Azure
There are a number of ways to run Scout against an Azure tenant.
- Azure CLI (`--cli`)
  - On most systems, you can install azure-cli using `pip install azure-cli`
  - Log into an account. The easiest way to do it is with `az login` (for more authentication methods, you can refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)
  - Run Scout with the `--cli` flag
- User account (`--user-account`)
  - Run Scout using `--user-account`
  - Scout will prompt you for your credentials
- User account via browser (`--user-account-browser`)
  - Run Scout using `--user-account-browser`
  - Through a browser, pick your Azure account
  - This authentication method is mostly useful for users who have MFA enabled.
- Service Principal (`--service-principal`)
  - Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  - Run Scout with the `--service-principal` flag
  - Scout will prompt you for the required information
- Service Principal with a credentials file (`--file-auth`)
  - Create a Service Principal for the Azure SDK. You can do this with `azure-cli` by running: `az ad sp create-for-rbac --sdk-auth > mycredentials.json`
  - Run Scout while providing it with the credentials file using `--file-auth path/to/mycredentials.json`
- Managed identity (`--msi`)
  - Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  - Run Scout with the `--msi` flag
To run Scout Suite against an Azure user with MFA enabled, there are two options:
- Azure CLI
  - Install the CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
  - Run `az login` to log the CLI into your account. This will open a web browser and let you log in
  - Run Scout with the Azure `--cli` option
- User Browser Login
  - Run Scout with the Azure `--user-account-browser` option
  - Through a browser, pick your Azure account
Scout will require that the provided credentials have the Reader and Security Reader roles in all the subscriptions to assess:
- Create a user in the desired directory
- Grant the given user the role of Global Reader in the directory
- Add the user to the desired subscription, with both Reader and Security Reader roles
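The role requirement above is easy to get wrong when several subscriptions are in scope (a Reader assignment on a single resource group does not cover the subscription, and an Owner or Contributor assignment is more than a read-only assessment needs). The following Python is an added example, not ScoutSuite's own code: it takes the parsed JSON that `az role assignment list` returns for the scanning identity and reports, per subscription, which required roles are missing and which assigned roles exceed read-only access. The `roleDefinitionName` and `scope` field names and the exact `az` invocation are assumptions; the sample assignments are constructed and reuse the placeholder subscription ids from this page.

```python
import json

# Roles this page says Scout needs on every subscription it assesses.
REQUIRED_ROLES = {"Reader", "Security Reader"}
# Roles that exceed what a read-only assessment needs (least-privilege check).
OVERPRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment at `scope` applies to the whole subscription.
    Only the root scope and the subscription scope itself count; inheritance
    from management groups is not resolved (simplifying assumption)."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    return scope == "/" or scope.rstrip("/").lower() == wanted


def check_role_assignments(assignments: list, subscription_ids: list) -> dict:
    """Map each subscription id to its missing and excessive roles.
    `assignments` is the parsed JSON list returned by (assumed invocation)
    `az role assignment list --all --assignee <appId> --subscription <id> -o json`
    (assumed shape: entries carrying `roleDefinitionName` and `scope`).
    Resource-group-scoped roles are ignored: they do not cover the subscription."""
    report = {}
    for sub in subscription_ids:
        roles = {a["roleDefinitionName"] for a in assignments
                 if covers_subscription(a["scope"], sub)}
        report[sub] = {"missing": sorted(REQUIRED_ROLES - roles),
                       "excessive": sorted(roles & OVERPRIVILEGED_ROLES)}
    return report


def ready_to_scan(report: dict) -> bool:
    # True only when no assessed subscription lacks a required role.
    return all(not entry["missing"] for entry in report.values())


# Constructed sample (ids are the placeholders from this page): the first subscription
# is set up correctly; the second has Reader only on a resource group plus Contributor.
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Reader", "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
 {"roleDefinitionName": "Security Reader", "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
 {"roleDefinitionName": "Reader", "scope": "/subscriptions/66666666-7777-8888-9999-000000000000/resourceGroups/rg-web"},
 {"roleDefinitionName": "Contributor", "scope": "/subscriptions/66666666-7777-8888-9999-000000000000"}
]""")
SAMPLE_SUBSCRIPTIONS = ["11111111-2222-3333-4444-555555555555",
                        "66666666-7777-8888-9999-000000000000"]

if __name__ == "__main__":
    for sub, entry in check_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTIONS).items():
        print(sub, "missing:", entry["missing"], "excessive:", entry["excessive"])
```

Run it against the real `az` output for each subscription you intend to pass to `--subscriptions` before starting a scan; a non-empty `missing` list means Scout will fail to read that subscription, and a non-empty `excessive` list means the identity holds more than the read-only roles the assessment needs.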
When using Scout Suite v5 or below and running Scout with Service Principals, the following Azure Active Directory Graph API application permission is additionally required:
- Directory.Read.All

The following screenshot shows the required configuration:

On version v6, since Scout uses Microsoft Graph, when running Scout with Service Principals the following Microsoft Graph application permissions are required:
- Directory.Read.All
- Policy.Read.All

The following screenshot shows the required configuration:
- By default, Scout will query the subscriptions to which the provided credentials have access, and use the first one in the list.
- For some modes of authentication (i.e. Service Principal, or user credentials via browser), the tenant ID must be provided.
- The `--subscriptions` option can be used to scan a number of subscriptions in one execution, e.g. `--subscriptions 11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000`
- The `--all-subscriptions` option can be used to scan all the subscriptions to which the provided credentials have access.