Overview

Azure is a comprehensive cloud computing platform provided by Microsoft that offers a wide range of services and tools for building, deploying, and managing applications and infrastructure, including virtual machines, databases, analytics, and AI services.

Entitle manages the following resource types in the Azure Cloud Platform:

  • Admin Roles
    • Groups
      • Note: In the Azure portal, you can see some groups whose membership and group details you can't manage in the portal:
        • Groups synced from on-premises Active Directory can be managed only in the on-premises Active Directory.
        • Other group types, such as distribution lists and mail-enabled security groups, can be managed only in the Exchange or Microsoft 365 admin centers. You must sign in to these centers to manage these groups.
  • SSO Apps
  • All of Azure’s Subscription Resources, such as:
    • Compute resources - Virtual Machines, Virtual Machine Scale Sets, Azure Kubernetes Service (AKS), Azure Container Instances (ACI), and Azure Functions
    • Networking resources - Virtual Networks, Load Balancers, Application Gateways, Azure DNS, Traffic Manager, ExpressRoute, and VPN Gateway
    • Storage resources - Blob storage, File storage, Queue storage, Table storage, Disk storage, and Archive storage
    • Database resources - Azure SQL Database, Azure Cosmos DB, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database Migration Service, and Azure Cache for Redis
    • Web resources - App Service, API Management, Azure SignalR Service, Azure Notification Hubs, and Content Delivery Network
    • Security resources - Azure Security Center, Azure Active Directory, Azure Key Vault, Azure Information Protection, and Azure Firewall
    • Analytics and AI resources - Azure Stream Analytics, Azure Data Factory, Azure DataBricks, Azure HDInsight, Azure Machine Learning, and Azure Cognitive Services
    • Management resources - Azure Monitor, Azure Log Analytics, Azure Automation, Azure Resource Manager, and Azure Advisor

General guidelines

To integrate Azure with Entitle, you must create an Azure application and a custom role for Entitle.

How does it work?

  1. Entitle connects to the management group of your organization.
  2. From the management group, Entitle communicates with the roles configured in the subscriptions you chose to connect to Entitle.
  3. Within the subscriptions, Entitle uses the Entitle role to retrieve and manage the resources.
  4. When permissions are granted, the employee who requested them gets temporary access assigned to their user.
  5. In the diagram above, Alice received an hour of access to a SQL database in subscription 1.
  6. When permissions are revoked, the permission is removed from the employee's user.

Entitle’s application required permissions

Required

  • Directory.ReadWrite.All is required to read directory resources, update users, and assign applications and licenses, all of which can be done via Entitle.
  • Directory.Write.Restricted is required for Entitle to perform the actions above as an application (rather than as a signed-in user).
  • Group.ReadWrite.All is required to manage groups through Entitle's app.
  • TeamMember.ReadWrite.All is required for Entitle, as an application, to add and remove team members. It also allows changing a team member's role (for example, from owner to non-owner).
  • User.ReadWrite.All is required for Entitle to retrieve managers' information and populate it into workflows, UAR campaigns, etc.

Optional - Admin Roles Management

  • If you wish to manage admin roles with Entitle, the following permission is required:
    • RoleManagement.ReadWrite.Directory

Entitle’s role required permissions

Required

  • "Microsoft.Resources/subscriptions/resourceGroups/read" is required to read the resource groups within subscriptions.
  • "Microsoft.Resources/subscriptions/providers/read" is required to read the providers within subscriptions.
  • "Microsoft.Resources/subscriptions/resourcegroups/deployments/read" is required to read the deployments within subscriptions.
  • "Microsoft.Resources/subscriptions/resourcegroups/resources/read" is required to read the resources within subscriptions.

Optional - SSO Applications assignments

  • If you wish to manage SSO applications with Entitle, the following permissions are required:
    • "Microsoft.Authorization/roleAssignments/read" is required to read role assignments within Azure's role-based access control (RBAC) system.
    • "Microsoft.Authorization/roleAssignments/write" is required to update role assignments within Azure's role-based access control (RBAC) system.
    • "Microsoft.Authorization/roleAssignments/delete" is required to remove role assignments created by Entitle within Azure's role-based access control (RBAC) system.

Set up Azure to work with Entitle

Stage 1: Creating an application for Entitle

  1. Navigate to the Microsoft Azure portal.

  2. Click on Microsoft Entra ID.

  3. Click on the App registrations tab in the left-side menu.

  4. Click on New registration.

  5. Give your app a Name and leave the rest as is. Then, click on Register.

  6. Keep your Application (client) ID and Directory (tenant) ID for later. Then, click on Add a certificate or secret on the right side.

  7. Click New client secret.

  8. In the pop-up window, choose a Description that you will remember and an expiration time of your choice. Note that you will have to create a new secret and hence a new integration when it expires. Once done, click Add.

  9. Click on the copy icon to copy your new Client Secret Value and keep it for later.

  10. Go to the API Permissions page within your newly created application, and click Add a permission.

  11. Select Application Permission, and then Microsoft Graph.

  12. Add the following permissions:

    Directory.ReadWrite.All
    Directory.Write.Restricted
    Group.ReadWrite.All
    TeamMember.ReadWriteNonOwnerRole.All
    User.ReadWrite.All
    
  13. If you wish to manage admin roles with Entitle - please add the following permission as well:

    RoleManagement.ReadWrite.Directory
    

    ℹ️

    Note

    For further information about the required permissions, see Entitle's Application Required Permissions section.

  14. Once the permissions are added, click Grant admin consent for Default Directory.

Stage 2: Assign permissions via a new role

  1. Navigate to the Microsoft Azure portal.

  2. In the search prompt, type subscriptions and click the corresponding option.

  3. If you wish to manage access for multiple subscriptions, select the subscriptions for which you want to create an Entitle integration. Otherwise, select the subscription you wish to manage and make sure you copy the subscription ID, as you will use it later.

ℹ️

Note

Steps 4-15 below should be executed for each subscription whose access you wish to manage with Entitle.

  4. On the Subscriptions page, click Access control (IAM) → Roles.

  5. Click Add → Add custom role.

  6. Enter entitle-role under Custom role name.

  7. For Baseline permissions, choose Start from scratch.

  8. Go to the JSON tab and click Edit in the top-right corner.

  9. Click Properties → permissions → actions, and add the following permissions:

    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/providers/read",
    "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
    "Microsoft.Resources/subscriptions/resourcegroups/resources/read"

  10. If you wish to manage application assignments with Entitle, add the following permissions as well:

    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete"

  11. For further reading about the required permissions, see Entitle's Role Required Permissions section.

  12. Click Save in the top-right corner, and then Review + create in the bottom-left corner.

  13. Click Create in the bottom-left corner, and then click OK on the message at the top stating that the role was created.

  14. Go back to the Access control (IAM) page and click the Role assignments tab.

  15. Click Add → Add role assignment:

    1. Under the Role tab, choose entitle-role.

    2. Under the Members tab, click Select members. Then search by name and select the application created in Stage 1.

    3. Click Select at the bottom of the side panel.

    4. Click Review + assign.

Creating the integration in Entitle

All that is left to do is to create an integration on the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.

  2. After clicking the Add Integration button, type Azure in the Application field.

  3. Make sure Save on is set correctly: either on your agent or on Entitle's cloud.

  4. In the Connection JSON, add the following information:

    1. “client_id” - The value of Application (client) ID.

    2. “secret” - The value of Client Secret.

    3. “subscription_id” - The value of Subscription ID.

    4. “tenant” - The value of Directory (tenant) ID.

    5. If you wish to manage specific resource types in Entitle, add the relevant resource types to the "resource_types" field under "options":

      • SSO Apps - “sso_apps”
      • Admin - “admin”
      • Groups - “groups”
      • Management groups - “management_groups”
      • Subscriptions - “subscriptions”

        ℹ️

        Note

        If you wish to manage multiple subscriptions, fill in the following value to Entitle's configuration: "subscription_id": "ALL". Entitle will fetch the resources in the configured subscriptions.

      • Resource groups - “resource_groups”
      • Resources - “resources”

      ℹ️

      Note

      If the "options" field is absent, Entitle manages the default list of resource types presented in the Overview section of this guide.


Resources hierarchy and conditions

📘

Reminder

  • The following Azure resource types are part of the hierarchical structure:
    Management Groups → Subscriptions → Resource Groups → Resources.
  • The following Azure resource types are not part of the hierarchical structure:
    • SSO Apps
    • Admin roles
    • Groups
  • To manage specific resources, you must add "management_groups" or "subscriptions" to the list of resource types. Additional conditions:
    • If only "management_groups" is added to the list of resource types, only management groups are fetched.
    • If only "management_groups" and "subscriptions" are added to the list of resource types, both management groups and subscriptions are populated.
  • If a lower-level resource type is added to the list of resource types, Entitle automatically fetches the upper-level resources. For example:
    • If only "subscriptions" and "resources" are added to the list of resource types, Entitle fetches subscriptions, resource groups, and resources.
    • If only "management_groups" and "resources" are added to the list of resource types, Entitle fetches management groups, subscriptions, resource groups, and resources.
    • If only "management_groups" and "resource_groups" are added to the list of resource types, Entitle fetches management groups, subscriptions, and resource groups.
Example Connection JSON with the "options" field:

{
  "client_id": "<YOUR_CLIENT_ID>",
  "secret": "<YOUR_CLIENT_SECRET>",
  "subscription_id": "<YOUR_SUBSCRIPTION_ID>",
  "tenant": "<YOUR_TENANT_ID>",
  "options": {
    "resource_types": [
      "sso_apps",
      "admin",
      "groups",
      "management_groups",
      "subscriptions",
      "resource_groups"
    ]
  }
}

  5. Click Save. You are done!
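The Connection JSON fields and the hierarchy conditions in the Reminder can be checked before saving the integration. The script below is an added example, not Entitle's own code: it validates the required connection fields, resolves the "resource_types" list by filling in every hierarchy level between the highest and the lowest requested type (a generalisation of the Reminder's examples), and rejects lists that name resource groups or resources without "management_groups" or "subscriptions". The default list applied when "options" is absent is an assumption, as is the "ALL" handling being a plain string comparison.

```python
import json

# Hierarchy, highest level first: Management Groups -> Subscriptions ->
# Resource Groups -> Resources. FLAT types are managed outside of it.
HIERARCHY = ["management_groups", "subscriptions", "resource_groups", "resources"]
FLAT = {"sso_apps", "admin", "groups"}
REQUIRED_KEYS = ("client_id", "secret", "subscription_id", "tenant")
# Assumption: defaults applied when "options" is absent (the guide points to
# the Overview section rather than naming them as identifiers).
ASSUMED_DEFAULT = ["sso_apps", "admin", "groups",
                   "subscriptions", "resource_groups", "resources"]

def expand_resource_types(requested):
    """Return the types Entitle fetches. Generalises the guide's examples: a
    lower-level type pulls in its parents, so every level between the highest
    and the lowest requested level is filled in."""
    unknown = set(requested) - set(HIERARCHY) - FLAT
    if unknown:
        raise ValueError(f"unknown resource types: {sorted(unknown)}")
    fetched = [t for t in requested if t in FLAT]
    levels = [HIERARCHY.index(t) for t in requested if t in HIERARCHY]
    if not levels:
        return fetched
    # Specific resources need an entry point at management group or
    # subscription level; resource_groups/resources on their own is rejected.
    if min(levels) > HIERARCHY.index("subscriptions"):
        raise ValueError('add "management_groups" or "subscriptions" to manage '
                         "lower-level resources")
    return fetched + HIERARCHY[min(levels):max(levels) + 1]

def check_connection(raw_json):
    """Validate the Connection JSON and report what the integration manages."""
    cfg = json.loads(raw_json)
    missing = [k for k in REQUIRED_KEYS if not cfg.get(k)]
    if missing:
        raise ValueError(f"missing connection fields: {missing}")
    options = cfg.get("options")
    types = (ASSUMED_DEFAULT if options is None
             else expand_resource_types(options.get("resource_types", [])))
    return {"all_subscriptions": cfg["subscription_id"] == "ALL",
            "resource_types": types}

# Constructed sample Connection JSON with placeholder credentials.
SAMPLE = json.dumps({
    "client_id": "<YOUR_CLIENT_ID>", "secret": "<YOUR_CLIENT_SECRET>",
    "subscription_id": "ALL", "tenant": "<YOUR_TENANT_ID>",
    "options": {"resource_types": ["groups", "subscriptions", "resources"]}})
```

Running check_connection(SAMPLE) reports that all configured subscriptions are fetched and that "resource_groups" is pulled in between "subscriptions" and "resources".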