
Azure Key Vault Cross-Subscription Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure key vaults are configured to allow access only to trusted Azure subscriptions in order to protect against unauthorized access. This approach strengthens security by minimizing the risk of unauthorized access to sensitive data stored in Azure key vaults. The list of trusted Azure subscriptions must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.

Security

It is crucial to avoid cross-subscription access to Azure Key Vault in order to maintain robust security boundaries and prevent unauthorized access to sensitive cryptographic materials. Allowing key vault resources to be accessed from different subscriptions can increase the risk of data breaches by broadening the attack surface and potentially exposing cryptographic assets to unauthorized users or services in other subscriptions.


Audit

To determine if your Azure key vaults allow unknown, untrusted cross-subscription access, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to examine.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the role assignment that you want to examine and identify the subscription associated with the selected identity, i.e. /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/<identity-type>/<identity-name>, where <subscription-id> is the ID of the Azure subscription that manages the selected identity. If the identity's subscription differs from the key vault subscription chosen in step 3, cross-subscription access is configured for the selected Azure key vault. Perform this step for every role assignment listed on the Access control (IAM) page.

09 Sign in to your Trend Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the <subscription-id> of each associated identity against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Azure key vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run keyvault list command (Windows/macOS/Linux) with custom output filters to list the IDs of the key vault instances available within the current Azure subscription:

az keyvault list \
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --query '[*].id'

04 The command output should return the requested Azure key vault IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-data-warehouse-vault"
]

05 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure key vault that you want to examine as the --scope parameter and custom output filters to list the principal ID of each role assignment defined for the selected key vault:

az role assignment list \
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault" \
  --query '[*].principalId'

06 The command output should return the principal ID(s):

[
	"abcd1234-abcd-1234-abcd-1234abcd1234"
]

07 Run role assignment list command (Windows/macOS/Linux) to describe the Microsoft Azure subscription associated with the specified principal:

az role assignment list \
  --assignee "abcd1234-abcd-1234-abcd-1234abcd1234" \
  --query '[*].scope'

08 The command output should return the ID of the associated subscription, i.e. /subscriptions/<subscription-id>, where <subscription-id> is the ID of the Azure subscription that manages the selected principal. If the principal's subscription differs from the key vault subscription selected in step 3, cross-subscription access is configured for the selected Azure key vault:

[
	"/subscriptions/12341234-abcd-1234-abcd-123412341234"
]

09 Sign in to your Trend Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the <subscription-id> of each associated principal against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Microsoft Azure key vault available in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
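The CLI audit above is a nested loop: every subscription, every key vault in it, every principal assigned a role on the vault, and the subscription each principal's role assignments point at, compared against the trusted list. The script below is an added example (not Conformity's own tooling) that automates that loop with the same az commands. The trusted subscription list is hard-coded with the sample IDs from this page as a stand-in for the list kept in the rule settings, and audit_all assumes an already authenticated Azure CLI session; the classification helpers need no Azure access and can be exercised on their own.

```bash
#!/usr/bin/env bash
# Added example: audit key vault role assignments for untrusted cross-subscription access.
set -eu

# Constructed sample values: in practice this is the trusted list defined in the
# Conformity rule settings for "Azure Key Vault Cross-Subscription Access".
TRUSTED_SUBSCRIPTIONS="abcdabcd-1234-abcd-1234-abcdabcdabcd abcd1234-abcd-1234-abcd-abcd1234abcd"

# Extract the subscription ID from an Azure resource ID or scope of the form
# /subscriptions/<subscription-id>/...; prints nothing for scopes without one
# (for example management group or tenant root scopes).
subscription_of() {
  printf '%s\n' "$1" | sed -n 's|^/subscriptions/\([^/]*\).*|\1|p'
}

# Return 0 when the subscription ID is on the trusted list, 1 otherwise.
is_trusted() {
  local sub
  for sub in $TRUSTED_SUBSCRIPTIONS; do
    [ "$sub" = "$1" ] && return 0
  done
  return 1
}

# Classify one principal scope (audit steps 07-09) relative to the subscription
# that owns the key vault: COMPLIANT, NON_COMPLIANT, or UNKNOWN when the scope
# carries no subscription ID and must be reviewed by hand.
classify_scope() {
  local vault_sub="$1" scope="$2" principal_sub
  principal_sub=$(subscription_of "$scope")
  if [ -z "$principal_sub" ]; then
    echo "UNKNOWN"
  elif [ "$principal_sub" = "$vault_sub" ] || is_trusted "$principal_sub"; then
    echo "COMPLIANT"
  else
    echo "NON_COMPLIANT"
  fi
}

# Walk every subscription, key vault, principal and scope with the az commands
# from the audit procedure (steps 01-11). Requires an authenticated Azure CLI.
# Output: one tab-separated line per (verdict, vault ID, principal ID, scope).
audit_all() {
  local sub vault principal scope
  for sub in $(az account list --query '[*].id' -o tsv); do
    for vault in $(az keyvault list --subscription "$sub" --query '[*].id' -o tsv); do
      for principal in $(az role assignment list --scope "$vault" --query '[*].principalId' -o tsv); do
        for scope in $(az role assignment list --assignee "$principal" --query '[*].scope' -o tsv); do
          printf '%s\t%s\t%s\t%s\n' "$(classify_scope "$sub" "$scope")" "$vault" "$principal" "$scope"
        done
      done
    done
  done
}
```

Run `audit_all | grep NON_COMPLIANT` to get only the findings; each row names the key vault and principal whose role assignment the Remediation section removes with az role assignment delete. Rows marked UNKNOWN are scopes with no subscription component, which this check cannot classify and which should be reviewed manually.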

Remediation / Resolution

To remove untrusted cross-subscription role assignments from your Azure key vaults and restrict access to trusted Azure subscriptions only, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to configure.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the non-compliant role assignment that you want to remove and choose Delete.

09 Inside the Remove role assignments confirmation box, choose Yes to remove the selected role assignment.

10 Repeat steps no. 5 – 9 for each Azure key vault that you want to configure, available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure key vault that you want to configure as the --scope parameter and custom output filters to list the full ID of each role assignment defined for the selected key vault:

az role assignment list \
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault" \
  --query '[*].id'

02 The command output should return the role assignment ID(s):

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"
]

03 Run role assignment delete command (Windows/macOS/Linux) with the role assignment ID returned in the previous step to remove the non-compliant role assignment from the associated Microsoft Azure key vault, protecting the key vault resources from unauthorized cross-subscription access (the command does not produce an output):

az role assignment delete \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"

04 Repeat steps no. 1 – 3 for each Microsoft Azure key vault that you want to configure, available in the selected subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.


Publication date Aug 26, 2024