To automate user password rotation in Azure using the Azure CLI, follow the steps below.
1. Necessary Requirements
Before proceeding, make sure the following requirements are met:
- Unix/Linux device configured.
- Azure CLI installed on the Linux device.
- Tenant ID, Client ID and Secret ID of an Enterprise Application with the “Password Administrator” permission.
2. Creating the Enterprise Application in Azure
To correctly configure the Azure Enterprise Application, follow the guide below and adjust it to the organization’s needs.
Note: Other security configurations may be required according to the organization’s policies.
3. Configuration in senhasegura
- Create a Linux Device in senhasegura.
- Clone the Azure credentials to the new Linux device.
- Configure the relationship between parent and child credentials in the system.
4. Creating the Password Change Template
Now, the password change template will be configured:
set-new-line-mode unix
set-read-timeout 45
set-connect-timeout 30
set-ssh-version 2
# Define English as default language
expect-regex "/[$|#|>]/"
exec "export LC_ALL=C"
# Ensure no account is connected
expect-regex "/[$|#|>]/"
exec "az logout"
# Connect to Azure AD
expect-regex "/[$|#|>]/"
exec "az login --service-principal --allow-no-subscriptions --username 'CLIENT_ID' --password 'SECRET_ID' --tenant 'TENANT_ID'"
# Change user password
expect-regex "/[$|#|>]/"
exec "az ad user update --id '[#USERNAME#]' --password '[#NEW_PASSWORD#]' --force-change-password-next-sign-in false --verbose"
# Ensure change password success (status HTTP 204)
expect "*Response status: 204*"
Replace the following values in the script:
- CLIENT_ID: Enterprise Application identifier.
- SECRET_ID: secret generated for authentication in Azure.
- TENANT_ID: Tenant ID in Azure.
- [#USERNAME#] and [#NEW_PASSWORD#] are filled in dynamically by senhasegura at execution time.
5. Configuring Password Rotation Execution
- Configure the automatic execution of password rotation by senhasegura, linking the template above to the correct credential.
- Make sure that senhasegura can access the configured Linux device.
6. Validation
After implementation, run a test to confirm that password rotation occurs correctly.
Conclusion
With this configuration, the rotation of Azure user passwords through the Azure CLI will be automated, ensuring compliance and security in access.