• Request for Comment

    • Microsoft Azure Subscription Setup

    Owned by Luke Fritz (Unlicensed)
    Last updated: 24 May 2023 by Brady Rogers
    2 min read

    For customers deploying our security solutions into a Microsoft Azure environment, we recommend setting up a new subscription to house the stack. While it is possible to deploy into an existing subscription, it’s often easier to maintain as a separate subscription. This article describes the steps to create a new subscription, into which the Armor solution will be deployed. It also describes the permissions that will be required by Armor during deployment.

    Creating a New Azure Subscription

    There are several options for procuring a new subscription that depend on your engagement model with Microsoft. Each are described below:

    Creating a Pay-As-You-Go Subscription

    1. Begin by opening the Subscriptions blade in the Azure portal.

    2. In the top left, click Add.

    3. In the Pay-As-You-Go card, click Select offer.

    4. You’ll be redirect to a sign-up form. Fill out the required information, then click Sign up.

    Creating an Enterprise Agreement (EA) Subscription

    To create an EA subscription, use the following Microsoft guide for configuring your subscription: Create an Enterprise Agreement subscription - Azure Cost Management + Billing

    Creating a Microsoft Customer Agreement (MCA) Subscription

    To create an MCA subscription, use the following Microsoft guide for configuring your subscription: Create a Microsoft Customer Agreement subscription - Azure Cost Management + Billing

    Create a Cloud Solution Provider (CSP) Subscription

    If you wish to use Armor as your CSP, simply let your solutions consultant know and Armor will provide the new subscription for you. Your solution consultant will collect a few basic details to configure the subscription and it will appear in your Azure portal upon provisioning.

    If you have an existing relationship with another CSP, contact them to request a new subscription.

    Provisioning the Armor Service Account

    Armor will require specific access in order to manage the initial deployment and configuration of the new subscription. While most interactions after the initial provisioning will be handled via an Azure Lighthouse delegation, there are certain activities which can only be performed by a service account in your tenant’s Azure Active Directory (for example, management of Azure Key Vault stores).

    Command Line Service Account Creation

    You can use the following script included in the infrastructure-live-customer repository to create the service account:

    # Set a password for the account as an environment variable read -rs ARMOR_SERVICE_ACCOUNT_PASSWORD export ARMOR_SERVICE_ACCOUNT_PASSWORD # Setup a custom role on the subscription .tools/azure/create-azure-deployment-credentials.sh \ --environment <ENVIRONMENT> \ --subscription <SUBSCRIPTION_ID> \ --domain <AZURE_AD_DOMAIN>

    Manual Service Account Creation

    If you do not have the required Azure Active Directory permissions to create the role, have an Azure AD administrator create the following resources:

    1. A user principal named quantumsa and display name Quantum Service Account.

    2. A custom Azure role with the following permissions with a scope of the target subscription(s):

    • Microsoft.Authorization/policies/audit/action

    • Microsoft.Authorization/policies/auditIfNotExists/action

    • Microsoft.Authorization/roleAssignments/delete

    • Microsoft.Authorization/roleAssignments/read

    • Microsoft.Authorization/roleAssignments/write

    • Microsoft.Insights/Workbooks/Read

    • Microsoft.Insights/Workbooks/Write

    • Microsoft.Insights/Workbooks/Delete

    • Microsoft.Logic/workflows/read

    • Microsoft.Logic/workflows/write

    • Microsoft.Logic/workflows/delete

    • Microsoft.Logic/workflows/triggers/listCallbackUrl/action

    • Microsoft.Logic/workflows/triggers/read

    • Microsoft.Logic/workflows/triggers/reset/action

    • Microsoft.Logic/workflows/triggers/run/action

    • Microsoft.Logic/workflows/triggers/setState/action

    • Microsoft.ManagedServices/operationStatuses/read

    • Microsoft.ManagedServices/registrationAssignments/read

    • Microsoft.ManagedServices/registrationAssignments/write

    • Microsoft.ManagedServices/registrationDefinitions/read

    • Microsoft.ManagedServices/registrationDefinitions/write

    • Microsoft.OperationalInsights/workspaces/read

    • Microsoft.OperationalInsights/workspaces/write

    • Microsoft.OperationalInsights/workspaces/datasources/read

    • Microsoft.OperationalInsights/workspaces/datasources/write

    • Microsoft.OperationalInsights/workspaces/datasources/delete

    • Microsoft.OperationalInsights/workspaces/savedSearches/read

    • Microsoft.OperationalInsights/workspaces/savedSearches/write

    • Microsoft.OperationalInsights/workspaces/savedSearches/delete

    • Microsoft.OperationalInsights/workspaces/sharedKeys/action

    • Microsoft.OperationsManagement/solutions/read

    • Microsoft.OperationsManagement/solutions/write

    • Microsoft.Resources/deployments/read

    • Microsoft.Resources/deployments/write

    • Microsoft.Resources/deployments/delete

    • Microsoft.Resources/deployments/exportTemplate/action

    • Microsoft.Resources/deployments/operationstatuses/read

    • Microsoft.Resources/deployments/validate/action

    • Microsoft.Resources/subscriptions/resourceGroups/read

    • Microsoft.Resources/subscriptions/resourceGroups/write

    • Microsoft.Resources/subscriptions/resourcegroups/deployments/read

    • Microsoft.Resources/subscriptions/resourcegroups/deployments/write

    • Microsoft.Resources/subscriptions/resourcegroups/resources/read

    • Microsoft.SecurityInsights/alertRules/read

    • Microsoft.SecurityInsights/alertRules/write

    • Microsoft.SecurityInsights/alertRules/delete

    • Microsoft.SecurityInsights/alertRules/actions/read

    • Microsoft.SecurityInsights/alertRules/actions/write

    • Microsoft.SecurityInsights/alertRules/actions/delete

    • Microsoft.SecurityInsights/automationRules/read

    • Microsoft.SecurityInsights/automationRules/write

    • Microsoft.SecurityInsights/automationRules/delete

    • Microsoft.SecurityInsights/dataConnectors/read

    • Microsoft.SecurityInsights/dataConnectors/write

    • Microsoft.SecurityInsights/dataConnectors/delete

    • Microsoft.SecurityInsights/Watchlists/read

    • Microsoft.SecurityInsights/Watchlists/write

    • Microsoft.SecurityInsights/Watchlists/delete

    • Microsoft.Storage/storageAccounts/blobServices/read

    • Microsoft.Storage/storageAccounts/blobServices/write

    • Microsoft.Storage/storageAccounts/fileServices/read

    • Microsoft.Storage/storageAccounts/fileServices/write

    • Microsoft.Storage/storageAccounts/listkeys/action

    • Microsoft.Storage/storageAccounts/read

    • Microsoft.Storage/storageAccounts/write

    • Microsoft.Web/connections/Read

    • Microsoft.Web/connections/Write

    • Microsoft.Web/connections/Delete

    • Microsoft.Web/connections/Join/Action

    • Microsoft.Web/connections/Move/Action

    Note that some of the resources (some SOAR Logic Apps and the Azure Lighthouse delegation) may require additional permissions during deployment and may fail to deploy specific resources without these permissions:

    • Microsoft.Authorization/roleAssignments/write

    • Application.Read.All or Directory.Read.All