
Azure Integration

StackGuardian offers two secure methods for connecting your Azure Service Principal, each tailored for different security and operational needs. To create a connector with StackGuardian, follow these steps:

  1. Create StackGuardian App in Azure: Begin by registering your application in Microsoft Entra ID to establish its identity.

  2. Create the Service Principal: After registering the app, configure the service principal using one of the two methods described below: a client secret, or workload identity (OIDC).

Access Verification

After completing the app registration in your Microsoft Entra ID, ensure the application has read-access to your desired subscriptions and that correct credentials are provided to StackGuardian.

Create StackGuardian App in Azure

Step 1: Creating the App Registration

  1. Under Microsoft Entra ID, navigate to App Registrations and click New registration.

  2. Enter the following and click Register:

    • Name: StackGuardianAuth
    • Supported Account Types: Accounts in this organizational directory only

Step 2: Granting Appropriate Permissions to the Application

  1. Navigate to Subscriptions through the search box or the left sidebar.

  2. Click on the subscription you want to deploy into.

  3. Select Access control (IAM) and click Add > Add role assignment.

  4. Choose a suitable role under "Role":

    • "Contributor" provides read and write access.
    • "Reader" offers read-only access.

    Then, under "Select", choose the application created earlier and click "Review + assign".

  5. Repeat this process for any additional subscriptions you want StackGuardian to manage.

Single Connector

The Single Connector approach is suitable for organizations managing a single Azure account. It simplifies the integration process with Azure.

  1. Navigate to Orchestrator > Connectors tab in StackGuardian.
  2. Click on Connect with Cloud Provider and proceed with the Azure configuration.

Completing the Azure Connector Setup

The following methods can be used to connect an Azure Service Principal, catering to different security and operational preferences:

Service Principal with Client Secret

To finalize the connector configuration in StackGuardian using a Client Secret:

  1. Create a Client Secret in Microsoft Entra ID:

    • Navigate to Microsoft Entra ID in the Azure portal.
    • In App Registrations, select the application you created (e.g., StackGuardianAuth).
    • Under Manage > Certificates & Secrets, click New client secret.
    • Provide a Description, select an expiration period, and click Add.
    • Copy the client secret value immediately.

    [Screenshot: Create Client Secret]

  2. Use the Client Secret in StackGuardian’s Azure Connector:

    • Navigate to the Orchestrator tab in StackGuardian and click Connectors.
    • Select Azure and provide:
      • Azure Connector Name
      • Description
      • Tenant ID (Directory ID)
      • Subscription ID
      • Client ID (Application ID)
      • Client Secret Value
    • Enable Periodic Discovery Checks if required.
    • Click Create to finalize.

    [Screenshot: Azure Integration]

Service Principal with Workload Identity

Using Workload Identity via OpenID Connect (OIDC) avoids managing client secrets. It allows StackGuardian to authenticate with Azure using a trusted identity provider.

  1. Create a new App Registration in Azure named sg-oidc-federation-test.

  2. Go to Certificates & secrets > Federated credentials, and click Add credential.

    • Federated Credential Scenario: Select "Other issuer".
    • Issuer: https://api.app.stackguardian.io.
    • Subject Identifier: /orgs/<YOUR_SG_ORG>.
    • Name: An appropriate identifier.
    • Audience: https://api.app.stackguardian.io.

  3. Finalize the Azure Connector configuration in StackGuardian:

    • Provide Tenant ID, Subscription ID, and Client ID.
    • Optionally, enable "Periodic Discovery Checks".
    • Click Create.

    [Screenshot: Workload Identity Azure Connector]
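The federated credential above only works if the token StackGuardian presents carries exactly the issuer, subject and audience you entered. The following is an added Python example (not StackGuardian's or Microsoft's code) that compares a token's claims against those three values locally, so a mismatch can be found before the connector is created; Entra ID additionally verifies the token signature, which this check does not. The token-building helper and the org name placeholder are constructed for the example.

```python
# Added example: locally compare OIDC token claims with the federated credential
# parameters from the steps above. Only the claims are compared; Entra ID also
# validates the signature against the issuer's published keys.
import base64
import json

# Values from the federated credential above; <YOUR_SG_ORG> is a placeholder.
EXPECTED_ISSUER = "https://api.app.stackguardian.io"
EXPECTED_SUBJECT = "/orgs/<YOUR_SG_ORG>"
EXPECTED_AUDIENCES = {"https://api.app.stackguardian.io"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def federated_credential_mismatches(claims: dict, issuer=EXPECTED_ISSUER,
                                    subject=EXPECTED_SUBJECT,
                                    audiences=EXPECTED_AUDIENCES) -> list:
    """List every claim that would make the token exchange fail; empty means OK."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    if claims.get("sub") != subject:  # exact string match, no wildcards
        problems.append(f"sub {claims.get('sub')!r} != {subject!r}")
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])  # aud may be str or list
    if not aud_set & audiences:
        problems.append(f"aud {sorted(aud_set)} has no value in {sorted(audiences)}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (hypothetical helper)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    token = make_unsigned_token({"iss": EXPECTED_ISSUER, "sub": EXPECTED_SUBJECT,
                                 "aud": EXPECTED_ISSUER})
    print(federated_credential_mismatches(jwt_claims(token)))  # []
```

Replace EXPECTED_SUBJECT with the real /orgs/ path of your StackGuardian organization, and paste a token obtained from StackGuardian in place of the constructed one to diagnose a failing connector.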

Group Connector

Group Connectors allow users to connect multiple Azure accounts, simplifying the onboarding process for organizations with multiple accounts.

How Group Connectors Work

  1. Log in to StackGuardian and navigate to the Connectors tab.
  2. Click on Connect with Cloud Provider.
  3. In the modal, select "Connect Multiple Account (Preview)".
  4. Enter a Connector Group Name and Description.
  5. In the Azure Portal:
    • Navigate to App Registrations and select the application.
    • Copy the Application ID (Client ID) and Directory ID (Tenant ID).
    • Enter the Tenant ID and Subscription ID in StackGuardian.
  6. Click Next to view "List of Subscriptions in Azure Tenants".
  7. Choose accounts individually or select "Select All" to include Subscription IDs.
  8. Click Next (Preview) and configure the Global Settings:
    • Tenant ID
    • Client ID
    • Client Secret Value
  9. For each subscription, provide:
    • Azure Connector Name
    • Description
    • Tenant ID
    • Subscription ID
    • Client ID
    • Client Secret Value
  10. Click Add All (Preview).

Enable "Periodic Discovery Checks" for monitoring if needed. Access and edit the Group Connector configuration as required.

[Screenshot: Azure Group Integration]

Compliance and Security Best Practices

  1. Use Role-Based Access Control (RBAC): Ensure roles and permissions are minimal and precise.
  2. Monitor Resources: Enable continuous discovery checks for real-time monitoring of resources.
  3. Use Workload Identity: Prefer this method for higher security, avoiding secret management.

Additional Information

For further details, visit: