
Set up Microsoft Azure for automated tests with TrustCloud


Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps to grant TrustCloud access to read only metadata about the configuration settings of your Microsoft Azure resources, so that TrustOps can validate those settings and generate evidence for your compliance program. No permission granted here allows TrustCloud to change anything in your subscription or directory.

Instructions to grant TrustCloud limited access to Azure metadata

Follow the steps below to create a new service principal and grant it read-only access to your Azure subscription. A service principal is an identity created strictly for applications and services, never for interactive users, so its permissions can be limited to exactly what the integration needs. From Microsoft's documentation:

*Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.*

If you use Azure Active Directory (now Microsoft Entra ID), you also need to grant the new service principal several read-only Microsoft Graph application permissions, so that TrustOps can inspect user, group and role settings in the directory.

Creating a service principal with certificate authentication

  1. Certificate authentication requires creating the service principal with the Azure CLI. Execute the following command to create a “KintentAzureService” service principal, generate a self-signed certificate for it, and assign it the built-in Reader role scoped to a single subscription, replacing {subscriptionId} with your subscription ID (visible in the Azure portal under Subscriptions):
    az ad sp create-for-rbac -n "KintentAzureService" --role Reader --create-cert --scopes /subscriptions/{subscriptionId}
  2. Save the JSON output to a file. It contains the application (client) ID and tenant ID that TrustOps needs.
  3. The output also contains the path to the generated .pem file. Note this file’s location. The PEM contains the private key as well as the certificate, so treat it as a secret: restrict its file permissions, do not commit it to source control, and delete the local copy once the connection is configured.
  4. To set up the connection in TrustOps, you will need the output from the Azure CLI, the contents of the PEM file, and your Azure Subscription ID.

Granting necessary scopes for Azure Active Directory Automated Tests

To support running TrustOps’s automated tests against Azure Active Directory, the created service principal must be granted the following Microsoft Graph application permissions (all of them read-only; none allows writes to the directory):

  • AuditLog: AuditLog.Read.All
  • Group: Group.Read.All
  • Organization: Organization.Read.All
  • Policy: Policy.Read.All
  • RoleManagement: Role.Read.All
  • User: User.Read.All
  • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All
  • DeviceManagementServiceConfig: DeviceManagementServiceConfig.Read.All

To grant the required scopes:

  1. Navigate to the Azure Active Directory administration console.
  2. Select the App Registrations link in the left navigation bar.
  3. Select the All Applications tab.
  4. Find the name of the service principal you created previously (e.g. “KintentAzureService”), and select it.
  5. In the left navigation, select API Permissions.
  6. Click Add a permission.
  7. Select Microsoft Graph.
  8. Select Application permissions (not Delegated permissions: the service principal runs unattended, with no signed-in user to delegate from).
  9. Expand and select the following scopes:
    • AuditLog: AuditLog.Read.All
    • Group: Group.Read.All
    • Organization: Organization.Read.All
    • Policy: Policy.Read.All
    • RoleManagement: Role.Read.All
    • User: User.Read.All
    • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All
    • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All
    • DeviceManagementServiceConfig: DeviceManagementServiceConfig.Read.All
  10. Click Add Permissions. You will be brought back to the permissions list screen, where the new entries show a status of “Not granted” until the next step.
  11. Finally, select Grant admin consent for <Your org name> and select Yes. Application permissions only take effect after tenant-wide admin consent, so this step must be performed by an account with a role that can grant it, such as Global Administrator. Afterwards, confirm that every listed permission ends in .Read.All and that no ReadWrite permission was added by mistake.
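Both halves of this procedure, the Reader service principal created from the CLI and the Graph permissions granted in the portal, can be scripted and verified from the same az output. The Python below is an added example, not TrustCloud’s or Microsoft’s code: it resolves permission names to the appRole IDs that Microsoft Graph publishes, builds the az commands equivalent to portal steps 5 through 11, and audits the resulting permission grants and role assignments for anything beyond read-only. It assumes the JSON shapes of the three az commands named in its docstring; the sample data is constructed, and its GUIDs are placeholders rather than Graph’s real permission IDs.

```python
"""Azure CLI companions to the TrustCloud setup (added example; not TrustCloud code).

Assumed inputs are JSON produced by these az commands, saved locally:
  az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles > graph_roles.json
  az ad app permission list --id <appId>                                > app_perms.json
  az role assignment list --assignee <appId> --all                      > role_assignments.json
The sample data below is constructed to match those shapes; the GUIDs are placeholders,
not Microsoft Graph's real permission IDs.
"""
from typing import Dict, List, Tuple

# Well-known application ID of the Microsoft Graph resource (the "--api" target of az ad app permission add).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Application permissions the setup guide asks for, exactly as it lists them.
REQUIRED_GRAPH_SCOPES = [
    "AuditLog.Read.All", "Group.Read.All", "Organization.Read.All", "Policy.Read.All",
    "Role.Read.All", "User.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All", "DeviceManagementServiceConfig.Read.All",
]

# Constructed sample data (placeholder GUIDs), shaped like the three az outputs above.
SAMPLE_SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "00000000-0000-4000-8000-000000000001", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-4000-8000-000000000002", "value": "Group.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-4000-8000-000000000003", "value": "Group.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-4000-8000-000000000004", "value": "AuditLog.Read.All", "allowedMemberTypes": ["Application"]},
]
SAMPLE_APP_PERMS = [
    {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "00000000-0000-4000-8000-000000000001", "type": "Role"},
        {"id": "00000000-0000-4000-8000-000000000003", "type": "Role"},  # a write permission slipped in
    ]},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}/resourceGroups/rg-prod"},
]


def is_read_only(permission: str) -> bool:
    """True for names shaped <Resource>.Read[.<Qualifier>]; ReadWrite, AccessAsUser etc. fail."""
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] == "Read"


def resolve_app_role_ids(graph_app_roles: List[dict], wanted: List[str]) -> Dict[str, str]:
    """Map permission names to the appRole GUIDs Graph publishes for application (not delegated) use.
    Raises KeyError listing any name Graph does not publish, so a typo never silently grants nothing."""
    by_value = {r["value"]: r["id"] for r in graph_app_roles if "Application" in r.get("allowedMemberTypes", [])}
    missing = sorted(set(wanted) - set(by_value))
    if missing:
        raise KeyError(f"Graph publishes no application permission named: {missing}")
    return {name: by_value[name] for name in wanted}


def grant_commands(app_id: str, role_ids: Dict[str, str]) -> List[List[str]]:
    """Build the two az invocations that replace portal steps 5-11: add the application
    permissions (type Role) on the app registration, then grant tenant-wide admin consent."""
    grant = ["az", "ad", "app", "permission", "add", "--id", app_id, "--api", GRAPH_APP_ID, "--api-permissions"]
    grant += [f"{rid}=Role" for rid in role_ids.values()]
    consent = ["az", "ad", "app", "permission", "admin-consent", "--id", app_id]
    return [grant, consent]


def audit_graph_permissions(app_perms: List[dict], graph_app_roles: List[dict]) -> Tuple[List[str], List[str], List[str]]:
    """Return (granted names, required names still missing, violations).
    Violations: a resource other than Graph, a delegated (Scope) entry, or any non-read-only permission."""
    name_of = {r["id"]: r["value"] for r in graph_app_roles}
    granted: List[str] = []
    violations: List[str] = []
    for resource in app_perms:
        if resource["resourceAppId"] != GRAPH_APP_ID:
            violations.append(f"unexpected resource {resource['resourceAppId']}")
            continue
        for access in resource["resourceAccess"]:
            if access["type"] != "Role":
                violations.append(f"delegated permission {access['id']} (should be application-only)")
                continue
            name = name_of.get(access["id"], access["id"])  # unknown IDs surface as raw GUIDs
            granted.append(name)
            if not is_read_only(name):
                violations.append(f"{name} is not read-only")
    missing = [s for s in REQUIRED_GRAPH_SCOPES if s not in granted]
    return granted, missing, violations


def audit_role_assignments(assignments: List[dict], subscription_id: str) -> List[str]:
    """Flag any RBAC role other than Reader, or a Reader grant outside the intended subscription."""
    prefix = f"/subscriptions/{subscription_id}"
    violations = []
    for a in assignments:
        in_scope = a["scope"] == prefix or a["scope"].startswith(prefix + "/")
        if a["roleDefinitionName"] != "Reader":
            violations.append(f"{a['roleDefinitionName']} at {a['scope']}")
        elif not in_scope:
            violations.append(f"Reader outside subscription: {a['scope']}")
    return violations


if __name__ == "__main__":
    ids = resolve_app_role_ids(SAMPLE_GRAPH_APP_ROLES, ["User.Read.All", "Group.Read.All"])
    for cmd in grant_commands("<appId>", ids):
        print(" ".join(cmd))
    print(audit_graph_permissions(SAMPLE_APP_PERMS, SAMPLE_GRAPH_APP_ROLES))
    print(audit_role_assignments(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION_ID))
```

In practice, run the three az commands from a shell already signed in with az login, load their JSON into the audit functions, and treat a non-empty violations list as a reason to stop and fix the registration before handing credentials to TrustOps. The grant commands are returned as argument lists rather than executed so they can be reviewed first; pass them to subprocess.run only once the resolved permission names match the list in the guide.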
