Discover Azure Access Patterns with Teleport Identity Security
Identity Security streamlines and centralizes access management across your entire infrastructure. You can view access relationships in seconds, viewing unified, up-to-date relationships and policies between all users, groups, and computing resources.
Identity Security with Access Graph offers insights into access patterns within your Azure subscription. By scanning users, groups, service principals, and role definitions, it provides a visual representation and aids in enhancing the permission model within your Azure environment. This functionality enables you to address queries such as:
- What resources are accessible to Azure users and roles?
- Which groups belong to other groups and how does that impact resource access?
- How broad or narrow is scoping across the subscription when assigning roles to users and groups?
Utilizing the Access Graph to analyze permissions within an Azure subscription necessitates the setup of the Access Graph service, a Discovery Service, and integration with your Azure subscription.
Access Graph is a feature of the Teleport Identity Security product available to Teleport Enterprise edition customers.
To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI, click the Policy sidebar button, and then the Browse menu item. Identities, resources, etc. should be listed.
How it works
Access Graph discovers Azure access patterns, synchronizes various Azure resources, including users, groups, service principals, and role definitions. These resources are then visualized using the graph representation detailed in the Identity Security usage page.
The importing process involves two primary steps:
Polling Cloud APIs
The Teleport Discovery Service continuously scans the configured Azure subscriptions. At configurable intervals as low as 15 minutes, it retrieves the following resources from your Azure account:
- Users
- Groups
- Service Principals
- Role Definitions
- Role Assignments
- Virtual Machines
Once all the necessary resources are fetched, the Teleport Discovery Service pushes them to Access Graph, ensuring that it remains updated with the latest information from your Azure environment.
Importing resources
Identity Security’s Access Graph feature visualizes the resources retrieved from your Azure subscription.
Prerequisites
- A running Teleport Enterprise cluster v17.2.1 or later.
- Identity Security enabled for your account.
- For self-hosted clusters:
- Ensure that an up-to-date
license.pemis used in the Auth Service configuration. - A running Access Graph node v1.27.0 or later. Check the Identity Security page for details on how to set up Access Graph.
- The node running the Access Graph service must be reachable from the Teleport Auth Service.
- Ensure that an up-to-date
If you have a cloud-hosted Teleport Enterprise cluster, you can disregard this step, as cloud-hosted Teleport Enterprise already operates a properly configured Discovery Service within your cluster.
Installing the Discovery Service
If you plan on running the Discovery Service on a host that is already running another Teleport service (Auth or Proxy, for example), you can skip this step.
Install Teleport on an Azure virtual machine that will run the Discovery Service. This allows for a managed identity attached to the VM to be assigned the correct permissions to fetch the required Azure sources. Alternatively, Teleport can be installed in other environments as long it is attached to a Auth service configured with an Azure OIDC integration. Two options are given below for either 1) using an Azure virtual machine or 2) using Azure OIDC credentials via Entra ID integration.
To install a Teleport Agent on your Linux server:
The easiest installation method, for Teleport versions 17.3 and above, is the cluster install script. It will use the best version, edition, and installation mode for your cluster.
-
Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://).
-
Run your cluster's install script:
curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash
On older Teleport versions:
-
Assign edition to one of the following, depending on your Teleport edition:
Edition Value Teleport Enterprise Cloud cloudTeleport Enterprise (Self-Hosted) enterpriseTeleport Community Edition oss -
Get the version of Teleport to install. If you have automatic agent updates enabled in your cluster, query the latest Teleport version that is compatible with the updater:
TELEPORT_DOMAIN=example.teleport.com:443TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')"Otherwise, get the version of your Teleport cluster:
TELEPORT_DOMAIN=example.teleport.com:443TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/ping | jq -r '.server_version')" -
Install Teleport on your Linux server:
curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION} editionThe installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide.
