For customers deploying our security solutions into a Microsoft Azure environment, we recommend setting up a new subscription to house the stack. While it is possible to deploy into an existing subscription, it’s often easier to maintain as a separate subscription. This article describes the steps to create a new subscription, into which the Armor solution will be deployed. It also describes the permissions that will be required by Armor during
Creating a New Azure Subscription
There are several options for procuring a new subscription that depend on your engagement model with Microsoft. Each are described below:
Creating a Pay-As-You-Go Subscription
Begin by opening the Subscriptions blade in the Azure portal.
In the top left, click Add.
In the Pay-As-You-Go card, click Select offer.
You’ll be redirect to a sign-up form. Fill out the required information, then click Sign up.
Creating an Enterprise Agreement (EA) Subscription
To create an EA subscription, use the following Microsoft guide for configuring your subscription: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-enterprise-subscription
Creating a Microsoft Customer Agreement (MCA) Subscription
To create an MCA subscription, use the following Microsoft guide for configuring your subscription: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription
Create a Cloud Solution Provider (CSP) Subscription
If you wish to use Armor as your CSP, simply let your solutions consultant know and Armor will provide the new subscription for you. Your solution consultant will collect a few basic details to configure the subscription and it will appear in your Azure portal upon provisioning.
If you have an existing relationship with another CSP, contact them to request a new subscription.
Provisioning the Armor Service Account
Armor will require specific access in order to manage the initial deployment and configuration of the new subscription. While most interactions after the initial provisioning will be handled via an Azure Lighthouse delegation, there are certain activities which can only be performed by a service account in your tenant’s Azure Active Directory (for example, management of Azure Key Vault stores).
Command Line Service Account Creation
You can use the following script included in the infrastructure-live-customer
repository to create the service account:
# Set a password for the account as an environment variable read -rs ARMOR_SERVICE_ACCOUNT_PASSWORD export ARMOR_SERVICE_ACCOUNT_PASSWORD # Setup a custom role on the subscription .tools/azure/create-azure-deployment-credentials.sh \ --environment <ENVIRONMENT> \ --subscription <SUBSCRIPTION_ID> \ --domain <AZURE_AD_DOMAIN>
Manual Service Account Creation
If you do not have the required Azure Active Directory permissions to create the role, have an Azure AD administrator create the following resources:
A user principal named
quantumsa
and display nameQuantum Service Account
.A custom Azure role with the following permissions with a scope of the target subscription(s):
Microsoft.Authorization/policies/audit/action
Microsoft.Authorization/policies/auditIfNotExists/action
Microsoft.Authorization/roleAssignments/delete
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
Microsoft.Insights/Workbooks/Read
Microsoft.Insights/Workbooks/Write
Microsoft.Insights/Workbooks/Delete
Microsoft.Logic/workflows/read
Microsoft.Logic/workflows/write
Microsoft.Logic/workflows/delete
Microsoft.Logic/workflows/triggers/listCallbackUrl/action
Microsoft.Logic/workflows/triggers/read
Microsoft.Logic/workflows/triggers/reset/action
Microsoft.Logic/workflows/triggers/run/action
Microsoft.Logic/workflows/triggers/setState/action
Microsoft.ManagedServices/operationStatuses/read
Microsoft.ManagedServices/registrationAssignments/read
Microsoft.ManagedServices/registrationAssignments/write
Microsoft.ManagedServices/registrationDefinitions/read
Microsoft.ManagedServices/registrationDefinitions/write
Microsoft.OperationalInsights/workspaces/read
Microsoft.OperationalInsights/workspaces/write
Microsoft.OperationalInsights/workspaces/datasources/read
Microsoft.OperationalInsights/workspaces/datasources/write
Microsoft.OperationalInsights/workspaces/datasources/delete
Microsoft.OperationalInsights/workspaces/savedSearches/read
Microsoft.OperationalInsights/workspaces/savedSearches/write
Microsoft.OperationalInsights/workspaces/savedSearches/delete
Microsoft.OperationalInsights/workspaces/sharedKeys/action
Microsoft.OperationsManagement/solutions/read
Microsoft.OperationsManagement/solutions/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete
Microsoft.Resources/deployments/exportTemplate/action
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Resources/deployments/validate/action
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourcegroups/deployments/read
Microsoft.Resources/subscriptions/resourcegroups/deployments/write
Microsoft.Resources/subscriptions/resourcegroups/resources/read
Microsoft.SecurityInsights/alertRules/read
Microsoft.SecurityInsights/alertRules/write
Microsoft.SecurityInsights/alertRules/delete
Microsoft.SecurityInsights/alertRules/actions/read
Microsoft.SecurityInsights/alertRules/actions/write
Microsoft.SecurityInsights/alertRules/actions/delete
Microsoft.SecurityInsights/automationRules/read
Microsoft.SecurityInsights/automationRules/write
Microsoft.SecurityInsights/automationRules/delete
Microsoft.SecurityInsights/dataConnectors/read
Microsoft.SecurityInsights/dataConnectors/write
Microsoft.SecurityInsights/dataConnectors/delete
Microsoft.SecurityInsights/Watchlists/read
Microsoft.SecurityInsights/Watchlists/write
Microsoft.SecurityInsights/Watchlists/delete
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/write
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/fileServices/write
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Web/connections/Read
Microsoft.Web/connections/Write
Microsoft.Web/connections/Delete
Microsoft.Web/connections/Join/Action
Microsoft.Web/connections/Move/Action
Note that some of the resources (some SOAR Logic Apps and the Azure Lighthouse delegation) may require additional permissions during deployment and may fail to deploy specific resources without these permissions:
Microsoft.Authorization/roleAssignments/write
Application.Read.All
orDirectory.Read.All