Azure - Onboarding

Instructions for Onboarding an Azure Account or Accounts with InsightCloudSec

After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target accounts. This documentation provides details on configuring Azure to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.

Getting Started with Onboarding Azure

Before you can begin the Azure onboarding process, you'll need to log in to InsightCloudSec and open the Cloud Account Onboarding Wizard, which provides a different experience depending on the type of user you are:

  • First-time User: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
  • Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new Azure account.
  • Admin User: You can log in to the Azure portal with sufficient privileges to grant InsightCloudSec access to your account(s).
  • Non-Admin User: You can use InsightCloudSec and want to onboard one or more Azure accounts, but you do not have the Azure privileges needed to grant InsightCloudSec access to them.

In addition, we also provide instructions for:


Need Support?

We are here to help! If you have questions or concerns reach out to us through the Customer Support Portal.

Configuration Information for Azure Cloud

Azure Cloud Details

There are several steps that must be taken within the Azure Cloud console to enable InsightCloudSec to get access to an account, and this page provides those steps.

Additional Resources on Azure include:

All Azure roles that provide appropriate permissions to InsightCloudSec are contained on Azure Custom Roles.


Additional Azure-related InsightCloudSec Features

InsightCloudSec offers some features that require additional permissions/roles within Azure. It is easiest to perform this configuration while onboarding a subscription/management group. Review the links below to determine which features you'd like to use and we'll provide a reminder to perform the additional configuration during the instructions below.

Roles

Custom Reader User Role

This role grants InsightCloudSec read-only permissions to the resources it supports, so data is harvested and available for reporting. Because it enumerates specific resource types rather than using a wildcard, the role must be updated manually each time InsightCloudSec adds support for a new Azure service.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Reader Plus User Role

The Reader Plus role is similar to the built-in Azure Reader role: it grants read-only access to all resources through a wildcard rather than enumerating only the resources that InsightCloudSec supports, so unlike the Custom Reader role it does not need updating as new services are supported. In addition, the following permissions are explicitly granted:

  • "Microsoft.Web/sites/config/list/Action"
  • "Microsoft.Web/sites/slots/config/list/Action"


The config/list/Action permissions let InsightCloudSec determine whether Web Apps are configured to require authentication and whether Serverless Functions are enabled or disabled. The caveat is that the same list action returns a Web App's security-sensitive settings, including its application settings (environment variables) and connection strings, which may contain secrets. Keep this in mind when deciding which role to assign.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Power User Role

The InsightCloudSec Azure Power User role grants InsightCloudSec full permissions on supported resources so it can act on cloud resources in addition to monitoring and reporting on them. Like the Custom Reader role, it enumerates specific resource types and must be updated manually each time InsightCloudSec adds support for a new Azure service.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Non-Admin Onboarding for Azure

If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Microsoft Azure Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with answers and/or content for the following required fields:

  • An Azure Cloud Environment (Commercial, Government, China)
  • A Nickname
  • An Application ID
  • A Tenant ID
  • An authentication type and credentials

Steps for Non-Admin Onboarding

The steps to complete this process for both First-time Users and Returning Users are provided below. Steps 2-a and 2-b provide specifics for the two user types.

1. Log in to your InsightCloudSec installation.

2-a. For first-time users, a successful login launches the Onboard a Cloud Account workflow. Select "Microsoft Azure" as your Cloud Service Provider, then select "No - Help me identify the details needed" and click "Next" to start the onboarding process.

2-b. For returning users, navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". Select "Microsoft Azure" as your Cloud Service Provider, then select the "Don't have admin access?" option at the bottom right of the window.

3. Copy the details from "Microsoft Azure Admin Instructions" and share them with your Admin.

4. Once your Admin has completed the setup, they can provide you with the required information to complete the configuration.

5. Return to the onboarding workflow, provide input to the required fields to finalize your Azure onboarding setup and click "Connect".

Admin Onboarding for Azure

For admin users, this section provides step-by-step instructions for the configuration required in both the Azure portal and the InsightCloudSec Onboarding Wizard.

  • If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.

  • If you have connected to InsightCloudSec previously but are setting up Azure for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.

Using either path above select "Microsoft Azure" as your CSP to get started with the admin onboarding.

Azure Onboarding Landing Page

App Registration & Permissions (Step 1)

In the Azure Portal - Create an App Registration

1. Log in to the Azure Portal using the account you would like to connect to InsightCloudSec.

2. Add a New Application Registration.

  • Select "Azure Active Directory" (now Microsoft Entra ID) from the navigation menu on the far left.
  • Select "App registrations" under the Manage menu.
  • Select "New registration".

New App Registration

3. Describe the New App Registration.

  • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Account".
  • Select the supported account type. Note: We recommend using the Single Tenant option.
  • Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
    • Note: This may be required later for authentication
  • Select "Register" to create the app registration.

Application Configuration

4. Once you have registered your app, its Overview page opens. It displays both the Application (client) ID and the Directory (tenant) ID; these are the Application ID and Tenant ID that the onboarding wizard asks for.


Application ID and Tenant ID

Copy the Application ID and Tenant ID to a secure location.

Application Overview - Application (client) ID and Directory (tenant) ID


In the Azure Portal - Configure Authentication and Permissions

This section covers configuring an authentication method for InsightCloudSec to connect to your Azure account. There are two options:

  • Uploading a certificate
  • Creating a client secret

Note: These instructions walk through creating a client secret. If you prefer a certificate, upload it under "Certificates & secrets", confirm the upload succeeded, and copy the PEM certificate and its thumbprint to a secure location.

1. Create and save a key for this Application.

  • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
  • Under Client secrets, click "New client secret".
  • Give your client secret a description.
  • Set an expiration period for your secret. Record the expiry date: once the secret expires, InsightCloudSec can no longer authenticate and harvesting stops, so plan to create a replacement secret and update the credentials in InsightCloudSec before then.
  • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

Add Client Secret

2. Copy the generated client secret key value to a safe location; you will need to use this value later.


Credentials

Copy the Client secret key (API Key) to a secure location. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.


Copy Secret Value

3. Set up permissions for this App Registration.

  • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
  • Select "Add a permission".
  • Select "Microsoft Graph".

Microsoft Graph - Adding Permissions

4. Select "Application Permissions".

  • Search for Directory.Read.All under the "Directory" section.
  • Check the box next to the permission and click "Add permissions".
  • Search for AuditLog.Read.All under the "AuditLog" section.
  • Check the box next to the permission and click "Add permissions".


Azure Application Credentials Permissions

The Directory.Read.All permission includes Application.Read.All, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information, and contact the support team through the Customer Support Portal with any questions.


Microsoft Graph API - Application Permissions

5. Click "Grant admin consent for <your tenant name>" (shown as "Grant admin consent for Default Directory" when the tenant still has its default name), then confirm the selection. Application permissions have no effect until an administrator consents to them; until then, InsightCloudSec's Microsoft Graph requests are refused.


Grant Admin Consent
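Before handing the Tenant ID, Application ID and client secret to the onboarding wizard, it is worth confirming that the consent step above actually took effect. The following Python is an added example (not Rapid7's code and not part of InsightCloudSec): it obtains an app-only token with the client-credentials grant and checks that the token's "roles" claim carries Directory.Read.All and AuditLog.Read.All. The authority hosts, Graph resource URLs and Microsoft Graph's well-known application ID are Microsoft's published values rather than anything on this page; the tokens produced by make_unsigned_token() are constructed for offline testing only, and the claim check deliberately performs no signature validation, which is acceptable solely because the token being inspected was just received from the identity provider by this same code.

```python
"""Confirm the app registration's Microsoft Graph consent before onboarding.

Added example, not Rapid7's code and not part of InsightCloudSec. Acquires
an app-only token with the client-credentials grant using the Tenant ID,
Application ID and client secret collected above, then checks that the
token's 'roles' claim carries the two application permissions consented in
the portal. make_unsigned_token() builds constructed tokens for offline
testing; no signature is ever validated here.
"""
import base64
import json
import urllib.parse
import urllib.request

# Authority host and Graph resource for each Azure Cloud Environment the
# onboarding wizard offers (Commercial, Government, China). Microsoft's
# published endpoints, not values from this page.
CLOUDS = {
    "Commercial": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "Government": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
    "China": ("https://login.chinacloudapi.cn", "https://microsoftgraph.chinacloudapi.cn"),
}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID
REQUIRED_GRAPH_ROLES = {"Directory.Read.All", "AuditLog.Read.All"}


def acquire_token(tenant_id, app_id, client_secret, cloud="Commercial"):
    """Client-credentials grant against the v2.0 token endpoint (network call)."""
    authority, graph = CLOUDS[cloud]
    body = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": f"{graph}/.default",  # app-only: every consented application permission
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(f"{authority}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims; no signature check (inspection only)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_graph_consent(jwt, required=REQUIRED_GRAPH_ROLES, cloud="Commercial"):
    """Return the required Graph app roles missing from the token (empty set == OK).

    An app-only token with no 'roles' claim at all means admin consent was never
    granted for the application permissions; Graph then answers 403 to every call.
    """
    claims = decode_claims(jwt)
    if claims.get("aud") not in (CLOUDS[cloud][1], GRAPH_APP_ID):
        raise ValueError(f"token is not for Microsoft Graph: aud={claims.get('aud')!r}")
    return set(required) - set(claims.get("roles", []))


def make_unsigned_token(claims):
    """Constructed test token: header.payload.signature with a dummy signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Stand-alone: offline demonstration on a constructed token. With real
    # credentials, call acquire_token(...) and pass its result instead.
    token = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                 "roles": ["Directory.Read.All"]})
    print("missing roles:", check_graph_consent(token) or "none")
```

If check_graph_consent() reports a missing role, go back to "API permissions" and confirm both that the permission was added as an Application permission (not Delegated) and that the "Grant admin consent" button was clicked; a token issued before consent will not pick up the new roles until it is re-acquired.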


In the InsightCloudSec Onboarding Wizard

1. Scroll down to the "Create Custom Role" section.

2. Open one of the custom roles in a new tab and copy the JSON.

In the Azure Portal - Create a Role

1. Navigate to the Subscriptions page.

  • Select "All Services" from the navigation menu, then select "Subscriptions".

Subscriptions

2. Identify the subscription with which you wish to associate your application.


Subscription ID

Copy the Subscription ID to a secure location.


Subscription ID

Note: The following section uses the Azure Portal to create and assign a role at subscription scope. Azure documents several other methods, e.g., Azure CLI, REST API, and PowerShell, for creating and assigning roles.

3. From the desired subscription's menu panel on the left, navigate to "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."


Add Custom Role

4. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".

Custom Role Basics

5. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".

Key Rotation Permissions

The recommended custom roles do not include the Key Vault dataActions permission "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). If you want InsightCloudSec to harvest key rotation policies, add this permission to the role's "dataActions" now, before saving. Note that dataActions apply only to vaults that use the Azure role-based access control permission model; vaults still using access policies are unaffected.

  • Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
  • Replace the placeholder Subscription ID with the ID of the subscription you're integrating with InsightCloudSec.
  • Verify the JSON. It should look similar to the example below, which uses the Reader Plus custom role.
  • Click "Save". The "Review + create" button will become active.

Custom Role JSON Example

6. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".

Create Custom Role
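The Roles section and the custom-role steps above both come down to the same chores: replace the Subscription ID placeholder, optionally add the Key Vault key-rotation dataAction, and understand what the role grants before you paste it into the portal. The following Python is an added example (not Rapid7's code and not the role files in its S3 bucket) that performs those pre-flight checks. It assumes the JSON shape the portal's "JSON" tab shows (a top-level "properties" object) and an assumed placeholder string "<subscription_id>"; SAMPLE_ROLE_JSON is a constructed stand-in modelled on the Reader Plus description, and the audit flags the two Microsoft.Web list actions separately because of the secrets caveat noted under Reader Plus.

```python
"""Pre-flight checks on an InsightCloudSec custom-role definition.

Added example, not Rapid7's code. SAMPLE_ROLE_JSON is a constructed stand-in
shaped like the portal's custom-role JSON and modelled on the Reader Plus
description ('*/read' plus two explicit Microsoft.Web list actions); the real
definitions come from Rapid7's S3 bucket. PLACEHOLDER is an assumed token:
check the downloaded file for the string it actually uses.
"""
import copy
import json
import re

PLACEHOLDER = "<subscription_id>"  # assumed; match it to the downloaded file
SUBSCRIPTION_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# "Read" in spirit but secret-bearing: listing a Web App's config returns its
# app settings and connection strings (the Reader Plus caveat).
SENSITIVE_LIST_ACTIONS = {
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Web/sites/slots/config/list/Action",
}
KEY_ROTATION_DATA_ACTION = "Microsoft.KeyVault/vaults/keyrotationpolicies/read"

# Constructed sample in the shape the portal's "JSON" tab shows.
SAMPLE_ROLE_JSON = json.dumps({
    "properties": {
        "roleName": "InsightCloudSec Reader Plus",
        "description": "Read-only harvesting access for InsightCloudSec",
        "assignableScopes": [f"/subscriptions/{PLACEHOLDER}"],
        "permissions": [{
            "actions": ["*/read"] + sorted(SENSITIVE_LIST_ACTIONS),
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}, indent=2)


def _load(role):
    """Accept the JSON text or an already-parsed dict; never mutate the input."""
    return json.loads(role) if isinstance(role, str) else copy.deepcopy(role)


def render_role(template, subscription_id, add_key_rotation=False):
    """Fill in the subscription placeholder and optionally add the Key Vault
    key-rotation dataAction. dataActions only take effect on vaults using the
    Azure RBAC permission model, not the legacy access-policy model."""
    if not SUBSCRIPTION_ID_RE.match(subscription_id):
        raise ValueError(f"not a subscription ID (GUID): {subscription_id!r}")
    role = _load(template)
    props = role["properties"]
    props["assignableScopes"] = [
        s.replace(PLACEHOLDER, subscription_id) for s in props["assignableScopes"]]
    if add_key_rotation:
        data_actions = props["permissions"][0].setdefault("dataActions", [])
        if KEY_ROTATION_DATA_ACTION not in data_actions:
            data_actions.append(KEY_ROTATION_DATA_ACTION)
    return role


def is_read_only(action):
    """Control-plane actions ending in /read (including */read) cannot change state."""
    return action.endswith("/read")


def audit_role(role):
    """Summarise what a role grants before pasting it into the portal.

    write_actions lists anything that is neither a read nor one of the known
    sensitive list actions; for a reader-style role this should be empty.
    """
    props = _load(role)["properties"]
    actions = [a for p in props["permissions"] for a in p.get("actions", [])]
    return {
        "roleName": props.get("roleName"),
        "scopes": list(props["assignableScopes"]),
        "placeholders_left": [s for s in props["assignableScopes"] if PLACEHOLDER in s],
        "write_actions": [a for a in actions
                          if not is_read_only(a) and a not in SENSITIVE_LIST_ACTIONS],
        "sensitive_actions": [a for a in actions if a in SENSITIVE_LIST_ACTIONS],
        "data_actions": [d for p in props["permissions"] for d in p.get("dataActions", [])],
    }


if __name__ == "__main__":
    # Stand-alone run: render with a made-up subscription ID and print the audit.
    rendered = render_role(SAMPLE_ROLE_JSON, "11111111-2222-3333-4444-555555555555",
                           add_key_rotation=True)
    print(json.dumps(audit_role(rendered), indent=2))
```

For the Power User role the audit will, by design, list write-capable actions; the useful signal there is whether they stay within the resource types you expect InsightCloudSec to act on. The helper targets the portal's JSON tab only: the Azure CLI's `az role definition create` expects a flatter schema, so convert before using that route.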


In the Azure Portal - Assign the Role

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."


Add Role Assignment

2. Select the role you wish to assign.

  • Select the role to assign, e.g., the custom role you created above (or a built-in role such as "Reader"), and click "Next" to continue.
  • Note: If you created a custom role, it is easiest to search for the role's name.

3. Add the Application Registration as a member.

  • Leave the Assign access to field as the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.

Select Application for Role Assignment

Additional Azure-related InsightCloudSec Feature Configuration

At this point, if you want to enable Container Vulnerability Management, Azure Event-Driven Harvesting, and/or Azure Least Privileged Access (LPA), perform the configuration steps found on each feature's separate page before continuing.

Tenant Visibility (optional) (Step 2)


Tenant Visibility Not Required?

If you do not wish to provide tenant visibility (and therefore forgo Subscription Auto Discovery), skip to the end of this section and click "Next" within the InsightCloudSec Onboarding Wizard.

For onboarding Azure Tenants, the recommended approach is to use InsightCloudSec's Subscription Auto Discovery feature, which eliminates manual configuration of each subscription. Introducing tenant visibility is a two-step process:

  • Create a custom role at the scope of the Tenant Root Group (the root management group)
  • Assign this new role to the existing Application Registration

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 2. Tenant Visibility (optional).

2. Scroll down to the "Custom Role Creation" section and expand the "Example Organization Reader Role" drop-down.

3. Click "Copy".

Azure Onboarding Tenant Visibility


In the Azure Portal - Create a Role

1. From the Tenant Root Group's menu panel on the left ("Management groups --> Tenant Root Group"), select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role." Note: Even a Global Administrator has no Azure RBAC rights at the root scope by default. If the IAM options are unavailable, the administrator must first elevate access ("Azure Active Directory (Microsoft Entra ID) --> Properties --> Access management for Azure resources") to obtain User Access Administrator at the root scope, and should switch that setting off again once the role has been created and assigned.


Add Custom Role

2. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".

Custom Role Basics

3. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".
  • Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
    • Note: The pasted code does not need to match the indentation level of the existing JSON.

Azure Organization Reader Role JSON

4. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".

Create Azure Organization Reader Role


In the Azure Portal - Assign the Role

1. From the Tenant Root Group's menu panel on the left (or that of another management group, if you want discovery scoped more narrowly), select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."


Add Role Assignment

2. Select the role you wish to assign.

  • Search for the new, custom Azure Organization Reader Role. Select it, then click "Next".

Search for Role

3. Add the Application Registration as a member.

  • Leave the Assign access to field as the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.

Select Application for Role Assignment

Connect Subscription (Step 3)

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 3. Connect Subscription.

2. Select the Azure Cloud Environment you'll be using.

3. Provide the Nickname, Tenant ID, Subscription ID, Application ID, and authentication type/credentials you copied earlier.

4. Click "Connect Account" to finalize your Azure setup.