# Azure cloud deployment instructions

This page includes instructions on managing the BAS Azure infrastructure for the BAS Azure cloud deployment. By deploying BAS Azure infrastructure, you will be able to execute Azure-specific plays that expand coverage of your detective control testing to include your Azure environment.

# Requirements

NetSPI recommends using at least two Azure subscriptions for the BAS deployment. One subscription should be dedicated to hosting the BAS cloud deployment infrastructure and at least one other to be used as the target subscription for the actions the BAS plays perform.

You will need to provide the following information to configure the deployment:

Azure Tenant: Tenant ID that BAS plays will target
Subscription: Subscription ID that BAS plays will target within the given tenant
Resource Group: Name of the resource group that BAS plays will target within the given subscription
Location: Azure location of the provided resource group

The values provided will be the default settings for plays run with the cloud deployment you are setting up.

Note

Some plays allow additional configuration to target infrastructure outside of the defaults provided here. For example, a play such as Privilege Escalation - Subscription Role Assignment - Any Role allows you to optionally target a role in a different subscription than the one the play itself is executing in.

# Deployment

You can deploy as many instances of infrastructure into your environment as you'd like. It is a common pattern to deploy a set of infrastructure for each subscription you intend to test.

Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.

This displays the Agents and Deployments page.
Select the Cloud Deployment drop-down list and then Deploy to Azure.
Configure the Azure Cloud Deployment by providing the required settings:
- Target Tenant
- Target Subscription
- Target Resource Group
- Target Location
Select Deploy to Azure and follow the remaining instructions in your tenant.

# Additional Configuration

TBD Script goes here with permission explanation.

# Removal

The Azure Cloud Deployment is persistent infrastructure deployed into your Azure tenant. When the infrastructure is no longer necessary, you can remove it through the NetSPI Platform.

Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.
Select 'Edit' on the Azure Cloud Deployment tile for the deployment you want to remove. A slide-out panel will be displayed.
Select 'Clean up' at the bottom of the Cloud Deployment Settings slide-out panel.

Due to limitations in Azure APIs, we cannot fully clean-up a deployment and some permissions would remain. We recommend that you delete the resource group containing the NetSPI Azure cloud deployment infrastructure after following the above steps to guarantee everything is removed.