ZCSPM
Granting Access to Key Vaults in Microsoft Azure
You can grant the ZCSPM Azure app (the application registered when you onboarded the subscription) access to your key vaults to enable an additional Azure security policy. ZCSPM cannot collect the configuration metadata this policy needs using only the subscription Reader role, because Reader does not grant any data-plane permission on a key vault.
The additional security policy that this access enables is:
Policy Title: Ensure that the expiry date is set on all Secrets in a Key Vault
Category: Key Management
To enable the Azure app subscription access to your key vault:
- Log in to the Azure Portal
- In the left-pane menu, click Key vaults.
- Click your key vault, then select Access policies.
- Click Add Access Policy.
- From the Key permissions drop-down menu, select List.
- From the Secret permissions drop-down menu, select List.
- Click Add.
You must grant the Azure app access to every key vault in the subscription. The List permission lets ZCSPM enumerate keys and secrets and read their attributes (including the expiry date) without being able to read secret values; do not grant Get.
If you have many key vaults and don't want to grant the Azure app access to each one manually, you can provision an automation account to do it for you:
- 1. Get the Application ID and Client Secret
- Log in to the Azure Portal
- In the left-pane menu, click Azure Active Directory.
- Select App registrations, then click New Registration.
- Enter the Name and select the Accounts in this organizational directory only option.
- Click Register.
- Copy the Application ID to the clipboard and store it. You need to submit this information in ZCSPM.
- In the left-pane menu, click Certificates & secrets, then click New client secret.
- Enter a Description and select an expiry time, then click Add.
- Copy the Client secret to the clipboard and store it. You need to submit this information in ZCSPM.
You will not be able to copy the Client secret later and will have to create a new one.
- 2. Grant Admin Consent for Microsoft Graph API Permissions
- Log in to the Azure Portal
- In the left-pane menu, click Azure Active Directory.
- Select App registrations, then select the application you registered in step 1.
- In the left-pane menu, click API permissions.
- Click Add a permission, then select Microsoft Graph.
- Click Application permissions, then select the Application.ReadWrite.All permission. This is a tenant-wide application permission that allows the app to modify any app registration, so grant it only to this automation principal and remove it once the runbook is no longer needed.
- Click Add permissions.
- Click Grant admin consent for <your azure app>.
- 3. Grant the Registered Azure App the Subscription Contributor Role
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click the subscription where you want to assign the Contributor role.
- Click Access Control (IAM), then click Add role assignment.
- From the Role drop-down menu, select Contributor.
- From the Assign access to drop-down menu, select User, group, or service principal.
- From the Select drop-down menu, select the newly registered Azure application.
- Click Save.
- 4. Provision the Automation That Grants the List Permissions to Key Vaults
- Log in to the Azure Portal as a Subscription Owner.
- Click on the Cloud Shell icon.
- Choose PowerShell, then select your storage.
- Download the provisioning script and the runbook script by using the following commands:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Provision-KeyVaultAccessAutomation.ps1 -O Provision-KeyVaultAccessAutomation.ps1
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/AutoAssign-PermissionsToKeyvault.ps1 -O AutoAssign-PermissionsToKeyvault.ps1
- Run the provisioning script using the following command. CloudneetiRegisteredApplicationObjectId is the object ID of the ZCSPM data collector service principal (the principal that receives the List permissions); ApplicationId is the Application ID of the app you registered in step 1, which the runbook authenticates as:
./Provision-KeyVaultAccessAutomation.ps1 `
    -CloudneetiRegisteredApplicationObjectId <data-collector-object-id> `
    -ApplicationId <Contributor Application Id> `
    -SubscriptionId <Azure Subscription Id where keyvaults are present> `
    -AzureActiveDirectoryId <Azure Active Directory Id> `
    -AutomationAccountName <Automation Account Name> `
    -Location <Location>
- When prompted, enter the client secret of the Contributor application you registered in step 1.
- The script creates a runbook in the automation account that assigns List permissions on keys and secrets in every key vault in the subscription to the ZCSPM data collector.
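The following script is an added example for both procedures above (the manual per-vault access policy and the automated assignment); it is not ZCSPM's own provisioning script or runbook. It grants the ZCSPM data collector service principal List on keys and secrets in every key vault of the current subscription and then verifies the result. It assumes the Az.Accounts, Az.KeyVault and Az.Resources modules are installed, that Connect-AzAccount has already been run, and that the caller may change access policies and role assignments on the vaults; the function and parameter names are this example's own, not ZCSPM's.

```powershell
<#
  Added example, not ZCSPM's own provisioning script or runbook. Grants the ZCSPM
  data-collector service principal "List" on keys and secrets in every Key Vault of the
  current subscription, the same result the portal steps above produce one vault at a time.
  Assumptions (not from the page): Az.Accounts, Az.KeyVault and Az.Resources are installed,
  Connect-AzAccount has been run, and the caller may change access policies and role
  assignments on the vaults. Function and parameter names are this example's own.
#>
param(
    [Parameter(Mandatory)] [string] $ApplicationId,   # Application (client) ID of the ZCSPM app
    [string] $SubscriptionId                            # optional: subscription holding the vaults
)

function Grant-ZcspmKeyVaultList {
    param([Parameter(Mandatory)] [string] $ObjectId)

    foreach ($item in Get-AzKeyVault) {
        # The unparameterised list call returns summary objects; fetch the full vault
        # to learn its permission model and current access policies.
        $vault = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

        if ($vault.EnableRbacAuthorization) {
            # Vaults on the Azure RBAC permission model ignore access policies, so the
            # equivalent is the built-in "Key Vault Reader" role at vault scope: it reads
            # key/secret metadata (including expiry) but not secret values.
            $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $vault.ResourceId `
                -RoleDefinitionName 'Key Vault Reader'
            if (-not $existing) {
                New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName 'Key Vault Reader' `
                    -Scope $vault.ResourceId | Out-Null
            }
            $mode = 'rbac'
        }
        else {
            # Access-policy vaults: List only, never Get, so the collector can enumerate
            # secrets and read their attributes without being able to read secret values.
            # Set-AzKeyVaultAccessPolicy overwrites this principal's key and secret
            # permissions, so re-running the script is safe and idempotent.
            Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName `
                -ResourceGroupName $vault.ResourceGroupName -ObjectId $ObjectId `
                -PermissionsToKeys list -PermissionsToSecrets list | Out-Null
            $mode = 'accessPolicy'
        }

        [pscustomobject]@{
            Vault    = $vault.VaultName
            Mode     = $mode
            Verified = Test-ZcspmKeyVaultAccess -Vault $vault -ObjectId $ObjectId
        }
    }
}

function Test-ZcspmKeyVaultAccess {
    # Re-reads the vault and confirms the principal can list, but not get, secrets.
    param([Parameter(Mandatory)] $Vault, [Parameter(Mandatory)] [string] $ObjectId)

    $fresh = Get-AzKeyVault -VaultName $Vault.VaultName -ResourceGroupName $Vault.ResourceGroupName
    if ($fresh.EnableRbacAuthorization) {
        return [bool](Get-AzRoleAssignment -ObjectId $ObjectId -Scope $fresh.ResourceId `
            -RoleDefinitionName 'Key Vault Reader')
    }
    $policy = $fresh.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    if (-not $policy) { return $false }
    # -contains is case-insensitive, so 'list' matches however the service returns it.
    return ($policy.PermissionsToSecrets -contains 'list') -and
           ($policy.PermissionsToKeys -contains 'list') -and
           -not ($policy.PermissionsToSecrets -contains 'get')
}

if ($SubscriptionId) { Set-AzContext -SubscriptionId $SubscriptionId | Out-Null }

# Access policies and role assignments are keyed by the service principal's object ID,
# not by the Application ID copied from the app registration.
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) { throw "No service principal found for application $ApplicationId" }

Grant-ZcspmKeyVaultList -ObjectId $sp.Id | Format-Table -AutoSize
```

Run it from Cloud Shell (PowerShell) as `./Grant-ZcspmKeyVaultList.ps1 -ApplicationId <data-collector-application-id>`; any vault whose Verified column is False has a permission model or existing policy you need to inspect by hand. The check deliberately fails when Get is present on secrets, because the policy above only needs expiry metadata and the collector should never be able to read secret values.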