Azure - Onboarding

After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target accounts. This documentation provides details on configuring Azure to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.

Getting Started with Onboarding Azure

Before you can begin the Azure onboarding process, you'll need to login to InsightCloudSec and open the Cloud Account Onboarding Wizard, which provides a different experience depending on the type of user you are:

First-time User: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new Azure account.
Admin User: You can login to the Azure portal and have the appropriate access to grant InsightCloudSec access to your account(s).
Non-Admin User: You can interact with InsightCloudSec and would like to onboard an Azure account(s) but do not have the appropriate Azure access to grant InsightCloudSec access to your account(s).

In addition, we also provide instructions for:

Existing Cloud Accounts: For information about modifying an existing Azure account, check out the Cloud Account Setup & Management page.

📘
Need Support?
We are here to help! If you have questions or concerns reach out to us through the Customer Support Portal.

Configuration Information for Azure Cloud

Azure Cloud Details

There are several steps that must be taken within the Azure Cloud console to enable InsightCloudSec to get access to an account, and this page provides those steps.

Additional Resources on Azure include:

All Azure roles that provide appropriate permissions to InsightCloudSec are contained on Azure Custom Roles.

👍
Additional Azure-related InsightCloudSec Features
InsightCloudSec offers some features that require additional permissions/roles within Azure. It is easiest to perform this configuration while onboarding a subscription/management group. Review the links below to determine which features you'd like to use and we'll provide a reminder to perform the additional configuration during the instructions below.

Azure Event-Driven Harvesting

Container Vulnerability Management

Azure Least Privileged Access (LPA)

Roles

Custom Reader User Role

This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Reader Plus User Role

The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:

"Microsoft.Web/sites/config/list/Action"
"Microsoft.Web/sites/slots/config/list/Action"

 For the permissions above, the config/list/Action permission provides visibility to determine if Web Apps are configured to require authentication and for Serverless Functions to determine if the function is enabled/disabled. The caveat is that those permissions also provide access to any environment variables configured for WebApps, which may contain sensitive information.

Azure Power User Role

The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

Non-Admin Onboarding for Azure

If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Microsoft Azure Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with answers and/or content for the following required fields:

An Azure Cloud Environment (Commercial, Government, China)
A Nickname
An Application ID
A Tenant ID
An authentication type and credentials

Steps for Non-Admin Onboarding

The steps to complete this process for both First-time Users and Returning Users are provided below. Step 2a and 2b provide specifics for the two user types.

1. Log in to your InsightCloudSec installation.

2-a. For first-time users a successful log in should launch the Onboard a Cloud Account workflow. You will need to select "Microsoft Azure" as your Cloud Service Provider, and then select "No - Help me identify the details needed". Click "Next" to start the onboarding process.

2-b. For returning users navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". *You will need to select "Microsoft Azure" as your Cloud Service Provider, and then select the "Don't have admin access?" option at the bottom right of the window.

3. Copy the details from "Microsoft Azure Admin Instructions" and share them with your Admin.

4. Once your Admin has completed the setup, they can provide you with the required information to complete the configuration.

5. Return to the onboarding workflow, provide input to the required fields to finalize your Azure onboarding setup and click "Connect".

Admin Onboarding for Azure

For administrative users this section includes step-by-step instructions for the configuration required in both the Azure portal and the InsightCloudSec Onboarding Wizard to connect.

If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.
If you have connected to InsightCloudSec previously but are setting up Azure for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.

Using either path above select "Microsoft Azure" as your CSP to get started with the admin onboarding.

App Registration & Permissions (Step 1)

In the Azure Portal - Create an App Registration

1. Login to the Azure Portal using the account you would like to connect to InsightCloudSec.

2. Add a New Application Registration.

Select "Azure Active Directory" from the navigation menu on the far left.
Select "App registrations" under Azure Active Directory's Manage menu.
Select "New registration".

3. Describe the New App Registration.

Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Account".
Select the supported account type. Note: We recommend using the Single Tenant option.
Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
- Note: This may be required later for authentication
Select "Register" to create the app registration.

4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID.

📘
Application ID and Tenant ID
Copy the Application ID and Tenant ID to a secure location.

1603 — Application Overview - Tenant and Directory IDs

In the Azure Portal - Configure Authentication and Permissions

This section will assist in configuring an authentication method for InsightCloudSec to connect to your Azure account. There's two options:

Uploading a certificate
Creating a client secret

Note: These instructions explicitly outline creating a client secret, so if you desire to use a certificate instead ensure it's uploaded successfully and copy the PEM certificate and Certificate Thumbprint to a secure location.

1. Create and save a key for this Application.

From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
Under Client secrets, click "New client secret".
Give your client secret a description.
Set an expiration period for your secret.
Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

2. Copy the generated client secret key value to a safe location; you will need to use this value later.

📘
Credentials
Copy the Client secret key (API Key) to a secure location. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.

