Azure Cloud

Last modified on December 13, 2024

This guide explains what capabilities StrongDM can provide for managing command line access to the Azure cloud. It also provides setup and configuration instructions to add Azure as a resource in StrongDM and begin using StrongDM to control access for users who wish to access your cloud via the Azure CLI. StrongDM users are authenticated with Azure and granted the level of access that you configure on the Azure side.

In addition to access control and auditing, Azure access through StrongDM can be a part of a variety of use cases and access control methodologies:

  • Least Privilege: For Azure clouds, least privilege can be accomplished by setting up multiple instances of the console as StrongDM resources. Each resource would connect to Azure using a different set of credentials with different permissions granted to it.
  • Just-in-Time Access: StrongDM users are able to use any access workflows you set up to request access to Azure, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the Access Workflows section.
  • Context-Based Policy: StrongDM policies that restrict or enable users’ ability to connect to Azure cloud resources based on their context can be used to limit availability of your Azure CLI to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the Policies section.

Limitations

  • There is no SDK, Terraform, Ansible, or other such support for Azure.
  • The Azure driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.

Azure Cloud Properties

Azure resources support the Azure CLI (az).

In StrongDM, there are two types of Azure cloud resources: Azure, which is configured to accept a password; and AzureCertificate, which is configured to accept a certificate file.

Both Azure and AzureCertificate cloud types always bind to port 65113.

Prerequisites

  • In StrongDM, you must have the Admin permission level.
  • You must have administrator access to your Azure cloud environment and be familiar with the Azure CLI (az).
  • Your Azure Active Directory account must have permission to create a service principal.
  • You must have the Azure CLI downloaded and installed.

Configuration

Generate credentials

  1. Log in to Azure (az login).
  2. In the Azure CLI, create an Azure service principal with the az ad sp create-for-rbac command.
  3. Decide which type of sign-in authentication the service principal should use (password-based or certificate-based authentication), and follow the instructions provided.

Create a service principal with a password

  1. Use the following command, being sure to replace the placeholders with the actual values:

    az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --scopes <SCOPES>
    

    For example, your command may look like this:

    az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/jynb88ey-kqrd-8wqv-fh24-9m9sb05jmb9b
    
  2. From the output, copy the appId, tenant, and password values. You need them later when setting up the Azure cloud type in StrongDM. Note that you can reset the password key if you forget it, but you cannot retrieve it later.

    Your example output may look similar to this:

    {
      "appId": "myAppId",
      "displayName": "myDisplayName",
      "name": "http://myName",
      "password": "generatedPassword",
      "tenant": "myTenantId"
    }
    

Create a service principal with a self-signed certificate

  1. Use the following command with the --create-cert argument, being sure to replace the placeholders with the actual values:

    az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --create-cert
    

    For example, your command may look like this:

    az ad sp create-for-rbac --name ExampleName --role Contributor --create-cert
    
  2. From the output, copy the appId and tenant. From the PEM file, copy the entirety of the file, which includes the private key and certificate values. You need them later when setting up the AzureCertificate cloud type in StrongDM.

    Your example output may look similar to this:

    {
      "appId": "myAppId",
      "displayName": "myDisplayName",
      "name": "http://myName",
      "fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
      "password": null,
      "tenant": "myTenantId"
    }
    

    Example contents of the new PEM file:

    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
    -----END CERTIFICATE-----
    
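The following is an added example, not StrongDM's or Azure's own code: it checks the output of az ad sp create-for-rbac from either procedure above before you enter it into StrongDM, telling you which cloud type (Azure or AzureCertificate) the output maps to, extracting the appId and tenant values, and confirming that a PEM file contains both the private key and the certificate block that the AzureCertificate type requires. The JSON samples are constructed to match the page's examples and contain no real credentials.

```shell
# Constructed sample: output for a password-based service principal
SAMPLE_PASSWORD_JSON='{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "name": "http://myName",
  "password": "generatedPassword",
  "tenant": "myTenantId"
}'

# Constructed sample: output when --create-cert was used (password is null)
SAMPLE_CERT_JSON='{
  "appId": "myAppId",
  "displayName": "myDisplayName",
  "fileWithCertAndPrivateKey": "/tmp/myNewFile.pem",
  "password": null,
  "tenant": "myTenantId"
}'

# json_field KEY: pull a string value out of az's one-key-per-line JSON on stdin
# (sufficient for this output shape; use jq for anything more complex)
json_field() {
  sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# pick_cloud_type: read the JSON on stdin and name the StrongDM cloud type it
# belongs to: AzureCertificate when a PEM path is present, Azure when a real
# (non-null) password is present; anything else is an error.
pick_cloud_type() {
  json=$(cat)
  if printf '%s\n' "$json" | grep -q '"fileWithCertAndPrivateKey"'; then
    echo AzureCertificate
  elif printf '%s\n' "$json" | grep -Eq '"password": *"[^"]+"'; then
    echo Azure
  else
    echo unknown
    return 1
  fi
}

# check_pem FILE: the AzureCertificate type takes the whole PEM file, so both
# the private key block and the certificate block must be present.
check_pem() {
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" &&
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}
```

Run check_pem against the file named in fileWithCertAndPrivateKey before pasting it into the Certificate field; a file with only one of the two blocks will be rejected by this check.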

Admin UI setup

If you prefer to set up your Azure resource in StrongDM using the CLI, skip this step and read CLI setup. If you want to set up Azure as a cloud resource in the StrongDM Admin UI, go to Resources > Clouds in the Admin UI and click the Add cloud button.

Set the following properties:

  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Cloud Type (Required): Select Azure if you are using password-based authentication; select AzureCertificate if you are using certificate-based authentication.
  • Secret Store (Optional): Credential store location; defaults to Strong Vault.
  • App ID (Required): For the Azure cloud type, set the appId copied from the password-based service principal output.
  • Tenant (Required): Set the tenant copied from the service principal output.
  • Password (Required): For the Azure cloud type, set the password key copied from the password-based service principal output.
  • Certificate (Required): For the AzureCertificate cloud type, paste the entirety of the PEM file of the service principal with a self-signed certificate, which contains the private key and certificate values.

Click Create to save the configuration settings.

CLI setup

If you prefer to set up your resource using the CLI instead of the Admin UI, open your terminal. While logged in to StrongDM, use the following command:

sdm admin clouds add azure

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add azure - create Azure (Password) cloud

USAGE:
   sdm admin clouds add azure [command options] <name>

OPTIONS:
   --app-id value            the application ID to authenticate with (required, secret)
   --bind-interface value    bind interface (default: "127.0.0.1")
   --egress-filter value     apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --password value          service principal password (required, secret)
   --port-override value     port profile override (default: -1)
   --proxy-cluster-id value  proxy cluster id
   --secret-store-id value   secret store id
   --subdomain value         This will be used as your local DNS address. (e.g. app-prod1 would turn into app-prod1.<your-org-name>.sdm.network)
   --tags value              tags e.g. 'key=value,...'
   --template, -t            display a JSON template
   --tenant-id value         the tenant ID to authenticate to (required, secret)
   --timeout value           set time limit for command

Logs

For logs of access to an Azure cloud resource, go to the Cloud logs section of the Admin UI (Logs > Cloud), where you can find all of the activities of users connected through StrongDM. StrongDM attempts to strip the Authorization header from log entries before they are displayed in the Admin UI, and any secrets that do appear in the cloud logs are placeholder values; no actual keys or secrets are ever exposed in plaintext in the Admin UI.

CLI Usage

When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization’s users to access the Azure cloud resource via StrongDM, users need to install the following:

  • The StrongDM Desktop application
  • The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the desktop app and click the Upgrade button.
  • The Azure CLI (az)

After installation, users must exit and restart the desktop app, and then select the Azure cloud resource to connect to.

Click to connect to the resource in the desktop app, or run sdm connect <RESOURCE> in the CLI. Once connected, users can use the Azure CLI through StrongDM at their terminal, with the base syntax of sdm az cli or sdm azure cli.

You can use sdm az --help (or sdm azure --help) to view example usage and command options:

NAME:
   sdm azure - azure commands

USAGE:
   sdm azure command [command options] [arguments...]

COMMANDS:
   cli  Execute an Azure CLI Command.
   env  Print environment variables required to access an Azure resource.
   run  Execute an external command with environment variables configured to access an Azure resource.

OPTIONS:
   --name value     The name of the Azure resource to access. By default if there is only one connected Azure resource, that resource is used. [$SDM_AZURE_NAME]
   --help, -h  show help

az cli

The az cli command is followed by an Azure CLI command that you wish to run against your connected Azure resource. For more information about Azure CLI commands, see the Azure CLI documentation.

az env

The az env command outputs the environment variables that are required to access an Azure resource. The output is in a format similar to that of the standard env command, but it contains only the environment variables relevant to connecting to Azure.

az run

The az run command is followed by a command that you wish to run against the connected resource; that command is executed with the necessary environment variables set. For example, if you have a pre-existing script for managing Azure resources that uses az commands, you can run it with az run shellscript.sh instead of altering the script to work with StrongDM.

--name

If your organization has multiple Azure cloud resources, and you are connected to more than one at once, you may specify a --name value in commands in order to specify which you intend to execute the command on. For example, sdm az --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single Azure cloud resource connected.

Configuration directories

You should use a unique configuration directory for each Azure resource ($SDM_HOME/azure-config/<resource-id> instead of $SDM_HOME/azure-config), to isolate the configuration for different resources (and the default configuration), allowing commands against different resources to be safely run concurrently.
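As an added example that is not part of the StrongDM documentation, the small wrapper below runs a pre-existing az script against one named resource from that resource's own configuration directory, combining the --name flag ordering and the per-resource directory described above. It assumes SDM_HOME defaults to ~/.sdm, that the resource name is used as the <resource-id> path component, and that the Azure CLI reads AZURE_CONFIG_DIR (which it does) from the environment that sdm az run passes to the script.

```shell
# azure_config_dir RESOURCE: the per-resource directory the page recommends.
# Assumption: the resource name doubles as <resource-id>.
azure_config_dir() {
  printf '%s/azure-config/%s\n' "${SDM_HOME:-$HOME/.sdm}" "$1"
}

# prepare_config_dir RESOURCE: create the directory owner-only, since the
# Azure CLI caches tokens and profile data inside it; prints the path.
prepare_config_dir() {
  dir=$(azure_config_dir "$1")
  mkdir -p "$dir" && chmod 700 "$dir" && printf '%s\n' "$dir"
}

# sdm_az_command RESOURCE SCRIPT: the command line to run, with --name placed
# before the subcommand, as required when several Azure resources are connected.
sdm_az_command() {
  printf 'sdm az --name %s run %s\n' "$1" "$2"
}

# run_script_isolated RESOURCE SCRIPT: point the Azure CLI at the isolated
# directory (assumption: AZURE_CONFIG_DIR is passed through) and run the
# script through StrongDM against the named resource.
run_script_isolated() {
  AZURE_CONFIG_DIR=$(prepare_config_dir "$1")
  export AZURE_CONFIG_DIR
  sdm az --name "$1" run "$2"
}
```

Calling run_script_isolated prod-azure deploy.sh and run_script_isolated dev-azure deploy.sh from two terminals keeps the two sessions' Azure CLI state in separate directories.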

Error Cases

Should you attempt to use a cloud resource when you are not connected to it, StrongDM’s CLI commands warn you. You can get around this warning in some contexts (for example, by setting environment variables in your terminal). In these cases, you may encounter SSL errors, and nothing happens when you run commands.
