Setup Custom Role in Azure
This document will guide you through creating a new App Registration with client credentials inside of the Azure Portal.
The credentials will be used by Aikido to make the necessary API requests to scan your Virtual Machines. Access to scan your Virtual Machines will be granted to the App Registration using a custom role.
These permissions are limited to the minimum required for Virtual Machine scanning:
Use the following steps to create
Log into your Azure Portal and navigate to the Microsoft Entra ID service.
Click on Add and select App registration.
Give the application a meaningful name; you will need it again when assigning the role.
Leave the Supported account types default: Accounts in this organizational directory only.
Click on Register.
You are redirected to the overview page of the newly created application. Copy the Application (client) ID and the Directory (tenant) ID from there.
Under Client credentials, click "Add a certificate or secret".
Click "New client secret", give the secret a description and set its expiration to 24 months (730 days). Note the expiry date: the secret has to be rotated in Aikido before then, or authentication will fail.
Copy the secret's Value now; it is shown only once. Store it in a secrets manager rather than in a ticket or chat message.
You now have the three values Aikido needs to configure VM scanning (tenant ID, client ID and client secret) once the setup in the Azure Portal is complete. Next, grant the application access for VM scanning.
Navigate to Subscriptions, find the relevant Subscription for your Virtual Machines
Click on "Access Control (IAM)".
Click on the "Add" button.
Select "Add custom role"
Go to the "JSON" tab and open the editor by clicking on "Edit".
Copy the generated JSON configuration from the Aikido setup screen and paste it into the editor. Before saving, check that its assignable scope is this subscription and that the list of actions contains nothing beyond what VM scanning needs (in particular no wildcard entries).
Click "Save".
At the bottom, click "Review + create", then "Create".
Now that the custom role is created, we can assign it to the App Registration we created at the start.
Navigate to Subscriptions, find the relevant Subscription for your Virtual Machines
Click on "Access Control (IAM)".
Go to the Role assignments tab and click "Add", then "Add role assignment".
In the "Role" tab, search for and select the custom role you created ("Aikido VM Scanner"), then click "Next".
Leave the "Assign access to" default value.
Click on "Select Members", search for the name of the app registration (e.g. "AikidoSecurity") you created and select it.
Click "Select"
Click "Review + assign", then "Review + assign" again to confirm.
The App Registration now holds exactly the permissions of the custom role, scoped to this subscription, and Aikido can use its tenant ID, client ID and client secret to scan your Azure Virtual Machines.
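The same setup can be scripted with the Azure CLI, which is useful when the role has to be created in several subscriptions or reviewed before it is applied. The script below is an added example, not Aikido's or Microsoft's tooling. It assumes the JSON from the Aikido setup screen has been saved as aikido-vm-scanner-role.json in the layout `az role definition create` accepts (Name, Actions and AssignableScopes at the top level, which differs from the portal's JSON-tab layout); the app name "AikidoSecurity", the role name and the subscription id are placeholders. Before creating anything it runs a least-privilege check on the role file: no wildcard actions, assignable scope limited to the target subscription, and a listing of any non-read actions for manual review. The sample role written by `write_sample_role` is constructed test input, not the role Aikido generates.

```shell
#!/bin/sh
# Added example (not Aikido's or Microsoft's code): CLI equivalent of the portal
# steps, with a least-privilege check on the role JSON before anything is created.
# Hypothetical names: aikido-vm-scanner-role.json, "AikidoSecurity", the role name
# and the subscription id are placeholders supplied by the reader.
set -e

# Print every control-plane operation ("Microsoft.<Provider>/..." or "*") found in
# a role definition file, one per line. Keys on the string values rather than the
# keys, so it works on pretty-printed or minified JSON in the portal layout
# (properties.permissions[].actions) as well as the CLI layout (Actions).
role_operations() {
  grep -oE '"[^"]*"' "$1" | tr -d '"' | grep -E '^(\*|Microsoft\.[A-Za-z]+/)' || true
}

# Succeed only if no operation contains a wildcard: "*" anywhere grants far more
# than a scanner needs and defeats the point of a custom role.
role_has_no_wildcards() {
  if role_operations "$1" | grep -q '\*'; then return 1; fi
  return 0
}

# Print operations that are not plain reads (.../write, .../delete, .../action)
# so they can be reviewed by hand before the role is created.
role_non_read_operations() {
  role_operations "$1" | grep -vE '/read$' || true
}

# Succeed only if every assignable scope lies in the expected subscription.
role_scoped_to_subscription() {
  scopes=$(grep -oE '"/subscriptions/[^"]*"' "$1" | tr -d '"' || true)
  [ -n "$scopes" ] || return 1
  for s in $scopes; do
    case "$s" in
      "/subscriptions/$2"|"/subscriptions/$2/"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Write a constructed sample role file in the portal JSON-tab layout. Test input
# for the checks above, NOT the role Aikido generates; $3 is the body of the
# actions array (a comma-separated list of quoted operations).
write_sample_role() {
  cat > "$1" <<EOF
{
  "properties": {
    "roleName": "Aikido VM Scanner",
    "description": "Constructed sample, not the Aikido-generated role",
    "assignableScopes": [ "/subscriptions/$2" ],
    "permissions": [
      { "actions": [ $3 ], "notActions": [], "dataActions": [], "notDataActions": [] }
    ]
  }
}
EOF
}

# Create the App Registration, its service principal, a 24-month secret, the
# custom role and the subscription-scoped assignment: the portal steps above,
# but refusing to proceed if the role file fails the checks.
azure_setup() {
  app_name=$1; sub_id=$2; role_file=$3; role_name=$4
  role_has_no_wildcards "$role_file" || { echo "wildcard action in $role_file, refusing" >&2; return 1; }
  role_scoped_to_subscription "$role_file" "$sub_id" || { echo "$role_file is not scoped to $sub_id" >&2; return 1; }
  echo "non-read operations to review:" >&2; role_non_read_operations "$role_file" >&2

  # Single-tenant app (portal default "Accounts in this organizational directory only").
  app_id=$(az ad app create --display-name "$app_name" --sign-in-audience AzureADMyOrg --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  # The secret value is only returned here; write it to a 0600 file for transfer
  # into a secrets manager instead of echoing it to the terminal or shell history.
  (umask 077; az ad app credential reset --id "$app_id" --years 2 \
      --display-name "Aikido VM scanning" --query password -o tsv > "$app_name.client-secret")

  az role definition create --role-definition "@$role_file" >/dev/null
  az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
      --role "$role_name" --scope "/subscriptions/$sub_id" >/dev/null

  echo "Directory (tenant) ID:    $tenant_id"
  echo "Application (client) ID:  $app_id"
  echo "Client secret written to: $app_name.client-secret"
}

# The real setup runs only on request; defining the functions has no side effects.
if [ "${RUN_AZ_SETUP:-0}" = 1 ]; then
  azure_setup "AikidoSecurity" "${AZ_SUBSCRIPTION_ID:?set AZ_SUBSCRIPTION_ID}" \
      aikido-vm-scanner-role.json "Aikido VM Scanner"
fi
```

Run it with `RUN_AZ_SETUP=1 AZ_SUBSCRIPTION_ID=<subscription id> sh setup.sh` after `az login`; without those variables it only defines the functions, so the role checks can be exercised on any role file (`role_non_read_operations aikido-vm-scanner-role.json`) before touching the tenant. The wildcard and scope checks are deliberately strict: a scanner role with `*` in an action, or assignable to a management group, should be questioned rather than pasted through.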