Microsoft Azure Application Keys

This topic describes the Microsoft Azure Application Keys plugin.

Support

Target devices

The CPM supports remote account management for Azure application keys accounts on the following target devices:

  • Microsoft Azure

Accounts

The CPM supports account management for the following accounts:

  • Azure AD Application Keys

Platforms

In the PVWA Platform Management page, make sure that the following target account platform is displayed:

  • Microsoft Azure Application Keys Management

Connection Methods

This plugin supports the following connection methods to the remote machine:

  • REST API

Actions

The following table lists the supported key management actions for this platform:

Action: Verify
Supported: Yes
Permissions: No permissions required.

Action: Change
Supported: Yes
Permissions: If you have a logon account, see the Logon Accounts and Application Accounts permissions sections. If not, the application that the target key belongs to should have the following permissions:

  • Application.ReadWrite.OwnedBy

  • Application.ReadWrite.All

Action: Reconcile
Supported: Yes
Permissions: Reconcile also supports populate. See the Reconcile Accounts and Application Accounts permissions sections.

Logon Accounts

Action: Logon and change
Supported: Yes
Required: No
Platform:

  • Microsoft Azure Password Management

  • Microsoft Azure Application Key

Note: Use the Microsoft Azure Application Key platform if you configured Azure to enforce MFA for users. Otherwise, you can use either platform.

Caution: If the application has MFA, then do not use a platform that enforces MFA for the logon or reconcile accounts.

Permissions:

  • If you are using the Microsoft Azure Password Management platform, the logon account must have one of the following roles:

    • Owner on the app

    or

    • Global Administrator

      • The application must have permissions for the Graph API

      • Under "Windows Azure Active Directory", the application must have "Access the directory as the signed-in user" permissions.

  • If you are using the Microsoft Azure Application Key platform, the logon account must have one of the following roles:

    • If managing a user who is a Global Administrator, the account must have the Company Administrator role

    • If not managing a user who is a Global Administrator, the account must have the User Account Administrator role

ApplicationID must be set for logon accounts at the account level.

Application Accounts

Action: Change and reconcile
Supported: Yes
Required: No
Platform: Microsoft Azure Keys Management
Permissions:

  • Owner on the app

  or

  • Global Administrator

    • The application must have permissions for the Graph API

    • Under "Windows Azure Active Directory", the application must have "Access the directory as the signed-in user" permissions.

Reconcile Accounts

Action: Reconcile
Supported: Yes
Required: Yes
Platform:

  • Microsoft Azure Password Management

  • Microsoft Azure Application Key

Note: Use the Microsoft Azure Application Key platform if you configured Azure to enforce MFA for users. Otherwise, you can use either platform.

Caution: If the application has MFA, then do not use a platform that enforces MFA for the logon or reconcile accounts.

Permissions:

  • If you are using the Microsoft Azure Password Management platform, the logon account must have one of the following roles:

    • Owner on the app

    or

    • Global Administrator

      • The application must have permissions for the Graph API

      • Under "Windows Azure Active Directory", the application must have "Access the directory as the signed-in user" permissions.

  • If you are using the Microsoft Azure Application Key platform, the logon account must have one of the following roles:

    • If managing a user who is a Global Administrator, the account must have the Company Administrator role

    • If not managing a user who is a Global Administrator, the account must have the User Account Administrator role

ApplicationID must be set for reconcile accounts at the account level.

Configuration

Prerequisites

This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

Import platform

This procedure is relevant if the platform is not included in installation.

  1. Add the following file categories, if they do not already exist.

     ActiveDirectoryID
       Type: Text
       Required: No

     ApplicationID
       Type: Text
       Required: No

     ApplicationObjectID
       Type: Text
       Required: No

     KeyDescription
       Type: Text
       Required: No

     KeyID
       Type: Text
       Required: Yes

     Duration
       Type: Numeric
       Required: No

     PopulateIfNotExist
       Type: List
       Required: No
       Valid values: Yes/No

  2. Import the platform.

Platform Parameters

Parameter: ActiveDirectoryID
Description: Azure Active Directory tenant ID
Acceptable values: Valid tenant ID
Default value: -

Parameter: Duration
Description: Number of days the key will be valid for
Acceptable values: 1 - 999
Default value: 365

Parameter: PopulateKeyIfNotExist
Description: Indication whether to populate the key if it doesn't exist on reconcile
Acceptable values: Yes, No
Default value: No

Account Parameters

Required

Parameter: ApplicationID
Description: Azure Active Directory application client ID
Acceptable values: Valid ID
Default value: -

Parameter: ApplicationObjectID
Description: Azure Active Directory application object ID
Acceptable values: Valid ID
Default value: -

Parameter: KeyDescription
Description: The key description. This description is used to locate the relevant keys of the application that you want to manage.

  • The KeyDescription is used to locate keys when the KeyID is not found.

  • When KeyDescription is used, all keys that match the entered description are changed.

  • New keys are created with the KeyDescription that you define.

Acceptable values: String up to 16 characters
Default value: -

Parameter: KeyID
Description: The key ID. This is used to locate the relevant keys of the application that you want to manage. If the KeyID is not found, the KeyDescription is used to locate keys.
Acceptable values: Valid ID
Default value: -

Optional

Parameter: ActiveDirectoryID
Description: Azure Active Directory tenant ID
Acceptable values: Valid tenant ID
Default value: -

Parameter: Duration
Description: Number of days for which the key will be valid
Acceptable values: 1 - 999
Default value: 365

Parameter: PopulateIfNotExist
Description: Indication whether to populate the key if it doesn't exist on reconcile
Acceptable values: Yes, No
Default value: No

Parameter: Address
Description: This parameter is not in use by this plugin
Acceptable values: -
Default value: -

Parameter: Username
Description: This parameter is not in use by this plugin
Acceptable values: -
Default value: -
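The key-location rules above (KeyID first, then every key matching KeyDescription; a replacement created with KeyDescription and valid for Duration days; nothing populated unless PopulateIfNotExist is Yes) carried out against the Microsoft Graph passwordCredential records of an application. This is an added example, not CyberArk's plugin code; the Graph client is injected as a hypothetical graph_call(method, path, body) callable, and the application record and IDs are constructed placeholders.

```python
"""Key-location and rotation logic that follows this page's KeyID, KeyDescription,
Duration and PopulateIfNotExist rules against Microsoft Graph passwordCredential
records. Added example, not CyberArk's plugin code; the Graph client is injected
(assumption) so the block runs offline against the constructed sample below."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the Graph v1.0 application resource.
SAMPLE_APP = {
    "id": "00000000-0000-0000-0000-00000000aaaa",  # placeholder object id
    "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "cpm-key"},
        {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "cpm-key"},
        {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "other"},
    ],
}

def select_keys(app, key_id, key_description):
    """Page rule: locate by KeyID first; if it is not found, every key whose
    displayName matches KeyDescription is selected (and will be changed)."""
    creds = app.get("passwordCredentials", [])
    by_id = [c for c in creds if c.get("keyId") == key_id]
    return by_id or [c for c in creds if c.get("displayName") == key_description]

def add_password_body(key_description, duration_days, now=None):
    """Body for POST /applications/{objectId}/addPassword: the new key carries
    KeyDescription and is valid for Duration days (page range 1-999, default 365)."""
    if not 1 <= duration_days <= 999:
        raise ValueError("Duration must be between 1 and 999 days")
    start = now or datetime.now(timezone.utc)
    return {"passwordCredential": {
        "displayName": key_description,
        "startDateTime": start.isoformat(),
        "endDateTime": (start + timedelta(days=duration_days)).isoformat()}}

def rotate(app, key_id, key_description, duration_days, populate, graph_call):
    """graph_call(method, path, body) -> response dict is the injected client.
    Adds the replacement key first so there is no window without a valid key,
    then removes the located keys. Returns (removed keyIds, new keyId), or
    None when nothing matched and PopulateIfNotExist is No."""
    targets = select_keys(app, key_id, key_description)
    if not targets and not populate:
        return None
    base = f"/applications/{app['id']}"
    created = graph_call("POST", f"{base}/addPassword",
                         add_password_body(key_description, duration_days))
    # The response's secretText is the only copy of the new secret; it belongs
    # in the vault, never in logs, so only the keyId is kept here.
    removed = []
    for cred in targets:
        graph_call("POST", f"{base}/removePassword", {"keyId": cred["keyId"]})
        removed.append(cred["keyId"])
    return removed, created["keyId"]
```

With a real client, graph_call would send each request with a token carrying Application.ReadWrite.OwnedBy or Application.ReadWrite.All, the permissions listed in the Actions table above.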

Reduce excessive cloud IAM permissions

Implement CyberArk Cloud Entitlements Manager to detect excessive permissions and generate recommendations to remediate risky access on your cloud platform. Only risky permissions are removed, resulting in least privilege for all human and machine identities while maintaining valid access for Cloud and DevOps teams.

CEM also detects unmanaged credentials for cloud entities with administrative access, enabling organizations to onboard cloud admins and Shadow Admins to PAM - Self-Hosted.