
For customers deploying our security solutions into a Microsoft Azure environment, we recommend setting up a new subscription to house the stack. While it is possible to deploy into an existing subscription, it’s often easier to maintain as a separate subscription. This article describes the steps to create a new subscription, into which the Armor solution will be deployed. It also describes the permissions that will be required by Armor during

Creating a New Azure Subscription

There are several options for procuring a new subscription, depending on your engagement model with Microsoft. Each is described below:

Creating a Pay-As-You-Go Subscription

  1. Begin by opening the Subscriptions blade in the Azure portal.

  2. In the top left, click Add.

  3. In the Pay-As-You-Go card, click Select offer.

  4. You’ll be redirected to a sign-up form. Fill out the required information, then click Sign up.

Creating an Enterprise Agreement (EA) Subscription

To create an EA subscription, use the following Microsoft guide for configuring your subscription: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-enterprise-subscription

Creating a Microsoft Customer Agreement (MCA) Subscription

To create an MCA subscription, use the following Microsoft guide for configuring your subscription: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription

Creating a Cloud Solution Provider (CSP) Subscription

If you wish to use Armor as your CSP, simply let your solutions consultant know and Armor will provide the new subscription for you. Your solutions consultant will collect a few basic details to configure the subscription, and it will appear in your Azure portal upon provisioning.

If you have an existing relationship with another CSP, contact them to request a new subscription.

Provisioning the Armor Service Account

Armor will require specific access in order to manage the initial deployment and configuration of the new subscription. While most interactions after the initial provisioning will be handled via an Azure Lighthouse delegation, there are certain activities which can only be performed by a service account in your tenant’s Azure Active Directory (for example, management of Azure Key Vault stores).

Command Line Service Account Creation

You can use the following script included in the infrastructure-live-customer repository to create the service account:

# Set a password for the account as an environment variable
# (-s keeps the typed value off the terminal; -r keeps backslashes literal)
read -rs ARMOR_SERVICE_ACCOUNT_PASSWORD
export ARMOR_SERVICE_ACCOUNT_PASSWORD

# Set up the custom role on the subscription and create the service account
# (the script path is relative to your checkout of the repository)
.tools/azure/create-azure-deployment-credentials.sh \
  --environment <ENVIRONMENT> \
  --subscription <SUBSCRIPTION_ID> \
  --domain <AZURE_AD_DOMAIN>

Manual Service Account Creation

If you do not have the required Azure Active Directory permissions to create the role, have an Azure AD administrator create the following resources:

  1. A user principal named quantumsa and display name Quantum Service Account.

  2. A custom Azure role, scoped to the target subscription(s), with the following permissions:

  • Microsoft.Authorization/policies/audit/action

  • Microsoft.Authorization/policies/auditIfNotExists/action

  • Microsoft.Authorization/roleAssignments/delete

  • Microsoft.Authorization/roleAssignments/read

  • Microsoft.Authorization/roleAssignments/write

  • Microsoft.Insights/Workbooks/Read

  • Microsoft.Insights/Workbooks/Write

  • Microsoft.Insights/Workbooks/Delete

  • Microsoft.Logic/workflows/read

  • Microsoft.Logic/workflows/write

  • Microsoft.Logic/workflows/delete

  • Microsoft.Logic/workflows/triggers/listCallbackUrl/action

  • Microsoft.Logic/workflows/triggers/read

  • Microsoft.Logic/workflows/triggers/reset/action

  • Microsoft.Logic/workflows/triggers/run/action

  • Microsoft.Logic/workflows/triggers/setState/action

  • Microsoft.ManagedServices/operationStatuses/read

  • Microsoft.ManagedServices/registrationAssignments/read

  • Microsoft.ManagedServices/registrationAssignments/write

  • Microsoft.ManagedServices/registrationDefinitions/read

  • Microsoft.ManagedServices/registrationDefinitions/write

  • Microsoft.OperationalInsights/workspaces/read

  • Microsoft.OperationalInsights/workspaces/write

  • Microsoft.OperationalInsights/workspaces/datasources/read

  • Microsoft.OperationalInsights/workspaces/datasources/write

  • Microsoft.OperationalInsights/workspaces/datasources/delete

  • Microsoft.OperationalInsights/workspaces/savedSearches/read

  • Microsoft.OperationalInsights/workspaces/savedSearches/write

  • Microsoft.OperationalInsights/workspaces/savedSearches/delete

  • Microsoft.OperationalInsights/workspaces/sharedKeys/action

  • Microsoft.OperationsManagement/solutions/read

  • Microsoft.OperationsManagement/solutions/write

  • Microsoft.Resources/deployments/read

  • Microsoft.Resources/deployments/write

  • Microsoft.Resources/deployments/delete

  • Microsoft.Resources/deployments/exportTemplate/action

  • Microsoft.Resources/deployments/operationstatuses/read

  • Microsoft.Resources/deployments/validate/action

  • Microsoft.Resources/subscriptions/resourceGroups/read

  • Microsoft.Resources/subscriptions/resourceGroups/write

  • Microsoft.Resources/subscriptions/resourcegroups/deployments/read

  • Microsoft.Resources/subscriptions/resourcegroups/deployments/write

  • Microsoft.Resources/subscriptions/resourcegroups/resources/read

  • Microsoft.SecurityInsights/alertRules/read

  • Microsoft.SecurityInsights/alertRules/write

  • Microsoft.SecurityInsights/alertRules/delete

  • Microsoft.SecurityInsights/alertRules/actions/read

  • Microsoft.SecurityInsights/alertRules/actions/write

  • Microsoft.SecurityInsights/alertRules/actions/delete

  • Microsoft.SecurityInsights/automationRules/read

  • Microsoft.SecurityInsights/automationRules/write

  • Microsoft.SecurityInsights/automationRules/delete

  • Microsoft.SecurityInsights/dataConnectors/read

  • Microsoft.SecurityInsights/dataConnectors/write

  • Microsoft.SecurityInsights/dataConnectors/delete

  • Microsoft.SecurityInsights/Watchlists/read

  • Microsoft.SecurityInsights/Watchlists/write

  • Microsoft.SecurityInsights/Watchlists/delete

  • Microsoft.Storage/storageAccounts/blobServices/read

  • Microsoft.Storage/storageAccounts/blobServices/write

  • Microsoft.Storage/storageAccounts/fileServices/read

  • Microsoft.Storage/storageAccounts/fileServices/write

  • Microsoft.Storage/storageAccounts/listkeys/action

  • Microsoft.Storage/storageAccounts/read

  • Microsoft.Storage/storageAccounts/write

  • Microsoft.Web/connections/Read

  • Microsoft.Web/connections/Write

  • Microsoft.Web/connections/Delete

  • Microsoft.Web/connections/Join/Action

  • Microsoft.Web/connections/Move/Action

Note that some resources (certain SOAR Logic Apps and the Azure Lighthouse delegation) require additional permissions during deployment; without them, those specific resources will fail to deploy:

  • Microsoft.Authorization/roleAssignments/write

  • Application.Read.All or Directory.Read.All
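The custom role above has to be created from a role definition, and whoever approves it will want to know which of the listed actions carry the most weight. This added example (not code from the page or from Armor's repository) assembles the definition body for `az role definition create --role-definition` from the page's action list, rejects entries that are not Azure RBAC actions (the Graph permissions in the additional list belong to a separate grant), and flags the actions that return credential material or change access; the role name and subscription ID are placeholders.

```python
import re

# Constructed subset of the page's required actions; pass the full list in practice.
REQUIRED_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.SecurityInsights/alertRules/write",
    "Microsoft.Resources/deployments/write",
]

# Actions from the page that deserve explicit sign-off: each returns material
# that acts as a credential, or changes who else holds access.
HIGH_IMPACT = {
    "Microsoft.Authorization/roleAssignments/write": "grants roles to any principal in scope",
    "Microsoft.Storage/storageAccounts/listkeys/action": "returns storage account keys",
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action": "returns workspace shared keys",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action": "returns URLs that fire Logic App triggers",
}

# RBAC actions look like Provider.Namespace/resource/.../operation; Graph
# permissions such as Application.Read.All do not and must not be listed here.
ACTION_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+(/[A-Za-z]+)+$")
SUBSCRIPTION_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def build_role_definition(actions, subscription_id, role_name="Armor Deployment"):
    """Return the body for `az role definition create --role-definition`."""
    if not SUBSCRIPTION_RE.fullmatch(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    bad = [a for a in actions if not ACTION_RE.fullmatch(a)]
    if bad:
        raise ValueError(f"not Azure RBAC actions: {bad}")
    # Action names are case-insensitive; drop duplicates (the page lists
    # roleAssignments/write under both the main and the additional set).
    unique = sorted({a.lower(): a for a in actions}.values(), key=str.lower)
    return {
        "Name": role_name,  # placeholder role name, not from the page
        "Description": "Deployment permissions for the Armor service account",
        "IsCustom": True,
        "Actions": unique,
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def review_high_impact(actions):
    """Map each high-impact action present in `actions` to why it needs sign-off."""
    return {a: HIGH_IMPACT[a] for a in actions if a in HIGH_IMPACT}
```

Save the returned dictionary as JSON and hand it to `az role definition create --role-definition @<file>` with the real subscription ID substituted; keep the output of review_high_impact with the change record.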