Configuring the Discovery Service
To activate the Teleport Discovery Service, add a top level discovery_service section to the teleport.yaml
config file. This service monitors dynamic discovery_config resources that are set up
with the discovery_group matching.
discovery-group.
discovery_service:
enabled: true
discovery_group: discovery-group
Notice that if you already operate a Discovery Service within your cluster, it's possible to reuse it as long as the following requirements are met:
- On step 2, you match the
discovery_groupwith the existing Discovery Service'sdiscovery_group. - Access Graph service is reachable from the machine where Discovery Service runs.
Once the Auth Service is configured, add the following to the Discovery Service configuration file to enable it for fetching Azure resources:
discovery_service:
access_graph:
azure:
- subscription_id: azure-subscription-id
The Discovery Service will now periodically fetch resources from your Azure subscription.
Activating the Discovery Service
To activate the Discovery Service for fetching Azure resources, you'll need to authorize the identity running the Discovery service. Two options for authorization are available.
- Option 1 - Authorize VM With Managed Identity
- Option 2 - Authorize OIDC Via EntraID Integration
Authorizing an Azure VM for running the Discovery service is the simplest option. The Azure VM can be assigned a
Managed Identity, and thus the Discovery service running on it can utilize the permissions associated with
that identity. The steps below show how to configure a Managed Identity for an Azure VM. In later steps, the
Managed Identity's ID is then assigned a role to the identity using the
./teleport integration configure access-graph azure command.
- Manually create identity
- ARM Template
Create a custom role
Enter the name of your Azure resource group in the Azure Portal search box and visit the page for that resource group. On the left navigation sidebar, click the Access control (IAM) tab. In the row of buttons at the top of the Access control (IAM) panel, click Add > Add custom role.
In the Custom role name field, enter teleport-read-vm.
Click the Permissions tab, then within the Permissions view, click +Add permissions.
Enter Microsoft.Compute/virtualMachines/read in the search box. Click the
Microsoft Compute box, then enable Read: Get Virtual Machine. Click
Add.
Click Review + create, then Create.
Create an Azure managed identity
Visit the Managed Identities view in Azure Portal.
Click Create.
Under Subscription, Resource group, and Region, choose the ones that your VM belongs to.
In the Name field, enter teleport-azure.
Click Review + create, then Create.
Once creation finishes, click Go to resource. On the page for the new identity, copy the value for the Client ID so you can use it later in this guide.
Assign the teleport-read-vm role to the teleport-azure identity
Enter the name of your Azure resource group in the Azure Portal search box and visit the page for that resource group. On the left navigation sidebar, click the Access control (IAM) tab. In the row of buttons at the top of the Access control (IAM) panel, click Add > Add role assignment.
Within the Add role assignment screen, click teleport-read-vm.
Scroll to the bottom of the screen and click Next.
Within the Members tab, in the Assign access to field, choose Managed identity. Click Select members.
On the right sidebar, find the Managed identity dropdown menu and select
User-assigned managed identity. Choose the teleport-azure identity you
created earlier.
Click Select, then Review + assign.
Verify that your Role is teleport-read-vm, the Scope matches your
chosen resource group, and the Members field includes the teleport-azure
managed identity you created earlier.
Click Review + assign again.
Attach an identity to your Azure VM
In the Virtual machines view of Azure Portal, click on the name of the VM you are using to host the Teleport Service.
On the right side panel, click the Security/Identity tab, then within the
Identity view, click the User assigned tab. Click +Add, then select
the teleport-azure identity. Click Add.
Navigate back to Identity tab in the page for your Azure VM. You should see the new identity listed in the User assigned sub-tab:
As part of authentication, Teleport will be able to do anything allowed by the identity. If you use a managed identity other than the one created in this guide, we strongly recommend limiting its permissions and scope.
