Azure Environment Setup

Setting up your Azure environment to work with KeeperPAM

Azure Environment Overview

In order to set up your Azure environment, the following steps must be taken:

  • Create an Azure application in the default Azure Active Directory.

  • Get values for the Keeper PAM Configuration from this new application.

  • Grant permissions to the application to access the Azure Active Directory.

  • Create a custom role to allow the application to access/perform actions on various Azure resources.

Create an Azure App Registration

Go to the Azure portal > Home and click on Microsoft Entra ID on the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant. Then click the Register button at the bottom.

In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.

[Screenshot: Create Application]

Next, go to Home > General > Subscriptions and get your subscription ID. Copy the subscription ID into the Keeper PAM Configuration "Subscription ID" field. For more information on how to get your subscription ID, visit this page.

Next, under Client credentials, click Add a certificate or secret. On the next page, click New client secret, give the client secret a Description, select the desired Expires date, and click Add.

The page will refresh showing the secret Value. Copy the Value (not Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later.

[Screenshot: Client Secret]

At this point, all the required PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.
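A mistake that is easy to make at this step is pasting the client secret's Secret ID (a UUID) instead of its Value. The following check, added here as an illustration and not part of Keeper's documentation or tooling, validates the four values collected so far: Client Id, Tenant Id and Subscription ID must be UUIDs, and the Client Secret must not look like one. The field names and sample values are constructed placeholders.

```python
import re

# Strict UUID shape (8-4-4-4-12 hex), the form Azure shows for IDs.
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed placeholder values standing in for a Keeper PAM Configuration record.
# None of these are real identifiers or credentials.
SAMPLE_CONFIG = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "66666666-7777-8888-9999-000000000000",
    "subscription_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value~example.1234",
}

UUID_FIELDS = ("client_id", "tenant_id", "subscription_id")


def looks_like_uuid(value) -> bool:
    """True when the value has exactly the 8-4-4-4-12 hex form."""
    return isinstance(value, str) and UUID_RE.fullmatch(value) is not None


def validate_pam_config(config: dict) -> list:
    """Return a list of problems; an empty list means the record looks consistent."""
    problems = []
    for field in UUID_FIELDS:
        value = config.get(field, "")
        if not looks_like_uuid(value):
            problems.append(f"{field}: expected a UUID, got {value!r}")

    secret = config.get("client_secret", "")
    if not secret:
        problems.append("client_secret: missing")
    elif looks_like_uuid(secret):
        # The Value of a client secret is an opaque string; a UUID here almost
        # always means the Secret ID column was copied instead of the Value.
        problems.append("client_secret: value is a UUID; the Secret ID was probably pasted instead of the secret Value")
    elif secret in (config.get(f) for f in UUID_FIELDS):
        problems.append("client_secret: equals another field of the record")
    return problems


if __name__ == "__main__":
    for problem in validate_pam_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against the values you pasted into the record before moving on to role assignment; a failure here shows up later only as an opaque authentication error from the gateway.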

Assign Roles and Administrators

In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Services users, the application must be assigned an administrative role.

From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used.

  • Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.

  • Privileged Authentication Administrator - Can change the password for any user, including a Global Administrator user.

  • Authentication Administrator - Can change the password for any user, except a Global Administrator user.

To add the application, click Add assignments, search for the service principal/application that was created, click it, and then click Add.

[Screenshot: Assign Administrator Role to Keeper Application]

Assign Azure Role

Roles need to be attached to the Azure Application (also called a Service Principal here) in order to rotate passwords of target resources. This is done in the Subscription section of the Azure portal.

Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.

Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click Edit and paste the JSON object below, modifying it according to your setup.

The JSON is the complete list of permissions that Keeper Gateway can use. Include only those that are needed for your setup.

Change the following before you save:

  • <ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"

  • <DESCRIPTION>: Description, e.g. "Role for password rotation"

  • <SUBSCRIPTION ID>: Subscription ID of this Azure subscription

{
    "properties": {
        "roleName": "<ROLE NAME>",
        "description": "<DESCRIPTION>",
        "assignableScopes": [
            "/subscriptions/<SUBSCRIPTION ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.AAD/domainServices/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.Sql/servers/write",
                    "Microsoft.DBforPostgreSQL/servers/write",
                    "Microsoft.DBforMySQL/servers/write",
                    "Microsoft.DBforMySQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/write",
                    "Microsoft.DBforMySQL/flexibleServers/write",
                    "Microsoft.DBforMariaDB/servers/read",
                    "Microsoft.DBforMariaDB/servers/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Click Save.

When done, click Review + create, and click Create.
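The role JSON above lists every action the gateway can use, and the page asks you to keep only the ones your setup needs. The script below, added here as an example and not part of Keeper's documentation or tooling, builds that custom-role body from a chosen set of rotation targets and then lints the result for anything broader than the documented role: wildcard actions, actions outside the documented list, data-plane actions, or an assignable scope that is not a single subscription. The actions are copied verbatim from the JSON above; their grouping by target (vm, aad_ds, sql, postgresql, mysql, mariadb) is an assumption made for this example, and the subscription ID is a constructed placeholder.

```python
import json
import re

# The actions below are exactly those in the role JSON on this page. Grouping
# them by rotation target is an assumption for this example, not Keeper's own
# mapping; confirm it against your setup before relying on it.
ACTIONS_BY_TARGET = {
    "common": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
    "vm": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
    ],
    "aad_ds": ["Microsoft.AAD/domainServices/read"],
    "sql": [
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/write",
    ],
    "postgresql": [
        "Microsoft.DBforPostgreSQL/servers/read",
        "Microsoft.DBforPostgreSQL/servers/databases/read",
        "Microsoft.DBforPostgreSQL/servers/write",
        "Microsoft.DBforPostgreSQL/flexibleServers/read",
        "Microsoft.DBforPostgreSQL/flexibleServers/write",
    ],
    "mysql": [
        "Microsoft.DBforMySQL/servers/read",
        "Microsoft.DBforMySQL/servers/write",
        "Microsoft.DBforMySQL/flexibleServers/read",
        "Microsoft.DBforMySQL/flexibleServers/write",
    ],
    "mariadb": [
        "Microsoft.DBforMariaDB/servers/read",
        "Microsoft.DBforMariaDB/servers/write",
    ],
}
# Every action the page documents, used as the allowlist when linting.
DOCUMENTED_ACTIONS = {a for group in ACTIONS_BY_TARGET.values() for a in group}

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
SUBSCRIPTION_RE = re.compile(UUID, re.IGNORECASE)
SCOPE_RE = re.compile(r"/subscriptions/" + UUID, re.IGNORECASE)


def build_role_definition(role_name, description, subscription_id, targets):
    """Build the custom-role body with only the actions for the given targets."""
    if not SUBSCRIPTION_RE.fullmatch(subscription_id):
        raise ValueError(f"subscription_id is not a UUID: {subscription_id!r}")
    unknown = set(targets) - set(ACTIONS_BY_TARGET)
    if unknown:
        raise ValueError(f"unknown targets: {sorted(unknown)}")
    actions = []
    for target in ["common", *targets]:  # resource-group read is always included
        for action in ACTIONS_BY_TARGET[target]:
            if action not in actions:
                actions.append(action)
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [
                {"actions": actions, "notActions": [], "dataActions": [], "notDataActions": []}
            ],
        }
    }


def lint_role_definition(role):
    """Return findings for anything broader than the role documented on this page."""
    props = role["properties"]
    findings = []
    for scope in props["assignableScopes"]:
        if not SCOPE_RE.fullmatch(scope):
            findings.append(f"assignableScope {scope!r} is not a single subscription")
    for perm in props["permissions"]:
        for action in perm["actions"]:
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants far more than rotation needs")
            elif action not in DOCUMENTED_ACTIONS:
                findings.append(f"action {action!r} is not in the documented list")
        if perm.get("dataActions"):
            findings.append("dataActions present; the documented role has none")
    return findings


if __name__ == "__main__":
    sample_subscription = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed placeholder
    role = build_role_definition("Keeper Secrets Manager", "Role for password rotation",
                                 sample_subscription, ["vm", "postgresql"])
    print(json.dumps(role, indent=4))
    print("findings:", lint_role_definition(role))
```

Paste the printed JSON into the JSON tab of the custom role. Running the linter on a role you edited by hand, before clicking Review + create, catches a stray "*" or a scope widened to a management group, both of which would silently give the service principal far more than password rotation needs.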

Once the role is created, it needs to be assigned to the Application (Service Principal). Click View in the Details column.

[Screenshot: Role]

A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.

Enter the new role's name in the search bar on the Role tab, then double-click it to select it. Move to the Members tab and click Select members. In the panel that opens, enter the name of the Azure application, select it, and click Select.

[Screenshot: Create Azure Custom Role]
[Screenshot: Assign Role to Keeper Secrets Manager application member]

Go to the Review + assign tab and click Review + assign.

At this point, you have created the necessary roles and applications within your Azure environment.

PAM Features

The "PAM Features Allowed" and "Session Recording Types Allowed" sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM configuration:

  • Rotation: If enabled, allow rotations on privileged users managed by this PAM configuration

  • Connections: If enabled, allow connections on resources managed by this PAM configuration

  • Remote Browser Isolation (RBI): If enabled, allow RBI sessions on resources managed by this PAM configuration

  • Tunneling: If enabled, allow tunnels on resources managed by this PAM configuration

  • Graphical Session Recording: If enabled, visual playback sessions will be recorded for all connections and RBI sessions

  • Text Session Recording (TypeScript): If enabled, text input and output will be logged for all connections and RBI sessions

Configuring PAM Features on PAM Record Types

After creating the PAM configuration, visit the following pages to:
