# Azure cloud deployment instructions
This page describes how to deploy and manage the BAS Azure infrastructure that backs the BAS Azure cloud deployment. Once that infrastructure is deployed, you can execute Azure-specific plays, extending your detective control testing to cover your Azure environment.
# Requirements
NetSPI recommends using at least two Azure subscriptions for the BAS deployment: one dedicated to hosting the BAS cloud deployment infrastructure, and at least one other serving as the target subscription for the actions the BAS plays perform.
Azure permissions
Your Azure account will require the following permissions to successfully deploy the BAS infrastructure:
- Automation Contributor
- Storage Account Contributor
- Role Based Access Control Administrator
  - Condition: Allow all except the following privileged roles:
    - Owner
    - Contributor
    - Role Based Access Control Administrator
    - Access Review Operator Service Role
    - Azure File Sync Administrator
    - Azure IoT Operations Onboarding
    - Reservations Administrator
    - Service Group Administrator
    - User Access Administrator
- User Access Administrator
  - Condition: Allow all except the following privileged roles:
    - Access Review Operator Service Role
    - Azure IoT Operations Onboarding
    - Azure File Sync Administrator
    - Reservations Administrator
    - Role Based Access Control Administrator
    - Service Group Contributor
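A pre-flight check for the permissions listed above, added here as an example and not part of NetSPI's documentation or tooling. It assumes you feed it the JSON printed by `az role assignment list --assignee <principal> --subscription <id>` (the `roleDefinitionName` and `condition` fields of that output), and it flags both missing required roles and delegation roles that were granted without the restricting condition.

```python
"""Pre-flight check of the deploying account's Azure role assignments."""
import json

# Roles the page lists as required for the account that deploys BAS infrastructure.
REQUIRED_ROLES = {
    "Automation Contributor",
    "Storage Account Contributor",
    "Role Based Access Control Administrator",
    "User Access Administrator",
}
# These two are expected to carry an ABAC condition ("Allow all except the
# following privileged roles"); an assignment with no condition is unconstrained.
CONDITIONED_ROLES = {
    "Role Based Access Control Administrator",
    "User Access Administrator",
}


def load_assignments(raw_json):
    """Parse the JSON list emitted by `az role assignment list --assignee ...`."""
    return json.loads(raw_json)


def missing_roles(assignments):
    """Required roles the principal does not hold, sorted for stable output."""
    held = {a.get("roleDefinitionName") for a in assignments}
    return sorted(REQUIRED_ROLES - held)


def unconstrained_admin_roles(assignments):
    """Delegation roles that were assigned without any condition attached."""
    return sorted(
        a["roleDefinitionName"]
        for a in assignments
        if a.get("roleDefinitionName") in CONDITIONED_ROLES and not a.get("condition")
    )


# Constructed sample (not captured from a real tenant), trimmed to the fields used.
SAMPLE = json.dumps([
    {"roleDefinitionName": "Automation Contributor", "condition": None},
    {"roleDefinitionName": "Role Based Access Control Administrator",
     "condition": "<ABAC condition text as shown by az>"},
    {"roleDefinitionName": "User Access Administrator", "condition": None},
])

if __name__ == "__main__":
    found = load_assignments(SAMPLE)
    print("missing roles:", missing_roles(found))
    print("unconstrained delegation roles:", unconstrained_admin_roles(found))
```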
You will need to provide the following information to configure the deployment:
Azure Tenant
: Tenant ID that BAS plays will target

Subscription
: Subscription ID that BAS plays will target within the given tenant

Resource Group
: Name of the resource group that BAS plays will target within the given subscription

Location
: Azure location of the provided resource group
The values provided will be the default settings for plays run with the cloud deployment you are setting up.
Note
Some plays allow additional configuration to target infrastructure outside of the defaults provided here. For example, a play such as Privilege Escalation - Subscription Role Assignment - Any Role allows you to optionally target a role in a different subscription than the one the play itself is executing in.
# Deployment
You can deploy as many instances of infrastructure into your environment as you'd like. It is a common pattern to deploy a set of infrastructure for each subscription you intend to test.
Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.
This displays the Agents and Deployments page.
Select the Cloud Deployment drop-down list and then Deploy to Azure.
Configure the Azure Cloud Deployment by providing the required settings:
- Target Tenant
- Target Subscription
- Target Resource Group
- Target Location
Select Deploy to Azure and follow the remaining instructions in your tenant.
# Additional configuration
## Optional: Enable Full Functionality with Microsoft Graph Plays
To enable the full capabilities of the platform, specifically support for Microsoft Graph-based plays, an optional one-time PowerShell script must be run. This step grants permissions required for Graph API access for the Automation Account's managed identity used by the BAS Azure infrastructure.
Note: Why this is needed
Microsoft Graph API permissions cannot be configured during the initial deployment. The script configures the Graph API permissions so that the managed identity is able to manage permissions.
- Open an Azure Cloud Shell (PowerShell)
- Execute the following (the first line downloads the script to your Cloud Shell home directory, the second runs it):

```powershell
Invoke-WebRequest -Uri "https://dev01-bas-platform-public-resources.s3.ap-south-1.amazonaws.com/Add-BasGraphPermissions.ps1" -OutFile "$Env:HOME/Add-BasGraphPermissions.ps1"
& "$Env:HOME/Add-BasGraphPermissions.ps1"
```
Required permissions to execute Graph API plays will be applied.
# Removal
The Azure Cloud Deployment is persistent infrastructure deployed into your Azure tenant. When the infrastructure is no longer necessary, you can remove it through the NetSPI Platform.
Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.
Select Edit on the Azure Cloud Deployment tile for the deployment you want to remove. A slide-out panel displays.
Select Clean up at the bottom of the Cloud Deployment Settings slide-out panel.
Due to limitations in Azure APIs, we cannot fully clean up a deployment, and some permissions will remain. After following the steps above, we recommend deleting the resource group containing the NetSPI Azure cloud deployment infrastructure to guarantee everything is removed.