DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Microsoft Azure

Overview

Microsoft Azure is one of the world’s leading public cloud providers, offering a variety of cloud services. DivvyCloud supports Microsoft Azure, Microsoft Azure Government (also termed GovCloud), and Microsoft Azure China. These three differ primarily in supported services and regions.

Follow the instructions on this page for setup, and make sure to create the prerequisite roles first.

Prerequisites

Before you get started with this setup, ensure that you have the following:

  • A Microsoft Azure account with the appropriate admin permissions
  • A DivvyCloud account with Domain Admin permissions
  • The appropriate Azure roles. You will need to verify that the prerequisite roles exist or that you have permissions to create/modify the required roles. Click here for details on Azure custom roles.

Microsoft Azure Supported Services and Regions

The major differences between Azure, Azure Government, and Azure China are supported services and regions.

Microsoft Azure Public Cloud

Listed below are the supported services and regions for Microsoft Azure public cloud.

Services:

  • Advisor
  • Azure Active Directory
  • Azure Cache For Redis
  • Azure Data Lake Storage (ADLSv1)
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure Functions
  • Azure Kubernetes Service (AKS)
  • Azure Service Endpoints
  • Azure SQL Database
  • Container Registry
  • CosmosDB
  • Enhanced tag visibility
  • EventHub
  • Express Route
  • HDInsight
  • Key Vault
  • Load Balancers
  • Managed Disks
  • Private Azure DNS Zones
  • Route Tables
  • Security Center
  • Storage
  • Storage Accounts
  • Unmanaged Disks
  • Virtual Machines
  • Virtual Machine Scale Sets
  • Virtual Network
  • Web Apps

Regions:

  • australiacentral
  • australiaeast
  • australiasoutheast
  • brazilsouth
  • canadacentral
  • canadaeast
  • centralindia
  • centralus
  • eastasia
  • eastus
  • eastus2
  • francecentral
  • japaneast
  • japanwest
  • koreacentral
  • koreasouth
  • northcentralus
  • northeurope
  • southafricanorth
  • southcentralus
  • southeastasia
  • southindia
  • uaenorth
  • uksouth
  • ukwest
  • westcentralus
  • westeurope
  • westindia
  • westus
  • westus2

Microsoft Azure Government Cloud

Listed below are the supported services and regions for Microsoft Azure Government cloud.

Services:

  • HDInsight
  • Virtual Machines
  • Azure Functions
  • Web Apps
  • Container Registry
  • CosmosDB
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure SQL Database
  • Azure Cache For Redis
  • Azure Active Directory
  • Virtual Network
  • Storage
  • Managed Disks
  • Enhanced tag visibility

Regions:

  • usgovarizona
  • usgoviowa
  • usgovtexas
  • usgovvirginia

Microsoft Azure China

Microsoft Azure China supports the same services as Microsoft Azure Public cloud. Supported regions for Microsoft Azure China are listed below.

  • chinaeast
  • chinaeast2
  • chinanorth
  • chinanorth2

Adding an Azure Account

You can add an Azure account into DivvyCloud using the following steps.

Azure Setup

1. Determine whether you are using regular Azure or Azure Government. Log in to the Azure Dashboard (portal.azure.com).

2. Add a New Application Registration.

  • Select Azure Active Directory from the navigation menu on the far left.
  • Select App registrations under Azure Active Directory's Manage menu.
  • Select New registration.

🚧 App Registrations (Legacy)

App Registrations (Legacy) is deprecated and no longer available as of May 2019.

3. Describe the New App Registration

  • Enter a Name to denote that this app is used for DivvyCloud, e.g., 'DivvyDocs Azure Test'. By creating a specific DivvyCloud app, you are then able to monitor all actions taken by DivvyCloud. This facilitates troubleshooting, helping you understand what DivvyCloud is doing versus what other apps are doing.
  • Select the supported account type.
  • Enter a 'Redirect URI'. This value is optional, but:
    • May be required later for authentication.
    • If entered, must follow specified URL format, e.g., 'https://*name_of_site*'.

4. Select Register to create the app registration.

🚧 In the Following Steps, You Will Need to Save...

  • The Application (client) ID
  • The Tenant (directory) ID
  • The Key value
  • The Subscription ID

You will copy each of these values outside of your browser, using whatever application you prefer to take notes, e.g., Notes, Google docs, etc.

5. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.

6. Create and Save a Key for this Application. Return to the App registrations page (or the Apps registration [Preview] page).

  • Select Certificates and secrets from the middle preview panel.
  • Select New client secret, toward the bottom of the panel under 'Client secrets'.
  • Give your client secret a description.
  • Set an expiration period for your secret.

7. Select "Add" to complete.

8. Copy the generated client secret key to your notes.

❗️ This is the only opportunity you have to copy this secret key.

9. Set Up Permissions for this App Registration

  • Select 'API permissions' from the overview panel.
  • Select 'Add a permission'.
  • Scroll down on the 'Request API permissions' panel to locate and select 'Azure Active Directory Graph'.

10. Select 'Application Permissions'.

11. Select the API permission 'Directory.Read.All' under the 'Directory' heading.

🚧 Permissions

If you are not an admin, you'll need an admin to grant permissions by clicking on the Grant admin consent to divvycloud (Default Directory) button, shown in the screenshot above.

12. Assign a Role to this Subscription by navigating to the Subscriptions page.

  • Select 'All Services' from the navigation menu, then select Subscriptions.

13. Identify the subscription with which you wish to associate your application; copy the subscription ID to your notes.

14. With your subscription selected, Select Access control (IAM) and then select "Add --> Add role assignment."

15. Select the role you wish to assign:

  • Select the type of role, e.g., 'Reader' in the example.

🚧 Divvy-Recommended Roles

DivvyCloud recommends using the 'Reader' role for read-only permissions to all resources. Note that this role does not include the following additional permissions:

  • "Microsoft.Storage/storageAccounts/listkeys/action" is used to provide read/write access to enable harvesting of file share data.
  • "Microsoft.Web/sites/config/list/Action" and "Microsoft.Web/sites/slots/config/list/Action": the config/list/action permission provides visibility to determine whether Web Apps are configured to require authentication and, for Serverless Functions, whether the function is enabled or disabled. The caveat is that these permissions also provide access to any environment variables configured for Web Apps, which may contain sensitive information.

For users that want to maintain "Reader" but include these permissions, we recommend using the "Reader Plus" Custom Role.

Access all of the roles and details on the Microsoft Azure - Custom Roles page.

To access read/write permissions, we recommend using the 'Contributor' role. Contributor: can create and manage all types of Azure resources but can’t grant access to others.

16. Select the name of the application to which this role is assigned, i.e., the app you created earlier. Select Save.
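The Azure CLI equivalent of the portal steps above (app registration, service principal, client secret, and the role assignment from the Divvy-Recommended Roles callout), as an added example that is not part of the DivvyCloud documentation or tooling. It assumes `az login` has already been run by a user who can create app registrations and role assignments on the subscription, and that the "Reader Plus" role definition shown here (the built-in Reader action `*/read` plus the three actions the callout lists; its name and description are placeholders chosen for this example) is an acceptable stand-in for the role on the Custom Roles page. The API permission grant and admin consent (steps 9 to 11) are still done in the portal.

```shell
#!/bin/sh
# Added example, not DivvyCloud's own tooling. Requires an authenticated
# Azure CLI session (`az login`) with rights to create app registrations
# and role assignments on the target subscription.
set -eu

# Emit the custom role definition as JSON. "*/read" is what the built-in
# Reader role grants; the three extra actions are the ones the docs say
# Reader lacks. Role name and description are example placeholders.
reader_plus_role_json() {
  sub_id=$1
  printf '%s\n' \
    '{' \
    '  "Name": "Reader Plus (example)",' \
    '  "IsCustom": true,' \
    '  "Description": "Reader plus storage key listing and web app config listing",' \
    '  "Actions": [' \
    '    "*/read",' \
    '    "Microsoft.Storage/storageAccounts/listkeys/action",' \
    '    "Microsoft.Web/sites/config/list/Action",' \
    '    "Microsoft.Web/sites/slots/config/list/Action"' \
    '  ],' \
    '  "NotActions": [],' \
    "  \"AssignableScopes\": [\"/subscriptions/$sub_id\"]" \
    '}'
}

# Map the operator's choice to the role that gets assigned. "reader" keeps
# the built-in least-privilege role; "reader-plus" opts into the custom
# role and therefore into listkeys and web app config (environment
# variable) visibility, which the docs flag as potentially sensitive.
role_name_for() {
  case $1 in
    reader) printf 'Reader' ;;
    reader-plus) printf 'Reader Plus (example)' ;;
    *) printf 'unknown role choice: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Create the app registration, its service principal, a client secret and
# the subscription-scoped role assignment, then print the four values the
# Add Cloud form asks for (tenant ID, application ID, subscription ID, key).
setup_divvycloud_app() {
  sub_id=$1
  role_choice=$2
  app_name=${3:-DivvyCloud}

  tenant_id=$(az account show --query tenantId -o tsv)
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null

  # Explicit one-year expiry so the secret must be rotated; like the portal,
  # the value is shown once and is not retrievable later.
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  role=$(role_name_for "$role_choice")
  if [ "$role_choice" = reader-plus ]; then
    az role definition create --role-definition "$(reader_plus_role_json "$sub_id")" >/dev/null
  fi
  # A freshly created service principal can take a few seconds to
  # propagate; re-run the assignment if this step reports the principal
  # as not found.
  az role assignment create --assignee "$app_id" --role "$role" \
    --scope "/subscriptions/$sub_id" >/dev/null

  printf 'Tenant ID:       %s\n' "$tenant_id"
  printf 'Application ID:  %s\n' "$app_id"
  printf 'Subscription ID: %s\n' "$sub_id"
  printf 'Client secret:   %s\n' "$secret"
}

# Usage: sh divvy-azure-setup.sh <subscription-id> reader|reader-plus [app-name]
# Nothing runs unless arguments are supplied, so the file can be sourced
# to inspect reader_plus_role_json without touching the tenant.
if [ $# -ge 2 ]; then
  setup_divvycloud_app "$@"
fi
```

Prefer `reader` unless file share harvesting or Web App authentication checks are required; the `reader-plus` path grants the storage key and site config actions described in the callout. The printed client secret should go straight into the DivvyCloud Add Cloud form rather than into shell history or a shared notes file.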

DivvyCloud Setup

1. From your DivvyCloud setup open the Clouds page from the navigation menu on the left.

2. Select Add Cloud in the upper right.

3. Determine whether you are connecting a regular Azure account, an Azure China account, or an Azure Government account and make sure to select the correct type. Click "See More" to display the full list of supported Cloud Service Providers.

4. Enter Cloud Information (varies based on type) and complete the required fields.

  • Select your Authentication Type.
  • Name your cloud account.
  • Provide your tenant ID.
  • Provide your subscription ID.
  • Provide your API Key.

5. Add any Badges you would like to this particular cloud account (also under Show Advanced). Badges provide a way to assign additional metadata about resources within the DivvyCloud platform. They are key/value pairs which can be used for filtering and identifying resources from the parent cloud account.

6. Select Add Cloud.

7. Confirm the addition of your Azure Cloud account.

Note: Your main cloud page should show your newly added Microsoft Azure cloud account.

  • DivvyCloud will begin harvesting immediately and the data should start to surface after five minutes or so, depending on the size of your cloud account.
