How to do AssumeRole in Azure

Today I would like to give you a solution that will allow you to control one Azure account from another.

Let’s start from the basics. AWS AssumeRole is used for cross-account access in AWS. It allows a principal in one AWS account to manage resources in a completely different AWS account. It is a well-known feature and there are a lot of resources on this topic.

In Microsoft Azure it is possible to achieve the same result, but using a different method. Azure has a notion of Applications. Application has a broad meaning in Azure; in this article I am only interested in the fact that an application registered in one Azure AD tenant can be granted access to resources in another Azure account (a different tenant).

Let’s say you have a Main account and a Second account (two different Azure AD tenants) and you want to control the Second account from the Main one.

Configure the Main account.

Basically, it is very simple. You need to create an application in the Main account; in the next stage the Second account will grant access to this application. Here is how you create the Application:

  1. Sign in to the Azure portal using your Azure account.
  2. Select Azure Active Directory > App registrations > New registration.
  3. Provide a name for the application.
  4. Under Supported account types, choose a multi-tenant option (Accounts in any organizational directory). A single-tenant application cannot get a service principal in the Second account, so this step is what makes the cross-account access possible.
  5. Under Redirect URI, select Web as the application type, and (optionally) specify a redirect URI if your application requires it.
  6. After setting the values, select Register. The application registration is created and the Overview page is presented.
  7. Copy the Application ID for use in your application code. This value is also referred to as the Client ID.

You can get the same result from the command line. The application must be available to other tenants, otherwise the Second account will not be able to create a service principal for it:

az ad app create --display-name MyApp1 --homepage https://my-website.com --identifier-uris https://my-website.com --available-to-other-tenants true --password password123

If you used the web console, you still need to configure an application password (a client secret). Here is the command to do this from the command line:

az ad app update --id uuid-client-app-id --password password123

Use a long random secret instead of password123: this secret is the credential that grants access to the Second account, exactly like AWS access keys. In Azure CLI 2.37 and later the --password and --available-to-other-tenants parameters no longer exist; use --sign-in-audience AzureADMultipleOrgs on az ad app create and generate the secret with az ad app credential reset --id uuid-client-app-id, which prints the new secret.

Configure Second account

The configuration is also simple. I will show it from the command line as that is easier for me. Sign in to the Second account with a user who is allowed to create service principals and assign roles there.

Get the tenant id of the Second account; we will use it in the last step as uuid-tenant-id:

az account show --output=json | jq -r '.tenantId'

Next, create the service principal that represents the Main account’s application inside the Second tenant. It is created from the application’s client id, which is why the application had to be multi-tenant. The JSON output contains the object id of the service principal (objectId in older CLI versions, id in newer ones); we will use it below as uuid-sp-object-id:

az ad sp create --id uuid-client-app-id

The next step is to assign a role to this service principal. You can create a custom role or assign one of the built-in roles, for example (the three marked Classic are the legacy deployment-model roles; the ARM equivalents have different ids, and --role also accepts the display name):

  • Reader acdd72a7-3385-48ef-bd42-f606fba81ae7
  • Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
  • Classic Virtual Machine Contributor d73bb868-a0df-4d4d-bd69-98a00b01fccb
  • Classic Network Contributor b34d265f-36f7-4a0d-a4d4-e158ca92e90f
  • Classic Storage Account Contributor 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
  • Website Contributor de139f84-1756-47ae-9be6-808fbbe84772
  • Web Plan Contributor 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
  • SQL Server Contributor 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
  • SQL DB Contributor 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

You can check the current id of any built-in role with az role definition list. Microsoft lets you be very specific when creating a role, but for this project I will use the Contributor role. Keep the scope as narrow as you can: the -g below limits the service principal to a single resource group, which is the Azure counterpart of a tightly scoped AssumeRole policy. Use the next command to assign the role to the service principal you created:

az role assignment create -g my-group-name --assignee-object-id uuid-sp-object-id --assignee-principal-type ServicePrincipal --role b24988ac-6180-42a0-ab88-20f7382dd24c

Final step

Now everything is configured. Open a fresh terminal and make sure you are not signed in to either account, so that the commands below really run as the service principal and not as your own user.

You can use this command to log out from Azure:

az logout

Now log in to the Second tenant as the service principal, using the client id as the user name and the client secret configured on the application as the password:

az login --service-principal --username uuid-client-app-id --password password123 --tenant uuid-tenant-id

You are now logged in the Second account and you can run commands you want. For example to create a new VM:

az vm create -n MyVm -g my-group-name --image UbuntuLTS
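To see what az login --service-principal actually does, and to add the one check you want before running commands in another tenant, here is an added example that is not code from the original post: the same login done directly against the Azure AD token endpoint with the OAuth2 client-credentials grant, a check that the token really was issued by the Second tenant, and a first Azure Resource Manager call with the bearer token. The tenant, client and subscription ids, the secret, the resource group name and the fake endpoints used by demo() are placeholders I constructed for an offline run; with real values and the default http helper the same functions perform the real flow.

```python
"""Added example: az login --service-principal, done by hand with the standard library."""
import base64
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request for the SECOND tenant's token
    endpoint. The app registration lives in the Main tenant, but a multi-tenant
    app gets its token from whichever tenant holds a service principal for it,
    which is why the Second tenant id goes into the URL."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",   # ARM audience, the same one az login asks for
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Good enough for a
    local sanity check on which tenant issued the token; ARM does the real
    verification on every call."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _http_json(url, body=None, headers=None):
    """Minimal JSON-over-HTTP helper: POST when a body is given, else GET."""
    req = urllib.request.Request(url, data=body, headers=headers or {},
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def acquire_arm_token(tenant_id, client_id, client_secret, http=_http_json):
    """Log in as the service principal and return an ARM bearer token.
    `http` is injectable so the flow can be exercised offline."""
    url, body = client_credentials_request(tenant_id, client_id, client_secret)
    resp = http(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in resp:
        raise RuntimeError(f"login failed: {resp.get('error')}: "
                           f"{resp.get('error_description')}")
    token = resp["access_token"]
    claims = jwt_claims(token)
    # Check: a token from any other tenant means you would act in the wrong
    # directory; fail closed instead of running commands there.
    if claims.get("tid") != tenant_id:
        raise RuntimeError(f"token issued by tenant {claims.get('tid')}, "
                           f"expected {tenant_id}")
    return token


def list_resource_groups(token, subscription_id, http=_http_json):
    """First call in the Second account: list the resource groups the service
    principal can see. An SP scoped with -g in the role assignment sees only
    that one group here."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourcegroups"
           "?api-version=2021-04-01")
    resp = http(url, None, {"Authorization": f"Bearer {token}"})
    return [rg["name"] for rg in resp["value"]]


# ---- constructed offline fixture: no real tenant, secret or token -----------
def _fake_jwt(claims):
    """Unsigned JWT carrying `claims`; only for the offline demo and test."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def fake_second_tenant(issuer_tid):
    """Fake login and ARM endpoints; `issuer_tid` is the tenant the fake token claims."""
    def http(url, body=None, headers=None):
        if url.endswith("/oauth2/v2.0/token"):
            form = urllib.parse.parse_qs(body.decode())
            assert form["grant_type"] == ["client_credentials"]
            return {"access_token": _fake_jwt({"tid": issuer_tid,
                                               "appid": form["client_id"][0]}),
                    "token_type": "Bearer"}
        if "/resourcegroups?" in url and \
                (headers or {}).get("Authorization", "").startswith("Bearer "):
            return {"value": [{"name": "my-group-name"}]}
        return {"error": {"code": "Unauthorized"}}
    return http


def demo(issuer_tid="22222222-2222-2222-2222-222222222222"):
    """Run the whole flow against the fixture with placeholder ids only."""
    second_tenant = "22222222-2222-2222-2222-222222222222"   # uuid-tenant-id
    client_id = "11111111-1111-1111-1111-111111111111"       # uuid-client-app-id
    subscription = "33333333-3333-3333-3333-333333333333"    # placeholder
    http = fake_second_tenant(issuer_tid)
    token = acquire_arm_token(second_tenant, client_id, "placeholder-secret", http=http)
    return list_resource_groups(token, subscription, http=http)


if __name__ == "__main__":
    print(demo())   # ['my-group-name']
```

The tid check is the part worth keeping even if you stay with the CLI: after az login, compare the tenantId printed by az account show with uuid-tenant-id before you run anything that creates or deletes resources.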

I hope this solution helps you. Leave your comments.

Reverting / deleting access

az ad sp delete --id 874e7f32-xxxx-xxxx-xxxx-f000483b4302

ERROR: Can’t find associated application id from ‘874e7f32-xxxx-xxxx-xxxx-f000483b4302’

Azure AD itself allows deleting service principal objects; the error comes from the CLI trying to look up an application id from the object id you passed. Remove the role assignment in the Second account first (az role assignment delete), because deleting the service principal alone leaves the assignment behind as an orphaned “Identity not found” entry. Until the bug is resolved in the CLI, the approach above will not work, but in the meantime you have several options:

About the author

Yuli Stremovsky, Paranoid Security Guy
For the past 15 years I’ve been leading the evolution of startups and enterprises to achieve the highest level of security and compliance. Throughout my career I’ve been a cyber security expert and advanced solutions architect with many years of hands-on experience on both the offensive and defensive side. Knowledgeable at the highest level in application development, networking, data and databases, web applications, large-scale Software as a Service solutions, cloud security and blockchain technologies.

I’ve been working with CISOs of international enterprises, helping them set information security strategy and overseeing the implementation of these recommendations. As part of these projects, I’ve been assisting companies to achieve compliance with GDPR, PCI, HIPAA and SOX.

Among my credits, I was a founder of a database security company GreenSQL/Hexatier which was acquired by Huawei and I’ve co-founded Kesem.io, Secure multi-signature Crypto wallet.

Specialties: Software and cloud architecture, Compliance (GDPR, HIPAA, PCI, SOX), blockchain technologies, software development, secure architectures, project management and low level research.