# Azure Cloud

## Overview

This guide explains what capabilities StrongDM provides for managing command-line access to the Azure cloud. It also provides setup and configuration instructions to add Azure as a resource in StrongDM and begin using StrongDM to control access for users who reach your cloud via the Azure CLI. Users authenticate to StrongDM; StrongDM then connects to Azure with the service principal credential you configure, so everyone who uses the resource acts with exactly the permissions granted to that service principal on the Azure side.

In addition to access control and auditing, Azure access through StrongDM can be a part of a variety of use cases and access control methodologies:

* **Least Privilege**: For Azure clouds, least privilege is accomplished by setting up multiple Azure cloud resources in StrongDM. Each resource connects to Azure with a different service principal that has been granted only the role and scope its users need (for example, a Reader-only resource and a Contributor resource scoped to a single resource group).
* **Just-in-Time Access**: StrongDM users are able to use any access workflows you set up to request access to Azure, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the [Access Workflows](/admin/access/access-workflows.md) section.

{% hint style="info" %}
To avoid confusion during access requests, if there are multiple Azure cloud resources in StrongDM, it may be useful to name them in such a way that indicates the level of access, so that users know the name of the resource to request.
{% endhint %}

* **Context-Based Policy**: StrongDM policies that restrict or enable users' ability to connect to Azure cloud resources based on their context can be used to limit availability of your Azure CLI to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the [Policies](/admin/access/policies.md) section.

{% hint style="info" %}
Note that this is the method by which to set up your Azure cloud as a resource in StrongDM, and manage it with the Azure CLI utility. If you intend to connect to a specific Azure-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
{% endhint %}

## Limitations

The Azure driver does nothing to limit privilege escalation. Every user granted the resource acts as the configured service principal, so it is the responsibility of the resource creator not to provide credentials that can be used to create more credentials: avoid roles that can create role assignments (such as Owner or User Access Administrator) or add credentials to applications, and scope the role assignment as narrowly as the use case allows.
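To make that limitation concrete, here is an added example (not StrongDM's code) that reviews the service principal's role assignments before its credential is placed in a StrongDM resource. It expects the JSON produced by `az role assignment list --assignee <APP_ID> --all -o json` and flags the built-in roles that can create further role assignments (Owner, User Access Administrator, Role Based Access Control Administrator), plus any assignment wider than a single subscription. The sample input is constructed and the GUIDs are placeholders. Microsoft Entra directory roles such as Application Administrator can also add credentials to applications and do not appear in RBAC assignment output, so check those separately.

```python
"""Added example (not StrongDM's code): flag role assignments that would let the
service principal behind a StrongDM Azure resource hand out more access.

Input is the JSON printed by:
    az role assignment list --assignee <APP_ID> --all -o json
Only the roleDefinitionName and scope fields of each assignment are used.
"""
import json
from typing import Dict, List, Tuple

# Built-in roles that can create role assignments at their scope, i.e. mint
# access for new identities. Any of these violates the "no credentials that
# create credentials" rule from the Limitations section.
ROLE_GRANTING_ROLES = {
    "Owner",
    "User Access Administrator",
    "Role Based Access Control Administrator",
}


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"  # "/" covers every subscription in the tenant
    if parts[0] == "providers" and "managementGroups" in parts:
        return "management-group"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resource-group"
        return "resource"
    return "unknown"


def find_escalation_paths(assignments: List[Dict]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        kind = scope_kind(scope)
        if role in ROLE_GRANTING_ROLES:
            findings.append(("high", f"{role} at {kind} scope {scope}: can create role assignments"))
        elif kind in ("root", "management-group"):
            findings.append(("warn", f"{role} at {kind} scope {scope}: wider than one subscription"))
    return findings


def check(raw_json: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for the raw text of `az role assignment list -o json`."""
    return find_escalation_paths(json.loads(raw_json))


# Constructed sample in the shape of `az role assignment list` output; the
# subscription GUID is a placeholder, not a real subscription.
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
])

if __name__ == "__main__":
    import sys
    # Pass a file saved from the az command as the first argument, or run the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for severity, message in check(raw) or [("ok", "no escalation-capable assignments found")]:
        print(f"[{severity}] {message}")
```

Run it against the real output once per service principal, and again whenever the assignment changes; a "high" finding means the credential should not be attached to a StrongDM resource at all, while a "warn" finding is worth a second look at whether the scope is intended.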

## Azure Cloud Properties

Azure resources support the Azure CLI (`az`).

In StrongDM, there are two types of Azure cloud resources: **Azure**, which authenticates the service principal with a password (client secret); and **AzureCertificate**, which authenticates it with a PEM file containing both the private key and the certificate.

Both **Azure** and **AzureCertificate** cloud types always bind to port 65113.

## Prerequisites

* In StrongDM, you must have the Admin [permission level](/admin/access/permission-level.md).
* You must have administrator access to your Azure cloud environment and be familiar with the Azure CLI (`az`).
* Your Azure Active Directory (Microsoft Entra ID) account must have permission to create a service principal and to assign the Azure role you intend to grant it.
* You must have the Azure CLI [downloaded and installed](https://docs.microsoft.com/en-us/cli/azure/).

## Resource Configuration in Azure

### Generate credentials

1. Log in to Azure (`az login`) with an account that is allowed to create service principals and to assign the role you intend to grant.
2. Decide which type of sign-in authentication the service principal should use: password-based (for the **Azure** cloud type) or certificate-based (for the **AzureCertificate** cloud type).
3. Create the service principal with the matching `az ad sp create-for-rbac` command below. Grant the least privileged role at the narrowest scope that the users of this resource need; the role assignment is shared by everyone who connects through the resource.

#### **Create a service principal with a password**

1. Use the following command, being sure to replace the placeholders with the actual values:

   ```shell
   az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --scopes <SCOPES>
   ```

   For example, your command may look like this (the subscription ID is a placeholder):

   ```shell
   az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000
   ```
2. From the output, copy the `appId`, `tenant`, and `password` values. You need them later when setting up the **Azure** cloud type in StrongDM. The `password` cannot be retrieved later; if it is lost, generate a new one with `az ad sp credential reset --id <APP_ID>` and update the StrongDM resource.

   Your example output may look similar to this:

   ```json
   {
     "appId": "myAppId",
     "displayName": "myDisplayName",
     "name": "http://myName",
     "password": "generatedPassword",
     "tenant": "myTenantId"
   }
   ```

#### **Create a service principal with a self-signed certificate**

1. Use the following command with the `--create-cert` argument, being sure to replace the placeholders with the actual values (current versions of the Azure CLI require `--scopes` whenever `--role` is given):

   ```shell
   az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role <ROLE_NAME> --scopes <SCOPES> --create-cert
   ```

   For example, your command may look like this (the subscription ID is a placeholder):

   ```shell
   az ad sp create-for-rbac --name ExampleName --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000 --create-cert
   ```
2. From the output, copy the `appId` and `tenant` values and note the path in `fileWithCertAndPrivateKey`. Copy the entire contents of that PEM file, which includes both the private key and the certificate. You need them later when setting up the **AzureCertificate** cloud type in StrongDM. The PEM file is the only copy of the private key, so treat it as a secret and remove it from the workstation once it has been stored in StrongDM or your secret store.

   Your example output may look similar to this:

   ```json
   {
     "appId": "myAppId",
     "displayName": "myDisplayName",
     "name": "http://myName",
     "fileWithCertAndPrivateKey": "C:\\myPath\\myNewFile.pem",
     "password": null,
     "tenant": "myTenantId"
   }
   ```

   Example contents of the new PEM file:

   ```
   -----BEGIN PRIVATE KEY-----
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
   -----END PRIVATE KEY-----
   -----BEGIN CERTIFICATE-----
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0l6E0MVSYnEXD...
   -----END CERTIFICATE-----
   ```
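Before pasting these values into StrongDM, it is worth checking that they are what the chosen cloud type expects. The following added example (not StrongDM's or Microsoft's code) validates the `az ad sp create-for-rbac` output for either flow: `appId` and `tenant` must be GUIDs, the password flow must carry a `password`, and the PEM from `--create-cert` must contain both a private key block and a certificate block, which is what the **AzureCertificate** type requires. The sample output and PEM are constructed; the DER bodies are a minimal stand-in, not real key material.

```python
"""Added example (not StrongDM's or Microsoft's code): sanity-check the output
of `az ad sp create-for-rbac` before the values go into a StrongDM Azure
(password) or AzureCertificate resource.
"""
import base64
import re
from typing import Dict, List, Optional

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(pem_text: str) -> Dict[str, bytes]:
    """Map each PEM label to its DER bytes, rejecting blocks that do not decode
    to a DER SEQUENCE (every key and certificate encoding starts with one)."""
    blocks = {}
    for label, body in PEM_BLOCK_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block is not DER")
        blocks[label] = der
    return blocks


def check_sp_output(output: Dict, pem_text: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the values are usable.
    Pass pem_text for the certificate flow and omit it for the password flow."""
    problems = []
    for key in ("appId", "tenant"):
        if not GUID_RE.match(str(output.get(key, ""))):
            problems.append(f"{key} is not a GUID")
    if pem_text is None:
        if not output.get("password"):
            problems.append("password flow selected but output has no password")
        return problems
    labels = set(pem_blocks(pem_text))
    if not labels & PRIVATE_KEY_LABELS:
        problems.append("PEM has no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("PEM has no certificate block")
    if output.get("password"):
        problems.append("certificate flow, but the principal also has a password; reset it")
    return problems


# Constructed samples. GUIDs are placeholders and the DER body is a minimal
# SEQUENCE { INTEGER 1 }, a stand-in for real key and certificate material.
_DER_STUB = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_PEM = (
    f"-----BEGIN PRIVATE KEY-----\n{_DER_STUB}\n-----END PRIVATE KEY-----\n"
    f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
)
SAMPLE_PASSWORD_OUTPUT = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "sdm-azure-example",
    "password": "generatedPassword",
    "tenant": "66666666-7777-8888-9999-000000000000",
}
SAMPLE_CERT_OUTPUT = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "sdm-azure-example",
    "fileWithCertAndPrivateKey": "/tmp/sdm-azure-example.pem",
    "password": None,
    "tenant": "66666666-7777-8888-9999-000000000000",
}

if __name__ == "__main__":
    print("password flow:", check_sp_output(SAMPLE_PASSWORD_OUTPUT) or "ok")
    print("certificate flow:", check_sp_output(SAMPLE_CERT_OUTPUT, SAMPLE_PEM) or "ok")
```

In practice you would load the JSON the command printed with `json.load` and read the file named in `fileWithCertAndPrivateKey`; the DER check only confirms the base64 is intact, not that the key is strong or the certificate valid, which `az` already guarantees for a freshly created pair.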

## Resource Configuration in StrongDM

This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

{% tabs %}
{% tab title="Admin UI" %}
**Set up and Manage With the Admin UI**

If using the Admin UI to add the resource to StrongDM, use the following steps.

1. Log in to the Admin UI and go to **Resources** > **Managed Resources**.
2. Click **Add Resource**.
3. For **Resource Type**, set either **Azure (Password)** (if you are using password-based authentication) or **Azure (Certificate)** (if you are using certificate-based authentication).
4. Set all other required [resource properties](#resource-properties).
5. Click **Create** to save the resource.
6. Click the resource name to view status, diagnostic information, and setting details. After the resource is created, the Admin UI displays it as unhealthy until the health checks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status.

{% endtab %}

{% tab title="CLI" %}
**Set up and Manage With the CLI**

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation.

1. In your terminal or Command Prompt, log in to StrongDM:

   ```sh
   sdm login
   ```
2. Run `sdm admin clouds add azure --help` or `sdm admin clouds add azurecert --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them.

   ```
   $ sdm admin clouds add azure --help
   NAME:
      sdm admin clouds add azure - create Azure (Password) cloud

   USAGE:
      sdm admin clouds add azure [command options] <name>

   OPTIONS:
      --app-id value                             the application ID to authenticate with (required, secret)
      --bind-interface value                     IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default")
      --egress-filter value                      apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
      --password value                           service principal password (required, secret)
      --port-override value                      Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1)
      --proxy-cluster-id value                   proxy cluster id
      --secret-store-id value                    secret store id
      --subdomain value, --bind-subdomain value  DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.<your-org-name>.<sdm-proxy-domain>"). Only applicable to HTTP-based resources or resources using virtual networking mode.
      --tags value                               tags e.g. 'key=value,...'
      --template, -t                             display a JSON template
      --tenant-id value                          the tenant ID to authenticate to (required, secret)
      --timeout value                            set time limit for command

   $ sdm admin clouds add azurecert --help
   NAME:
      sdm admin clouds add azurecert - create Azure (Certificate) cloud

   USAGE:
      sdm admin clouds add azurecert [command options] <name>

   OPTIONS:
      --app-id value                             the application ID to authenticate with (required, secret)
      --bind-interface value                     IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default")
      --certificate value                        service Principal certificate file, both private and public key (required, secret)
      --egress-filter value                      apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
      --port-override value                      Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1)
      --proxy-cluster-id value                   proxy cluster id
      --secret-store-id value                    secret store id
      --subdomain value, --bind-subdomain value  DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.<your-org-name>.<sdm-proxy-domain>"). Only applicable to HTTP-based resources or resources using virtual networking mode.
      --tags value                               tags e.g. 'key=value,...'
      --template, -t                             display a JSON template
      --tenant-id value                          the tenant ID to authenticate to (required, secret)
      --timeout value                            set time limit for command
   ```
3. Then run `sdm admin clouds add azure|azurecert <RESOURCE_NAME>` and set all required properties with their values. For example (the IDs below are placeholders):

   ```
   # Add an Azure (Password) cloud
   # Passing --password on the command line leaves the secret in shell history;
   # with --secret-store-id set, the secret-valued options instead hold the path
   # to the secret inside that store.
   $ sdm admin clouds add azure "azure-cloud-prod" \
     --app-id "6d3e9e32-2b7c-4ac8-bd61-6f1a0b123abc" \
     --tenant-id "72f988bf-86f1-41af-91ab-2d7cd011db47" \
     --password "SuperSecretServicePrincipalPassword!" \
     --bind-interface "default" \
     --port-override -1 \
     --egress-filter 'field:name tag:env=prod tag:region=us-east' \
     --proxy-cluster-id "plc_abcdef1234567890" \
     --subdomain "azure-cloud-prod01" \
     --tags "env=prod,cloud=azure,auth=service-principal,team=platform" \
     --timeout 30

   # Add an Azure (Certificate) cloud; --certificate takes the PEM file
   # produced by --create-cert, which holds both the private key and certificate
   $ sdm admin clouds add azurecert "azure-cert-prod" \
     --app-id "d10b2c41-5e32-4a89-98f6-45c11f123abc" \
     --tenant-id "72f988bf-86f1-41af-91ab-2d7cd011db47" \
     --certificate "/etc/strongdm/certs/azure_sp_cert.pem" \
     --bind-interface "default" \
     --port-override -1 \
     --egress-filter 'field:name tag:env=prod tag:region=us-east' \
     --proxy-cluster-id "plc_abcdef1234567890" \
     --subdomain "azure-cert-prod01" \
     --tags "env=prod,cloud=azure,auth=certificate,team=platform" \
     --timeout 30
   ```
4. Check that the resource has been added. The output of the following command should show the resource's name:

   ```sh
   sdm admin clouds list
   ```

{% endtab %}

{% tab title="Terraform" %}
**Set up and Manage With Terraform**

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation.

```hcl
# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "16.5.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # API access key and secret key come from the Admin UI. Prefer leaving these
  # unset and exporting SDM_API_ACCESS_KEY / SDM_API_SECRET_KEY in the
  # environment so the keys are not committed alongside the configuration.
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Azure (Password) cloud
resource "sdm_resource" "azure_cloud_prod" {
  azure {
    # Required
    name       = "azure-cloud-prod"                         # <name>
    app_id     = "6d3e9e32-2b7c-4ac8-bd61-6f1a0b123abc"     # --app-id (Service Principal Application/Client ID)
    tenant_id  = "72f988bf-86f1-41af-91ab-2d7cd011db47"     # --tenant-id (Directory/Tenant ID)
    password   = "SuperSecretServicePrincipalPassword!"      # --password (use a secret store, or a variable marked sensitive = true, in production)

    # Common networking options
    bind_interface = "default"                               # --bind-interface ("default" | "loopback" | "vnm")
    port_override  = -1                                      # --port-override (-1 = auto-allocate)
    egress_filter  = "field:name tag:env=prod tag:region=us-east"  # --egress-filter
    subdomain      = "azure-cloud-prod01"                    # --subdomain / --bind-subdomain (optional, VN/HTTP-only)

    # Optional integrations
    proxy_cluster_id = "plc_abcdef1234567890"                # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"                 # --secret-store-id (recommended for secrets)

    # Tags
    tags = {                                                 # --tags
      env   = "prod"
      cloud = "azure"
      auth  = "service-principal"
      team  = "platform"
    }
  }
}

# Create Azure (Certificate) cloud
resource "sdm_resource" "azure_cert_cloud_prod" {
  azure_certificate {
    # Required
    name        = "azure-cert-prod"                          # <name>
    app_id      = "d10b2c41-5e32-4a89-98f6-45c11f123abc"     # --app-id
    tenant_id   = "72f988bf-86f1-41af-91ab-2d7cd011db47"     # --tenant-id
    certificate = file("/etc/strongdm/certs/azure_sp_cert.pem")  # --certificate (PEM with private key + certificate from --create-cert)

    # Common networking options
    bind_interface = "default"                               # --bind-interface
    port_override  = -1                                      # --port-override
    egress_filter  = "field:name tag:env=prod tag:region=us-east"  # --egress-filter
    subdomain      = "azure-cert-prod01"                     # --subdomain / --bind-subdomain (optional)

    # Optional integrations
    proxy_cluster_id = "plc_abcdef1234567890"                # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"                 # --secret-store-id (recommended for certs)

    # Tags
    tags = {
      env   = "prod"
      cloud = "azure"
      auth  = "certificate"
      team  = "platform"
    }
  }
}
```

{% endtab %}

{% tab title="SDKs" %}
**Set up and Manage With SDKs**

In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples.

| Language | API reference                                                            | SDK                                                                    | Examples                                                                        |
| -------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| Go       | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v17) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go)         | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples)         |
| Java     | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/)            | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java)     | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples)     |
| Python   | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/)            | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) |
| Ruby     | [RubyDoc](https://www.rubydoc.info/gems/strongdm)                        | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby)     | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples)     |

{% endtab %}
{% endtabs %}

## Resource Properties

{% tabs %}
{% tab title="Azure (Password)" %}
The **Azure (Password)** cloud type has the following properties.

| Property              | Requirement | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| --------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Display Name**      | Required    | Enter a meaningful name for this resource; this name displays throughout StrongDM; do not include special characters like quotes (") or angle brackets (< or >)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Resource Type**     | Required    | **Azure (Password)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **Proxy Cluster**     | Required    | Defaults to "None (use gateways)"; if using [proxy clusters](/admin/networking/proxy-clusters.md), select the appropriate cluster to proxy traffic to this resource                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Connectivity Mode** | Required    | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) enabled for your organization                                                                                                                                                                                                                                                                                                                                       |
| **IP Address**        | Optional    | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) and/or [multi-loopback mode](/admin/clients/client-networking/loopback-ip-ranges.md) is enabled for your organization |
| **Port Override**     | Optional    | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](/admin/resources/port-overrides.md)                                                            |
| **DNS**               | Optional    | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`)                                                                                                                                                                                                                                                                                                                                                                                                        |
| **Secret Store**      | Optional    | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **App ID** | Required | Set the `appId` copied from the password-based service principal output |
| **Password**          | Required    | Set the `password` key copied from the password-based service principal output                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **TenantID**          | Required    | Set the `tenant` copied from the service principal output                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

{% endtab %}

{% tab title="Azure (Certificate)" %}
The **Azure (Certificate)** cloud type has the following properties.

| Property              | Requirement | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| --------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Display Name**      | Required    | Enter a meaningful name for this resource; this name displays throughout StrongDM; do not include special characters like quotes (") or angle brackets (< or >)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Resource Type**     | Required    | **Azure (Certificate)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **Proxy Cluster**     | Required    | Defaults to "None (use gateways)"; if using [proxy clusters](/admin/networking/proxy-clusters.md), select the appropriate cluster to proxy traffic to this resource                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Connectivity Mode** | Required    | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) is enabled for your organization |
| **IP Address**        | Optional    | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) and/or [multi-loopback mode](/admin/clients/client-networking/loopback-ip-ranges.md) is enabled for your organization |
| **Port Override**     | Optional    | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](/admin/resources/port-overrides.md)                                                            |
| **DNS**               | Optional    | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`)                                                                                                                                                                                                                                                                                                                                                                                                        |
| **Secret Store**      | Optional    | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **App ID**            | Required    | Set the `appId` value from the output of the command that created the certificate-based service principal |
| **Certificate**       | Required    | Paste the entire contents of the PEM file generated for the service principal with a self-signed certificate; the file must contain both the private key and the certificate |
| **TenantID**          | Required    | Set the `tenant` value from the same service principal output |

{% endtab %}
{% endtabs %}
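A structural check on the PEM file before it goes into the **Certificate** field, as an added example (not StrongDM's or Microsoft's code). It assumes the file is the one written by `az ad sp create-for-rbac --create-cert`, a PKCS#8 `PRIVATE KEY` block followed by a `CERTIFICATE` block, and treats a passphrase-protected `ENCRYPTED PRIVATE KEY` as unusable because nothing in StrongDM can supply the passphrase (an assumption, not something this page states). It checks markers only; it does not prove that the key and certificate belong together, which `openssl x509` and `openssl pkey` can do.

```shell
# Added example, not StrongDM's code: sanity-check the service-principal PEM
# before pasting it into the Certificate field. The field needs one file that
# carries both the private key and the certificate.
#
# check_sp_pem FILE  -> exit 0 if all of the following hold:
#   * every "-----BEGIN X-----" has a matching "-----END X-----"
#   * exactly one private key block (PRIVATE KEY, RSA PRIVATE KEY or EC PRIVATE KEY)
#   * the key is not an ENCRYPTED PRIVATE KEY (assumption: a passphrase cannot be
#     supplied through StrongDM, so such a key is unusable here)
#   * at least one CERTIFICATE block
# Otherwise exit 1 and list the problems on stderr. CRLF files are tolerated.
check_sp_pem() {
  awk '
    function label(line) {
      sub(/^-----(BEGIN|END) /, "", line); sub(/-----$/, "", line); return line
    }
    function fail(msg) { print "pem check: " msg > "/dev/stderr"; bad = 1 }
    BEGIN { bad = 0; open = "" }
    { sub(/\r$/, "") }                      # strip Windows line endings
    /^-----BEGIN / {
      if (open != "") fail("unterminated block: " open)
      open = label($0); next
    }
    /^-----END / {
      l = label($0)
      if (l != open) fail("END " l " does not match BEGIN " (open == "" ? "(none)" : open))
      else seen[l]++
      open = ""; next
    }
    END {
      if (open != "") fail("unterminated block: " open)
      keys = seen["PRIVATE KEY"] + seen["RSA PRIVATE KEY"] + seen["EC PRIVATE KEY"]
      if (seen["ENCRYPTED PRIVATE KEY"] > 0) fail("private key is passphrase-encrypted")
      if (keys != 1) fail("expected exactly one private key block, found " keys)
      if (seen["CERTIFICATE"] < 1) fail("no CERTIFICATE block")
      exit bad
    }
  ' "$1"
}

# Typical use:  check_sp_pem ./sp-cert.pem && pbcopy < ./sp-cert.pem
```

Run it against the file `az` wrote; a non-zero exit with `pem check:` lines on stderr means the file is not what the field expects (for example, only the certificate was exported, or the key was encrypted afterwards).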

## Logs

Access to an Azure cloud resource is logged in the **Cloud logs** section of the Admin UI (**Logs** > **Cloud**), which lists the activities of every user connected through StrongDM. StrongDM attempts to strip the `Authorization` header from logged requests before they are displayed in the Admin UI, and any secrets that do appear in the cloud logs are placeholder values; no actual keys or secrets are exposed in plaintext in the Admin UI.

## CLI Usage

When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization's users to access the Azure cloud resource via StrongDM, users need to install the following:

* The StrongDM Desktop application
* The latest version of the StrongDM CLI. If the CLI is already installed, you can run `sdm update` in the CLI to update it. Alternatively, if any updates are available, you can open the desktop app and click the **Upgrade** button.
* The Azure CLI (`az`)

After installation, users must exit and restart the desktop app, and then select the Azure cloud resource to connect to.

Click to connect to the resource in the desktop app, or run `sdm connect <RESOURCE>` in the CLI. Once connected, users can use the Azure CLI through StrongDM at their terminal, with the base syntax of `sdm az cli` or `sdm azure cli`.

You can use `sdm az --help` (or `sdm azure --help`) to view example usage and command options:

```shell
NAME:
   sdm azure - azure commands

USAGE:
   sdm azure command [command options] [arguments...]

COMMANDS:
   cli  Execute an Azure CLI Command.
   env  Print environment variables required to access an Azure resource.
   run  Execute an external command with environment variables configured to access an Azure resource.

OPTIONS:
   --name value     The name of the Azure resource to access. By default if there is only one connected Azure resource, that resource is used. [$SDM_AZURE_NAME]
   --help, -h  show help
```

### az cli

The `az cli` command is followed by an Azure CLI command that you wish to run against your connected Azure resource. For more information about Azure CLI commands, see the [Azure CLI documentation](https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest).

### az env

The `az env` command outputs the environment variables required to access an Azure resource. The output uses the same `KEY=value` format as the standard `env` command, but contains only the variables relevant to connecting to Azure.

### az run

The `az run` command is followed by a command that you wish to run against the connected resource; StrongDM executes that command with the necessary environment variables already set. For example, if you have an existing script that manages Azure resources with `az` commands, you can run it unchanged with `sdm az run ./shellscript.sh` instead of altering the script to work with StrongDM.

### --name

If your organization has multiple Azure cloud resources and you are connected to more than one at once, specify a `--name` value to select which resource a command targets, for example `sdm az --name <RESOURCE_NAME> cli`. The flag must come before the `cli` portion of the command; this keeps the short form (`sdm az cli ...`) working unchanged when only one Azure cloud resource is connected.

### Configuration directories

Use a unique configuration directory for each Azure resource (`$SDM_HOME/azure-config/<resource-id>` rather than the shared `$SDM_HOME/azure-config`). This isolates each resource's configuration from the others and from the default configuration, so commands against different resources can safely run concurrently.

## Error Cases

If you attempt to use a cloud resource while not connected to it, the StrongDM CLI commands warn you. It is possible to bypass this warning in some contexts, for example by setting the environment variables directly in your terminal. In that case commands may fail with SSL errors, or run without any effect.
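Putting the `az env`, `--name`, configuration-directory and error-case points together, here is an added example (not StrongDM's code) of a wrapper that runs an existing `az`-based script against one named resource. It assumes that `sdm az --name <RESOURCE> env` prints one `KEY=value` per line and that one of those keys is the Azure CLI's own `AZURE_CONFIG_DIR`, pointing at the per-resource directory described above; neither detail is stated on this page. `SDM_BIN`, `import_env_lines` and `run_against_resource` are names introduced for this example.

```shell
# Added example, not StrongDM's code: run an existing az-based script against one
# named StrongDM Azure resource without letting its environment leak into the
# interactive shell.
#
# Assumptions (not stated on the page): `sdm az --name <res> env` prints one
# KEY=value per line, and one of the keys is AZURE_CONFIG_DIR, the Azure CLI's
# own variable, pointing at $SDM_HOME/azure-config/<resource-id>.
# SDM_BIN can be pointed at a stub for testing.

SDM_BIN="${SDM_BIN:-sdm}"

# import_env_lines: read KEY=value lines from stdin and export each one, after
# checking that KEY is a plain shell identifier. This replaces
# `eval "$(sdm az env)"`, which would execute whatever the output contained.
# Returns 1 on a malformed line or if nothing was imported.
import_env_lines() {
  count=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *=*) key=${line%%=*}; value=${line#*=} ;;
      *)   key= ;;
    esac
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'refusing malformed line: %s\n' "$line" >&2
        return 1 ;;
    esac
    export "$key=$value"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ]
}

# run_against_resource RESOURCE CMD [ARG...]
# Runs CMD inside a subshell that holds only RESOURCE's environment. When the
# subshell exits the variables are gone, so a later disconnect cannot leave a
# terminal that still points at dead credentials (the SSL-error case above).
# Exit codes: 2 = not connected or unusable env output, 3 = config dir not isolated.
run_against_resource() {
  res=$1
  shift
  (
    env_out=$("$SDM_BIN" az --name "$res" env) || {
      printf 'not connected to %s (try: sdm connect %s)\n' "$res" "$res" >&2
      exit 2
    }
    import_env_lines <<EOF || exit 2
$env_out
EOF
    # Refuse to run if the resource shares the default azure-config directory:
    # two concurrent scripts would then fight over the same token cache.
    case "${AZURE_CONFIG_DIR:-}" in
      */azure-config/?*) ;;
      *) printf 'AZURE_CONFIG_DIR is not resource-specific: %s\n' \
           "${AZURE_CONFIG_DIR:-unset}" >&2
         exit 3 ;;
    esac
    "$@"
  )
}

# Typical use:  run_against_resource azure-prod ./rotate-keys.sh
```

Compared with `eval "$(sdm az env)"` in the interactive shell, two things differ: the variables live only in the subshell, so disconnecting later cannot leave a terminal pointed at stale credentials, and each key is validated as a plain identifier before it is exported, so the tool's output is never executed as shell code.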
