Azure subscription management

Access the Onboarding wizard

Do the following:

1. In the CloudFlow Settings area, click ONBOARDING.

   On the Onboarding Managment page that opens, click +Onboard.

2. If you are onboarding your first account, click the New Cloud Account button on the welcome page.

3. Otherwise, click the Microsoft Azure button and click Next.

   The Azure Onboarding wizard appears.

   

4. Select your preferred method to onboard using the Select Onboarding Method dropdown.

   *Automatically syncs changes to subscriptions, management groups, and tenant root groups from Azure to CloudFlow after onboarding.

   Onboarding Method	Description	Automatic sync*
   With script	Uses scripts to onboard Azure resources	Yes
   No script	Onboard Azure resources without using scripts	Yes
   API (single account)	Onboard a single subscription via API	No
   Terraform	Onboard Azure resources using Terraform	Yes

5. Onboard Azure resources using your preferred method:

   To onboard Azure resources | With script

   Do the following:

   1. In the Onboarding wizard for Azure, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.

   2. Select which level of permissions are required for the role in Azure: Read or Read/Write. For details, see Permissions required for Azure roles.

      Note about permissions: Read access to the account is the minimum permission required to manage Azure Network Security Groups (NSGs). This enables CloudFlow visibility for Vnets, subnets, Azure VMs, network flow logs, tags, and routing tables.

   3. Select the Azure resource type:

      Important: To run the script, the user must possess the necessary permissions for creating a service principal on the selected resource.

      

   4. Enter the Subscription ID or Management Group of the Azure resource to onboard.

      Note: When Tenant Root Group is the Azure resource type, no additional information is required.

      The Cloud Shell command field is automatically populated based on the resource type and ID / Name.

   5. Complete the onboarding using one of the following methods:

      1. To open a Cloud Shell session directly from the CloudFlow interface, click .

         Note: The Cloud Shell link is copied automatically to you clipboard.

         The Azure editor opens in a new browser tab.

         1. From the dropdown menu select Bash.

            

         2. Paste the Cloud Shell script from your clipboard and then press Enter.

            The subscription(s) is onboarded into CloudFlow.

      2. (Alternative method) If you don't want to open a Cloud Shell session directly from the CloudFlow interface, you can run bash locally using a proxy:

         1. Click Copy to copy the Cloud Shell command.

            

            Note: The command generates an unreadable script. Expand the example below to see the readable version of the script:

            Example of CloudFlare script

            Copy

            #!/bin/bash
            
            #Algosec's multi-tenant application
            APP_ID='<ALGOSEC_ONBOARDING_APP_ID>'
            
            #Algosec's onboarding URL
            CF_ONBOARDING_URL='https://<HOST>/cloudflow/api/admin/v1/onboarding/azure'
            
            #Target resource
            TARGET_RESOURCE='<AZURE_TARGET_RESOURCE>'
            
            out=$(az account show)
            az_tenant=$(echo "$out" | jq -r '.tenantId')
            
            echo "Preparing to onboard the target resource [$TARGET_RESOURCE] of [$az_tenant] tenant"
            
            echo "Onboard Algosec AZ-AD Application"
            out=$(az ad sp create --id $APP_ID 2>/dev/null)
            
            #Roles
            roles=(<AZURE_ROLES>)
            
            for role in "${roles[@]}"; do
            echo "Assign a role to the [$TARGET_RESOURCE]: [$role]"
            out=$(az role assignment create --role "$role" --assignee $APP_ID --scope $TARGET_RESOURCE)
            if [ $? -ne 0 ]; then
            echo "ERROR: The target resource [$TARGET_RESOURCE] wasn't found or the user has no permission to work with it"
            echo "The onboarding process has failed — please ensure you have the required permissions"
            exit 1
            fi
            done
            
            response=$(curl -X POST "$CF_ONBOARDING_URL" \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            -H "Authorization: $TOKEN" \
            --silent \
            -d '{ "azure_tenant":"'$az_tenant'" }')
            
            status=$(echo $response | jq -r '.status')
            message=$(echo $response | jq -r '.message')
            if [ "$status" == 200 ]; then
            echo "The onboarding process is finished: $message"
            echo "Press CTRL+D to close the terminal session"
            else
            echo "ERROR: The onboarding process has failed: $message"
            fi
                                                                

         2. Paste and run the script in your alternative shell to complete onboarding the subscription(s).

   6. In CloudFlow, click Close to close the onboarding wizard.

   Note: It may take up to an hour for Azure to sync with CloudFlow.

   To onboard Azure resources | No script

   You can onboard Azure subscriptions, managed groups, or tenant root groups without using a script if your system does not support using scripts.

