Xavier Garceau-Aranda edited this page Aug 19, 2019 · 32 revisions

Azure

Authentication

There are a number of ways to run Scout against an Azure tenant.

azure-cli

  1. On most systems, you can install azure-cli using pip install azure-cli.
  2. Log into an account. The easiest way to do this is with az login (for more authentication methods, refer to https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest).
  3. Run Scout with the --cli flag.

User Credentials

  1. Run Scout using --user-account.
  2. Scout will prompt you for your credentials.

Managed Service Identity

  1. Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/)
  2. Run Scout with the --msi flag.

Service Principal

  1. Set up a service principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
  2. Run Scout with the --service-principal flag.
  3. Scout will prompt you for the required information.

File-Based Authentication

  1. Create a Service Principal for the Azure SDK. You can do this with azure-cli by running:
     az ad sp create-for-rbac --sdk-auth > mycredentials.json
  2. Run Scout while providing it with the credentials file using --azure-file-auth path/to/mycredentials.json.
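
A pre-flight check for the credentials file, as an added example that is not part of Scout or of this wiki: mycredentials.json holds the service principal's client secret in plaintext, and the shell redirect creates it with whatever the current umask allows. The function name is hypothetical, the field names are the ones az writes with --sdk-auth, and POSIX permission bits are assumed.

```python
import json
import os
import stat
import sys

# Fields the file-based flow needs from the `--sdk-auth` JSON output.
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")


def check_credentials_file(path):
    """Return a list of problems with an --sdk-auth credentials file (empty if none)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    problems = []
    # The file stores the client secret in plaintext, so only the owner
    # should have any access (assumes POSIX permission bits).
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:04o} exposes the secret to group/other; chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except ValueError as exc:
        # A failed `az ... > file` still leaves an empty or partial file behind.
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"]
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {key}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_creds.py path/to/mycredentials.json")
    found = check_credentials_file(sys.argv[1])
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Running it before Scout catches both a world-readable secret and the empty file that a failed az command leaves behind the redirect.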

Permissions

Scout will require the Reader role over all the resources to assess.

The easiest way is to authenticate with a principal that has this role over the target Subscription, as it will be inherited on all the resources.

MFA

To run Scout against Azure with an MFA-enabled account, you must use the Azure CLI. To do this, first install the CLI: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest. Then use az login to log the CLI into your account. This will open a web browser and let you log in.

Once this is done, you can run Scout with the Azure --cli option.

Please note that there is currently no mechanism to log in with MFA without a web browser.
