Introduction
In order to scan your Azure resources, Chronom uses an Azure App Registration to authenticate with your Azure Tenant and scan the resources in your Azure Subscriptions.
The App Registration is created in your Microsoft Entra ID tenant and assigned read-only permissions to your Azure subscriptions.
Note that while the App Registration is created in your tenant, the custom role is created in the subscription you want to scan.
By design, the App Registration has read-only permissions only to the subscription you want to scan, and it does not have access to any other resources in your tenant nor does it have the ability to modify any resources.
High-Level Overview
This guide will walk you through the process of adding your Azure Subscriptions to Chronom.
The process consists of the following steps:
-
Create a New Azure App Registration in your Azure Tenant.
This App Registration will be used by Chronom to authenticate with your Azure Tenant and scan your Azure Subscriptions, therefor it only needs to be created once per tenant. -
Grant the App Registration Permissions to Read Your Azure Subscriptions.
This step can be done in two ways:-
Recommended - Grant the App Registration Permissions at the Root Management Group Level.
This step involves creating a custom role at the root management group level and assigning it to the App Registration. (This method requires Azure Management Groups to be enabled in your Azure Tenant) -
Grant the App Registration Permissions to Read Your Azure Subscriptions.
This step involves creating a custom role in each of your Azure Subscriptions and assigning it to the App Registration.
-
Prerequisites
If you have Conditional Access Policies enabled, you need to ensure that the App Registration can bypass the policies.
(Please contact our support for more information)
In order to add your Azure subscriptions to Chronom, you need to have the following:
- high-level
- app-registration
- subscription
- An Active Azure Subscription.
- An Active Azure Tenant.
- An Azure App Registration with a client secret. Create a New Azure App Registration
- The following permissions Microsoft Entra ID Permissions:
microsoft.directory/applications/createAsOwnermicrosoft.directory/oAuth2PermissionGrants/createAsOwnermicrosoft.directory/servicePrincipals/createAsOwner
(These permissions are part of theApplication Developerrole)
- Azure Management Groups enabled in your Azure Tenant (If choosing to use method 2.i.).
- The ability to create a custom role in the subscription you want to scan.
- The ability to assign the custom role to the App Registration.
(Those abilities are usually granted by theOwnerrole in the subscription)
Chronom's App Registration Subscription Level Permissions
For Chronom to scan your Azure resources, the App Registration needs to have the necessary permissions to read the resources in your Azure Subscriptions.
Detailed below are the permissions that should be assigned to the App Registration.
In addition to the baseline permissions, you can optionally grant the App Registration additional permissions to allow for a more comprehensive and detailed scan of your Azure resources.
- required-minimum
- extendad aks permissions
The App Registration must be assigned at least with the Reader Role in the subscription you want to scan.
The Reader Role has the following permissions:
{
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"properties": {
"roleName": "Reader",
"description": "View all resources, but does not allow you to make any changes.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Granting Chronom's App Registration the Reader Role will allow you to have the basic level of scanning capabilities.
This custom role is an extension of the Reader Role and includes the following additional permissions:
- Allows Chronom to scan the content of the Azure Kubernetes Service (AKS) clusters.
The following json is not a complete role definition, it is only the additional permissions that are added to the Reader Role.
{
"id": "/providers/Microsoft.Authorization/roleDefinitions/reader-plus-aks",
"properties": {
"roleName": "Reader Plus AKS",
"description": "Enhanced Reader Role with AKS access",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/runCommand/action",
"Microsoft.ContainerService/managedClusters/commandResults/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/*/read",
"Microsoft.ContainerService/managedClusters/events/*/read",
"Microsoft.ContainerService/managedClusters/*/read",
"Microsoft.ContainerService/managedClusters/extensions/*/read",
"Microsoft.ContainerService/managedClusters/*/events/read",
"Microsoft.ContainerService/managedClusters/*/leases/read",
"Microsoft.ContainerService/managedClusters/autoscaling/*/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/*/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/*/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/*/read"
],
"notDataActions": []
}
]
}
}
While it is not recommended, you can optionally disable Chronom's access to the secrets by adding the "Microsoft.ContainerService/managedClusters/secrets/*" action to the notDataActions list.