Onboard an Azure Account

After InsightCloudSec is successfully installed, you're ready to start harvesting data from your Accounts, which requires configuring Microsoft Azure to "talk" with InsightCloudSec securely. As your inventory grows and your cloud accounts are fully visible, you can then begin to leverage the rest of InsightCloudSec, including Insights, Bots, Layered Context, and more.

This page and the functionality detailed here refer to the provider-specific Accounts capability available under Cloud > Cloud Accounts. If you are looking to onboard an Azure Organization instead, see Onboard an Azure Organization.

Opening the Cloud Account Onboarding Interface

Before you can begin the onboarding process, you'll need to navigate to the Cloud Account Onboarding interface, which provides a different experience depending on the type of user you are:

UserDescriptionExperience
First-time UserInsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.Platform Users:
Onboarding wizard launched from Platform Home by clicking the InsightCloudSec tile.

InsightCloudSec Only Users:
The onboarding wizard appears automatically after logging in using your unique InsightCloudSec URL.
Returning UserInsightCloudSec has one or more CSPs already onboarded and you would like to add a new account.Launched from within InsightCloudSec. Not a wizard.
Admin UserYou can login to the cloud provider and have the appropriate access to grant InsightCloudSec access to your account(s).As an admin, you will need to complete some specific tasks within your Cloud Service Provider's (CSP) console to generate details needed for onboarding that either you or a non-admin user can input to InsightCloudSec.
Non-Admin UserYou can interact with InsightCloudSec and would like to onboard an account(s) but do not have the appropriate CSP access to grant InsightCloudSec access to your account(s).You will need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information you need to complete onboarding.

Onboarding an Azure Account

A couple methods for onboarding your Azure Accounts (subscriptions in Azure's parlance) are available depending on whether you're a non-admin or admin user.

Resuming cloud onboarding to InsightCloudSec

If you close the interface before completing Account onboarding, you can resume onboarding from the page you were on last.

Non-Admin User Instructions

Ask an admin for required information

As a non-admin user, you need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information needed to complete onboarding.

First-time Users
  1. Login to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
    • Open a browser window to your unique InsightCloudSec URL and login. The onboarding wizard will appear automatically.
  2. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
  3. On the Cloud Service Providers screen, select Microsoft Azure.
  4. Select No - Help me identify the details needed, then click Next.
  5. Click the Copy button in the Microsoft Azure Admin Instructions text box and share them with the admin.
Returning Users
  1. Login to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click the InsightCloudSec tile.
    • Open a browser window to your unique InsightCloudSec URL and login.
  2. Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
  3. Click the + Add Cloud button in the top right corner.
  4. Click the Microsoft Azure button.
  5. Click Don't have admin access? in the bottom right corner of the window.
  6. Click the Copy button in the Microsoft Azure Admin Instructions text box and share them with the admin.

Connect the Account

When your admin has completed their steps and provided the information to you, you can now connect the Account.

First-time Users
  1. Return to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
    • Open a browser window to your unique InsightCloudSec URL and login. The onboarding wizard will appear automatically.
  2. The wizard should automatically return you to the Microsoft Azure Admin Instructions page.
  3. Enter the following information (provided by your admin):
    1. Select the Azure partition (Commercial, Government, China) in which the Account is located.
    2. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
    3. Copy/paste the Application (Client) ID and Directory (Tenant) ID.
    4. Select the authentication type.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    5. Copy/paste the Subscription ID.
  4. Click Connect Account.
Returning Users
  1. Login to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click the InsightCloudSec tile.
    • Open a browser window to your unique InsightCloudSec URL and login.
  2. Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
  3. Click the + Add Cloud button in the top right-hand corner.
  4. Click the Microsoft Azure button.
  5. Click Don't have admin access? in the bottom right-hand corner of the window.
  6. Enter the following information (provided by your admin):
    1. Select the Azure partition (Commercial, Government, China) in which the Account is located.
    2. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
    3. Copy/paste the Application (Client) ID and Directory (Tenant) ID.
    4. Select the authentication type.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    5. Copy/paste the Subscription ID.
  7. Click Connect Account.
Admin User Instructions

As an admin, you must prepare your Account(s) for the connection with InsightCloudSec by creating a new application registration & creating and assigning custom roles within Azure. For more information on the custom roles that InsightCloudSec provides, review Azure Overview & Support.

Providing details to a non-admin user?

If you are providing details to a non-admin user to onboard the Account, ensure that the credentials you share with the non-admin user will include the appropriate access and enable them to connect your Azure subscription with InsightCloudSec successfully. We recommend using a secure file sharing system to provide credentials to your non-admin user.

Azure Admin Onboarding Prerequisites

InsightCloudSec offers some features that require additional permissions/roles within Azure. It is easiest to perform this configuration while onboarding an account/organization. Review the links below to determine which features you'd like to use and we'll provide a reminder to select the relevant options later.

Prepare Azure for Onboarding

To onboard a single subscription for Azure you need to complete one of the following set of instructions:

Manual Onboarding using the Azure console
Step 1: Create a new Microsoft Entra ID Application Registration

The Azure subscription that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

Multiple Browser Tabs/Windows Recommended

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the Azure console open side-by-side in your preferred browser's windows/tabs.

