1.0 Introduction
This article describes the least-privilege permissions that Fortanix Key Insight requires, and how to grant them by creating an Azure custom role with the Azure CLI script described below.
2.0 Setup Your Azure Cloud Using Custom Roles
Use the Azure command line interface (CLI) script to set up your Azure cloud with custom roles based on least-privileged permissions.
The Azure script helps you to:
Create an Azure service principal.
Create a custom role with specific permissions.
Assign the custom role to the service principal within the scope of the subscription or management group.
NOTE
Before running the script, ensure the Azure CLI is running in a Bash environment, either locally or in Azure Cloud Shell at portal.azure.com.
You must have the following permissions at the appropriate levels:
The Application Administrator or Cloud Application Administrator role at the Azure tenant level. These roles are necessary for creating an Azure service principal.
The Owner, User Access Administrator, or Role Based Access Control Administrator permissions at the Subscription or Management Group level to create, define, and assign a custom role.
Perform the following steps to configure an Azure cloud using the Azure script with Subscription or Management Group scopes:
Download the following script (.sh) file:
Run the following command to make the script executable:
chmod +x fortanix_key_insight_azure_cloud_onboarding.sh
Use the various options to run the script at different scopes:
Subscription scope
./fortanix_key_insight_azure_cloud_onboarding.sh -s <subscription-id>
Management Group scope
./fortanix_key_insight_azure_cloud_onboarding.sh -m <management-group-name-or-id>
NOTE
You can specify only one scope per run: either a subscription ID or a management group ID, not both.
Use the following command to get all the available options:
./fortanix_key_insight_azure_cloud_onboarding.sh -h
After executing the script successfully, you can retrieve the following:
Subscription ID or Management Group ID
Client ID
Client secret
Tenant ID
You must use these values to set up the Azure cloud connection in Fortanix Key Insight.
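The procedure above can also be followed by hand. The following Bash script is an added example, not the Fortanix onboarding script: it derives the RBAC scope from either a subscription ID or a management group ID (rejecting both at once, as the script does), creates a read-only custom role, creates the service principal with that role assigned at the scope, and prints the four values Key Insight asks for. The role name, service principal name, and the Actions in the role definition are assumptions for illustration; they are not Key Insight's documented permission list, and you should substitute the permissions the downloaded script defines. It assumes the Azure CLI and jq are installed and that you are signed in with the tenant and subscription/management-group rights listed in the note above.

```bash
#!/usr/bin/env bash
# Added example (not the Fortanix onboarding script). Role name, SP name and the
# Actions list are assumptions for illustration only.
set -eu

# Derive the RBAC scope from exactly one of subscription ID / management group ID.
ki_scope() {
  sub="$1"; mg="$2"
  if [ -n "$sub" ] && [ -n "$mg" ]; then
    echo "error: specify either a subscription ID or a management group ID, not both" >&2
    return 1
  fi
  if [ -n "$sub" ]; then printf '/subscriptions/%s' "$sub"; return 0; fi
  if [ -n "$mg" ]; then printf '/providers/Microsoft.Management/managementGroups/%s' "$mg"; return 0; fi
  echo "error: a subscription ID or management group ID is required" >&2
  return 1
}

# Custom role definition restricted to the chosen scope. The Actions below are
# illustrative (assumption); no write actions and no DataActions are granted.
ki_role_definition() {
  name="$1"; scope="$2"
  cat <<EOF
{
  "Name": "$name",
  "IsCustom": true,
  "Description": "Read-only discovery role (illustrative action list)",
  "Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# Create the role, create the service principal with the role assigned at the
# scope, verify the assignment, and print the values Key Insight needs.
ki_onboard() {
  scope="$1"; role_name="$2"; sp_name="$3"
  az role definition create --role-definition "$(ki_role_definition "$role_name" "$scope")" >/dev/null
  # create-for-rbac creates the app + service principal and assigns the role in
  # one step; "password" is the client secret and is shown only once.
  sp_json=$(az ad sp create-for-rbac --name "$sp_name" --role "$role_name" --scopes "$scope" -o json)
  client_id=$(printf '%s' "$sp_json" | jq -r .appId)
  client_secret=$(printf '%s' "$sp_json" | jq -r .password)
  tenant_id=$(printf '%s' "$sp_json" | jq -r .tenant)
  # Check that only the custom role is assigned to this principal at the scope.
  echo "Roles assigned at $scope:"
  az role assignment list --assignee "$client_id" --scope "$scope" --query "[].roleDefinitionName" -o tsv
  printf 'Scope: %s\nClient ID: %s\nTenant ID: %s\n' "$scope" "$client_id" "$tenant_id"
  printf 'Client secret: %s\n' "$client_secret"   # enter into Key Insight now; not retrievable later
}

# Entry point mirroring the script's -s <subscription-id> | -m <management-group> options.
ki_main() {
  sub=""; mg=""
  while getopts "s:m:" opt; do
    case "$opt" in
      s) sub="$OPTARG" ;;
      m) mg="$OPTARG" ;;
      *) echo "usage: $0 -s <subscription-id> | -m <management-group-id>" >&2; return 2 ;;
    esac
  done
  scope=$(ki_scope "$sub" "$mg") || return 1
  ki_onboard "$scope" "Key Insight Reader (example)" "key-insight-example-sp"
}

# Run only when invoked with arguments so the functions can also be sourced.
if [ "$#" -gt 0 ]; then ki_main "$@"; fi
```

A newly created role definition can take a short time to replicate; if az ad sp create-for-rbac reports that the role was not found, wait a minute and re-run the assignment with az role assignment create. The role assignment listing at the end is the least-privilege check: the principal should hold the custom role only, and nothing at a broader scope.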
Figure 1: Azure Cloud Connection - Subscription Scope Credentials
After you complete the configuration and scan your Azure resources, you can view the discovery and assessment results in the Fortanix Key Insight dashboard. The dashboard provides a detailed overview of the scanned key vaults and the keys in those vaults, along with where those keys are used in services such as Azure SQL, Azure storage accounts, and Azure managed disks. You will see an assessment of the keys with a risk score, highlighting any violations, expired keys, disabled key rotation, vulnerable keys, and instances where the same key is shared across multiple resources.
For more details on the Azure dashboard, refer to Fortanix Key Insight – Azure User Interface Components.
Figure 2: View Azure Cloud Dashboard
3.0 Additional References
For Fortanix Key Insight and Azure terminology, refer to Key Insight - Concepts Guide and Key Insight – Azure Concepts Guide.
To onboard an Azure cloud in Fortanix Key Insight using Azure built-in roles, refer to Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles.