Azure

Sysdig supports Microsoft Azure. Prepare your environment, then follow the wizard's prompts to install agentless Cloud Security Posture Management (CSPM), Cloud Detection and Response (CDR), and Vulnerability Host Scanning on Azure. You can connect a single subscription or an entire tenant using Terraform. Azure coverage includes threat detection for Microsoft Entra ID.

You can install Agentless CSPM and/or Agentless CDR.

Prerequisites

  • A Sysdig Secure SaaS account with Admin permissions.

  • Terraform v1.3.1 or later installed on the machine from which you will run the installation.

  • The Azure CLI installed on the same machine.

    For more information, see How to install the Azure CLI.

  • Azure requirements for roles, permissions, and environment, as described in Prepare Your Environment.

Review Azure Roles and Permissions

Review these concepts before preparing your environment and running the installation wizard.

Involved Security Principals

Connecting an Azure environment involves two different security principals:

  • Installer: The primary security principal. It can be a human user performing the installation or the service principal used by your CI/CD pipeline; in some organizations this role is shared by several people. The installer needs specific Entra ID and Azure role-based access control (RBAC) roles to perform the cloud account onboarding.
  • Sysdig: The onboarding process creates a "robot user" in the form of a service principal. It holds a different, less permissive set of roles, which Sysdig uses to read your environment.

Azure Role Types

Azure has two types of roles, and both must be correctly assigned before you can onboard:

  • Entra ID roles, which apply to the entire tenant and control what actions you can take in that tenant.

    For details, see the Azure documentation on Entra ID (formerly Active Directory) roles.

  • Azure RBAC roles, which apply to a subscription or management group and control what actions you can take on that subscription or management group.

    For details, see the Azure documentation on Azure Role-Based Access Control and Assigning Azure Roles in the Azure Portal.

Permissions Required to Install

Entra ID

To perform the installation, the installer principal needs one of the following Entra ID role combinations:

  • Application Administrator and Privileged Role Administrator
    • Application Administrator is required to create a service principal associated with the Sysdig-owned application.

    • Privileged Role Administrator is required to assign the Directory Readers Entra ID role to the created service principal.

  Or

  • Global Administrator, which includes both of the above.

Azure RBAC

In addition, the installer must have the following Azure RBAC permission at every scope (subscription or management group) being onboarded:

  • Microsoft.Authorization/roleAssignments/write
    • This permission is used to assign the Sysdig service principal its roles on the specified subscriptions. The roles assigned are documented below.

Built-in roles that contain this permission are:

  • User Access Administrator
  • Owner

Note that Contributor is not sufficient: its NotActions exclude Microsoft.Authorization/*/Write, so a Contributor cannot create role assignments.

Permissions Granted to Sysdig

The installation creates a service principal that Sysdig uses to access your environment. This service principal is granted the following roles:

Entra ID:

  • Directory Readers - lets Sysdig list users and service principals for CSPM.

Azure RBAC:

  • Reader - lets Sysdig list resources within your subscriptions for CSPM.
  • Custom Role - a custom role that gives Sysdig permission to collect the AuthSettings object required for CSPM.

Prepare Your Environment

Preparation of your Azure environment, roles, and permissions is the key to a seamless connection between your Azure cloud accounts and Sysdig. When preparation is complete, the installation itself is a simple, wizard-guided process from the Sysdig Secure UI.

Use the following steps to prepare for onboarding.

Step 1: Provide User with Appropriate Roles

Log in to Azure and ensure that the principal you log in with has all the necessary roles and permissions required to install.

You can:

  • Use an existing principal who meets the permissions requirements
  • Create a new principal and set up permissions
  • Add permissions to an existing principal

To begin:

  1. Log in to Azure and check your Entra ID roles.

    • Navigate to the Entra ID console and select Roles and administrators.

    • Click Your Role to display the Entra ID roles assigned to your account.

    • Add any missing Entra ID roles. See Permissions Required to Install.

  2. Check your Azure RBAC Roles.

    • For Single Subscriptions:

      • Navigate to Subscriptions.

      • Click the target subscription and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user. See Permissions Required to Install.

    • For Management Groups:

      • Navigate to Management Groups.

      • Click the target Management Group and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user.

      • Add any missing Azure RBAC Role assignments. See Permissions Required to Install.

Extra Step for the Service Principal Installer

This step is required only when the installer is a service principal and you select the Cloud Logs feature with Entra logs enabled. If you disable Entra logs, skip it.

Set Entra ID > Properties > Access management for Azure resources to Yes. This elevates the Global Administrator performing the step to User Access Administrator at the root scope, which is what allows the tenant-level role assignment below; set it back to No once the assignment is in place.

Entra CDR creates Diagnostic Settings at the Entra level, so the service principal needs read and write access at that level. As of May 6, 2024, you cannot assign Azure RBAC roles at the Entra level (scope /providers/Microsoft.aadiam) through the Azure Portal. You can assign them through the API or the CLI as follows:

az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id <OBJECT_ID> --scope "/providers/Microsoft.aadiam" --role Contributor 

<OBJECT_ID> is the object ID of the service principal, shown under Enterprise applications, not the object ID of the app registration shown under App registrations. The two differ, and a role assignment bound to the wrong ID grants the service principal nothing.

Note: You must have the Global Administrator role to assign that role. See Permissions Required to Install.

Step 2: Configure Your Subscriptions

Register the resource provider Microsoft.ManagedServices in each subscription to be onboarded.

For further guidance, see Azure’s registration instructions.

Step 3: Authenticate and Configure Terraform

Configure your environment from your local machine, preparing to apply Terraform.

  1. Ensure the prerequisites are met:

    • Terraform v.1.3.1+ installed
    • Azure CLI installed
  2. Authenticate your user and configure Terraform to use these credentials.

    A common way to do this is:

    1. Ensure you are logged in to the correct Tenant.

      Log in using the Azure CLI:

      az login --tenant "TENANT_ID_OR_DOMAIN"
      

      You will be presented with a web page to select your user account. Be sure to log in as the user you configured in Step 1.

    2. Confirm you are logged in as the correct user, by running:

      az ad signed-in-user show
      

      For alternative ways to authenticate Terraform, see the Terraform documentation: Authenticating to Azure Active Directory and Authenticating to Azure.
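The three preparation steps above can be checked from the same logged-in Azure CLI session before you run Terraform. The script below is an added example for this guide; it is neither Sysdig's code nor part of the Azure CLI. It reads the JSON that az prints (role assignments, role definitions, the Graph memberOf listing, and the resource provider state) and evaluates it against Permissions Required to Install, including the wildcard and NotActions semantics that make Owner and User Access Administrator sufficient and Contributor not. The sample inputs at the bottom are constructed, not taken from a real tenant.

```python
"""Pre-flight check for the installer principal (Steps 1 and 2 above).
Added example for this guide; not Sysdig's code. Evaluates JSON printed by
`az` against "Permissions Required to Install". Sample data is constructed."""
import fnmatch
import json
import subprocess

REQUIRED_ACTION = "Microsoft.Authorization/roleAssignments/write"
# Either combination of Entra ID roles satisfies the requirement.
ENTRA_ROLE_SETS = (
    {"Application Administrator", "Privileged Role Administrator"},
    {"Global Administrator"},
)
REQUIRED_PROVIDER = "Microsoft.ManagedServices"


def action_matches(pattern, action):
    """RBAC action strings are case-insensitive and '*' matches any sequence,
    '/' included, which is why Owner's single '*' covers everything."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants_action(role_def, action):
    """Effective permissions are Actions minus NotActions. Contributor has '*'
    but excludes Microsoft.Authorization/*/Write, so it cannot assign roles."""
    perms = role_def.get("permissions", [])
    allowed = any(action_matches(p, action) for perm in perms for p in perm.get("actions", []))
    denied = any(action_matches(p, action) for perm in perms for p in perm.get("notActions", []))
    return allowed and not denied


def has_rbac_write(assignments, role_defs, action=REQUIRED_ACTION):
    """assignments: `az role assignment list --assignee <id> --scope <scope> --include-inherited`
    role_defs: roleName -> definition from `az role definition list`."""
    return any(role_grants_action(role_defs.get(a["roleDefinitionName"], {}), action)
               for a in assignments)


def entra_roles_ok(member_of):
    """member_of: the .value list of `az rest --url https://graph.microsoft.com/v1.0/me/memberOf`.
    Only activated directory roles appear; a PIM-eligible role that has not been
    activated does not count, and would not work during terraform apply either."""
    roles = {m.get("displayName") for m in member_of
             if m.get("@odata.type") == "#microsoft.graph.directoryRole"}
    return any(required <= roles for required in ENTRA_ROLE_SETS)


def provider_registered(provider):
    """provider: `az provider show --namespace Microsoft.ManagedServices`."""
    return provider.get("registrationState") == "Registered"


def preflight(member_of, assignments, role_defs, provider):
    """One boolean per requirement; all must be True before running terraform apply."""
    return {
        "entra_roles": entra_roles_ok(member_of),
        "rbac_role_assignment_write": has_rbac_write(assignments, role_defs),
        "managed_services_provider": provider_registered(provider),
    }


def az(*args):
    """Run the Azure CLI and parse its JSON output (live mode; requires az login)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def live_preflight(scope):
    """scope: /subscriptions/<id> or /providers/Microsoft.Management/managementGroups/<id>.
    For a service principal installer, query /servicePrincipals/<id>/memberOf instead of /me."""
    me = az("ad", "signed-in-user", "show")
    member_of = az("rest", "--url", "https://graph.microsoft.com/v1.0/me/memberOf")["value"]
    assignments = az("role", "assignment", "list", "--assignee", me["id"],
                     "--scope", scope, "--include-inherited")
    role_defs = {d["roleName"]: d for d in az("role", "definition", "list")}
    provider = az("provider", "show", "--namespace", REQUIRED_PROVIDER)
    return preflight(member_of, assignments, role_defs, provider)


# Constructed sample data (not a real tenant): the user holds both required
# Entra roles, plus Contributor and User Access Administrator on the subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Application Administrator"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Privileged Role Administrator"},
]
SAMPLE_ROLE_DEFS = {
    "Owner": {"permissions": [{"actions": ["*"], "notActions": []}]},
    "Contributor": {"permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"]}]},
    "User Access Administrator": {"permissions": [{"actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "notActions": []}]},
}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "User Access Administrator", "scope": SUB},
]
SAMPLE_PROVIDER = {"namespace": REQUIRED_PROVIDER, "registrationState": "Registered"}

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_MEMBER_OF, SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFS, SAMPLE_PROVIDER), indent=2))
```

Run live_preflight("/subscriptions/<id>") from the shell in which az login succeeded; each False maps to one of the fixes in Step 1 or Step 2. Graph returns memberOf in pages of 100 objects and az rest does not follow @odata.nextLink, so a principal that belongs to many groups may need the remaining pages fetched before the directory roles are visible.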

Install using Wizard

To install agentless CSPM and/or CDR, follow the Wizard Quick Start.

  1. Log in and authenticate in Azure, per the Preparation steps above.

  2. Log in to Sysdig Secure as admin, select Integrations > Cloud Accounts | Azure, and click +Add Azure Account.

  3. Choose the features to install. You can install agentless CDR only; in all other cases, every agentless Azure installation includes CSPM.

  4. All features are selected by default. Deselect individual features if desired:

    • Cloud Detection and Response (CDR)

    • Vulnerability Host Scanning

    and click Next.

  5. Select which installation method matches your enterprise and click Next.

    • Tenant Multi-Subscription: Configure Azure for a tenant.
    • Single Subscription: Configure Azure for a single subscription.
  6. The Installation screen appears. Specify the following in the wizard:

    • Subscription ID: The ID of the Azure subscription where Sysdig resources will be created.
    • Tenant ID: The ID of the Entra ID tenant you want to connect.
    • Management Groups: To onboard your entire Tenant, enter your Root Management Group ID. To onboard a subset, enter the Management Group IDs in a comma separated list. Check your groups using the wizard link, if needed.

    The wizard auto-populates a Terraform code snippet, including the autodetected Sysdig Secure endpoint and a Sysdig Secure API token. The token is a credential: keep main.tf out of version control, or move the token into a Terraform variable supplied from the environment before committing.

  7. Create a file called main.tf.

  8. Copy the code snippet from the Wizard into the file, then run terraform init && terraform apply. Review the planned resources before confirming the apply.

  9. Return to the wizard and click Complete.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. Events may take 10 minutes or so to collect and display. To validate the successful connection of each of the chosen features:

  1. In Sysdig Secure, select Integrations > Cloud Accounts > Azure.
  2. The Status column shows the overall connection status (Connected/Partial Error/Error/Unknown).

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and filter by subscription. Check that your Azure cloud account appears in the drop-down.
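Besides confirming that data arrives, it is worth confirming that the robot service principal holds exactly the roles listed under Permissions Granted to Sysdig and nothing more. The script below is an added example for this guide, not Sysdig's code. It reads the service principal's directory roles and Azure role assignments from the Azure CLI's JSON output, resolves the service principal object ID from the application ID (the distinction that the Extra Step warns about), and reports anything missing or extra. The custom role name and action in the sample data are hypothetical; the page does not document the real custom role's contents.

```python
"""Least-privilege audit of the Sysdig service principal after onboarding.
Added example for this guide; not Sysdig's code. Compares the roles the robot
service principal holds with "Permissions Granted to Sysdig". Sample data is
constructed, including the custom role name and its action."""
import json
import subprocess

EXPECTED_ENTRA_ROLES = {"Directory Readers"}
EXPECTED_BUILTIN_RBAC = {"Reader"}
# Contributor at this scope is legitimate only when Entra CDR logs are enabled
# (see "Extra Step for the Service Principal Installer").
ENTRA_LOG_SCOPE = "/providers/Microsoft.aadiam"


def audit_entra(member_of):
    """member_of: the .value list of
    `az rest --url https://graph.microsoft.com/v1.0/servicePrincipals/<OBJECT_ID>/memberOf`."""
    roles = {m["displayName"] for m in member_of
             if m.get("@odata.type") == "#microsoft.graph.directoryRole"}
    findings = [f"missing Entra ID role: {r}" for r in sorted(EXPECTED_ENTRA_ROLES - roles)]
    findings += [f"unexpected Entra ID role: {r}" for r in sorted(roles - EXPECTED_ENTRA_ROLES)]
    return findings


def audit_rbac(assignments, role_defs, onboarded_scopes, entra_logs_enabled):
    """assignments: `az role assignment list --assignee <OBJECT_ID> --all`
    role_defs: roleName -> definition from `az role definition list`
    onboarded_scopes: subscription or management group scopes you onboarded."""
    allowed = {s.lower() for s in onboarded_scopes}
    findings, reader_seen = [], False
    for a in assignments:
        name, scope = a["roleDefinitionName"], a["scope"]
        definition = role_defs.get(name, {})
        if name in EXPECTED_BUILTIN_RBAC:
            reader_seen = True
            if scope.lower() not in allowed:
                findings.append(f"{name} assigned outside onboarded scopes: {scope}")
        elif name == "Contributor" and scope.lower() == ENTRA_LOG_SCOPE.lower():
            if not entra_logs_enabled:
                findings.append("Contributor on /providers/Microsoft.aadiam although Entra logs are disabled")
        elif definition.get("roleType") == "CustomRole":
            # The documented custom role only collects AuthSettings. Reads and
            # list/action calls are expected there; write or delete is not.
            for perm in definition.get("permissions", []):
                for act in perm.get("actions", []):
                    if act.lower().endswith(("/write", "/delete")):
                        findings.append(f"custom role {name} can modify resources: {act}")
        else:
            findings.append(f"unexpected role {name} at {scope}")
    if not reader_seen:
        findings.append("Reader role not assigned")
    return findings


def audit(member_of, assignments, role_defs, onboarded_scopes, entra_logs_enabled=True):
    """An empty list means the principal holds exactly the documented permissions."""
    return audit_entra(member_of) + audit_rbac(assignments, role_defs, onboarded_scopes, entra_logs_enabled)


def az(*args):
    """Run the Azure CLI and parse its JSON output (live mode; requires az login)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def live_audit(app_id, onboarded_scopes, entra_logs_enabled=True):
    """app_id: Application (client) ID of the Sysdig enterprise application.
    `az ad sp show --id` accepts an app ID and returns the service principal; its
    `id` is the object ID that role assignments bind to, not the app registration's."""
    sp_id = az("ad", "sp", "show", "--id", app_id)["id"]
    member_of = az("rest", "--url",
                   f"https://graph.microsoft.com/v1.0/servicePrincipals/{sp_id}/memberOf")["value"]
    # --all covers the current subscription; the Entra-level scope is queried separately.
    assignments = az("role", "assignment", "list", "--assignee", sp_id, "--all")
    assignments += az("role", "assignment", "list", "--assignee", sp_id, "--scope", ENTRA_LOG_SCOPE)
    role_defs = {d["roleName"]: d for d in az("role", "definition", "list")}
    return audit(member_of, assignments, role_defs, onboarded_scopes, entra_logs_enabled)


# Constructed sample data: one subscription onboarded, plus a stray Contributor assignment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_MEMBER_OF = [{"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Directory Readers"}]
SAMPLE_ROLE_DEFS = {
    "Reader": {"roleType": "BuiltInRole"},
    "Contributor": {"roleType": "BuiltInRole"},
    # Hypothetical name and action for the Sysdig custom role.
    "sysdig-authsettings-reader": {"roleType": "CustomRole",
                                   "permissions": [{"actions": ["Microsoft.Web/sites/config/list/action"]}]},
}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "sysdig-authsettings-reader", "scope": SUB},
    {"roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MEMBER_OF, SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFS, [SUB]):
        print("FINDING:", finding)
```

Against the sample data the only finding is the Contributor assignment on the subscription, which the documented role set does not include. Run live_audit with the application ID of the Sysdig enterprise application and the list of scopes you entered in the wizard; for a tenant onboarding pass the management group scopes, since Reader is then assigned there rather than per subscription.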