Configure Azure for Keyless Authentication

To integrate with Azure, you must first configure Azure for keyless authentication.

Before you begin

Make sure that you have:

  • A valid Azure subscription.

  • The Subject identifier from the Integrations > Add Azure - Keyless Integration dialog box in Tenable Attack Surface Management. For more information, see Integrate with Azure Using Keyless Authentication.

  • Azure Subscription ID.

  • Azure Resource Group Name.

To configure Azure for keyless authentication:

  1. Create a managed identity.

    Copy 
    az identity create -n TenableCloudConnectors --subscription <subscription-name> -g <resource-group-name>

    Where:

    • TenableCloudConnectors is the name of the managed identity.

    • subscription-name is the Azure subscription name.

    • resource-group-name is the group to which the managed identity belongs.

  2. Assign the Reader role for the managed identity.

    Copy 
    az role assignment create --assignee-object-id <managed-identity-id> --role "Reader" --scope "/subscriptions/<subscription-id>"

    Where:

    • managed-identity-id is the ID of the managed identity you created in Step 1.

    • subscription-id is the Azure subscription ID that has read access.

  3. Add Federated credentials for the managed identity.

    Copy 
    az identity federated-credential create --name TenableASMCloudConnector --identity-name TenableCloudConnectors --resource-group <resource-group-name> --audiences us-east-1:96e4d72b-7a36-4dc6-a64e-7baae60e027f --issuer https://cognito-identity.amazonaws.com  --subject <UUIDfromTheASMUI> --subscription <subscriptionID>

    Where:

    • TenableASMCloudConnector is the name of the federated credential.

    • TenableCloudConnectors is the name of the managed identity you created in Step 1.

    • resource-group-name is the resource group to which the managed identity belongs.

    • UUIDfromtheASMUI is the Subject identifier that you copied from the Integrations > Add Azure Keyless Integrations dialog box in Tenable Attack Surface Management.

  4. Copy the client ID of the Managed Identity.

    Copy 
    az identity show -n TenableCloudConnectors --resource-group <resources-group>

    Where:

  • TenableCloudConnectors is the name of the managed identity you created in Step 1.

  • resource-group-name is the resource group to which the managed identity belongs.

To configure Azure for keyless authentication:

  1. Sign in to the Azure portal.

  2. To create a new managed identity, in the All Services page, under Identity Management, select Managed Identities.

  3. Click Create.

  4. Provide the details and create the managed identity.

  5. In the left navigation pane of the managed identity, select Azure role assignments.

  6. Click Add role.

  7. Select your subscription and resource group, then select the role as Reader.

  8. Click Save.

    Azure saves the role.

  9. To add Federated credentials, in the left navigation pane, select Settings > Federated credentials.

    The Federated credentials pane appears on the right.

  10. Click Add Credential.

    The Add Federated Credential page appears.

  11. In the Federated credential scenario drop-down box, select Other Issuer.

    The Select a managed identity section appears.

  12. In the Issuer box, type https://cognito-identity.amazonaws.com.

  13. In the Subject identifier box, copy the subject identifier from the Add Azure - Keyless Integration dialog box in Tenable Attack Surface Management.

  14. In the Credential details section, provide a name, then in the Audience box, type us-east-1:96e4d72b-7a36-4dc6-a64e-7baae60e027f.

  15. Copy the Client ID from the Managed Identity's Overview page. You need the client ID when integrating the Azure with Tenable Attack Surface Management.

What to do next

Integrate with Azure Using Keyless Authentication