptions in the Active Directory if there is a subscription which the user running the script doesn't have permissions to apply the roles to, the script will fail. Any subscriptions that were processed before this subscription will have the roles applied. This applies to the tenant custom role as well.
The code style of the shell script follows the Google Shell Style Guide