Create a file named teleport-create-identity.json and copy the following into
it:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "2227781763411200690"
}
},
"parameters": {
"roleName": {
"type": "string",
"defaultValue": "teleport-read-vm",
"metadata": {
"description": "Friendly name of the role definition"
}
},
"identityName": {
"type": "string",
"defaultValue": "teleport-azure",
"metadata": {
"description": "Name of the managed identity"
}
}
},
"variables": {
"roleDefName": "[guid(resourceGroup().id, string('Microsoft.Compute/virtualMachines/read'))]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[variables('roleDefName')]",
"properties": {
"roleName": "[parameters('roleName')]",
"description": "A role to allow reading information about Virtual Machines, to be used for Teleport.",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read"
],
"notActions": []
}
],
"assignableScopes": [
"[resourceGroup().id]"
]
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('identityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalID": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))).principalId]"
},
"clientID": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))).clientId]"
},
"roleName": {
"type": "string",
"value": "[variables('roleDefName')]"
}
}
}
Then run the following commands to create the custom role and managed identity:
DEPLOY_OUTPUT=$(az deployment group create \--resource-group <your-resource-group> \--template-file teleport-create-identity.json)PRINCIPAL_ID=$(echo $DEPLOY_OUTPUT | jq -r '.properties.outputs.principalID.value')CLIENT_ID=$(echo $DEPLOY_OUTPUT | jq -r '.properties.outputs.principalID.value')ROLE_NAME=$(echo $DEPLOY_OUTPUT | jq -r '.properties.outputs.roleName.value')
Details
Getting a "command not found" error?
This command requiresjq to be installed on your workstation, which you can do
via the jq download page.Next, create another file named teleport-assign-identity.json and copy the
following into it:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "2227781763411200690"
}
},
"parameters": {
"identityName": {
"type": "string",
"defaultValue": "teleport-azure"
},
"principalId": {
"type": "string"
},
"roleName": {
"type": "string"
},
"vmNames": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceGroup().id)]",
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleName'))]",
"principalId": "[parameters('principalId')]"
}
},
{
"apiVersion": "2018-06-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[parameters('vmNames')[copyIndex('vmcopy')]]",
"location": "[resourceGroup().location]",
"identity": {
"type": "userAssigned",
"userAssignedIdentities": {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityName'))]": {}
}
},
"copy": {
"name": "vmcopy",
"count": "[length(parameters('vmNames'))]"
}
}
]
}
Run the following command to assign your custom role to your managed identity and assign the identity to your virtual machines:
az deployment group create \--resource-group <your-resource-group> \--template-file teleport-assign-identity.json \-- parameters principalId="$PRINCIPAL_ID" roleName="$ROLE_NAME" \vmNames='<list-of-vm-names>'
Use the value of CLIENT_ID in Step 3.
Use the Managed Identity ID from this option as the principal ID in step 2 of integration command.
This option is for running the Discovery service outside of Azure. This requires that Entra OIDC credentials
are configured via the Entra ID integration. Once the Entra ID integration is configured, the
Azure Application is then assigned a role using the
./teleport integration configure access-graph azure command.
Use the application object ID as the principal ID in step 2 of the integration command.
Lastly, add the name of the integration to the configuration, typically this is entra-id:
discovery_service:
access_graph:
azure:
- subscription_id: azure-subscription-id
- integration: azure-integration
Step 2/2. Set up Access Graph Azure Sync
To configure the Teleport Discovery Service, the Azure managed identity running the Discovery Service within
Azure must be given the right permissions to fetch Azure resources. Within the
Azure Cloud Shell, download the
Teleport binary in .tar.gz format and use it to run the integration
command.
You'll need to specify the following in the commands/configuration below:
- teleport-version - The version of Teleport to run the integration command
- azure-subscription-id - The ID of the Azure subscription to fetch resources from
- azure-principal-id - The managed identity (for VM-assigned credentials) or application object ID (for OIDC credentials) that will run the Discovery service
- azure-discovery-role - The name of the new role to create and attach to the above principal (managed identity or application) for permissions to fetch Azure resources
Download and extract the Teleport binary:
curl -L https://cdn.teleport.dev/teleport-vteleport-version-linux-amd64-bin.tar.gz | tar xz
Run the integration command:
./teleport integration configure access-graph azure --principal-id azure-principal-id --role-name azure-discovery-role --subscription-id azure-subscription-id