Azure Setup - Organization

🚧
New Azure Onboarding
As of InsightCloudSec version 23.4.11, a new Azure onboarding experience is available. This experience will replace the old setup experience and you will not be able to access it. This page and associated pages have been archived to prevent confusion. Review Azure - Onboarding for more details on the new experience.
As usual, if you have issues or need support reach out to us through the Customer Support Portal with any questions.

Once your InsightCloudSec instance is up and running, the first thing you'll want to do is integrate an Azure organization (management group in Azure's parlance) to take advantage of the security Insights that apply to your cloud footprint. You can read more about Azure management groups here.

InsightCloudSec supports Microsoft Azure and Microsoft Azure China. These differ primarily in supported services and regions.

🚧
Organization Support
Currently, InsightCloudSec does not offer Organization onboarding support for Azure GovCloud.

Note: This page and the functionality detailed here refer to the provider-specific organizations capability available under "Clouds --> Organizations". This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under "System Administration --> Organizations".

For instructions on adding a single Azure account to InsightCloudSec, refer to the Azure Setup - Single Cloud documentation. Otherwise, if you have any questions or issues, reach out to us through the Customer Support Portal.

Setup Overview

For InsightCloudSec to securely access the information contained within your Azure management group, you'll need to create and setup an application registration as well as configure some role assignments. Review Azure's Active Directory documentation for more information on these concepts. To achieve proper harvesting for InsightCloudSec, you will complete the following within your Azure and InsightCloudSec environments:

Step 1: Configure an Application Registration -- Create an InsightCloudSec-associated application registration within your Azure environment that will be given access to the Azure management group containing the data you wish to harvest.
Step 2: Assign a Role -- Assign two roles to the Azure management group (the Tenant Root Group) to be harvested and add the application registration to the roles' scopes.
Step 3: Configure InsightCloudSec -- Setup your Azure cloud account harvesting within InsightCloudSec and begin receiving resource data.

The diagram below outlines the setup required:

2976 — Azure Management Group Setup Overview for InsightCloudSec

Prerequisites

Before getting started with adding an Azure Management Group as an organization in InsightCloudSec, you will need to have the following:

Domain Admin permissions within InsightCloudSec
Global Admin-level access to Azure subscriptions and management groups
- For instructions on attaining Global Admin access, refer to Azure's "Elevate access" documentation
Contributor-level (or higher) access to the management group you want to harvest
- For instructions on attaining Contributor access on a management group, refer to Azure's "Assign roles" documentation
Existing familiarity/configuration for Azure Management Groups
An IAM Role that allows InsightCloudSec to harvest Azure subscription data
- See the Roles section below for more information

📘
FAQ
Optionally, review the FAQ below for common questions about the organization setup process.

Roles

An IAM role must be associated with the Azure management group that will be harvested by InsightCloudSec to ensure secure and appropriate access of this information. There are two paths for selecting the IAM role:

1. Use a standard role managed by Azure; this requires less maintenance long term because Microsoft will automatically update these roles for new services

2. Use a custom role that the InsightCloudSec team has created; this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports

📘
Key Rotation Permissions
Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. This means that none of the recommended roles below include the Microsoft Key Vault dataActions permission, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which  provides read access to key rotation policies (an InsightCloudSec-supported resource). See Microsoft Key Vault Harvesting for more information on a post-setup workaround.

Using a Standard Role

InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

Using a Custom Role

InsightCloudSec recommends using the Custom Azure Reader or Reader Plus. For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Power User role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.

FAQ

Below are some general questions related to adding Azure cloud accounts using this feature. If you have a question that is not included here or another issue you need our assistance with, reach out to us through the Customer Support Portal.

How do organizations handle Azure subscriptions that have the same name? Do we have the ability to still leverage nicknames to uniquely identify those when using organizations?

Right now, in InsightCloudSec the names will be overwritten with the name of the subscription coming from Azure.

Will migrating to organizations impact anything from the user experience side? Will users still follow the same process as they do today to get data specific to their cloud accounts?

The InsightCloudSec user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

Not today

What happens to an account when it's onboarded via the organization but then the account is deleted? How long do we keep the account/data for, etc.

