Azure Environment Setup

Setting up your Azure environment to work with Keeper Secrets Manager

In order to set up your Azure environment, the following steps must be taken:

  • Create an Azure application in the default Azure Active Directory.

  • Get values for the Keeper PAM Configuration from this new application.

  • Grant permissions to the application to access the Azure Active Directory.

  • Create a custom role to allow the application to access/perform actions on various Azure resources.

Create an Azure App Registration

Go to the Azure portal > Home and click on Azure Active Directory in the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant for Supported accounts types. Then click the Register button at the bottom.

In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.

Next, click Add a certificate or secret next to Client credentials. On the next page, click New client secret, give the client secret a Description, select a desired Expires date, and click Add.

The page will refresh showing the secret Value. Copy the Value (not Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later.

At this point, all the required PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.

Assign Roles and Administrators

In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Service users, the application must be assigned to an Administrative role.

From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used.

  • Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.

  • Privileged Authentication Administrator - Can change the password for any user, including a Global Administrator user.

  • Authentication Administrator - Can change the password for any user, except a Global Administrator user.

To add the application, click Add assignments and Search for the service principal/application that was created, click it, and then Add.

Assign Azure Role

Roles need to be attached to the Azure Application (also called a Service Principal here) in order to rotate passwords of target resources. This is done in the Subscription section of the Azure portal.

Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.

Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click Edit and paste the JSON object below, modifying it according to your setup.

The JSON below is the complete list of permissions that Keeper Gateway can use, where applicable. Include only those that are needed for your setup.

Change the following before you save:

  • <ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"

  • <DESCRIPTION>: Description, e.g. "Role for password rotation"

  • <SUBSCRIPTION ID>: Subscription ID of this Azure subscription

{
    "properties": {
        "roleName": "<ROLE NAME>",
        "description": "<DESCRIPTION>",
        "assignableScopes": [
            "/subscriptions/<SUBSCRIPTION ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.AAD/domainServices/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.Sql/servers/write",
                    "Microsoft.DBforPostgreSQL/servers/write",
                    "Microsoft.DBforMySQL/servers/write",
                    "Microsoft.DBforMySQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/write",
                    "Microsoft.DBforMySQL/flexibleServers/write",
                    "Microsoft.DBforMariaDB/servers/read",
                    "Microsoft.DBforMariaDB/servers/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Click Save.

When done, click Review + create, and click Create.

Once the role is created, it needs to be assigned to the Application (Service Principal). Click View in the Details column.

A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.

Enter in the new role's name in the search bar on the Role tab, then double click it to select it. Move to the Members tab. Click Select members. In the panel that opens, enter the name of the Azure application, select the current application, and click Select.

Go to the Review + assign tab and click Review + assign.
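The custom role above is meant to be trimmed to the rotation targets you actually have. The following Python script is an added example (not Keeper's code or part of the original page): it fills the three placeholders, keeps only the action groups you name, and checks the result for least-privilege drift before you paste it into the JSON tab or feed it to `az role definition create --role-definition @keeper-role.json`. The action strings are the ones listed on this page; grouping them by resource provider into "vm", "aad_ds", "sql", "postgres", "mysql" and "mariadb" is this example's own assumption, as is the all-zero subscription ID used as sample input.

```python
"""Build and sanity-check a least-privilege custom role for Keeper Gateway.

Added example; not Keeper's code. The action names come from the documented
role definition, the grouping by target is this example's assumption.
"""
import json
import re
from copy import deepcopy

# Role definition template from the page; placeholders are filled by build_role().
ROLE_TEMPLATE = {
    "properties": {
        "roleName": "<ROLE NAME>",
        "description": "<DESCRIPTION>",
        "assignableScopes": ["/subscriptions/<SUBSCRIPTION ID>"],
        "permissions": [
            {"actions": [], "notActions": [], "dataActions": [], "notDataActions": []}
        ],
    }
}

# The page's full action list, grouped by rotation target (grouping is assumed).
ACTION_GROUPS = {
    "vm": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "aad_ds": ["Microsoft.AAD/domainServices/read"],
    "sql": [
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/write",
    ],
    "postgres": [
        "Microsoft.DBforPostgreSQL/servers/read",
        "Microsoft.DBforPostgreSQL/servers/databases/read",
        "Microsoft.DBforPostgreSQL/servers/write",
        "Microsoft.DBforPostgreSQL/flexibleServers/read",
        "Microsoft.DBforPostgreSQL/flexibleServers/write",
    ],
    "mysql": [
        "Microsoft.DBforMySQL/servers/read",
        "Microsoft.DBforMySQL/servers/write",
        "Microsoft.DBforMySQL/flexibleServers/read",
        "Microsoft.DBforMySQL/flexibleServers/write",
    ],
    "mariadb": ["Microsoft.DBforMariaDB/servers/read", "Microsoft.DBforMariaDB/servers/write"],
}
ALL_ACTIONS = {a for group in ACTION_GROUPS.values() for a in group}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_role(role_name, description, subscription_id, targets=None):
    """Return a role definition holding only the actions needed for `targets`."""
    targets = list(ACTION_GROUPS) if targets is None else list(targets)
    unknown = [t for t in targets if t not in ACTION_GROUPS]
    if unknown:
        raise ValueError(f"unknown rotation targets: {unknown}")
    role = deepcopy(ROLE_TEMPLATE)
    props = role["properties"]
    props["roleName"] = role_name
    props["description"] = description
    props["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    actions = []
    for t in targets:
        actions.extend(a for a in ACTION_GROUPS[t] if a not in actions)
    props["permissions"][0]["actions"] = actions
    return role


def validate_role(role):
    """Return least-privilege findings; an empty list means the definition passes."""
    findings = []
    props = role.get("properties", {})
    if re.search(r"<[A-Z ]+>", json.dumps(role)):
        findings.append("unreplaced placeholder present")
    scopes = props.get("assignableScopes", [])
    if len(scopes) != 1:
        findings.append("expected exactly one assignable scope")
    for scope in scopes:
        m = re.fullmatch(r"/subscriptions/([^/]+)", scope)
        if not m or not UUID_RE.match(m.group(1)):
            findings.append(f"scope is not a single subscription with a valid id: {scope}")
    for perm in props.get("permissions", []):
        actions = perm.get("actions", [])
        if not actions:
            findings.append("no actions granted")
        for a in actions:
            if "*" in a:
                findings.append(f"wildcard action: {a}")
            elif a not in ALL_ACTIONS:
                findings.append(f"action not in the documented list: {a}")
        for key in ("dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(f"{key} must stay empty; rotation needs no data-plane rights")
    return findings


if __name__ == "__main__":
    # Constructed sample: VM and Azure SQL rotation only, all-zero subscription id.
    role = build_role("Keeper Secrets Manager", "Role for password rotation",
                      "00000000-0000-0000-0000-000000000000", ["vm", "sql"])
    problems = validate_role(role)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(role, indent=4))
```

Running the script prints a definition you can paste into the JSON tab as-is; the validator rejects wildcard actions, any `dataActions`, scopes wider than one subscription, and actions outside the documented list, which are the usual ways a "temporary" broadening of this role goes unnoticed.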

🎉 At this point, you have created the necessary roles and applications within your Azure environment.