   Do the following:

   1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

   2. From the Azure CLI, create an Azure service principal based on the CloudFlow Azure multi-tenant application. You can do this with the following command:

      az ad sp create --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

      The Azure service principal is created.

      The next steps explain how to grant access permission to the service principal to a subscription or management group.

   3. Navigate to the Azure console and select either the subscription or management group you want to assign role permissions.

      

   4. Click Access control (IAM) from the left menu, and then click +Add.

   5. From the dropdown, select Add role assignment.

      The Add role assignment page appears.

      

   6. Choose the role (permission) you want to grant to the service principal to work with the subscription:

      • Reader: Enable read access only

      • Contributor: Enable read/write access

   7. (Optional) To allow CloudFlow to collect NSG Flow logs, grant the service principal the additional roles:

      • Network Contributor

      • Storage Account Contributor

   8. Click Next.

      The Member tab appears.

      

   9. Click Select members. From the Select members popup search for and select CloudFlow Onboarding - prod.

      CloudFlow Onboarding - prod will move to the Selected members section of the popup.

      

   10. Click Select.

       The Service Principal is assigned to the specific subscription and role.

       

   11. Click Review + assign.

       The Review + assign screen appears where the user can review the assignment.

   12. Click Review + assign once more to finalize the assignment and allow CloudFlow to access the Azure subscription.

   13. Navigate to Azure Active Directory > Properties > Tenant ID

       

   14. Click on the copy icon to copy Tenant ID associated with the subscription or management group.

   15. From the CloudFlow Azure Onboarding wizard, from the Select Onboarding Method, select No script.

       

   16. Paste the ID into the Azure Tenant ID field.

   17. Click Onboard to complete the onboarding process.

   To onboard Azure resources | API (for single account)

   You can use API calls to add a single Azure subscription to CloudFlow.

   Note: Any changes to a subscription after onboarding are not synced with CloudFlow. To delete one or more subscriptions, see Delete manually configured subscriptions .

   Do the following:

   1. Go to the page Add a cloud account.

   2. Click on the tab For an Azure subscription.

      

      The instructions for onboarding an Azure subscription using API appears.

   3. Follow the instructions on the page.

   To onboard Azure resources | Terraform

   You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your Azure subscriptions into CloudFlow.

   Do the following:

   Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

   Parameter	Description	Notes
   cf_auth_url	URL to authorize CloudFlow	For US use: https://app.algosec.com/api/algosaas/auth/v1/access-keys/login For EMEA use: https://api.platform.eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login For ANZ use: https://api.platform.anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login
   cf_url	URL to onboard Azure	For US use: https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For EMEA use: https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For ANZ use: https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure
   tenantId	Your CloudFlow Tenant ID
   clientId	Client ID	This is part of Access Key details. In CloudFlow, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
   clientSecret	Client Secret of the API Access Key	This is part of Access Key details. In CloudFlow, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.

   Copy

   provider "azurerm" {
     features {}
   }
   
   locals {
     cf_auth_url  = "https://app.algosec.com/api/algosaas/auth/v1/access-keys/login"
     cf_url       = "https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure"
     tenantId    = "XXXXXXXXXXXXXXXX"
     clientId    = "XXXXXXXXXXXXXXXXX"
     clientSecret    = "XXXXXXXXXXX"
   }
   
   data "azurerm_client_config" "current" {
   }
   resource "azuread_service_principal" "example" {
     application_id               = "f1764d38-8bca-497f-94ae-2ccec598107d"
     app_role_assignment_required = false
     owners                       = [data.azurerm_client_config.current.object_id]
   }
   
   resource "azuread_application" "example" {
     name = "Algosec CloudFLow Onboarding"
   }
   
   data "http" "cf_auth" {
     url    = local.cf_auth_url
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept = "application/json"
     }
     request_body = jsonencode({ tenantId : local.cf_tenant, clientId : local.cf_client_id, clientSecret : local.cf_secret })
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Authorization failed"
   
       }
     }
   }
   
   locals {
     auth_response = jsondecode(data.http.cf_auth.response_body)
     auth_token    = local.auth_response.access_token
   }
   
   data "http" "cf_onboard_account" {
     url    = local.cf_url
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept        = "application/json"
       Authorization = "Bearer ${local.auth_token}"
     }
     request_body = jsonencode({
       azure_tenant : data.azurerm_client_config.current.tenant_id
     })
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Authorization failed"
       }
     }
   }
   
   ######################################################################
   # Print the created data to console
   
   output "onboard_status" {
     value = data.http.cf_onboard_account.status_code
   }