The account in the InsightCloudSec "Clouds" page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

Step 1: Configure an Application Registration

The Azure management group that contains resource data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

1. Login as an Admin to the Azure Dashboard for the account you want to harvest.

2. Add a New Application Registration.

Click "Azure Active Directory" from the navigation menu on the far left.
Click "App registrations" under the Azure Active Directory's Manage menu.
Click "New registration".

3. Describe the New App Registration.

Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Test".
Select the supported account type.
Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
- Note: This may be required later for authentication
Select "Register" to create the app registration.

4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.

1603 — Application Overview - Tenant and Directory IDs

5. Create and save a key for this Application.

From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
Under Client secrets, click "New client secret".
Give your client secret a description.
Set an expiration period for your secret.
Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

6. Copy the generated client secret key value to a safe location; you will need to use this value later.

❗️
Copying the Secret Key Value
This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.

7. Set up permissions for this App Registration.

From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
Select "Add a permission".
Select "Microsoft Graph".

1405 — Microsoft Graph - Adding Permissions

8. Select "Application Permissions".

Search for Directory.Read.All under the "Directory" section.
Check the box next to the permission and click "Add permissions".
Search for AuditLog.Read.All under the "AuditLog" section.
Check the box next to the permission and click "Add permissions".

📘
Azure Application Credentials Permissions
The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.

941 — Microsoft Graph API - Application Permissions

9. Click "Grant admin consent for Default Directory", then confirm the selection.

Step 2: Assign Roles

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data, you'll need to select and/or create the appropriate IAM role. You'll also need to create the custom Organization Reader Role within the Tenant Root Group, which provides access to the Azure Management Groups capabilities. After all roles have been created/decided upon, both roles will need to be assigned to the relevant Azure management group.

🚧
Prerequisites
Before you can assign a role to an Azure management group, you must have already decided what role to use. Review the Prerequisites section for more information.

Note: The following sections utilize the Azure Portal to assign (and/or create) a role to a subscription. Azure details several other methods, e.g., via Azure CLI, REST API, Powershell, etc., for assigning (and/or creating) a role in their documentation.

Add the Organization Reader Role

First, you'll need to create the Organization Reader Role within the Tenant Root Group. This role will allow InsightCloudSec to access basic information about the relevant management group.

1. From the Tenant Root Group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

2. Provide the Basics.

Provide a custom role name.
Optionally, provide a description for the role.
Select "Start from scratch".

3. Update the generated JSON file for the correct permissions.

Click the "JSON" tab.
Click "Edit".
Open the Custom Azure Organization Reader Role section in a new tab.
Point your mouse cursor to the code area and click the "Copy" icon. This will store the JSON permissions object in your clipboard.
Return to the Azure Portal tab and replace the default permissions object with the one you just copied. It should look similar to the image below. Note: The pasted code does not need to match the indention level of the existing JSON.

4. Click "Review + create".

The JSON will be validated. If successful, verify everything looks correct.
Click "Create".

(Optional) Adding a Custom Role

🚧
Standard vs. Custom
The next steps will vary depending on the type of role (standard or custom) you want to use for the subscription.

If you plan on using a standard Azure role, skip to Adding a Role Assignment.

If you plan on using a custom InsightCloudSec role, you'll need to create the role first so proceed with the next steps.**

If you want to assign a custom InsightCloudSec role (e.g., Reader Plus, Power User) to a subscription, first you'll need to add a custom role to the desired subscription.

1. From the desired subscription's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add custom role."

2. Provide the Basics.

Provide a custom role name.
Optionally, provide a description for the role.
Select "Start from scratch".

3. Update the generated JSON file for the correct permissions.

Click the "JSON" tab.
Click "Edit".
Open the Microsoft Azure - Custom Roles page in a new tab.
For the desired role, navigate to the section and download the role JSON and copy it.
Return to the Azure Portal tab and replace the JSON object with the one you just copied.
Update the placeholder Subscription ID for the ID associated with the subscription you're integrating with InsightCloudSec.
Verify the JSON. It should look similar to the example below, which is using the Reader Plus custom role.
Click "Save". The "Review + create" button will become active.

4. Click "Review + create".

The JSON will be validated. If successful, verify everything looks correct.
Click "Create".

