Azure Cloud Connections¶

This page covers how to create and (when needed) delete Azure Cloud connections.

Create an Azure Cloud Connection¶

Navigate to Cloud Connections Page¶

To run an Azure Cloud Pentest, you'll first need to create an Azure connection. You can do so through the NodeZero Portal's Cloud Connections page.

The Cloud Connections link is in the Pentests nav menu in the navigation bar.

Open the Create Azure Connection Form¶

Click the + Connection button. From the resulting modal, select Azure.

The Add Connection Button is in the page header. When in the Choose Cloud Connection modal, click the "Add Azure" button.

Fill out the form with your Azure tenant information. This includes naming your tenant so you can easily recognize the tenant in NodeZero, as well as providing the tenant ID and one or more subscription IDs. Once you submit the form, you will be redirected to Azure in order to grant admin consent.

Set Up Role¶

Once admin consent is granted, you will be redirected back to the NodeZero Portal. You will be offered a PowerShell script to run that will add "Horizon3 Cloud Connector Custom Role" as a role in your subscriptions.

Shell script in the Create Azure Connection with a Copy button.

In Azure, open up the Cloud Shell and run the script to add the role. Once finished, go back to the NodeZero Portal and click Next.

Accessing PowerShell

You'll need to run the script in PowerShell. If this is your first time setting up Azure Cloud Shell, make sure to select PowerShell. If already set up and using bash, make sure to switch your session to PowerShell.

Switch to PowerShell action in actions bar above shell session in Azure Cloud Shell.

Verify Connection¶

You'll now see the tenant ID as well as the verification status for your new tenant. Once permissions have been verified, you're now ready to run an Azure Cloud Pentest!

You can also select Add Another Tenant if you need to create multiple connections.

Azure Connection Status modal when connected.

Delete a Connection¶

Delete an Azure connection through the Actions () menu:

The Actions button opens the menu that includes the Delete action.

When deleting an Azure Cloud connection, you'll need to clean up a few things on Azure's side:

Remove Role¶

Once deleted, you'll see a shell script to remove the custom role added for testing. Run this in the Azure Cloud Shell to remove the role.

Delete Enterprise App¶

In order to fully delete an Azure connection, you must also delete the enterprise app in Azure. To do so:

Navigate to the Enterprise applications page and click on the Horizon3 Cloud Connector app.
In the left nav, expand the Manage section and click Properties.
In the command bar near the top of the page, click Delete.