Keeper provides customers with fully automated Admin Approvals using an Azure Cloud Function. This is an advanced method of performing Admin Approvals in the customer's fully cloud-based Azure environment.
The Keeper Azure Function documented here provides the following capabilities:
Automated Team Creation: Any team that has been provisioned to the Keeper Enterprise Application from your Azure environment will be created within the Keeper node within 10 minutes.
Automated User-to-Team Assignment: After the user creates their Keeper vault, the user will be automatically provisioned to the designated Azure Team within 10 minutes.
Automated Team Folder Provisioning: Any Shared Folders that are shared to the Team will appear in the user's vault within 10 minutes of the user creating their vault.
Automated Device Approvals: SSO Cloud users who authenticate with Azure and then click on "Request Admin Approval" will be automatically granted access with the necessary encryption keys within about 15 seconds.
(1) Access the Github repository and binary applications: https://github.com/Keeper-Security/keeper-sdk-examples
(2) In the "Releases" section of the repository, download the following application files:
(3) Log in to the Azure portal (https://portal.azure.com)
(4) Go to "Functions" and click to create a new function.
The function configuration can use default settings for most options. Below are the specific settings that must be selected for Keeper's function (Runtime stack, Version).
Make note of your selection for "Resource Group" and "Function App name". In the example above, we have selected "Keeper" as the group and "craigdemoapprovals" as the function name.
Follow the wizard steps to create your Azure Function.
When the function is deployed, you'll receive a screen that looks like below:
(5) Click on the Terminal icon to run Azure Cloud Shell in PowerShell mode:
(6) In this step, we will upload the Azure function to the Azure Cloud Shell storage location.
Type "df", which displays the storage configuration. Make note of the storage name and file share name identified in the section in red below. In the below example, the storage name of the
(7) From the Azure main navigation, go to Home > Storage Accounts > then select the Storage Name as it appears above. Then scroll down and select "File Shares" and select the file share ID that matches the above. For example:
(8) Click on the file share and then click on "Upload"
(9) Select the AzureAdminAutoApprove.zip package that was downloaded in step (2). Upload this file to the file share.
(10) From the Azure Cloud Shell, change directory to the cloud function location:
PS /home/e4b62e6f-e3e0-4d4a-a068-bcd0d8eb> cd /usr/csuser/clouddrive/
PS /usr/csuser/clouddrive>
Deploy the function using the command below (replace "Keeper" and "craigdemoapprovals" with the group name and function name you specified in step (4) above).
az functionapp deployment source config-zip -g Keeper -n craigdemoapprovals --src ./AzureAdminAutoApprove.zip
This will deploy the Azure function.
(11) From the Azure Functions (in this case "craigdemoapprovals"), click on "Functions" then in the list of functions, go ahead and disable the ApprovePendingRequestsByTimer for now until we're ready to go live.
(12) On any Windows computer, extract the file Commander.zip from step (2) and run the Keeper Commander.exe executable from the extracted folder.
(14) Create an authentication profile in Keeper
Keeper Commander is now used to create an authentication profile that contains keys required for the Azure Function to authenticate against the Keeper Cloud. It is recommended that you create a special service account for performing the Admin Approvals, or you can use your Keeper Admin account. On the Keeper Commander prompt, type the following:
(a) "login <email>"
Not logged in> login <email>
(b) You'll be asked to verify your device. Typically this is performed using email verification, so type "email_send"
(never) > email_send
(c) Check your email and click the verification code or type in the requested code.
(d) If 2FA is enforced, you'll also be asked for your 2FA code. Make sure that you select "forever" when prompted so that the MFA code does not expire within the Azure function.
(d) Enable session persistence and register the device to Keeper:
My Vault> this-device register
My Vault> this-device persistent_login on
(e) While the Commander session is still active, locate the config.json file that Commander created; it contains the encryption keys and device identifier data the Azure Function needs.
The file should be located on the Windows computer in the following location:
This PC > Documents > .keeper
(f) Keep Commander running on the local workstation until after the config.json file has been copied (per the steps below).
(15) In the Azure portal, navigate to the storage account for the resource group of the Azure function.
(a) Go to Azure Functions and click on our function.
(b) Click on the resource group (in this case, "Keeper"):
(c) Navigate to Storage Account > File Shares > .keeper folder
(16) Upload config.json file from step (14)(e) to the .keeper folder:
(a) Kill the Commander session or type "q" to quit. DO NOT issue a "logout" or the process will break and you will have to repeat step (14).
(17) Enable the Timer function ApprovePendingRequestsByTimer
(18) After a few minutes, the function should start running.
By default, the Keeper function "ApprovePendingRequestsByTimer" will execute once every minute. If there is no active connection (web socket) to the Keeper Cloud, a connection is established and the Azure Function will authenticate. A web socket is then established and held for as long as the Azure Function is allowed to process. If there is already an active web socket connection to the Keeper Cloud, no action is performed.
To monitor the invocation, click on the "Monitor" and "Invocations" tab.
(19) Configuration is complete. Now, when a user requests "Admin Approval" from their vault, the Azure Function will immediately approve their request.
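The same deployment and switch-over can be scripted from the PowerShell Cloud Shell with the Azure CLI. The script below is an added example, not Keeper's code; it assumes the names from step (4), that config.json has already been copied into the Cloud Shell drive, and that the storage account and file share names from step (6) are filled in (placeholders here). It disables the timer with the standard Azure Functions app setting AzureWebJobs.<FunctionName>.Disabled rather than the portal toggle.

```powershell
# Added example (not Keeper's code): automates steps (10), (11), (16) and (17)
# of this guide from the PowerShell Cloud Shell using the Azure CLI.
$ErrorActionPreference = "Stop"

$ResourceGroup  = "Keeper"                  # from step (4)
$FunctionApp    = "craigdemoapprovals"      # from step (4)
$StorageAccount = "<storage name from df>"  # from step (6), assumed placeholder
$FileShare      = "<file share from df>"    # from step (6), assumed placeholder
$TimerFunction  = "ApprovePendingRequestsByTimer"
$ConfigJson     = "./config.json"           # Commander's config.json, assumed copied here

# Step (10): deploy the function package from the Cloud Shell drive.
az functionapp deployment source config-zip -g $ResourceGroup -n $FunctionApp `
    --src ./AzureAdminAutoApprove.zip

# Step (11): keep the timer disabled until config.json is in place.
# Azure Functions honours the app setting AzureWebJobs.<FunctionName>.Disabled=true.
az functionapp config appsettings set -g $ResourceGroup -n $FunctionApp `
    --settings "AzureWebJobs.$($TimerFunction).Disabled=true"

# Step (16): upload config.json into the .keeper folder of the function's
# content file share. The file carries the device keys the function uses to
# authenticate to Keeper, so limit who can read this share.
if (-not (Test-Path $ConfigJson)) { throw "config.json not found at $ConfigJson" }
$Key = az storage account keys list -g $ResourceGroup -n $StorageAccount `
    --query "[0].value" -o tsv
az storage file upload --account-name $StorageAccount --account-key $Key `
    --share-name $FileShare --source $ConfigJson --path ".keeper/config.json"

# Step (17): enable the timer now that the authentication profile is present.
az functionapp config appsettings set -g $ResourceGroup -n $FunctionApp `
    --settings "AzureWebJobs.$($TimerFunction).Disabled=false"
```

Changing app settings restarts the function app, so expect the first timer invocation a minute or so after the last command completes.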
Now that the function ApprovePendingRequestsByTimer is running, any user who requests "Admin Approval" will be immediately approved within a few seconds.
The function ApproveQueuedTeamsByTimer handles the Team and User approvals.
In our testing, the monthly cost of hosting the Keeper Azure function is close to $0.00 due to the small number of invocations required for device and team approval.