
Azure Managed Identity lab

Overview

Create an attack and defense lab for managed identity with one Azure Virtual Machine. The Azure VM is configured with a user assigned managed identity and an optional system assigned identity. An Azure AD user is also created. The generator produces Terraform HCL files: managed_identity.tf, providers.tf, and mi_user.tf.

Important Note

This generator lives in the generators/managed_identity directory. Navigate into this directory first.

cd generators/managed_identity

Usage Examples

Example 1: Windows 10 Endpoint with a User Assigned Identity (Reader Role)

python3 managed_identity.py -u rtcfingroup.com -ua reader

Description:

This will generate terraform HCL files for a managed identity attack and defense lab. The following options are enabled:

-u rtcfingroup.com: Specify a UPN suffix or default domain for the one Azure AD user that is created.

-ua reader: Create a user assigned identity with a Reader role on the subscription, and attach it to the created Azure VM.

Default Options:

Default Administrator: A default local Administrator account on the VM is MIAdmin.

Default Password: A default local Administrator password is automatically generated and used for the VM and Azure AD user.

Default Name: A default name for resources and resource group is automatically generated by terraform.

Default Azure User: An Azure AD user is randomly generated with the UPN suffix domain specified above. The Virtual Machine Contributor role is assigned to the user by default.

Example 2: Windows 10 Endpoint with a User Assigned Identity (Contributor Role)

python3 managed_identity.py -u rtcfingroup.com -ua contributor

Description:

Same scenario as above except it will set the Contributor role (scoped to Subscription) to the user assigned identity attached to the Azure VM.

Example 3: Windows 10 Endpoint with a User Assigned Identity (Owner Role) + System Assigned Identity

python3 managed_identity.py -u rtcfingroup.com -n rtcfin -l eastus -a RTCAdmin -p MyPassword012345 -ua owner -sa

Description:

Same scenario as above except it will set the Owner role to the user assigned identity attached to the Azure VM. Extra options enabled include:

-n rtcfin: Specify a friendly name of rtcfin for the Resource Group and some of the Azure resources created.

-l eastus: Specify an Azure location of eastus for the Azure resources.

-a RTCAdmin: Specify the local Administrator username of RTCAdmin on the Azure VM.

-p MyPassword012345: Specify a password for the VM local admin as well as the Azure AD user.

-sa: Enable a System Assigned identity for the Azure VM.

Details

All Resources Created

  • One Azure AD User with a configurable Role Assignment (Default: Virtual Machine Contributor)
  • One Azure VM with a Managed Identity configured (Default: User Assigned Identity with Reader on the Subscription)
  • Azure Storage Account (1)
  • Azure Containers (3). The containers have three different access levels (Blob, Container, Private)
  • Azure Blobs (3). All three are uploaded to all three containers.
  • Azure Shares (2)
  • Two files are uploaded to the two shares
  • Azure Key Vault
  • Secrets (3)
  • Private Keys (1)
  • Certificates (1)

All Options Available

-u <UPN_SUFFIX>: Mandatory. Specify the correct UPN Suffix for your tenant. Needed for creating the Azure AD user.

-a <ADMIN_USERNAME>: Specify the local Administrator Username for the Windows 10 Pro Azure VM. (Default: MIAdmin)

-p <PASSWORD>: Specify the password for the local Administrator account on the VM as well as the Azure AD user (Default: Auto-generated)

-sa: Enables the System Assigned Identity for the Azure VM (Note: both user assigned and system assigned can be enabled)

-ua reader|contributor|owner: Enables the User Assigned Identity for the Azure VM with possible values of reader, contributor, owner (Default: reader)

-n <NAME>: Specify a resource group name and name for other resources

-l <LOCATION>: Specify a different location (Default: centralus)

Other Variables in Script

This is the configuration for protecting access to the Azure VM. By default it uses the public IP address of the workstation running terraform as the only allowed source. You can comment lines in or out as appropriate to allow all IP addresses or a specific IP address, as shown below.

# This is the src_ip for white listing Azure NSGs
locals {
  src_ip = chomp(data.http.firewall_allowed.response_body)
  #src_ip = "0.0.0.0/0"
}

The role of the user assigned managed identity by default is scoped to the subscription but can be customized as shown below:

# Assign the selected role (ROLE_DEFINITION_NAME is filled in by the generator from -ua) to the user assigned managed identity
resource "azurerm_role_assignment" "uai" {
  #Scope to the key vault in line below
  #scope                = azurerm_key_vault.example.id
  #Scope to the subscription in line below
  scope                = data.azurerm_subscription.mi.id
  role_definition_name = "ROLE_DEFINITION_NAME"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}

The role of the Azure AD user is set by the user_role variable and can be changed in the same way:

# The role scoped to subscription for AAD user
# uncomment as needed
variable "user_role" {
  default = "Virtual Machine Contributor"
  #default = "Contributor"
  #default = "Reader"
  #default = "Owner"
}
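The following is an added illustration, not the project's own managed_identity.py: a small Python model of how the options listed above map onto the generated HCL for the NSG source IP (the locals block) and for the managed identity role assignment (the azurerm_role_assignment and VM identity blocks). The password policy, the random name prefix and the VM identity block layout are assumptions, since the page does not show them; the resource names (azurerm_user_assigned_identity.uai, data.azurerm_subscription.mi, azurerm_key_vault.example, data.http.firewall_allowed) are taken from the snippets above.

```python
import argparse
import ipaddress
import secrets
import string

# Mapping of the -ua values to Azure built-in role names, as described on the page.
UA_ROLES = {"reader": "Reader", "contributor": "Contributor", "owner": "Owner"}


def random_password(length=16):
    """Return a random password containing all four character classes.
    Assumption: the page only says the default password is auto-generated,
    so this policy is constructed here and is not the generator's own."""
    symbols = "!@#$%"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
            return pw


def parse_args(argv):
    """Parse the options listed under 'All Options Available' (defaults as on the page)."""
    p = argparse.ArgumentParser(description="Managed identity lab generator (illustrative)")
    p.add_argument("-u", dest="upn_suffix", required=True)
    p.add_argument("-a", dest="admin", default="MIAdmin")
    p.add_argument("-p", dest="password", default=None)
    p.add_argument("-sa", dest="system_assigned", action="store_true")
    p.add_argument("-ua", dest="user_assigned", choices=sorted(UA_ROLES), default="reader")
    p.add_argument("-n", dest="name", default=None)
    p.add_argument("-l", dest="location", default="centralus")
    opts = p.parse_args(argv)
    if opts.password is None:
        opts.password = random_password()
    if opts.name is None:
        # The real generator lets terraform pick a random name; a fixed prefix
        # plus a random suffix stands in for that here (assumption).
        opts.name = "milab-" + secrets.token_hex(3)
    return opts


def render_src_ip_locals(cidr=None):
    """Render the locals block that controls NSG access to the VM.
    With no CIDR, keep the page's default (the workstation's public IP via
    data.http.firewall_allowed); with a CIDR, pin it after validating it and
    refuse an allow-all range so the VM is never exposed by accident."""
    if cidr is None:
        return ('locals {\n'
                '  src_ip = chomp(data.http.firewall_allowed.response_body)\n'
                '}\n')
    net = ipaddress.ip_network(cidr, strict=False)  # raises ValueError on malformed input
    if net.prefixlen == 0:
        raise ValueError("refusing an allow-all source range; pass an explicit CIDR")
    return f'locals {{\n  src_ip = "{net.with_prefixlen}"\n}}\n'


def render_identity_hcl(opts, scope_to_key_vault=False):
    """Render the role assignment for the user assigned identity plus the VM
    identity block. The identity block shape follows the azurerm VM resource
    (type is 'UserAssigned' or 'SystemAssigned, UserAssigned')."""
    role = UA_ROLES[opts.user_assigned]
    scope = ("azurerm_key_vault.example.id" if scope_to_key_vault
             else "data.azurerm_subscription.mi.id")
    identity_type = ("SystemAssigned, UserAssigned" if opts.system_assigned
                     else "UserAssigned")
    return (
        f'resource "azurerm_role_assignment" "uai" {{\n'
        f'  scope                = {scope}\n'
        f'  role_definition_name = "{role}"\n'
        f'  principal_id         = azurerm_user_assigned_identity.uai.principal_id\n'
        f'}}\n\n'
        f'# identity block inside the VM resource\n'
        f'identity {{\n'
        f'  type         = "{identity_type}"\n'
        f'  identity_ids = [azurerm_user_assigned_identity.uai.id]\n'
        f'}}\n'
    )


if __name__ == "__main__":
    # Constructed invocation mirroring Example 3 (minus -n/-l/-a/-p) and a sample CIDR.
    args = parse_args(["-u", "rtcfingroup.com", "-ua", "owner", "-sa"])
    print(render_src_ip_locals("203.0.113.0/24"))
    print(render_identity_hcl(args))
    print(render_identity_hcl(args, scope_to_key_vault=True))
```

Passing scope_to_key_vault=True is the programmatic equivalent of swapping the two commented scope lines in the snippet above: the same role is granted, but only on the Key Vault rather than on the whole subscription, which is the least-privilege variant to prefer once the broad-scope scenario has been exercised.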

Demo

A video demonstration of building a managed identity lab with options and illustrations.

Managed Identity Demo