
Microsoft Azure NSG

Overview

This integration allows IP addresses to be dynamically managed within Azure Network Security Groups (NSGs), which are used by default as the inner firewalls protecting virtual machines. Other Azure assets (PaaS etc.) are managed using separate Knocs.

An example of a user's experience can be found below:

  1. User attempts to access Microsoft 365 services.

  2. User must authenticate with knocknoc and will see their granted ACL on the right hand side.

  3. User can now access Microsoft 365 services.

Prerequisites

This utilizes the Azure CLI binary, which must be installed on the Agent machine.

  • PowerShell - Install the LATEST version of PowerShell on your system. You can check the latest version and instructions for your architecture here: https://github.com/PowerShell/PowerShell/releases/latest

  • Azure CLI - For Debian, follow these steps:

    # Update the list of packages
    sudo apt-get update

    # Install pre-requisite packages.
    sudo apt-get install -y azure-cli

    # Update it.
    # If the version is significantly behind, you may need to install from Microsoft (see below)
    az upgrade

    # If you have any errors running, you may need to install from Azure directly.
    # Do this if you get warnings or errors:
    #
    #sudo apt remove azure-cli
    #rm -rf ~/.azure
    #curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Permissions in Azure

To interact with the Azure NSG via the API, you need to first create a service principal and assign it limited permissions, as shown below.

Create a custom role (for limited NSG edit access)

  1. Go to the Azure Portal: https://portal.azure.com

  2. Search for “Subscriptions” and select your subscription.

  3. In the left menu, click “Access control (IAM)”.

  4. Go to the “Roles” tab and click + Add > Add custom role.

  5. Basics tab:

    • Name: Knocknoc NSG Edit

    • Description: Can read and edit rules in a Network Security Group.

  6. Permissions tab:

    • Click + Add permissions

    • In the search box, type: networkSecurityGroups

    • Add these permissions:

      • Microsoft.Network/networkSecurityGroups/read

      • Microsoft.Network/networkSecurityGroups/securityRules/read

      • Microsoft.Network/networkSecurityGroups/securityRules/write

      • Microsoft.Network/networkSecurityGroups/securityRules/delete

    • Click Add

  7. Assignable scopes tab:

    • Click + Add assignable scope

    • Select your resource group, or your subscription if broader access is fine.

  8. Review + create the custom role.

    Keeping these permissions as restrictive as possible reduces your attack surface significantly, and prevents a major breach in the event that your application is compromised. Do not reuse/share another application for use with knocknoc. Create a dedicated application and set of credentials.

Create Service Principal in Azure Portal

  1. Go to the Azure Portal

  2. Search for “App registrations”

    • In the top search bar, type App registrations and select it.

  3. Click “+ New registration”

    • Name: knocknoc-nsg-updater (or anything you prefer)
    • Supported account types: Leave as "Single tenant" (default)
    • Redirect URI: Leave blank (not needed for non-interactive apps)

    Click Register

  4. Go to “Certificates & secrets”

    • Click + New client secret
    • Give it a name like nsg-automation
    • Set expiration (e.g., 6 or 12 months)
    • Click Add

    Copy the generated secret value immediately — you won’t be able to retrieve it later.

  5. Find Application (client) ID

    In the Overview tab of your app registration:

    • Copy the Application (client) ID
    • Also copy the Directory (tenant) ID

  6. Assign the Custom Role (Knocknoc NSG Edit)

    1. Go to your Resource Group (or subscription) where the NSG lives.

    2. Click Access control (IAM).

    3. Click + Add > Add role assignment

    4. Choose:

      • Role: Knocknoc NSG Edit (or your custom role name)
      • Assign access to: User, group, or service principal
      • Select: Find and select your app (nsg-updater)

    5. Click Save

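The same custom role, service principal and scoped role assignment can be created from the Azure CLI instead of the portal. This is an added example, not Knocknoc's own script: it builds the role definition from the four NSG actions listed above, restricts the assignable scope to a single resource group, and wraps the `az` calls in a function that is only run when you uncomment it. `SUBSCRIPTION_ID`, `RESOURCE_GROUP` and the temp file path are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Knocknoc's tooling): least-privilege NSG role + service principal via az CLI.
set -euo pipefail

ROLE_NAME="Knocknoc NSG Edit"
APP_NAME="knocknoc-nsg-updater"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-knocknoc-demo}"                         # placeholder
SCOPE="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"

# Emit the role definition JSON. Only NSG read plus securityRules read/write/delete are
# granted, and the role can only be assigned inside the one resource group in SCOPE.
nsg_role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Can read and edit rules in a Network Security Group.",
  "Actions": [
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete"
  ],
  "NotActions": [],
  "AssignableScopes": ["${SCOPE}"]
}
EOF
}

# Number of granted actions; a cheap guard that nothing broader (a wildcard) slipped in.
nsg_role_action_count() {
  nsg_role_definition | grep -c '"Microsoft.Network/networkSecurityGroups/'
}

# Requires an authenticated `az login` session with rights to create roles; not run by default.
apply_role_and_principal() {
  local def_file
  def_file="$(mktemp)"
  nsg_role_definition > "${def_file}"
  az role definition create --role-definition "${def_file}"
  # Creates the app registration + service principal and assigns the custom role at the
  # resource-group scope in one step; the output holds appId, tenant and the client secret.
  az ad sp create-for-rbac --name "${APP_NAME}" --role "${ROLE_NAME}" --scopes "${SCOPE}"
  rm -f "${def_file}"
}

# Uncomment to run against your tenant:
# apply_role_and_principal
```

Store the printed appId, tenant and password in the agent's credentials file as the page describes; they are the only copy of the secret.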