3. Set up permissions for this App Registration.

From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
Select "Add a permission".
Select "Microsoft Graph".

1405 — Microsoft Graph - Adding Permissions

4. Select "Application Permissions".

Search for Directory.Read.All under the "Directory" section.
Check the box next to the permission and click "Add permissions".
Search for AuditLog.Read.All under the "AuditLog" section.
Check the box next to the permission and click "Add permissions".

📘
Azure Application Credentials Permissions
The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.

941 — Microsoft Graph API - Application Permissions

5. Click "Grant admin consent for Default Directory", then confirm the selection.

In the InsightCloudSec Onboarding Wizard

1. Scroll down to the "Create Custom Role" section.

2. Open one of the custom roles in a new tab and copy the JSON.

In the Azure Portal - Create a Role

1. Navigate to the Subscriptions page.

Select "All Services" from the navigation menu, then select "Subscriptions".

2. Identify the subscription with which you wish to associate your application.

📘
Subscription ID
Copy the Subscription ID to a secure location.

Note: The following section utilizes the Azure Portal to assign (and/or create) a role to a subscription. Azure details several other methods, e.g., via Azure CLI, REST API, Powershell, etc., for assigning (and/or creating) a role in their documentation.

3. From the desired subscription's menu panel on the left, navigate to "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

2. Provide the Basics.

Provide a custom role name.
Optionally, provide a description for the role.
Select "Start from scratch".

3. Update the generated JSON file for the correct permissions.

Click the "JSON" tab.
Click "Edit".

📘
Key Rotation Permissions
The recommended custom roles do not include the Microsoft Key Vault dataActions permission, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which  provides read access to key rotation policies (an InsightCloudSec-supported resource). If desired, you should add this permission to the policy now before saving it.

Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
Update the placeholder Subscription ID for the ID associated with the subscription you're integrating with InsightCloudSec.
Verify the JSON. It should look similar to the example below, which is using the Reader Plus custom role.
Click "Save". The "Review + create" button will become active.

4. Click "Review + create".

The JSON will be validated. If successful, verify everything looks correct.
Click "Create".

In the Azure Portal - Assign the Role

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

2. Select the role you wish to assign.

Select the type of role, e.g., "Reader", and click "Next" to continue.
Note: If you created a custom role, it might be easier to search for the role's name.

3. Add the Application Registration as a member.

Leave the Assign access to field as the default value ("User, group, or service principal").
Next to Members, click "+ Select members".
In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
Click "Review + assign" to add the role.

👍
Additional Azure-related InsightCloudSec Feature Configuration
At this point, if you wanted to enable Container Vulnerability Management, Azure Event-Driven Harvesting, and/or Azure Least Privileged Access (LPA) you should perform the configuration steps found on the separate pages below:

CVM - Azure Role Permissions

EDH - Azure Setup

Azure LPA Setup

Tenant Visibility (optional) (Step 2)

📘
Tenant Visibility Not Required?
If you do not wish to provide tenant visibility (and not take advantage of Subscription Auto Discovery), skip to the end of this section and click "Next" within the InsightCloudSec Onboarding Wizard.

For onboarding Azure Tenants, the recommended approach is to take advantage of InsightCloudSec's Subscription Auto Discovery feature which eliminates manual configuration of each Account. Introducing tenant visibility is a two step process:

Creating a custom Role at the scope of the Tenant/Root Management Group
Assign this new role to the existing Application Registration

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 2. Tenant Visibility (optional).

2. Scroll down to the "Custom Role Creation" section and expand the "Example Organization Reader Role" drop-down.

3. Click "Copy".

In the Azure Portal - Create a Role

1. From the Tenant Root Group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

2. Provide the Basics.

Provide a custom role name.
Optionally, provide a description for the role.
Select "Start from scratch".

3. Update the generated JSON file for the correct permissions.

Click the "JSON" tab.
Click "Edit".
Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
- Note: The pasted code does not need to match the indentation level of the existing JSON.

4. Click "Review + create".

The JSON will be validated. If successful, verify everything looks correct.
Click "Create".

In the Azure Portal - Assign the Role

1. From the desired management group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

2. Select the role you wish to assign.

Search for the new, custom Azure Organization Reader Role. Select it, then click "Next".

3. Add the Application Registration as a member.

Leave the Assign access to field as the default value ("User, group, or service principal").
Next to Members, click "+ Select members".
In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
Click "Review + assign" to add the role.

Connect Subscription (Step 3)

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 3. Connect Subscription.

2. Select the Azure Cloud Environment you'll be using.

3. Provide the Nickname, Tenant ID, Subscription ID, Application ID, and authentication type/credentials you copied earlier.

4. Click "Connect Account" to finalize your Azure setup.

Azure - Onboarding

Getting Started with Onboarding Azure

📘
Need Support?