Azure - Onboarding Overview
Onboarding Overview for an Azure Account or Accounts with InsightCloudSec
After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target accounts. This documentation provides details on configuring Azure to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.
Getting Started with Onboarding Azure
Before you can begin the Azure onboarding process, you'll need to login to InsightCloudSec and open the Cloud Account Onboarding Wizard, which provides a different experience depending on the type of user you are:
- First-time User: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
- Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new Azure account.
- Admin User: You can login to the Azure portal and have the appropriate access to grant InsightCloudSec access to your account(s).
- Non-Admin User: You can interact with InsightCloudSec and would like to onboard an Azure account(s) but do not have the appropriate Azure access to grant InsightCloudSec access to your account(s).
In addition, we also provide instructions for:
- Existing Cloud Accounts: For information about modifying an existing Azure account, check out the Cloud Account Setup & Management page.
Need Support?
We are here to help! If you have questions or concerns reach out to us through the Customer Support Portal.
Configuration Information for Azure Cloud
Azure Cloud Details
There are several steps that must be taken within the Azure Cloud console to enable InsightCloudSec to get access to an account, and this page provides those steps.
Additional Resources on Azure include:
All Azure roles that provide appropriate permissions to InsightCloudSec are contained on Azure Custom Roles.
Additional Azure-related InsightCloudSec Features
InsightCloudSec offers some features that require additional permissions/roles within Azure. It is easiest to perform this configuration while onboarding a subscription/management group. Review the links below to determine which features you'd like to use and we'll provide a reminder to perform the additional configuration during the instructions below.
Roles
Custom Reader User Role
This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Reader Plus User Role
The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:
"Microsoft.Web/sites/config/list/Action""Microsoft.Web/sites/slots/config/list/Action"
For the permissions above, the config/list/Action permission provides visibility to determine if Web Apps are configured to require authentication and for Serverless Functions to determine if the function is enabled/disabled. The caveat is that those permissions also provide access to any environment variables configured for WebApps, which may contain sensitive information.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Power User Role
The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Support
Review Azure Overview & Support for a full list supported Azure services.
Unique Naming
Unique names should be used when defining network rules in Azure resources. This will avoid duplicate rules being discarded during Harvesting Strategies.
Non-Admin Onboarding for Azure
If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Microsoft Azure Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with answers and/or content for the following required fields:
- An Azure Cloud Environment (Commercial, Government, China)
- A Nickname
- An Application ID
- A Tenant ID
- An authentication type and credentials
Steps for Non-Admin Onboarding
The steps to complete this process for both First-time Users and Returning Users are provided below. Step 2a and 2b provide specifics for the two user types.
1. Log in to your InsightCloudSec installation.
2-a. For first-time users a successful log in should launch the Onboard a Cloud Account workflow. You will need to select "Microsoft Azure" as your Cloud Service Provider, and then select "No - Help me identify the details needed". Click "Next" to start the onboarding process.
2-b. For returning users navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". *You will need to select "Microsoft Azure" as your Cloud Service Provider, and then select the "Don't have admin access?" option at the bottom right of the window.
3. Copy the details from "Microsoft Azure Admin Instructions" and share them with your Admin.
4. Once your Admin has completed the setup, they can provide you with the required information to complete the configuration.
5. Return to the onboarding workflow, provide input to the required fields to finalize your Azure onboarding setup and click "Connect".
Admin Onboarding for Azure
For administrative users, the documentation includes step-by-step instructions for the configuration required in both the Azure portal and the InsightCloudSec Onboarding Wizard to onboard an Azure account (or accounts). Choose one of the options below by clicking the associated link to jump to the relevant instructions. There are three options for Admin onboarding:
- Manual Onboarding (Azure Console) -- Onboard an Azure subscription or management group manually using the Azure Console
- Automated Onboarding (Azure Cloud Shell) -- Onboard an Azure subscription or management group by uploading a Python script to the Azure Cloud Shell
- Automated Onboarding (Azure CLI) -- Onboard an Azure subscription or management group by running a Python script on your local machine with the Azure CLI
Organization Post-Onboarding Information
If you followed one of the sections above and onboarded an Azure Organization, you should have at least your Management Account with full visibility in InsightCloudSec. Review the following sections for more information on augmenting your Organization onboarding experience or managing the Organization within InsightCloudSec.
Enabling Account Discovery
Once a Management Account is onboarded to InsightCloudSec, we automatically detect the Organization and prompt you to enable Account Discovery. If you clicked the "Enable Auto Discovery" button within the onboarding wizard, you'll be taken to the Edit Organization Config window for the new Organization.
1. From the Edit Organization Config window, select the "Auto-Sync Subscriptions" checkbox.
2. Click "UPDATE".
Once enabled, Accounts are discovered via the API dynamically and configured with defaults you provide.
Modifying an Organization
After onboarding an Azure Organization, you can edit configuration information at any time.
1. From InsightCloudSec, click expand "CLOUD", then click "Cloud Accounts -> Organizations".
2. Next to the desired Organization, click the options button (hamburger icon), then click "Edit Organization".
3. Adjust the nickname or credentials values as necessary.
4. Adjust the scope/badging options as necessary:
- "Subscriptions to Skip" -- Enter details for subscriptions (ID’s or Names) to be skipped (e.g., you have a group of development subscriptions you are not interested in tracking)
- "Auto-Sync Subscriptions" (checkbox) -- Select this box to add all subscriptions associated with the tenant. Note: If not checked, each subscription must be added manually
- "Auto-remove disabled subscriptions" (checkbox) -- Select this box to automatically remove suspended Azure subscriptions from InsightCloudSec. As soon as this checkbox is enabled, a background process will begin running and remove the subscriptions automatically as they are found
- "Auto-Badge Subscriptions" (checkbox) -- Select this box to allow InsightCloudSec to automatically badge your incoming accounts based on Azure subscription tags
- “Limit import scope” (checkbox) -- Select this box and provide Management Group ID(s) to only include the given group(s) and anything underneath it
5. Click "UPDATE".
Auto-badging
As an enhancement to support for provider-based organizations, InsightCloudSec includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of labels to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.
Note: Once the tags and labels are harvested into InsightCloudSec as badges - you cannot delete them in InsightCloudSec - they must be deleted in Azure and the changes will propagate to InsightCloudSec.
Auto badging takes place in two stages:
-
Periodically a process retrieves tags/labels from each subscription and compares them with ResourceTags associated with the corresponding cloud in the InsightCloudSec database.
- If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be locally modified since any local changes will be overwritten the next time the process runs. Additionally any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
-
Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud the list of tags for that cloud is compared with the current list of Badges and for each Key/Value pair of tags:
- Existing Badges with a Key prefix of
system.are skipped. - If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
- If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
- If a Badge no longer has a tag with a corresponding Key, it will be deleted.
- All Badges that have a corresponding tag will have their
autogeneratedcolumn set to "true" even if they were previously set to "false".
- Existing Badges with a Key prefix of
Microsoft Key Vault Harvesting
As mentioned above, if you used a recommended role during setup, you cannot harvest Microsoft Key Vault key rotation policies because of a limitation with Azure management group-scoped roles and dataActions permissions. Unfortunately, the only workaround currently is to add a custom role with the permission to each subscription within the Management Group. The InsightCloudSec documentation discusses this in the manual onboarding instructions. Reach out to us through the Customer Support Portal for more information.
Updated 4 months ago