  1. Login to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Manual Steps, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Manual Steps.
  2. In a separate browser tab or window, login as an Admin to the Azure Console for the subscription you want to harvest.

In the Azure Console:

  1. Add a New Application Registration.
    • Navigate to the Microsoft Entra ID home page.
    • Click App registrations, located under the Manage menu.
    • Click New registration.
  2. Describe the New App Registration.
    • Enter a Name to denote that this app is used for InsightCloudSec, e.g., InsightCloudSec Azure Application.
    • Select the supported account type. We recommend using the Single Tenant option.
    • Optionally, enter a Redirect URI using the specified URL format. This may be required later for authentication.
    • Click Register to create the app registration.
  3. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application (Client) ID and the Directory (Tenant) ID. Copy both of these IDs to a safe location; you will need to use these values later.
  4. From the new application's Overview page, click Certificates & secrets from the Manage menu on the left side.
  5. Create and save a certificate or secret for this Application.
    • To use a Certificate:
      • Generate a certificate (public key) locally and save it to a secure location.
      • From the Certificates & secrets page in Azure, click the Certificates tab.
      • Click Upload certificate.
      • Click Select a file and navigate to the certificate on your computer.
      • Click Open.
      • Optionally, provide a description.
      • Click Add. Your certificate's thumbprint will be displayed.
      • Copy the certificate value and thumbprint to a secure location; you will need to use this later.
    • To use a Client secret:
      • From the Certificates & secrets page in Azure, click the Client secrets tab.
      • Click New client secret.
      • Give your client secret a description.
      • Set an expiration period for your secret.
      • Click Add. Your new client secret's values will be displayed.
      • Copy the generated client secret key value to a safe location; you will need to use this value later. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.
  6. Set up permissions for this App Registration.
    • From the application's Overview page, click API permissions from the Manage menu on the left side.
    • Click Add a permission.
    • Click Microsoft Graph.
  7. Select Application Permissions.
    • Search for Directory.Read.All under the Directory section.
      • The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.
    • Check the box next to the permission and click Add permissions.
    • Search for AuditLog.Read.All under the "AuditLog" section.
    • Check the box next to the permission and click Add permissions.
  8. Click Grant admin consent for Default Directory, then confirm the selection.

In the InsightCloudSec Cloud Onboarding interface:

  1. For 1. Authentication:
    1. Select the Azure partition (Commercial, Government, China) in which the subscription is located.
    2. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
    3. Select the authentication type you configured within the Azure console.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    4. Click Next.
Step 2: Create custom role(s)

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data (and providing resource visibility), you'll need to create the appropriate IAM role; InsightCloudSec offers a few.

Using a standard role?

If you are planning on using a standard Azure role (e.g., not one of the InsightCloudSec-provided custom roles), skip to Step 3. If you wish to enable any of the additional Azure-related InsightCloudSec features, you should cross-reference the features' requirements with the standard roles to determine any permissions that will need to be added manually.

Adding a Custom Role for Resource Visibility

In the Azure Console:

  1. Navigate to Subscriptions and select the subscription you want to onboard.

  2. On the Overview page, copy the Subscription ID. You will need this ID for connecting the subscription.

  3. From the menu panel on the left, select Access control (IAM).

  4. From the Access control (IAM) page, click Add > Add custom role.

  5. Provide the Basics.

    1. Provide a custom role name.
    2. Optionally, provide a description for the role.
    3. Select Start from scratch.

  6. Update the generated JSON file for the correct permissions.

    1. Click the JSON tab.
    2. Click Edit.
    3. Download one of the roles discussed on the Azure Overview & Support page. The roles are also available inside the Cloud Onboarding interface in InsightCloudSec.
    4. Return to the Azure Console and replace the JSON object with the one you just copied.
    5. Update the placeholder Subscription ID for the ID associated with the subscription you're onboarding to InsightCloudSec.
    6. Click Save.

    Additional Azure-related InsightCloudSec Features

    At this point in the process, it would be easiest to update the newly-created harvesting role with permissions for any additional Azure-related InsightCloudSec features.

  7. Click Review + create.

    • The JSON will be validated. If successful, verify everything looks correct.
    • Click Create.

In the InsightCloudSec Cloud Onboarding interface:

  1. For 2. Roles:
    1. Select Subscription.
    2. Copy/paste the Subscription ID.
    3. Click Next.
Step 3: Assign the role(s)

Standard and custom roles alike must be assigned to a Subscription so it can be harvested properly and securely. You'll need to add the IAM role (e.g., Reader, Reader Plus, etc.) assignment.

Assigning the IAM Role

In the Azure Console:

  1. From the desired subscription's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add role assignment.
  3. Select the role you wish to assign, then click Next.
  4. Add the Application Registration as a member.
    1. Leave the Assign access to field as the default value (User, group, or service principal).
    2. Next to Members, click + Select members.
    3. In the Select panel, begin typing the name of the application you created earlier. Select that application once it appears, then click Select.
    4. Click Review + assign to add the role.

Manual Onboarding instructions complete!