Adding a Role Assignment

Standard and custom roles alike must be assigned to a subscription so it can be harvested properly and securely. You'll need to add both the harvesting role (e.g., Reader, Reader Plus, etc.) and the Organization Reader Role assignment. Unfortunately, Azure only allows one role assignment at a time, so you'll need to repeat the steps.

🚧
Refresh Portal
It can take several minutes and even a browser page refresh for the custom role(s) created in the previous section to appear in the list of roles available for assignment.

Azure Organization Reader Role

1. From the desired management group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

2. Select the role you wish to assign.

Search for the new, custom Azure Organization Reader Role. Select it, then click "Next".

3. Add the Application Registration as a member.

Leave the Assign access to field as the default value ("User, group, or service principal").
Next to Members, click "+ Select members".
In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
Click "Review + assign" to add the role.

Harvesting Role

1. From the desired management group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

2. Select the role you wish to assign.

Select the type of role, e.g., "Reader", and click "Next" to continue.
- Note: If you created a custom role, it might be easier to search for the role's name.

3. Add the Application Registration as a member.

Leave the Assign access to field as the default value ("User, group, or service principal").
Next to Members, click "+ Select members".
In the "Select" panel, begin typing the name of the application you created earlier. Select that application once it appears, then click "Select".
Click "Review + assign" to add the role.

Step 3: Configure InsightCloudSec

🚧
Prerequisites
Before you can successfully add an organization to InsightCloudSec, you will need the following on hand:

The Application (client) ID (created in step 1)

The Directory (tenant) ID (created in step 1)

The Client Secret Key value (created in step 1)

1. Navigate to “Cloud → Clouds” and click the "Organizations" tab.

2. From the "Organizations" tab, click “Add Organization”.

3. From the "Cloud Type" drop-down menu select “Microsoft Azure”.

4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.

5. Fill out the Azure form with the following information:

Tenant ID
Application ID
Client Secret
Subscriptions to Skip - Enter details for subscriptions (ID’s or Names) to be skipped (e.g., you have a group of development subscriptions you are not interested in tracking).
"Auto-remove disabled subscriptions" (checkbox) - Select this box to automatically remove suspended Azure subscriptions from InsightCloudSec. As soon as this checkbox is enabled, a background process will begin running and remove the subscriptions automatically as they are found.
"Auto-Badge Subscriptions" (checkbox) - Select this box to allow InsightCloudSec to automatically badge your incoming accounts based on Azure subscription tags.
“Limit import scope” (checkbox) - Select this box and provide Management Group ID(s) to only include the given group(s) and anything underneath it.

6. Click “Add” to complete the addition of your organization.

Note: Once your organization has been added, you will be able to view details under “Clouds → Organizations”, which will populate as the accounts are connected, or under “Clouds” as individual cloud accounts.

Post-Setup Information

Congratulations on integrating your Azure management group with InsightCloudSec. Below you'll find some key information about your new integration as well as managing it.

Auto-badging

As an enhancement to support for provider-based organizations, InsightCloudSec includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of labels to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.

Note: Once the tags and labels are harvested into InsightCloudSec as badges - you cannot delete them in InsightCloudSec - they must be deleted in Azure and the changes will propagate to InsightCloudSec.

Auto badging takes place in two stages:

Periodically a process retrieves tags/labels from each subscription and compares them with ResourceTags associated with the corresponding cloud in the InsightCloudSec database.
- If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be locally modified since any local changes will be overwritten the next time the process runs. Additionally any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud the list of tags for that cloud is compared with the current list of Badges and for each Key/Value pair of tags:
- Existing Badges with a Key prefix of system. are skipped.
- If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
- If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
- If a Badge no longer has a tag with a corresponding Key, it will be deleted.
- All Badges that have a corresponding tag will have their autogenerated column set to "true" even if they were previously set to "false".

Microsoft Key Vault Harvesting

As mentioned above, if you used a recommended role during setup, you cannot harvest Microsoft Key Vault key rotation policies because of a limitation with Azure management group-scoped roles and dataActions permissions. Unfortunately, the only workaround currently is to add a custom role with the permission to each subscription within the Management Group. The InsightCloudSec documentation discusses this during the Azure Setup - Single Cloud instructions. Reach out to us through the Customer Support Portal for more information.