Azure Setup - Single Cloud

Integrating an Azure Account with InsightCloudSec

Once your InsightCloudSec instance is up and running, the first thing you'll want to do is integrate an Azure cloud account (subscription in Azure's parlance) to take advantage of the security Insights that apply to your cloud footprint. InsightCloudSec supports Microsoft Azure, Microsoft Azure Government (also termed GovCloud), and Microsoft Azure China. These three differ primarily in supported services and regions. If you have any issues or questions with this setup, reach out to the support team through the Customer Support Portal.

If you need to add multiple accounts grouped under an Azure organization (management group in Azure's parlance) to InsightCloudSec, review Azure Setup - Organization.

Setup Overview

For InsightCloudSec to securely access the information contained within your Azure cloud account, you'll need to create and setup an application registration as well as configure a role assignment. Review Azure's Active Directory documentation for more information on these concepts. To achieve proper harvesting for InsightCloudSec, you will complete the following within your Azure and InsightCloudSec environments:

  • Step 1: Configure an Application Registration -- Create an InsightCloudSec-associated application registration within your Azure environment that will be given access to the Azure subscription containing the data you wish to harvest.

  • Step 2: Assign a Role -- Assign a role to the Azure subscription to be harvested and add the application registration to the role's scope.

  • Step 3: Configure InsightCloudSec -- Setup your Azure cloud account harvesting within InsightCloudSec and begin receiving resource data.

The diagram below outlines the setup required:

26962696

Azure Cloud Setup Overview for InsightCloudSec

Prerequisites

Before you configure anything in your Azure environment, you'll need the following:

  • Admin access to the Azure cloud account you want to harvest
  • Domain Admin permissions within InsightCloudSec
  • An IAM Role that allows InsightCloudSec to harvest Azure subscription data
    • See the Roles section below for more information

Roles

An IAM role must be associated with the Azure subscription that will be harvested by InsightCloudSec to ensure secure and appropriate access of this information. There are two paths for selecting the IAM role:

1. Use a standard role managed by Azure; this requires less maintenance long term because Microsoft will automatically update these roles for new services

2. Use a custom role that the InsightCloudSec team has created; this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports

Using a Standard Role

InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. Note: this role does not include the following additional permissions, which 
provide read/write access to enable harvesting of file share data: "Microsoft.Storage/storageAccounts/listkeys/action".

For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

Using a Custom Role

InsightCloudSec recommends using the Azure Reader or Reader Plus

For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Power User role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

Step 1: Configure an Application Registration

The Azure subscription that contains resource data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

1. Login as an Admin to the Azure Dashboard for the account you want to harvest.

2. Add a New Application Registration.

  • Select "Azure Active Directory" from the navigation menu on the far left.
  • Select "App registrations" under Azure Active Directory's Manage menu.
  • Select "New registration".
17441744

New App Registration

3. Describe the New App Registration.

  • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Test".
  • Select the supported account type.
  • Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
    • Note: This may be required later for authentication
  • Select "Register" to create the app registration.
16021602

Application Configuration

4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.

16031603

Application Overview - Tenant and Directory IDs

5. Create and save a key for this Application.

  • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
  • Under Client secrets, click "New client secret".
  • Give your client secret a description.
  • Set an expiration period for your secret.
  • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.
16011601

Add Client Secret

6. Copy the generated client secret key value to a safe location; you will need to use this value later.

❗️

Copying the Secret Key Value

This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.

15991599

Copy Secret Value

7. Set up permissions for this App Registration.

  • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
  • Select "Add a permission".
  • Select "Microsoft Graph".
14051405

Microsoft Graph - Adding Permissions

8. Select "Application Permissions".

  • Search for Directory.Read.All under the "Directory" section.
  • Check the box next to the permission and click "Add permissions".
  • Search for AuditLog.Read.All under the "AuditLog" section.
  • Check the box next to the permission and click "Add permissions".
941941

Microsoft Graph API - Application Permissions

9. Click "Grant admin consent for Default Directory", then confirm the selection.

28782878

Grant Admin Consent

Step 2: Assign a Role

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data, you'll need to select the appropriate IAM role and assign it to the relevant subscription.

🚧

Prerequisites

Before you can assign a role to an Azure subscription, you must have already decided what role to use. Review the Prerequisites section for more information.

1. Navigate to the Subscriptions page.

  • Select "All Services" from the navigation menu, then select "Subscriptions".
13511351

Subscriptions

2. Identify the subscription with which you wish to associate your application. Copy the subscription ID to a safe location; you will need to use this value later.

15091509

Subscription ID

Note: The following sections utilize the Azure Portal to assign (and/or create) a role to a subscription. Azure details several other methods, e.g., via Azure CLI, REST API, Powershell, etc., for assigning (and/or creating) a role in their documentation.

(Optional) Adding a Custom Role

🚧

Standard vs. Custom

The next steps will vary depending on the type of role (standard or custom) you want to use for the subscription. If you plan on using a standard Azure role, skip to the following section, Adding a Role Assignment . If you plan on using an InsightCloudSec custom role, you'll need to create the role first, proceed with the next steps.

If you want to assign a custom InsightCloudSec role (e.g., Reader Plus, Power User) to a subscription, first you'll need to add a custom role to the desired subscription.

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

16031603

Add Custom Role

2. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".
16001600

Custom Role Basics

3. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".
  • Open the Microsoft Azure - Custom Roles page in a new tab.
  • For the desired role, navigate to the section and select the associated "Permissions" tab. Next, point your mouse cursor to the code area and click the "Copy" icon. This will store the JSON permissions object in your clipboard.
  • Return to the Azure Portal tab and replace the default permissions object with the one you just copied. It should look similar to the example below, which is using the Reader Plus custom role. Note: The pasted code does not need to match the indention level of the existing JSON.
  • Click "Save". The "Review + create" button will become active.
16001600

Custom Role JSON Example

4. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".
16001600

Create Custom Role

Adding a Role Assignment

Standard and custom roles alike must be assigned to a subscription so it can be harvested properly and securely.

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

16011601

Add Role Assignment

2. Select the role you wish to assign.

  • Select the type of role, e.g., "Reader", and click "Next" to continue.
  • Note: If you created a custom role, it might be easier to search for the role's name.

3. Add the Application Registration as a member.

  • Leave the Assign access to field as the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.
16021602

Select Application for Role Assignment

Step 3: Configure InsightCloudSec

🚧

Prerequisites

Before you can successfully add an account to InsightCloudSec, you will need the following on hand:

  • The Application (client) ID (created in step 1)
  • The Directory (tenant) ID (created in step 1)
  • The Client Secret Key value (created in step 1)
  • The Subscription ID (found in step 2)

1. From your InsightCloudSec platform open the Clouds page from the navigation menu on the left.

2. Select "Add Cloud" in the upper right.

16001600

Add Cloud

3. Determine whether you are connecting a regular Azure account, an Azure China account, or an Azure Government account and make sure to select the correct type. Click "See More" to display the full list of supported Cloud Service Providers.

4. Leave the default "Authentication Type" ("API Key/Secret") then provide the requisite Account Details. Click "Add Cloud".

13831383

Azure Account Details

5. Add any Badges you would like to this particular cloud account (also under Show Advanced). Badges provide a way to assign additional metadata about resources within the InsightCloudSec platform. They are key/value pairs which can be used for filtering and identifying resources from parent cloud account.

6. Confirm the addition of your Azure Cloud account.

Note: Your main cloud page should show your newly added Microsoft Azure cloud account.

  • InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending on the size of your cloud account.

Did this page help you?