...
Armor will require specific access in order to manage the initial deployment and configuration of the new subscription. While most interactions after the initial provisioning will be handled via an Azure Lighthouse delegation, there are certain activities which can only be performed by a service account in your tenant’s Azure Active Directory (for example, management of Azure Key Vault stores).
Command Line Service Account Creation
You can use the following script included in the infrastructure-live-customer repository to create the service account:
| Code Block | ||
|---|---|---|
| ||
# Set a password for the account as an environment variable
read -rs ARMOR_SERVICE_ACCOUNT_PASSWORD
export ARMOR_SERVICE_ACCOUNT_PASSWORD
# Setup a custom role on the subscription
.tools/azure/create-azure-deployment-credentials.sh \
--environment <ENVIRONMENT> \
--subscription <SUBSCRIPTION_ID> \
--domain <AZURE_AD_DOMAIN> |
Manual Service Account Creation
If you do not have the required Azure Active Directory permissions to create the role, have an Azure AD administrator create the following resources:
A user principal named
quantumsaand display nameQuantum Service Account.A custom Azure role with the following permissions with a scope of the target subscription(s):
Microsoft.Authorization/policies/audit/actionMicrosoft.Authorization/policies/auditIfNotExists/actionMicrosoft.Authorization/roleAssignments/deleteMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleAssignments/writeMicrosoft.Insights/Workbooks/ReadMicrosoft.Insights/Workbooks/WriteMicrosoft.Insights/Workbooks/DeleteMicrosoft.Logic/workflows/readMicrosoft.Logic/workflows/writeMicrosoft.Logic/workflows/deleteMicrosoft.Logic/workflows/triggers/listCallbackUrl/actionMicrosoft.Logic/workflows/triggers/readMicrosoft.Logic/workflows/triggers/reset/actionMicrosoft.Logic/workflows/triggers/run/actionMicrosoft.Logic/workflows/triggers/setState/actionMicrosoft.ManagedServices/operationStatuses/readMicrosoft.ManagedServices/registrationAssignments/readMicrosoft.ManagedServices/registrationAssignments/writeMicrosoft.ManagedServices/registrationDefinitions/readMicrosoft.ManagedServices/registrationDefinitions/writeMicrosoft.OperationalInsights/workspaces/readMicrosoft.OperationalInsights/workspaces/writeMicrosoft.OperationalInsights/workspaces/datasources/readMicrosoft.OperationalInsights/workspaces/datasources/writeMicrosoft.OperationalInsights/workspaces/datasources/deleteMicrosoft.OperationalInsights/workspaces/savedSearches/readMicrosoft.OperationalInsights/workspaces/savedSearches/writeMicrosoft.OperationalInsights/workspaces/savedSearches/deleteMicrosoft.OperationalInsights/workspaces/sharedKeys/actionMicrosoft.OperationsManagement/solutions/readMicrosoft.OperationsManagement/solutions/writeMicrosoft.Resources/deployments/readMicrosoft.Resources/deployments/writeMicrosoft.Resources/deployments/deleteMicrosoft.Resources/deployments/exportTemplate/actionMicrosoft.Resources/deployments/operationstatuses/readMicrosoft.Resources/deployments/validate/actionMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/writeMicrosoft.Resources/subscriptions/resourcegroups/deployments/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/writeMicrosoft.Resources/subscriptions/resourcegroups/resources/readMicrosoft.SecurityInsights/alertRules/readMicrosoft.SecurityInsights/alertRules/writeMicrosoft.SecurityInsights/alertRules/deleteMicrosoft.SecurityInsights/alertRules/actions/readMicrosoft.SecurityInsights/alertRules/actions/writeMicrosoft.SecurityInsights/alertRules/actions/deleteMicrosoft.SecurityInsights/automationRules/readMicrosoft.SecurityInsights/automationRules/writeMicrosoft.SecurityInsights/automationRules/deleteMicrosoft.SecurityInsights/dataConnectors/readMicrosoft.SecurityInsights/dataConnectors/writeMicrosoft.SecurityInsights/dataConnectors/deleteMicrosoft.SecurityInsights/Watchlists/readMicrosoft.SecurityInsights/Watchlists/writeMicrosoft.SecurityInsights/Watchlists/deleteMicrosoft.Storage/storageAccounts/blobServices/readMicrosoft.Storage/storageAccounts/blobServices/writeMicrosoft.Storage/storageAccounts/fileServices/readMicrosoft.Storage/storageAccounts/fileServices/writeMicrosoft.Storage/storageAccounts/listkeys/actionMicrosoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/writeMicrosoft.Web/connections/ReadMicrosoft.Web/connections/WriteMicrosoft.Web/connections/DeleteMicrosoft.Web/connections/Join/ActionMicrosoft.Web/connections/Move/Action
Note that some of the resources (some SOAR Logic Apps and the Azure Lighthouse delegation) may require additional permissions during deployment and may fail to deploy specific resources without these permissions:
Microsoft.Authorization/roleAssignments/writeApplication.Read.AllorDirectory.Read.All