InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].

Take Me to the Docs!    Release Notes

Azure Active Directory

Instructions for Configuration of Azure Active Directory as an Authentication Server with InsightCloudSec

Overview

InsightCloudSec supports using Azure Active Directory authentication as a valid authentication server. Because the authentication flow for Azure Active Directory is so different from typical LDAP and Active Directory implementations, changes must be made within the Azure Portal to configure the Azure Active Directory for use with external applications. Check out Active Directory for details on Microsoft Active Directory.

Prerequisites

Before getting started you will need to have the following

  • A functioning InsightCloudSec platform
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your Azure Portal

For questions or issues reach out to [email protected].

📘

Azure Active Directory & Just In-Time Provisioning

For instructions specific to setting up an Authentication Server for Azure Active Directory and enabling Just In-Time Provisioning refer to our Azure Active Directory - Just In-Time Provisioning page.

InsightCloudSec - Azure Active Directory Authentication Server Setup (Start)

Before you configure Azure Active Directory to work with InsightCloudSec, you'll first need to complete some initial setup within InsightCloudSec, including generating a redirect URL.

1. Login to your InsightCloudSec instance and navigate to "Administration --> Identity Management"

  • Click "Authentication Servers" at the top of the page.

2. Click "Add Server" to open the "Create Authentication Server" form.

Identity Management - Authentication ServerIdentity Management - Authentication Server

Identity Management - Authentication Server

3. Complete the top of the "Create the Authentication Server" from as follows:

  • Nickname: Enter a nickname
  • Select Server Type: Select "Azure Active Directory"
  • Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
  • Authentication Type: Select API Key/Secret or Client Certification, based on your preference.

❗️

Redirect URL

Copy the provided redirect URL value and keep it on-hand for later.

Create New Azure Active Directory ServerCreate New Azure Active Directory Server

Create New Azure Active Directory Server

4. Leave InsightCloudSec open in a browser window and open a new tab.

Azure - New App Registration

This section assumes you want to create a new app registration within the Azure console.

Note: If you have an existing App Registration, and it is of the “Web app / API” type that you’d like to use, you can skip to Existing App Registration.

1. Select "New". This should bring you to the "Register an application" screen.

2. Complete the App Registration Form as follows:

  • Name: Enter something simple and descriptive for the name.
  • Supported account types: Select the default Accounts in this organizational directory only ((Default Directory) only Single tenant).
  • Redirect URI: Input the URL you copied from InsightCloudSec in the previous section.

3. Click "Register" to complete the App registration.

  • This should create a new App and open an overview screen of the application.

4. Copy the "Application ID" on this page and keep the information in a safe place. You will need the Application (client) ID for configuration later during this process.

Azure Creating an Application - Application IDAzure Creating an Application - Application ID

Azure Creating an Application - Application ID

5. On the left panel navigation under "Manage" select "Authentication".

6. Scroll down on the Authentication page and locate the "Implicit grant and hybrid flows" section.

  • Here you need to ensure you check/enable the "ID tokens (used for implicit and hybrid flows)" checkbox.
Azure Console Authentication Page - Select ID TokensAzure Console Authentication Page - Select ID Tokens

Azure Console Authentication Page - Select ID Tokens

7. From the left side navigation under "Managed", select "Certificates & secrets".

8. Under "Client Secrets" click on the "New client secret" button.

  • Provide a description, select an expiration interval, and click "Add" to complete.

9. Copy the value that you created for the secret. Store this information in a safe location.
- Note: You will not be able to return to this view.

Azure Console - Create and copy a new Client SecretAzure Console - Create and copy a new Client Secret

Azure Console - Create and copy a new Client Secret

10. Navigate to API Permissions, select "Add Permissions".

Azure Console - Add API PermissionsAzure Console - Add API Permissions

Azure Console - Add API Permissions

11. Click on "Microsoft Graph" and then select "Application permissions".

  • Scroll to "GroupMember" and click the checkbox next to GroupMember.ReadAll, click "Add Permission"

12. Repeat steps 13 & 14 to add one additional permission.

  • Click on "Add a permission", select "Microsoft Graph" and then select "Application permissions"
  • Scroll to "User" and click the checkbox next to User.ReadAll, click "Add Permission"
Azure Console - Adding API Permissions (Example permission)Azure Console - Adding API Permissions (Example permission)

Azure Console - Adding API Permissions (Example permission)

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to this section for details.

Azure - Existing App Registration

This section assumes you have an existing app of the “Web app / API” type that you’d like to use with InsightCloudSec.

To modify an existing app registration the steps are as follows:

1. In the Azure Portal, locate the App registrations page and select the application you want to modify. Click to open the overview page.

2. This section should already contain one Redirect URI with the URL you supplied when you created the App Registration. You will need to click "Add URI" to create new a new field, and add the the redirect URL you copied from InsightCloudSec in the first section.

3. Click "Save" in the top-left corner of the page.

📘

Existing Keys

You can use an existing key if you already have created one and know its secret, but creating a new secret for InsightCloudSec is recommended.

4. From the left side navigation under "Managed", select "Certificates & secrets".

5. Under "Client Secrets" click on the "New client secret" button.

  • Provide a description, select an expiration interval, and click "Add" to complete.

6. Copy the value that you created for the secret. Store this information in a safe location.
- Note: You will not be able to return to this view.

At this point, the Azure Active Directory should be configured for use within InsightCloudSec. You may now return to the browser window containing InsightCloudSec and finish the setup. Continue to the next section.

InsightCloudSec - Azure Active Directory Authentication Server Setup (Finish)

This section assumes that you have set up your Azure Active Directory to function with InsightCloudSec. If you have not done so, or need assistance, refer to one of the sections above (creating a new App, or updating an existing App) or reach out to us at [email protected].

Follow the steps below to finish setting up an Azure Active Directory Authentication Server:

1. Finish the Create Authentication Server form.

  • Tenant: Provide the domain name associated with the Azure Active Directory instance you are authenticating against.
  • Authority Server Hostname/IP: Unless you have a private Azure instance from Microsoft, you probably want to leave the Authority Host URL set to https://login.microsoftonline.com.
    • If you are using a private Azure instance, the Authority Host URL should be the authoritative login URL for that private instance.
  • Application ID: Provide the "Application ID" you saved from your Azure App Registration.

2-a. If you selected "API Key/Secret" for your Authentication Type provide the API Key.

  • Use the secret key value that we created in the earlier steps. If that key is not available, create a new one as per the instructions.

2-b. If you selected "Client Certificate" for your Authentication Type provide:

  • the PEM Certificate
  • the Certificate thumbprint

3. The options that appear after the authentication fields (e.g. Enable periodic user provisioning using graph API, etc.) are specific to configuring an Azure AD Authentication server, the steps are identical up until this point but JIT includes different capabilities.

4. Click "Submit" to finalize your authentication server and enable the system to verify that the values you entered are correct. If an error message appears, check that the values you entered are correct for the Active Directory instance for which you are trying to configure authentication.

Note: Because the Azure Active Directory instance uses an oAuth mechanism for authentication, you won’t be able to assign usernames to users authenticating against the Azure Active Directory system. Instead, you must use the email address for that user as it is in the Azure Active Directory for both the name and email values when creating users for this Authentication Server.

Updated 4 days ago

Azure Active Directory


Instructions for Configuration of Azure Active Directory as an Authentication Server with InsightCloudSec

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.