Create an Azure Service Principal Role

Tenable Cloud Security requires adequate permissions to read the resources in your Azure subscription. Provision a service principal role in the target Azure subscription and configure it for Tenable Cloud Security to read the resources in the same account.

The following permissions are required for a vulnerability scan of Azure virtual machines:

  • Reader

  • Disk Snapshot Contributor

Follow these steps to create a service principal and assign a role to it:

  1. Register an application with Azure to create the service principal.

  2. Choose one of the following options to assign a role to the service principal for accessing the resources in your subscription: create a custom role with expanded read access and assign it to the service principal (for a comprehensive scan including managed clusters and storage accounts), or assign the built-in Reader role to the service principal (for a cloud scan with limited permissions).

  3. Create a client secret for authenticating the service principal from Tenable Cloud Security.

Register an application with Azure

When you register an application through the Azure portal, Azure automatically creates an application object and service principal in your tenant. For more information on the relationship between application registration, application objects, and service principals, see Application and service principal objects in Azure Active Directory.

To create a service principal role in Azure:

  1. Log in to the Microsoft Azure portal.

  2. In the home page, click App registrations.

    The App registrations page appears.

  3. Click New registration.

    The Register an application page appears.

  4. Type a name for the application you want to register.

  5. Click Register.

    The application details page appears.

  6. Note down the following values. You need these values when onboarding the service account in Tenable Cloud Security:

    • Application (client) ID: This is the client ID requested by Tenable Cloud Security.

    • Directory (tenant) ID: This is the Tenant ID requested by Tenable Cloud Security.

Create a custom role and assign it to the service principal

For a comprehensive scan including managed clusters and storage accounts, add a custom role with expanded read access for the service principal you created. The following Azure resources require specific permissions in the access control of that resource:

  • Storage Account requires one of the following: Owner, Contributor, Storage Account Contributor.

  • Kubernetes Cluster requires one of the following: Owner, Contributor, Azure Kubernetes Service Cluster Admin Role.

  • Cosmos DB requires one of the following: Owner, Contributor, DocumentDB Account Contributor.

  • Function App requires one of the following: Owner, Contributor, Website Contributor.

  • Snapshot requires the Disk Snapshot Contributor role for scanning virtual machine snapshots with Agentless Assessment.

For more information about these permissions, see Azure built-in roles in Azure documentation.

To create a custom role and assign it to the service principal:

  1. On the home page of the Azure portal, click Subscriptions.

    The Subscriptions page appears.

  2. On the left navigation bar, click Access Control (IAM).

    The Access control (IAM) page for your subscription appears.

  3. In the Create a custom role section, click Add.

    The Create a custom role page appears.

  4. In Baseline permissions, select the Start from JSON option.

    You can create a custom role in the following ways:

    • Clone a role: Create a custom role by cloning an existing role and modifying the role, as required.

    • Start from scratch: Create a custom role by using the Azure user interface.

    • Start from JSON: Create a custom role by uploading a JSON file with the required permissions.

    For more information about these methods, see Create or update Azure custom roles using the Azure portal in Azure documentation.

    Note: This procedure describes how to create a custom role using a JSON file.

  5. Click to upload a JSON file that has the required permissions.

    Azure validates the JSON file and uploads the file for role creation.

    The following sample JSON file creates a role with read permissions plus the list actions for the Storage Accounts, Kubernetes cluster, Cosmos DB, and Function App services:

    {
        "properties": {
            "roleName": "Tenablecs-ReaderPlusStorageAccountRead",
            "description": "Custom role for Tenable Cloud Security",
            "assignableScopes": [
                "/subscriptions/<subscription-id>"
            ],
            "permissions": [
                {
                    "actions": [
                        "*/read",
                        "Microsoft.Storage/storageAccounts/listkeys/action",
                        "Microsoft.Storage/storageAccounts/listAccountSas/action",
                        "Microsoft.Storage/storageAccounts/listServiceSas/action",
                        "Microsoft.Storage/storageAccounts/localusers/listKeys/action",
                        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                        "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
                        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
                        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
                        "Microsoft.Web/sites/config/list/action"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }

    The following sample JSON file creates a custom role with read permissions plus the permission to access snapshots, which is required for Agentless Assessment:

    {
        "properties": {
            "roleName": "Tenablecs-ReaderPlusDiskSnapshotContributor",
            "description": "Custom role for Tenable Cloud Security",
            "assignableScopes": [
                "/subscriptions/<subscription-id>"
            ],
            "permissions": [
                {
                    "actions": [
                        "*/read",
                        "Microsoft.Storage/storageAccounts/listkeys/action",
                        "Microsoft.Storage/storageAccounts/listAccountSas/action",
                        "Microsoft.Storage/storageAccounts/listServiceSas/action",
                        "Microsoft.Storage/storageAccounts/localusers/listKeys/action",
                        "Microsoft.Compute/snapshots/beginGetAccess/action"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }

    where <subscription-id> is your Azure subscription ID.

  6. Click Review + create.

    The Review + create tab appears.

  7. Click Create.

    Azure creates the custom role and redirects you to the Access control (IAM) page.

  8. In the Grant access to this resource section, click Add role assignment to assign the custom role to the service principal.

    The Add role assignment page appears.

  9. On the Role tab, search for the custom role you created.

  10. Select the custom role and click Next.

    The Members tab appears.

  11. On the Members tab, do the following:

    1. Click Select Members.

    2. In the Select members window, search for the application you created.

    3. Select the application.

      The application appears under Selected members.

    4. Click Select.

      Azure adds the application for assigning the selected custom role.

    5. Click Next.

      The Review + assign tab appears.

  12. Review the details of the role and click Review + assign.

  13. Azure assigns the custom role to the service principal of the application and redirects you to the Access control (IAM) page.
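The two sample role definitions above are hand-edited JSON, and the portal validates only that the file is well-formed, not that the role stays read-only. The following added example (not Tenable's or Microsoft's code) generates either definition from your subscription ID and lints it before upload: the assignable scope must be exactly one subscription, every "/action" entry must be one of the actions listed on this page, nothing else beyond "*/read" may be granted, and dataActions must stay empty. The subscription ID used in the usage block is a constructed placeholder.

```python
"""Build and lint the Tenable Cloud Security custom role JSON before uploading it
(Create a custom role > Start from JSON). Added example; assumes the action lists
below, copied from the two sample roles on this page, are the complete allowlist."""
import json
import re
import uuid

# Storage account list actions shared by both sample roles.
STORAGE_LIST_ACTIONS = [
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/action",
    "Microsoft.Storage/storageAccounts/localusers/listKeys/action",
]
# Extra actions for the comprehensive scan (AKS, Cosmos DB, Function App).
COMPREHENSIVE_EXTRA_ACTIONS = [
    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
    "Microsoft.Web/sites/config/list/action",
]
# Extra action for Agentless Assessment of VM snapshots.
SNAPSHOT_ACTIONS = ["Microsoft.Compute/snapshots/beginGetAccess/action"]

ALLOWED_ACTIONS = set(STORAGE_LIST_ACTIONS + COMPREHENSIVE_EXTRA_ACTIONS + SNAPSHOT_ACTIONS)
SUBSCRIPTION_SCOPE = re.compile(r"/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_role_definition(subscription_id, role_name, extra_actions):
    """Return the role definition dict for exactly one subscription."""
    try:
        uuid.UUID(subscription_id)  # Azure subscription IDs are GUIDs
    except ValueError:
        raise ValueError(f"not a valid Azure subscription ID: {subscription_id!r}")
    return {
        "properties": {
            "roleName": role_name,
            "description": "Custom role for Tenable Cloud Security",
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [{
                "actions": ["*/read"] + STORAGE_LIST_ACTIONS + list(extra_actions),
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
        }
    }


def lint_role_definition(role):
    """Return a list of findings; an empty list means the role is read/list-only."""
    findings = []
    props = role["properties"]
    for scope in props["assignableScopes"]:
        # A scope of "/" or a management group would let the role be assigned tenant-wide.
        if not SUBSCRIPTION_SCOPE.fullmatch(scope):
            findings.append(f"scope is broader than one subscription: {scope}")
    for perm in props["permissions"]:
        for action in perm["actions"]:
            if action == "*/read":
                continue
            if action == "*" or action.endswith("/*"):
                findings.append(f"wildcard grants more than read: {action}")
            elif action.endswith("/action") and action not in ALLOWED_ACTIONS:
                findings.append(f"action not in the documented allowlist: {action}")
            elif not action.endswith(("/read", "/action")):
                findings.append(f"non-read control-plane action: {action}")
        if perm["dataActions"]:
            findings.append("dataActions grants data-plane access: " + ", ".join(perm["dataActions"]))
    return findings


def render(role):
    """Serialize in the layout the portal's JSON upload expects."""
    return json.dumps(role, indent=4)


if __name__ == "__main__":
    SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, replace with yours
    for name, extra in [
        ("Tenablecs-ReaderPlusStorageAccountRead", COMPREHENSIVE_EXTRA_ACTIONS),
        ("Tenablecs-ReaderPlusDiskSnapshotContributor", SNAPSHOT_ACTIONS),
    ]:
        role = build_role_definition(SUB, name, extra)
        problems = lint_role_definition(role)
        if problems:
            raise SystemExit(f"{name}: " + "; ".join(problems))
        with open(f"{name}.json", "w") as fh:
            fh.write(render(role))
        print(f"wrote {name}.json (lint clean)")
```

Run the lint again on any file someone edits later: a role that silently grows a "*" action, a write action, or an assignable scope of "/" fails before it ever reaches the Access control (IAM) page.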

Assign the Reader role to the service principal

Tenable Cloud Security requires the Reader role for accessing the resources for a cloud scan. This role provides limited permissions to the service principal. If you want to perform a comprehensive scan including managed clusters and storage accounts, create a custom role with expanded read permissions.

  1. On the home page of the Azure portal, click Subscriptions.

    The Subscriptions page appears.

  2. On the left navigation bar, click Access Control (IAM).

    The Access control (IAM) page for your subscription appears.

  3. In the Grant access to this resource section, click Add role assignment.

    The Add role assignment page appears.

  4. On the Role tab, search for the Reader role.

  5. Select the Reader role and click Next.

    The Members tab appears.

  6. On the Members tab, do the following:

    1. Click Select Members.

    2. In the Select members window, search for the application you created.

    3. Select the application.

      The application appears under Selected members.

    4. Click Select.

      Azure adds the application for assigning the Reader role.

    5. Click Next.

      The Review + assign tab appears.

  7. Review the details of the role and click Review + assign.

  8. Azure assigns the role to the service principal of the application and redirects you to the Access control (IAM) page.

Create a client secret

You can create a new application secret to authenticate the service principal.

  1. On the home page of the Azure portal, click App Registrations.

  2. Click the application that you created for Tenable Cloud Security.

  3. On the left navigation bar, click Certificates & secrets.

    The Certificates & secrets page appears.

  4. Click New client secret.

    The Add a client secret page appears.

  5. Provide a relevant description for the secret. For example, Tenable Cloud Security Scan.

  6. Set an expiration for the client secret.

  7. Click Add.

    The client secret value and ID appear.

  8. Record the Value of this client secret.

    Note: You cannot view this value again because Azure masks this value.

What to do next:

Onboard an Azure Account

You must have the following values for onboarding the Azure account in Tenable Cloud Security:

  • Client ID

  • Tenant ID

  • Secret value