From d83b30ba2954fb0dfba4ae5b8e4dfd0d2f7f8b58 Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Fri, 22 Sep 2017 13:04:52 +0100
Subject: [PATCH 1/7] US63918 - Create RBAC role for app identity via ARM template

---
 README.md | 31 ++++++++++++++++++++++---------
 template.json | 16 +++++++++++++++-
 2 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 7dd7851..599f3b5 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,11 @@ In order to install O365 Log collector:
 1. On `Required permissions` panel click `Required permissions` button and confirm the selection. **Note**, only AD tenant admin can grant permisions to an Azure AD application.
 1. On the `Settings` panel of the application and select `Keys`.
 1. Enter key `Description` and `Duration` and click `Save`. **Note**, please save the key value, it is needed later during template deployment.
+1. Save the `Application ID` and `Service Principal ID` for use below. To get the `Service Principal ID`, navigate to the `Registered App` blade,
+click on the link under `Managed application in local directory`. Then click `Properties`. The `Service Principal ID`
+is labled `Object ID` on the properties page. **Caution** This is not the same `Object ID` listed in the `Properties` blade reached
+by clicking `Settings` or `All Settings` from the `Registered app`. It is also not the `Object ID` shown on the `Registered app`
+blade itself.
 
 ## Create an Alert Logic Access Key
 
@@ -86,15 +91,23 @@ curl -X POST -H "x-aims-auth-token: " https://api.global-services.global.
 1. Click `Build your own template in the editor` and load the file previously downloaded on step 1 above.
 1. Click `Save` button.
 2. Fill in required template parameters and click the `Purchase` button to start a deployment. I.e.:
- - `APP_TENANT_ID` - The GUID of the tenant e.g. `alazurealertlogic.onmicrosoft.com`
- - `CUSTOMCONNSTR_APP_CLIENT_ID` - The GUID of your application that created the subscription.
-You can obtain it from _Azure_ -> _AD_ -> _App registrations_ -> _Your app name_
- - `CUSTOMCONNSTR_APP_CLIENT_SECRET` - A secret key of your application from _App Registrations_.
- - `CUSTOMCONNSTR_APP_CI_ACCESS_KEY_ID` - `access_key_id` returned from AIMs [above](#create_an_alert_logic_access_key).
- - `CUSTOMCONNSTR_APP_CI_SECRET_KEY`- `secret_key` returned from AIMs [above](#create_an_alert_logic_access_key).
-
-1. Once deployment is finished go to `Resource groups` blade and select a resource group used for the deployment on step 3 above.
-1. Select `Access Control (IAM)` and add `Website Contributor` role to AD application identity created above.
+ - `Name` - Any name
+ - `Storage Name` - Any Storage Account name (that does not currently exist)
+ - `Alertlogic Access Key Id` - `access_key_id` returned from AIMs [above](#create_an_alert_logic_access_key)
+ - `Alertlogic Secret Key` - `secret_key` returned from AIMs [above](#create_an_alert_logic_access_key)
+ - `Alertlogic API endpoint` - usually `api.global-services.global.alertlogic.com`
+ - `Alertlogic Data Residency` - usually `default`
+ - `Office365 Content Streams` - The list of streams you would like to collect. Valid values are:
+ - ["Audit.AzureActiveDirectory","Audit.Exchange","Audit.SharePoint","Audit.General", "DLP.All"]
+ - `Office365 Tenant Id` - The GUID of the tenant e.g. `alazurealertlogic.onmicrosoft.com`
+ - `Service Principal ID` - The `Object ID` of the application that created the subscription.
+ You can obtain it from _Azure_ -> _AD_ -> _App registrations_ -> _Your app name_ -> Link under
+_Managed application in local directory_ -> _Properties_ -> _Object ID_
+ - `App Client Id` - The GUID of your application that created the subscription.
+ You can obtain it from _Azure_ -> _AD_ -> _App registrations_ -> _Your app name_
+ - `App Client Secret` - The secret key of your application from _App Registrations_
+ - `Repository URL` - must be `https://github.com/alertlogic/azure-collector.git`
+ - `Repository Branch` - should usually be `master`
 
 ### Deploy via Azure CLI
 
diff --git a/template.json b/template.json
index d1b4352..c1d7642 100644
--- a/template.json
+++ b/template.json
@@ -37,6 +37,9 @@
 "Office365 Tenant Id": {
 "type": "String"
 },
+ "Service Principal ID": {
+ "type": "String"
+ },
 "App Client Id": {
 "type": "String"
 },
@@ -56,7 +59,8 @@
 "location": "[resourceGroup().location]",
 "resourceGroupName": "[resourceGroup().name]",
 "subscriptionId": "[split(subscription().id, '/')[2]]",
- "tenantId": "[subscription().tenantId]"
+ "tenantId": "[subscription().tenantId]",
+ "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
 },
 "resources": [
 {
@@ -178,6 +182,16 @@
 "properties": {
 "accountType": "Standard_LRS"
 }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "name": "DCE46385-7B6B-4E6B-87ED-F01128900999",
+ "apiVersion": "2015-07-01",
+ "properties": {
+ "roleDefinitionId": "[variables('contributor')]",
+ "principalId": "[parameters('Service Principal ID')]",
+ "scope": "[variables('resourceGroupId')]"
+ }
 }
 ]
 }

From 779048bbf048f521054435b1f8bdf1b5f74f692c Mon Sep 17 00:00:00 2001
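Review bot: The `Microsoft.Authorization/roleAssignments` resource added at the end of this hunk gives the service principal the built-in Contributor role (`b24988ac-…`, wired up as `contributor` in the variables hunk above) over the entire resource group, while the README step this same patch deletes had the operator grant only `Website Contributor`; that is a broader standing privilege than the documented manual procedure, and the commit message does not say why it is needed. Consider keeping the least-privilege role, or narrowing `scope` to the collector's app resource rather than `variables('resourceGroupId')`, and if resource-group-wide Contributor really is required, record the reason on the resource with a `"comments"` entry. The new `Service Principal ID` parameter is also a bare `"type": "String"` with no description, although the README spends a paragraph warning that the value is the service principal's `Object ID` and not the application's; `"metadata": { "description": "Object ID of the app's service principal (not the Application ID)" }` on the parameter would carry that warning into the portal form.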
From: ikemsley
Date: Fri, 22 Sep 2017 14:05:12 +0100
Subject: [PATCH 2/7] US63918 - Create RBAC role for app identity via ARM template

---
 template.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/template.json b/template.json
index c1d7642..0ce1725 100644
--- a/template.json
+++ b/template.json
@@ -58,6 +58,7 @@
 "variables": {
 "location": "[resourceGroup().location]",
 "resourceGroupName": "[resourceGroup().name]",
+ "resourceGroupId": "[resourceGroup().id]",
 "subscriptionId": "[split(subscription().id, '/')[2]]",
 "tenantId": "[subscription().tenantId]",
 "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"

From 6e57cd9d66b28ddd4fea789454d8c3632a7da1ca Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Fri, 22 Sep 2017 14:09:53 +0100
Subject: [PATCH 3/7] US63918 - Create RBAC role for app identity via ARM template

---
 template.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/template.json b/template.json
index 0ce1725..54dac88 100644
--- a/template.json
+++ b/template.json
@@ -37,7 +37,7 @@
 "Office365 Tenant Id": {
 "type": "String"
 },
- "Service Principal ID": {
+ "Service Principal Id": {
 "type": "String"
 },
 "App Client Id": {
@@ -190,7 +190,7 @@
 "apiVersion": "2015-07-01",
 "properties": {
 "roleDefinitionId": "[variables('contributor')]",
- "principalId": "[parameters('Service Principal ID')]",
+ "principalId": "[parameters('Service Principal Id')]",
 "scope": "[variables('resourceGroupId')]"
 }
 }

From 21208dbe66878b269ee62aa3e22c836d0caab8f1 Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Fri, 22 Sep 2017 15:03:00 +0100
Subject: [PATCH 4/7] US63918 - Create RBAC role for app identity via ARM template

---
 README.md | 6 +++---
 template.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 599f3b5..fce4f29 100644
--- a/README.md
+++ b/README.md
@@ -40,8 +40,8 @@ In order to install O365 Log collector:
 1. On `Required permissions` panel click `Required permissions` button and confirm the selection. **Note**, only AD tenant admin can grant permisions to an Azure AD application.
 1. On the `Settings` panel of the application and select `Keys`.
 1. Enter key `Description` and `Duration` and click `Save`. **Note**, please save the key value, it is needed later during template deployment.
-1. Save the `Application ID` and `Service Principal ID` for use below. To get the `Service Principal ID`, navigate to the `Registered App` blade,
-click on the link under `Managed application in local directory`. Then click `Properties`. The `Service Principal ID`
+1. Save the `Application ID` and `Service Principal Id` for use below. To get the `Service Principal Id`, navigate to the `Registered App` blade,
+click on the link under `Managed application in local directory`. Then click `Properties`. The `Service Principal Id`
 is labled `Object ID` on the properties page. **Caution** This is not the same `Object ID` listed in the `Properties` blade reached
 by clicking `Settings` or `All Settings` from the `Registered app`. It is also not the `Object ID` shown on the `Registered app`
 blade itself.
@@ -100,7 +100,7 @@ curl -X POST -H "x-aims-auth-token: " https://api.global-services.global.
  - `Office365 Content Streams` - The list of streams you would like to collect. Valid values are:
  - ["Audit.AzureActiveDirectory","Audit.Exchange","Audit.SharePoint","Audit.General", "DLP.All"]
  - `Office365 Tenant Id` - The GUID of the tenant e.g. `alazurealertlogic.onmicrosoft.com`
- - `Service Principal ID` - The `Object ID` of the application that created the subscription.
+ - `Service Principal Id` - The `Object ID` of the application that created the subscription.
  You can obtain it from _Azure_ -> _AD_ -> _App registrations_ -> _Your app name_ -> Link under
 _Managed application in local directory_ -> _Properties_ -> _Object ID_
  - `App Client Id` - The GUID of your application that created the subscription.
diff --git a/template.json b/template.json
index 54dac88..24678ea 100644
--- a/template.json
+++ b/template.json
@@ -59,6 +59,7 @@
 "location": "[resourceGroup().location]",
 "resourceGroupName": "[resourceGroup().name]",
 "resourceGroupId": "[resourceGroup().id]",
+ "roleAssignmentId": "[split(resourceGroup().id, '/')[2]]",
 "subscriptionId": "[split(subscription().id, '/')[2]]",
 "tenantId": "[subscription().tenantId]",
 "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
@@ -186,7 +187,7 @@
 },
 {
 "type": "Microsoft.Authorization/roleAssignments",
- "name": "DCE46385-7B6B-4E6B-87ED-F01128900999",
+ "name": "[variables('roleAssignmentId')]",
 "apiVersion": "2015-07-01",
 "properties": {
 "roleDefinitionId": "[variables('contributor')]",

From 042d7c3bb4bc5078f4d345ce51b6d369d0356774 Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Fri, 22 Sep 2017 15:23:06 +0100
Subject: [PATCH 5/7] US63918 - Create RBAC role for app identity via ARM template

---
 template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template.json b/template.json
index 24678ea..65c8d7c 100644
--- a/template.json
+++ b/template.json
@@ -59,7 +59,7 @@
 "location": "[resourceGroup().location]",
 "resourceGroupName": "[resourceGroup().name]",
 "resourceGroupId": "[resourceGroup().id]",
- "roleAssignmentId": "[split(resourceGroup().id, '/')[2]]",
+ "roleAssignmentId": "[guid(subscription().subscriptionId)]",
 "subscriptionId": "[split(subscription().id, '/')[2]]",
 "tenantId": "[subscription().tenantId]",
 "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"

From 2ac34a16adf694b726c09efa7851ccf9401087db Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Fri, 22 Sep 2017 15:55:29 +0100
Subject: [PATCH 6/7] US63918 - Create RBAC role for app identity via ARM template

---
 template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template.json b/template.json
index 65c8d7c..54d8382 100644
--- a/template.json
+++ b/template.json
@@ -59,7 +59,7 @@
 "location": "[resourceGroup().location]",
 "resourceGroupName": "[resourceGroup().name]",
 "resourceGroupId": "[resourceGroup().id]",
- "roleAssignmentId": "[guid(subscription().subscriptionId)]",
+ "roleAssignmentId": "[guid(uniqueString( resourceGroup().id, deployment().name ))]",
 "subscriptionId": "[split(subscription().id, '/')[2]]",
 "tenantId": "[subscription().tenantId]",
 "contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"

From 7d1820b0cba895d3a14a27261aae9db90a6d9d74 Mon Sep 17 00:00:00 2001
From: ikemsley
Date: Mon, 2 Oct 2017 10:07:48 +0100
Subject: [PATCH 7/7] Bump package.json version to 1.0.4

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 6d5dc43..c49e123 100644
--- a/package.json
+++ b/package.json
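Review bot: The final form of `roleAssignmentId`, `guid(uniqueString( resourceGroup().id, deployment().name ))`, ties the assignment name to the deployment name, so a portal redeploy (which gets a fresh auto-generated deployment name) attempts a second assignment of the same role to the same principal at the same scope, and a re-run under the same deployment name with a different `Service Principal Id` attempts to change the principal of an existing assignment; the RBAC service typically rejects both rather than treating them as no-ops. Naming the assignment after the triple that actually defines it, `"roleAssignmentId": "[guid(resourceGroup().id, parameters('Service Principal Id'), variables('contributor'))]"`, makes redeploys idempotent and gives each distinct principal its own assignment. `uniqueString` inside `guid` is also redundant, since `guid()` already hashes its arguments; the `split(resourceGroup().id, '/')[2]` and `guid(subscription().subscriptionId)` forms in the two preceding patches of this series have the same redeploy problem and are superseded here. The enclosing `variables` object starts and ends outside this hunk.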
@@ -1,6 +1,6 @@
 {
 "name": "azure_collector",
- "version": "1.0.3",
+ "version": "1.0.4",
 "dependencies": {
 "async": "*",
 "azure": "^2.0.0-preview",