Manual Onboarding (Azure Console)

Instructions for Onboarding an Azure Account or Accounts with InsightCloudSec via the Azure Console

This page is for administrative users who wish to manually onboard an Azure account using the Azure console. Note: If you are a non-admin user, return to the Azure - Onboarding Overview for details.

  • If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details about InsightCloudSec capabilities and lets you select your Cloud Service Provider to start the onboarding process.
  • If you have connected to InsightCloudSec previously but are setting up Azure for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.

Using either path above, select "Microsoft Azure" as your CSP to get started with onboarding.

Azure Onboarding Landing Page

Introduction (Step 1)

In the InsightCloudSec Onboarding Wizard

1. Skip the script instructions and click "Next" to go to 2. App Registration & Permissions.

App Registration & Permissions (Step 2)

In the Azure Portal - Create an App Registration

1. Log in to the Azure Portal using the tenant you would like to connect to InsightCloudSec.

2. Add a New Application Registration.

  • Select "Azure Active Directory" from the navigation menu on the far left.
  • Select "App registrations" under Azure Active Directory's Manage menu.
  • Select "New registration".

New App Registration

3. Describe the New App Registration.

  • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Account".
  • Select the supported account type. Note: We recommend using the Single Tenant option.
  • Optionally, enter a "Redirect URI" in the specified URL format, e.g., "https://<name_of_site>".
    • Note: This may be required later for authentication.
  • Select "Register" to create the app registration.

Application Configuration

4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID.


Application ID and Tenant ID

Copy the Application ID and Tenant ID to a secure location.


Application Overview - Tenant and Directory IDs


In the Azure Portal - Configure Authentication and Permissions

This section will assist in configuring an authentication method for InsightCloudSec to connect to your Azure account. There are two options:

  • Uploading a certificate
  • Creating a client secret

Note: These instructions walk through creating a client secret. If you prefer to use a certificate instead, ensure it is uploaded successfully and copy the PEM certificate and certificate thumbprint to a secure location.

1. Create and save a key for this Application.

  • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
  • Under Client secrets, click "New client secret".
  • Give your client secret a description.
  • Set an expiration period for your secret.
  • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

Add Client Secret

2. Copy the generated client secret key value to a safe location; you will need to use this value later.


Credentials

Copy the Client secret key (API Key) to a secure location. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.


Copy Secret Value

3. Set up permissions for this App Registration.

  • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
  • Select "Add a permission".
  • Select "Microsoft Graph".

Microsoft Graph - Adding Permissions

4. Select "Application Permissions".

  • Search for Directory.Read.All under the "Directory" section.
  • Check the box next to the permission and click "Add permissions".
  • Search for AuditLog.Read.All under the "AuditLog" section.
  • Check the box next to the permission and click "Add permissions".


Azure Application Credentials Permissions

The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.


Microsoft Graph API - Application Permissions

5. Click "Grant admin consent for Default Directory", then confirm the selection.


Grant Admin Consent


In the InsightCloudSec Onboarding Wizard

1. Scroll down to the "Create Custom Role" section.

2. Open one of the custom roles in a new tab and copy the JSON.

In the Azure Portal - Create a Role

1. Navigate to the Subscriptions page.

  • Select "All Services" from the navigation menu, then select "Subscriptions".

Subscriptions

2. Identify the subscription with which you wish to associate your application.


Subscription ID

Copy the Subscription ID to a secure location.


Subscription ID

Note: The following section uses the Azure Portal to assign (and/or create) a role at a subscription scope. Azure's documentation details several other methods for assigning (and/or creating) a role, e.g., via the Azure CLI, the REST API, or PowerShell.

3. From the desired subscription's menu panel on the left, navigate to "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."


Add Custom Role

4. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".

Custom Role Basics

5. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".

Key Vault Permissions

The recommended custom roles do not include the Microsoft Key Vault dataActions permissions, which provide read access to key rotation policies (an InsightCloudSec-supported resource). If desired, add these permissions to the role definition now, before saving it:

  • "Microsoft.KeyVault/vaults/*/read"
  • "Microsoft.KeyVault/vaults/secrets/readMetadata/action"

  • Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
  • Update the placeholder Subscription ID with the ID associated with the subscription you're integrating with InsightCloudSec.
  • Verify the JSON. It should look similar to the example below, which uses the Reader Plus custom role.
  • Click "Save". The "Review + create" button will become active.

Custom Role JSON Example

6. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".

Create Custom Role


In the Azure Portal - Assign the Role

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."


Add Role Assignment

2. Select the role you wish to assign.

  • Select the type of role, e.g., "Reader", and click "Next" to continue.
  • Note: If you created a custom role, it might be easier to search for the role's name.

3. Add the Application Registration as a member.

  • Leave the "Assign access to" field at the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.


Additional Azure-related InsightCloudSec Feature Configuration

At this point, if you want to enable Container Vulnerability Management, Azure Event-Driven Harvesting, and/or Azure Least Privileged Access (LPA), perform the configuration steps found on the separate pages below:


Select Application for Role Assignment

Tenant Visibility (optional) (Step 3)


Tenant Visibility Not Required?

If you do not wish to provide tenant visibility (and therefore do not wish to take advantage of Account Discovery), skip to the end of this section and click "Next" within the InsightCloudSec Onboarding Wizard.

For onboarding Azure Tenants, the recommended approach is to take advantage of InsightCloudSec's Subscription Auto Discovery feature, which eliminates manual configuration of each account. Introducing tenant visibility is a two-step process:

  • Creating a custom role at the scope of the Tenant/Root Management Group
  • Assigning this new role to the existing Application Registration

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 3. Tenant Visibility (optional).

2. Scroll down to the "Custom Role Creation" section and expand the "Example Organization Reader Role" drop-down.

3. Click "Copy".

Azure Onboarding Tenant Visibility


In the Azure Portal - Create a Role

1. From the Tenant Root Group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."


Add Custom Role

2. Provide the Basics.

  • Provide a custom role name.
  • Optionally, provide a description for the role.
  • Select "Start from scratch".

Custom Role Basics

3. Update the generated JSON file for the correct permissions.

  • Click the "JSON" tab.
  • Click "Edit".
  • Replace the JSON object with the one you just copied from the InsightCloudSec Onboarding Wizard.
    • Note: The pasted code does not need to match the indentation level of the existing JSON.

Azure Organization Reader Role JSON

4. Click "Review + create".

  • The JSON will be validated. If successful, verify everything looks correct.
  • Click "Create".

Create Azure Organization Reader Role
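Both "Create a Role" procedures above (the subscription-scoped one, optionally extended with the Key Vault dataActions, and the tenant-root-group one) paste a role JSON, replace its placeholder scope, and then ask you to verify it. The Python below is an added example, not code from this page or from InsightCloudSec: it assumes the Azure Portal's custom-role JSON-tab layout (properties / roleName / assignableScopes / permissions) and uses a constructed stand-in for the wizard's JSON, which this page does not reproduce. It fills in the real scope, merges in the two Key Vault dataActions without duplicating them, and performs the "Verify the JSON" step as code: the scope must be a real subscription or management-group scope, and every action must be read-only.

```python
import json
import re

# Constructed stand-in for the role JSON copied from the Onboarding Wizard (the page
# does not reproduce it), in the layout of the Azure Portal's custom-role JSON tab.
WIZARD_ROLE_JSON = json.dumps({"properties": {
    "roleName": "InsightCloudSec Reader Plus",
    "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
    "permissions": [{"actions": ["*/read"], "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}})

# The two Key Vault dataActions named on this page.
KEY_VAULT_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/*/read",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
]

# A subscription scope, or a management-group scope for the tenant-visibility role
# (the Tenant Root Group's ID is the tenant ID); an unreplaced <placeholder> never matches.
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
    r"|^/providers/Microsoft\.Management/managementGroups/[^/<>]+$",
    re.IGNORECASE,
)

def prepare_role(role_json, scope, add_key_vault=False):
    # Parse the pasted JSON, put in the real scope, optionally add the Key Vault reads.
    role = json.loads(role_json)
    props = role["properties"]
    props["assignableScopes"] = [scope]
    if add_key_vault:
        data_actions = props["permissions"][0].setdefault("dataActions", [])
        data_actions += [a for a in KEY_VAULT_DATA_ACTIONS if a not in data_actions]
    return role

def check_role(role):
    # The "Verify the JSON" step as code: returns findings; an empty list means OK.
    findings = []
    props = role.get("properties", {})
    for scope in props.get("assignableScopes", []):
        if not SCOPE_RE.match(scope):
            findings.append(f"bad or placeholder scope: {scope}")
    for perm in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            for action in perm.get(key, []):
                # Read-only here means a */read operation or a readMetadata action.
                if not (action.endswith("/read") or action.endswith("/readMetadata/action")):
                    findings.append(f"{key} entry is not read-only: {action}")
    return findings
```

Run `check_role` on the final JSON before clicking "Save"; any finding means the role still carries a placeholder scope or a non-read permission that the recommended roles do not need.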


In the Azure Portal - Assign the Role

1. From the desired tenant root group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."


Add Role Assignment

2. Select the role you wish to assign.

  • Search for the new, custom Azure Organization Reader Role. Select it, then click "Next".

Search for Role

3. Add the Application Registration as a member.

  • Leave the "Assign access to" field at the default value ("User, group, or service principal").
  • Next to Members, click "+ Select members".
  • In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
  • Click "Review + assign" to add the role.

Select Application for Role Assignment

Connect Subscription (Step 4)

In the InsightCloudSec Onboarding Wizard

1. Click "Next" to go to 4. Connect Subscription.

2. Select the Azure Cloud Environment you'll be using.

3. Provide the Nickname, Tenant ID, Subscription ID, Application ID, and authentication type/credentials you copied earlier.

4. Click "Connect Account" to finalize your Azure setup.


Success!

Congratulations on successfully onboarding an Azure account! InsightCloudSec will now detect the following:

  • If there are any missing permissions, which could cause impaired visibility into your account
  • If the account is an Azure Tenant Account; if it is a Tenant, you can enable Account Discovery. If Account Discovery is enabled, Rapid7 can onboard and collect information on related Azure Tenants and Subscriptions via the onboarded Tenant. Click "Enable Auto Discovery" at the bottom of the window to start this process.