Auto-Updater and UI feature update. #393

Open
wants to merge 38 commits into base: master
38 commits
b220202
Added details related UI feature.
SINIKI Mar 9, 2021
964d594
Update doc with auto-updater changes
SINIKI Mar 9, 2021
17e243e
Updated package
SINIKI Mar 9, 2021
bbce7da
Update DeploymentFiles.zip
SINIKI Mar 9, 2021
4041979
Updated document
SINIKI Mar 10, 2021
8e5ddcf
Update Readme.md
SINIKI Mar 10, 2021
703fdf6
Update Readme.md
SINIKI Mar 10, 2021
a1abafc
Updated image.
SINIKI Mar 10, 2021
f44dd1b
Modify ConfigureWebUI PS script to remove MS AzTS Support Email
gvaradarajan-msft Mar 10, 2021
8ae644c
Updated service tree mapping
SINIKI Mar 11, 2021
9a5b642
Merge branch 'users/azts/featureupdate-ui' of https://github.com/azsk…
SINIKI Mar 11, 2021
601f6cb
Update Readme.md
SINIKI Mar 11, 2021
f428fc1
Update Readme.md
SINIKI Mar 11, 2021
198f21e
Updated comments related to UI
SINIKI Mar 11, 2021
d7cf166
Update Readme.md
SINIKI Mar 11, 2021
d7ed7d5
Update Readme.md
SINIKI Mar 11, 2021
f726c4f
Update image
SINIKI Mar 11, 2021
b156468
Updated description
SINIKI Mar 11, 2021
f8d9509
Updated readme based on review comments
SINIKI Mar 12, 2021
ce113de
Update Readme.md
SINIKI Mar 12, 2021
c883a39
Update Readme.md
SINIKI Mar 12, 2021
1dcc003
Update Readme.md
SINIKI Mar 15, 2021
f7bdfdb
Update Readme.md
SINIKI Mar 15, 2021
2a62389
Update Readme.md
SINIKI Mar 16, 2021
cd6b316
Updated ReadMe
SINIKI Mar 16, 2021
37c93e3
Update Readme.md
SINIKI Mar 16, 2021
62c1f43
Fix PBI Template, modify UI configuration scripts, remove '/' from AP…
gvaradarajan-msft Mar 19, 2021
d2e113d
Modify UI scripts
gvaradarajan-msft Mar 19, 2021
69218f1
Fix PowerBI Template
gvaradarajan-msft Mar 19, 2021
5069847
Updated template for reference
SINIKI Mar 19, 2021
ed00d98
Create DeployAzTS.ps1
SINIKI Mar 19, 2021
1960ecd
Updated deployment steps
SINIKI Apr 19, 2021
e708cd0
Update Readme.md
SINIKI Apr 19, 2021
f2f7aa6
Update DeploymentFiles.zip
SINIKI Apr 21, 2021
40d812a
Merge branch 'users/azts/featureupdate-ui' of https://github.com/azsk…
gvaradarajan-msft Apr 26, 2021
fd88b87
Fix UI scripts
gvaradarajan-msft Apr 26, 2021
57d1a2f
Updated setup script
SINIKI Apr 28, 2021
dd7a756
Updated file
SINIKI Apr 28, 2021
458 changes: 361 additions & 97 deletions 13-Tenant Security Solution Setup/Readme.md

@@ -57,7 +57,15 @@ function PushOrgMappingEvents([string] $OrgMappingFilePath, [string] $LogAnaytic
$body = Get-Content $FilePath | ConvertFrom-Csv
$body | ForEach-Object {

$OrgMappingList+= @{ "BGName" = $_.BGName; "ServiceGroupName" = $_.ServiceGroupName; "SubscriptionId" =$_.SubscriptionId; "SubscriptionName" = $_.SubscriptionName; "IsActive" = $_.IsActive; "OwnerDetails" = $_.OwnerDetails }
$OrgMappingList+= @{
"OrganizationName" = $_.OrganizationName ;
"DivisionName" = $_.DivisionName ;
"ServiceGroupName" = $_.ServiceGroupName ;
"TeamGroupName" = $_.TeamGroupName ;
"ServiceName" = $_.ServiceName ;
"SubscriptionId" = $_.SubscriptionId ;
"SubscriptionName" = $_.SubscriptionName ;
}
}
$postbody = $OrgMappingList | ConvertTo-Json
$lawsBodyByteArray = ([System.Text.Encoding]::UTF8.GetBytes($postbody))
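Review bot: the new seven-field hashtable is built from whatever columns `ConvertFrom-Csv` happened to find, with no check that the CSV actually carries the new header; a file still in the old `BGName,...,IsActive,OwnerDetails` layout that this hunk retires would be accepted and pushed to Log Analytics as records whose `OrganizationName`, `DivisionName`, `TeamGroupName` and `ServiceName` are null, and nothing would flag the silent schema drift. Suggest validating the header once before the loop, e.g. comparing `$body[0].PSObject.Properties.Name` against the required column list and throwing on a mismatch, so a stale mapping file fails fast instead of corrupting the org mapping table. Two smaller points: the function takes `$OrgMappingFilePath` but the body reads `Get-Content $FilePath`, so unless `$FilePath` is assigned elsewhere in the function the parameter is ignored; and since `IsActive` and `OwnerDetails` are dropped here, any query or report that still keys on those fields needs the matching update in this PR.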
180 changes: 126 additions & 54 deletions 13-Tenant Security Solution Setup/Scripts/ExecutionScript.ps1
@@ -1,56 +1,20 @@

#****************** Prerequisite *****************

# *** 1. Validate prerequisites on machine
# *** 1 of 6. Validate prerequisites on machine
#Ensure that you are using Windows OS and have PowerShell version 5.0 or higher

$PSVersionTable

# *** 2. Installing Az Modules
# *** 2 of 6. Installing Az Modules
# Install Az Modules
Install-Module -Name Az.Accounts -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Resources -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Storage -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.ManagedServiceIdentity -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Monitor -AllowClobber -Scope CurrentUser -repository PSGallery

# *** 3. Setting up scanning identity
#Before creating user-assigned managed identity, please connect to AzureAD and AzAccount with the tenant Id where you want to use AzTS solution.
Connect-AzAccount -Tenant <TenantId>
Connect-AzureAD -TenantId <TenantId>

# i) You can create user-assigned managed identity with below PowerShell command
# Step 1: Set context to subscription where user-assigned managed identity needs to be created
Set-AzContext -SubscriptionId "<MIHostingSubId>"

# Step 2: Create resource group where user-assigned MI resource will be created.
New-AzResourceGroup -Name "<MIHostingRGName>" -Location "<Location>"

# Step 3: Create user-assigned managed identity
$UserAssignedIdentity = New-AzUserAssignedIdentity -ResourceGroupName "<MIHostingRGName>" -Name "<USER ASSIGNED IDENTITY NAME>"

# Step 4: Save resource id generated for user identity using below command. This will be used in AzTS Soln installation.

$UserAssignedIdentity.Id

# ii) Assign reader access to user-assigned managed identity on target subscriptions to be scanned.

# Add target subscriptionds in place of <SubIdx>
$TargetSubscriptionIds = @("<SubId1>","<SubId2>","<SubId3>")

$TargetSubscriptionIds | % {
New-AzRoleAssignment -ApplicationId $UserAssignedIdentity.ClientId -Scope "/subscriptions/$_" -RoleDefinitionName "Reader"
}


# *** 3. Set context and validate you have 'Owner' access on subscrption where solution needs to be installed ****

# Set the context to hosting subscription
$HostSubscriptionId = "<HostSubscriptionId>"

Set-AzContext -SubscriptionId $HostSubscriptionId


# **** 4. Download and extract deployment template
# **** 3 of 6. Download and extract deployment template

# i) Download deployment package zip from link (https://aka.ms/DevOpsKit/AzTS/DeploymentTemplate) to your local machine.
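Review bot: the renumbering makes "3 of 6" the download step, but the section removed from this position ('Set context and validate you have Owner access') now only reappears at the very end of the script, so the prerequisite block installs modules and jumps straight to the package download without telling the reader where sign-in and subscription context selection happen; a one-line pointer comment here ("sign-in and scanner identity setup are in steps 4 to 6 below") would keep the top-to-bottom flow readable. Also, while this block is being rewritten, the five `Install-Module ... -repository PSGallery` calls remain unpinned; because the rest of the script is run by an account holding Owner on the hosting subscription and, for the Graph consent steps later in the file, a directory admin role, pinning them with `-RequiredVersion` (or at least `-MinimumVersion`) would narrow the supply-chain surface of the setup path, and `Az.ManagedServiceIdentity` should stay in the list only if the new `AzTSSetup.ps1` wrapper still needs it now that the direct `New-AzUserAssignedIdentity` call is gone.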

@@ -74,20 +38,128 @@

. ".\AzTSSetup.ps1"

# *** 4 of 6. Setting up scanning identity
#Before creating user-assigned managed identity, please connect to AzureAD and AzAccount with the tenant Id where you want to use AzTS solution.

# Clear existing login, if any
Disconnect-AzAccount
Disconnect-AzureAD

# **** 5. Run Setup Command
# Set the context to hosting subscription
Set-AzContext -SubscriptionId "<HostingSubId>"

# Connect to AzureAD and AzAccount
Connect-AzAccount -Tenant <TenantId>
Connect-AzureAD -TenantId <TenantId>

# Provide resource group name where resources will be created
$ScanHostRGName = "<ResourceGroupName>" #RG name where
$Location = "<ResourceLocation>" # eg. EastUS2
# i) You can create user-assigned managed identity (MI) with below PowerShell command

# Subscription id in which scanner MI needs to be created.
$MIHostingSubId = "<MIHostingSubId>"

# Resource group name in which scanner MI needs to be created.
$MIHostingRGName = "<MIHostingRGName>"

# Location in which scanner MI needs to be created.
# Note: For better performance, we recommend hosting the MI and resources setup using AzTS Soln installation command in one location.
$Location = "<Location>"

# Name of the scanner MI.
$MIName = "<USER ASSIGNED IDENTITY NAME>"

# List of target subscription(s) that needs to be scanned by AzTS.
# This command assigns 'Reader' access to user-assigned managed identity on target subscriptions. Add target subscriptionds in place of <SubIdx>
$TargetSubscriptionIds = @("<SubId1>","<SubId2>","<SubId3>")

# Step 1: Create user-assigned managed identity
$UserAssignedIdentity = Set-AzSKTenantSecuritySolutionScannerIdentity -SubscriptionId $MIHostingSubId `
-ResourceGroupName $MIHostingRGName `
-Location $Location `
-UserAssignedIdentityName $MIName `
-TargetSubscriptionIds $TargetSubscriptionIds

# Step 2: Save resource id and principal Id generated for user identity using below command. This will be used in AzTS Soln installation.

$UserAssignedIdentity.Id
$UserAssignedIdentity.PrincipalId

# ii) Grant user-assigned managed identity read access to Privileged Identity Management APIs for Azure resources.

# Grant Graph Permission to the user-assigned managed identity.
# NOTE: This step requires admin consent. Therefore, the signed-in user must be a member of one of the following administrator roles:
# Required Permission: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.
Grant-AzSKGraphPermissionToUserAssignedIdentity -ScanIdentityObjectId $UserAssignedIdentity.PrincipalId -AppPermissionsRequired @("PrivilegedAccess.Read.AzureResources", "Directory.Read.All")

# If you do not have the permission required to complete this step, please contact your administrator.
# To proceed without this step, set the value of "-ScanIdentityHasGraphPermission" parameter to false in AzTS installation command. Example: -ScanIdentityHasGraphPermission:$false.
# By setting '-ScanIdentityHasGraphPermission' to $false, you are choosing to disable features dependent on Graph API.
# Read more about this under the section "Step 4 of 6. Setting up scanning identity" in GitHub doc.

# *** 5 of 6. Setup Azure AD application for AzTS UI and API

# Step 1: Setup AD application for AzTS UI and API

# OPTION 1: Use following command to use an existing AD application or provide a custom name for Azure AD application.
# Name of the Azure AD application to be used by AzTS API
$WebAPIAzureADAppName = "<WebAPIAzureADAppName>"

# Name of the Azure AD application to be used by AzTS UI
$UIAzureADAppName = "<UIAzureADAppName>"

$ADApplicationDetails = Set-AzSKTenantSecurityADApplication -WebAPIAzureADAppName $WebAPIAzureADAppName -UIAzureADAppName $UIAzureADAppName


# OPTION 2: Use the default naming convention.
# Subscription id in which Azure Tenant Security Solution needs to be installed.
$HostSubscriptionId = "<HostSubscriptionId>"

# Resource group name in which Azure Tenant Security Solution needs to be installed.
$HostResourceGroupName = "<HostResourceGroupName>"

$ADApplicationDetails = Set-AzSKTenantSecurityADApplication -SubscriptionId $HostSubscriptionId -ScanHostRGName $HostResourceGroupName

# Step 2: Save WebAPIAzureADAppId and UIAzureADAppId generated for Azure AD application using below command. This will be used in AzTS Soln installation.

$ADApplicationDetails.WebAPIAzureADAppId
$ADApplicationDetails.UIAzureADAppId


# *** 6 of 6. Set context and validate you have 'Owner' access on subscrption where solution needs to be installed ****

# Run Setup Command
# i) Set the context to hosting subscription
$HostSubscriptionId = "<HostSubscriptionId>"

Set-AzContext -SubscriptionId $HostSubscriptionId

# Provide resource group name where resources will be created
$ScanHostRGName = "<ResourceGroupName>" #RG name where solution needs to be installed
$Location = "<ResourceLocation>" # eg. EastUS2
$EmailIds = @('<EmailId1>', '<EmailId2>', '<EmailId3>') # Comma-separated list of user email ids who should be sent the monitoring email.

# ii) Run install solution command
$DeploymentResult = Install-AzSKTenantSecuritySolution `
-SubscriptionId $HostSubscriptionId `
-ScanHostRGName $ScanHostRGName `
-ScanIdentityId $UserAssignedIdentity.Id `
-Location $Location `
-WebAPIAzureADAppId $ADApplicationDetails.WebAPIAzureADAppId `
-UIAzureADAppId $ADApplicationDetails.UIAzureADAppId `
-SendUsageTelemetry:$true `
-ScanIdentityHasGraphPermission:$false `
-SendAlertNotificationToEmailIds $EmailIds `
-Verbose

# iii) Save internal user-assigned managed identity name generated using below command. This will be used to grant Graph permission to internal MI.
$InternalIdentityName = $DeploymentResult.Outputs.internalMIName.Value

# iv) Grant internal MI 'User.Read.All' permission.

# **Note:** To complete this step, signed-in user must be a member of one of the following administrator roles: </br>
# Required Permission: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.
# If you do not have the required permission, please contact your administrator.
# Read more about this under the section "Step 6 of 6. Run Setup Command" in GitHub doc.

Grant-AzSKGraphPermissionToUserAssignedIdentity `
-SubscriptionId $HostSubscriptionId `
-ResourceGroupName $ScanHostRGName `
-IdentityName $InternalIdentityName `
-AppPermissionsRequired @('User.Read.All')

# Run install solution command
Install-AzSKTenantSecuritySolution `
-SubscriptionId $HostSubscriptionId `
-ScanHostRGName $ScanHostRGName `
-ScanIdentityId $UserAssignedIdentity.Id `
-Location $Location `
-Verbose
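Review bot: the sample install command's `-ScanIdentityHasGraphPermission:$false` contradicts step 4 of 6 just above it, where `Grant-AzSKGraphPermissionToUserAssignedIdentity` grants `PrivilegedAccess.Read.AzureResources` and `Directory.Read.All` to the scanner identity and the comment says `$false` is only for users who could not complete that grant; anyone following the script in order grants the permission and then disables the features that depend on it. Suggest making `$true` the sample value and keeping the `$false` variant in the comment, or deriving the flag from whether the grant succeeded. Related points: the "6 of 6" heading promises to validate Owner access on the hosting subscription but the body only calls `Set-AzContext`; an explicit check before `Install-AzSKTenantSecuritySolution` (for example `Get-AzRoleAssignment -SignInName` on the signed-in user, filtered to `RoleDefinitionName -eq 'Owner'` at the subscription scope) would turn a late, half-deployed failure into an early exit. `-SendUsageTelemetry:$true` is hard-coded on in the sample, so a comment stating what is sent, or omitting the switch so the operator opts in deliberately, would be more transparent. `Grant-AzSKGraphPermissionToUserAssignedIdentity` is invoked with two different parameter shapes (`-ScanIdentityObjectId` in step 4, `-SubscriptionId/-ResourceGroupName/-IdentityName` in step 6), so please confirm both parameter sets exist in `AzTSSetup.ps1`. Finally, the `# **Note:**` comment carries a stray `</br>` copied from the readme, `$EmailIds` is described as a "Comma-separated list" although it is an array literal, and the "subscriptionds" and "subscrption" typos remain in the step comments.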
Binary file not shown.
Binary file not shown.
@@ -1,2 +1,3 @@
BGName,ServiceGroupName,SubscriptionId,SubscriptionName,IsActive,OwnerDetails
BGName1,Sg1,SubId1,SubName1,Y,[email protected];[email protected]
OrganizationName,DivisionName,ServiceGroupName,TeamGroupName,ServiceName,SubscriptionId,SubscriptionName
OrgName1,DivisionName1,ServiceGroupName1,TeamGroupName1,ServiceName1,SubscriptionId1,SubscriptionName1
OrgName2,DivisionName2,ServiceGroupName2,TeamGroupName2,ServiceName2,SubscriptionId2,SubscriptionName2
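Review bot: the new header matches the seven keys built in `PushOrgMappingEvents`, which is the main thing to check here, but the sample rows use placeholders such as `SubscriptionId1`, and since the script pushes `SubscriptionId` through unchanged, a reader who adapts the sample without replacing that column with real subscription GUIDs gets mapping records that never join against scan results and no error to point at; CSV has no comment syntax, so the readme (or a header/value check in the script) should state that `SubscriptionId` must be the actual id of a scanned subscription.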
Binary file not shown.
Binary file added Images/12_TSS_Processor_WebJobs_1.png
Binary file added Images/12_TSS_ProgressBar1.png
Binary file added Images/12_TSS_ProgressBar2.png
Binary file added Images/12_TSS_ProgressBar3.png
Binary file added Images/12_TSS_Resource_Group_1.png
Binary file added Images/12_TSS_Resource_Group_2.png
Binary file added Images/13_TSS_OrgMappingCSV.png
Binary file added Images/13_TSS_UIOverview.png
Binary file added Images/13_TSS_UIUrlPrintMessageInPSOutput.png