Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles

1.0 Introduction

The purpose of this article is to describe the minimum access privileges required for Fortanix Key Insight to scan the Azure cloud subscription(s) or management groups.

2.0 Configure Azure Cloud in Fortanix Key Insight

This section outlines the necessary steps to securely integrate an Azure cloud with Fortanix Key Insight, which enables streamlined monitoring, management, and optimization of key resources. The integration leverages Azure's Role-Based Access Control (RBAC) for granular permission management.

2.1 Prerequisites

The following are the prerequisites to configure an Azure cloud in Fortanix Key Insight:

  • The supported Azure agreement types: Enterprise Agreement, Microsoft Customer Agreement, and Pay-as-you-go.

  • Access to your Azure subscription: You should be a Global Administrator with elevated access to set up Azure integration in Fortanix Key Insight as shown in the following diagram. Refer to Elevated access to manage Azure Management Groups and Subscriptions for more details.

    Figure 1: Global Administrator with Elevated Access

  • A registered Fortanix Key Insight Account. For detailed steps to get started with Fortanix Key Insight, refer to Fortanix Key Insight – Getting Started Guide.

2.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

Perform the following steps to create a service principal in Microsoft Entra ID:

  1. Navigate to the Azure portal and search for Microsoft Entra ID.

  2. Select App registrations under Manage in the left navigation menu on the Microsoft Entra ID page.

    Figure 2: Access App Registrations

    NOTE

    You can also search for App registrations in the Microsoft Azure search bar.

  3. Click New registration.

    Figure 3: Add a New App Registration

  4. On the Register an application page, configure the following fields:

    • Name: The user-facing display name for this application. For example, key-insight-app.

    • Supported account types: Select Accounts in this organizational directory only (<your organization name> only - Single tenant).

    • Redirect URI: This is optional.

    Figure 4: Register the New Application

  5. Click Register to register an application. The new application will be registered in Microsoft Azure.

    Figure 5: View the Registered Application

    NOTE

    Ensure that you copy and save the Directory (tenant) ID and Application (client) ID values. Both values are required when you connect the Azure cloud in Fortanix Key Insight.

  6. Perform the following steps to create a new client secret:

    • Navigate to Certificates & secrets from the left navigation menu.

    • Click New client secret.

    • On the Add a client secret panel, enter the following:

      • Description: Enter the description for this secret. For example, key-insight-app-client-secret.

      • Expires: Select 730 days (24 months).

    • Click Add.

    Figure 6: Add a New Client Secret

    NOTE

    The client secret value is shown only once, immediately after creation. Ensure that you copy and save the secret value before leaving the page. This value is required when you connect the Azure cloud in Fortanix Key Insight.

2.3 Choose the Scope

You can choose Management Groups or Subscription scopes during Azure cloud setup in Fortanix Key Insight. For more details on Azure cloud setup, refer to User Guide: Key Insight Getting Started Guide.

2.3.1 Obtain a Management Group ID

Perform the following steps to obtain a management group ID:

  1. Navigate to Management groups on Microsoft Azure.

  2. Copy the value from the ID column of your Azure Management groups list. For example, engineering-management-group is copied from the ID column as shown below:

Figure 7: Get a Management Group ID

2.3.2 Obtain a Subscription ID

Perform the following steps to obtain a subscription ID:

  1. Navigate to Management groups on Microsoft Azure.

  2. Select your subscription.

  3. Copy the Subscription ID from your Azure subscription. For example, the Subscription ID is copied from the Fortanix-Internal subscription as shown below:

Figure 8: Get a Subscription ID

2.4 Provide Permissions in Your Azure Service Principal

You must grant permissions to your Azure service principal at the management group or subscription level so that Fortanix Key Insight can scan the keys and services in that scope.

2.4.1 Permissions at the Management Group Level

Perform the following steps to provide permissions at the Management group level:

  1. Navigate to Access control (IAM) in the selected management group.

  2. Click Add role assignment.

  3. Perform Steps 3 to 6 mentioned in Section 2.4.2: Permissions at the Subscriptions Level and provide permissions for the selected management group.

  4. The Reader and Key Vault Reader roles are automatically inherited by all subscriptions under the management group. You do not have to visit each subscription individually to grant the access permissions.

2.4.2 Permissions at the Subscriptions Level

Perform the following steps to provide permissions at the subscription level:

  1. Navigate to Access control (IAM) in the selected subscription.

  2. Click Add role assignment.

    Figure 9: Add a Role Assignment

  3. Select Reader role and click Next.

    Figure 10: Select a Reader Role

  4. For the Reader role, perform the following steps to select members:

    1. Click Select members.

    2. Add your app (for example, key-insight-app), as created in Section 2.2: Create a Service Principal in Microsoft Entra ID.

    3. Click Select.

    Figure 11: Add a Role Assignment

  5. Click Review + assign.

    Figure 12: Reader Role Assignment

  6. Perform the following steps to provide the Key Vault Reader role permission for your Azure app:

    1. Repeat Steps 1 and 2 above.

    2. Select the Key Vault Reader role and click Next.

      Figure 13: Key Vault Reader Role Assignment

    3. Select members to add a Key Vault Reader role for your app and click Select.

      Figure 14: Add a Key Vault Reader Role

    4. Click Review + assign.

      Figure 15: Review and Assign the Permissions
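
The portal steps in Sections 2.2 to 2.4 can also be scripted with the Azure CLI. The following script is an added example and is not Fortanix's own tooling or part of this guide's procedure. It assumes you have run `az login` as a user allowed to create app registrations and role assignments at the chosen scope, reuses the article's example names (key-insight-app, engineering-management-group), and uses placeholder IDs in its default dry-run mode. Beyond the portal steps, it ends with a least-privilege check that the service principal holds exactly the Reader and Key Vault Reader roles at the scope and nothing more.

```shell
#!/bin/sh
# Added example, not Fortanix's own tooling: an Azure CLI (az) equivalent of
# Sections 2.2 to 2.4, plus a check that the service principal ended up with
# exactly the two built-in roles the article grants. Assumes `az login` was done
# by a user allowed to create app registrations and role assignments at the
# chosen scope. The app name and management group ID reuse the article's
# examples; the IDs printed in dry-run mode are placeholders.
set -eu

APP_NAME="${APP_NAME:-key-insight-app}"
SCOPE_KIND="${SCOPE_KIND:-mg}"                 # mg = management group, sub = subscription
SCOPE_ID="${SCOPE_ID:-engineering-management-group}"
DRY_RUN="${DRY_RUN:-1}"                        # 1 prints the az commands, 0 executes them

# Section 2.3: the ARM scope string for a management group or a subscription.
# (List candidate IDs with `az account management-group list` or `az account list`.)
scope_for() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s' "$2" ;;
    sub) printf '/subscriptions/%s' "$2" ;;
    *)   echo "unknown scope kind: $1 (use mg or sub)" >&2; return 1 ;;
  esac
}

# Section 2.4: the command that grants one built-in role to the service
# principal at the scope. An assignment made at a management group is inherited
# by every subscription under it (Section 2.4.1).
assignment_cmd() { # $1 = service principal object ID, $2 = role name, $3 = scope
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s' "$1" "$2" "$3"
}

# Least-privilege check over the role names actually assigned (one per line, as
# printed by: az role assignment list --assignee <app-id> --scope <scope>
#             --query "[].roleDefinitionName" -o tsv).
# missing_roles prints required roles that are absent; extra_roles prints any
# assigned role beyond Reader and Key Vault Reader, which the scan does not need.
missing_roles() {
  for role in "Reader" "Key Vault Reader"; do
    printf '%s\n' "$1" | grep -qx "$role" || printf '%s\n' "$role"
  done
}
extra_roles() {
  printf '%s\n' "$1" | grep -vx -e "Reader" -e "Key Vault Reader" || true
}

# Print a command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$1"; else eval "$1"; fi; }

main() {
  scope="$(scope_for "$SCOPE_KIND" "$SCOPE_ID")"
  if [ "$DRY_RUN" = "1" ]; then
    app_id="<application-client-id>"; sp_object_id="<service-principal-object-id>"
    echo "# dry run; set DRY_RUN=0 to execute against your tenant"
    run "az ad app create --display-name $APP_NAME --sign-in-audience AzureADMyOrg"
    run "az ad sp create --id $app_id"
    run "az ad app credential reset --id $app_id --years 2"
  else
    # Section 2.2 steps 1-5: single-tenant app registration and its service principal.
    app_id="$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg --query appId -o tsv)"
    az ad sp create --id "$app_id" >/dev/null
    sp_object_id="$(az ad sp show --id "$app_id" --query id -o tsv)"
    # Section 2.2 step 6: a client secret valid for 24 months. The value is shown
    # once; store it in your secret manager, not in shell history or a script.
    echo "Directory (tenant) ID:    $(az account show --query tenantId -o tsv)"
    echo "Application (client) ID:  $app_id"
    echo "Client secret:            $(az ad app credential reset --id "$app_id" --years 2 --query password -o tsv)"
  fi
  # Section 2.4: grant exactly the two built-in roles at the chosen scope.
  for role in "Reader" "Key Vault Reader"; do
    run "$(assignment_cmd "$sp_object_id" "$role" "$scope")"
  done
  if [ "$DRY_RUN" != "1" ]; then
    assigned="$(az role assignment list --assignee "$app_id" --scope "$scope" --query "[].roleDefinitionName" -o tsv)"
    missing="$(missing_roles "$assigned")"; extra="$(extra_roles "$assigned")"
    [ -z "$missing" ] || { echo "missing roles at $scope: $missing" >&2; exit 1; }
    [ -z "$extra" ] || echo "warning: roles beyond the minimum at $scope: $extra" >&2
    echo "service principal holds Reader and Key Vault Reader at $scope"
  fi
}
main
```

Run it once with the default `DRY_RUN=1` to review the commands, then with `DRY_RUN=0 SCOPE_KIND=sub SCOPE_ID=<subscription-id>` for a single subscription or `SCOPE_KIND=mg` for a management group. The `missing_roles` and `extra_roles` checks are worth re-running periodically: they catch both an incomplete grant (a scan that silently skips key vaults) and privilege creep, where someone later adds a Contributor or Key Vault Administrator assignment that the scan never needed.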

3.0 Help and Support