# Azure cloud deployment instructions

This page describes how to manage the BAS Azure infrastructure used by the BAS Azure cloud deployment. Once the BAS
Azure infrastructure is deployed, you can execute Azure-specific plays, extending your detective control testing to
cover your Azure environment.

## Requirements

NetSPI recommends using *at least* two Azure subscriptions for the BAS deployment. One subscription should be dedicated
to hosting the BAS cloud deployment infrastructure, and at least one other should serve as the target subscription for
the actions the BAS plays perform.

!!! Azure permissions
Your Azure account will require the following permissions to successfully deploy the BAS infrastructure:

- Automation Contributor
- Storage Account Contributor
- Role Based Access Control Administrator
  - Condition: Allow all except the following privileged roles:
    - Owner
    - Contributor
    - Role Based Access Control Administrator
    - Access Review Operator Service Role
    - Azure File Sync Administrator
    - Azure IoT Operations Onboarding
    - Reservations Administrator
    - Service Group Administrator
    - User Access Administrator
- User Access Administrator
  - Condition: Allow all except the following privileged roles:
    - Access Review Operator Service Role
    - Azure IoT Operations Onboarding
    - Azure File Sync Administrator
    - Reservations Administrator
    - Role Based Access Control Administrator
    - Service Group Contributor
!!!

You will need to provide the following information to configure the deployment:

- `Azure Tenant`: Tenant ID that BAS plays will target
- `Subscription`: Subscription ID that BAS plays will target within the given tenant
- `Resource Group`: Name of the resource group that BAS plays will target within the given subscription
- `Location`: Azure location of the provided resource group

The values provided will be the default settings for plays run with the cloud deployment you are setting up.

!!! Note
Some plays allow additional configuration to target infrastructure outside of the defaults provided here. For example,
a play such as `Privilege Escalation - Subscription Role Assignment - Any Role` allows you to optionally target a role
in a *different* subscription than the one the play itself is executing in.
!!!

## Deployment

You can deploy as many instances of infrastructure into your environment as you'd like. It is a common pattern to
deploy a set of infrastructure for each subscription you intend to test.

1. Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.

    ![Agent navigation](/static/bas/agent/linux/agent_nav.png "Agent and deployment navigation")

    This displays the Agents and Deployments page.

    ![Agent Page](/static/bas/agent/linux/agent_page_linux.png "Agent and deployment page")

2. Select the Cloud Deployment drop-down list and then **Deploy to Azure**.

    ![Azure deployment](/static/bas/agent/azure/azure_deployment_selection.png "Azure deployment selection")

3. Configure the Azure Cloud Deployment by providing the [required settings](#requirements):
    - Target Tenant
    - Target Subscription
    - Target Resource Group
    - Target Location

    ![Azure deployment settings](/static/bas/agent/azure/azure_deployment_settings.png "Azure deployment settings")

4. Select **Deploy to Azure** and follow the remaining instructions in your tenant.

### Additional configuration

#### Optional: Enable Full Functionality with Microsoft Graph Plays

To enable the full capabilities of the platform, specifically support for Microsoft
Graph-based plays, a one-time PowerShell script must be run. This step is optional: it
grants the Automation Account's managed identity used by the BAS Azure infrastructure the
permissions it needs to access the Microsoft Graph API.

!!! Note: Why this is needed
We are unable to configure Microsoft Graph API permissions during initial deployment.
The script will configure the Graph API permissions so that our managed identity
will be able to manage permissions.
!!!

1. Open an Azure Cloud Shell (PowerShell)
2. Execute the following:

```powershell
# Download the script into the Cloud Shell home directory, then run it.
# The backtick continues the command on the next line; the script is invoked
# as a separate statement once the download has completed.
Invoke-WebRequest `
    -Uri "https://dev01-bas-platform-public-resources.s3.ap-south-1.amazonaws.com/Add-BasGraphPermissions.ps1" `
    -OutFile "$Env:HOME/Add-BasGraphPermissions.ps1"
& "$Env:HOME/Add-BasGraphPermissions.ps1"
```

The permissions required to execute Graph API plays are then applied to the managed identity.
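After the script has run, it is worth verifying exactly which Microsoft Graph application permissions the Automation Account's managed identity now holds. The following PowerShell is an added example (not the NetSPI script or part of the platform) that lists them with the Microsoft.Graph module; the Automation Account name is an assumed placeholder, and the signed-in user needs `Application.Read.All`.

```powershell
# Added example: audit the Graph app-role assignments held by the BAS Automation Account's
# managed identity. Requires the Microsoft.Graph PowerShell module. The account name below
# is a placeholder, not a value from the deployment page.
$AutomationAccountName = 'PLACEHOLDER-bas-automation-account'

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# A system-assigned managed identity is represented by a service principal whose
# displayName equals the name of the resource it belongs to.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $mi) { throw "No service principal found for '$AutomationAccountName'" }

$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id

# Each assignment only carries an AppRoleId; resolve it to the permission value
# (e.g. Directory.Read.All) from the appRoles of the resource that defines it.
$roleCache = @{}
$report = foreach ($a in $assignments) {
    if (-not $roleCache.ContainsKey($a.ResourceId)) {
        $resourceSp = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property AppRoles
        $roleCache[$a.ResourceId] = @{}
        foreach ($r in $resourceSp.AppRoles) { $roleCache[$a.ResourceId][$r.Id] = $r.Value }
    }
    [pscustomobject]@{
        Resource   = $a.ResourceDisplayName
        Permission = $roleCache[$a.ResourceId][$a.AppRoleId]
        Granted    = $a.CreatedDateTime
    }
}

$report | Sort-Object Resource, Permission | Format-Table -AutoSize

# Call out write-capable permissions so a reviewer can confirm each one is expected.
$report | Where-Object { $_.Permission -match 'ReadWrite' } |
    ForEach-Object { Write-Warning "Write permission granted: $($_.Permission) on $($_.Resource)" }
```

Compare the output against the change record for the deployment; any permission that is not accounted for should be investigated before the deployment is used.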

## Removal

The Azure Cloud Deployment is persistent infrastructure deployed into your Azure tenant. When the infrastructure is no
longer necessary, you can remove it through the NetSPI Platform.

1. Navigate to BAS -> Agents and Deployments in the NetSPI Platform's left navigation.

2. Select **Edit** on the Azure Cloud Deployment tile for the deployment you want to remove. A slide-out panel displays.

    ![Azure deployment edit](/static/bas/agent/azure/azure_deployment_edit.png "Azure deployment edit")

3. Select **Clean up** at the bottom of the Cloud Deployment Settings slide-out panel.

!!! Warning
Due to limitations in the Azure APIs, we cannot *fully* clean up a deployment, and some permissions will remain. We
recommend that you delete the `resource group` containing the NetSPI Azure cloud deployment infrastructure *after*
following the above steps to guarantee everything is removed.
!!!
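The following PowerShell is an added example (not part of the NetSPI platform) of carrying out that recommendation with the Az module: it inventories what is still assigned at the deployment resource group, deletes the resource group, and then lists role assignments in the target subscription whose principal no longer exists. All subscription IDs and the resource group name are placeholders.

```powershell
# Added example: finish removal after "Clean up". Requires Az.Accounts and Az.Resources.
# All names and IDs below are placeholders, not values from the deployment page.
$HostingSubscriptionId   = '00000000-0000-0000-0000-000000000001'  # holds the BAS infrastructure
$TargetSubscriptionId    = '00000000-0000-0000-0000-000000000002'  # subscription the plays targeted
$DeploymentResourceGroup = 'PLACEHOLDER-bas-deployment-rg'

# 1. Inventory what is still assigned at the deployment resource group scope.
Set-AzContext -SubscriptionId $HostingSubscriptionId | Out-Null
Get-AzRoleAssignment -ResourceGroupName $DeploymentResourceGroup |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 2. Delete the resource group; this removes the Automation Account and its managed identity.
Remove-AzResourceGroup -Name $DeploymentResourceGroup -Force -Confirm:$false

# 3. Assignments whose principal has been deleted are reported with ObjectType 'Unknown'.
#    Review them before removal: this lists every orphaned assignment in the subscription,
#    not only those created by BAS. Resolving principals needs directory read access;
#    without it, every principal is reported as Unknown.
function Get-OrphanedRoleAssignments {
    param([string]$SubscriptionId)
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' } |
        Select-Object ObjectId, RoleDefinitionName, Scope
}

$orphaned = Get-OrphanedRoleAssignments -SubscriptionId $TargetSubscriptionId
$orphaned | Format-Table -AutoSize

# Remove the reviewed orphaned assignments; -WhatIf shows the action without performing it.
foreach ($ra in $orphaned) {
    Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $ra.RoleDefinitionName `
        -Scope $ra.Scope -WhatIf
}
```

Drop `-WhatIf` only once the orphaned list has been confirmed to contain just the BAS deployment's leftovers.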