After completing these steps, you have completed the manual onboarding instructions for Azure. Jump to the Connect the Account in InsightCloudSec instructions.

Automated Onboarding using Azure Cloud Shell

The Azure subscription that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing. All of this can be completed in an automated fashion using the InsightCloudSec Azure Onboarding script in the Azure Cloud Shell.

Multiple Browser Tabs/Windows Recommended

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the Azure console open side-by-side in your preferred browser's windows/tabs.

  1. Login to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Microsoft Azure Script, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Script.
  2. In a separate browser tab or window, login as an Admin to the Azure Console for the primary subscription you want to harvest.

In the InsightCloudSec Cloud Onboarding interface:

  1. Select the Azure partition (Commercial, Government, China) in which the subscription is located.
  2. Select Subscription.
  3. Select the desired authentication type.
  4. Click Generate & Download Script.

In the Azure Console:

  1. In the top bar, click the Cloud Shell icon to open the Cloud Shell. If this is your first time using the Cloud Shell, you'll be prompted to select the type of shell and storage within a subscription to persist files between sessions. Review the Azure Documentation for more information.

  2. Click the Upload/Download Files icon, then click Upload and select the onboarding script from its downloaded location. The file will be uploaded to /home/<username> by default.

  3. Run the script (python onboard.py) and follow the prompts to create everything needed to onboard the Account. If you uploaded the onboarding script to somewhere other than the default, you'll need to include the directory location with the command.

    • Provide an Application Registration name (or press Enter to use the default).
    • Provide the subscription ID for the Account you wish to onboard (or press Enter to use the current Subscription).
    • Provide a number corresponding to the role you wish to use for harvesting (or press Enter to use the default). Review Azure Overview & Support for more information.
    • The configuration is complete. The necessary values are displayed.

    Additional Azure-related InsightCloudSec Features

    At this point in the process, it would be easiest to update the newly-created harvesting role with permissions for any additional Azure-related InsightCloudSec features.

  4. Copy the necessary configuration information (Tenant ID, Subscription ID, Application Registration name, Application Registration ID, Application Registration password a.k.a. Secret Key Value) to a secure location.

In the InsightCloudSec Cloud Onboarding interface:

  1. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
  2. Copy/paste the relevant authentication value(s).
    • If you chose API/Secret, copy/paste the Secret Key Value.
    • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
  3. Copy/paste the Subscription ID.

Cloud Shell Onboarding instructions complete!

After completing these steps, you have completed the automated onboarding instructions for Azure Cloud Shell. Jump to the Connect the Account in InsightCloudSec instructions.

Automated Onboarding using Azure CLI

The Azure subscription that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing. All of this can be completed in an automated fashion using the InsightCloudSec Azure Onboarding script in the Azure CLI.

Prerequisites

These instructions and prerequisites have only been tested on a Unix-based system.

  1. Login to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Microsoft Azure Script, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Script.
  2. In a separate browser tab or window, login as an Admin to the Azure Console for the primary subscription you want to harvest.

In the InsightCloudSec Cloud Onboarding interface:

  1. Select the Azure partition (Commercial, Government, China) in which the subscription is located.
  2. Select Subscription.
  3. Select the desired authentication type.
  4. Click Generate & Download Script.

In a local terminal window:

  1. Login to the Azure CLI: az login

  2. Run the script (python onboard.py) and follow the prompts to create everything needed to onboard the Account. If you're not currently in the location of the onboarding script, you'll need to include the directory location with the command.

    • Provide an Application Registration name (or press Enter to use the default).
    • Provide the subscription ID for the Account you wish to onboard (or press Enter to use the current Subscription).
    • Provide a number corresponding to the role you wish to use for harvesting (or press Enter to use the default). Review Azure Overview & Support for more information.
    • The configuration is complete. The necessary values are displayed.

    Additional Azure-related InsightCloudSec Features

    At this point in the process, it would be easiest to update the newly-created harvesting role with permissions for any additional Azure-related InsightCloudSec features.

  3. Copy the necessary configuration information (Tenant ID, Subscription ID, Application Registration name, Application Registration ID, Application Registration password a.k.a. Secret Key Value) to a secure location.

In the InsightCloudSec Cloud Onboarding interface:

  1. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
  2. Copy/paste the relevant authentication value(s).
    • If you chose API/Secret, copy/paste the Secret Key Value.
    • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
  3. Copy/paste the Subscription ID.

Azure CLI Onboarding instructions complete!

After completing these steps, you have completed the automated onboarding instructions for Azure CLI. Jump to the Connect the Account in InsightCloudSec instructions.

Connect the Account in InsightCloudSec

The Azure onboarding process is nearly complete; all that remains is to setup an account nickname in InsightCloudSec and verify the account connection.

In the InsightCloudSec Cloud Onboarding interface:

  1. Provide the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
  2. Click Connect Account.

Success! You onboarded an Account

Congratulations on successfully onboarding an Azure Account! InsightCloudSec will now detect the following:

  • If there are any missing permissions that could cause impaired visibility into your Account
  • For information about modifying an existing onboarded account, check out the Cloud Account Setup & Management page.