DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Organizations (Azure)

Overview

DivvyCloud supports adding multiple Azure cloud accounts at once by taking advantage of the Azure Management Groups functionality. You can read more about that capability in Azure's Management Groups documentation.

For instructions on adding a single cloud account (Azure or any provider) refer to our Cloud Account Setup documentation. Otherwise, if you have any questions or issues, reach out to us through [email protected].

Prerequisites

Before getting started with adding an Azure Management Group as an organization in DivvyCloud, you will need to have the following:

  • A functioning DivvyCloud platform
  • Administrative access to the Azure console
    • Note that this process requires root-level access to subscriptions and management groups; for additional details refer to Azure's documentation.
  • Existing familiarity/configuration for Azure Management Groups

Creating an App Registration

1. Login to your Azure portal with admin credentials.

2. Locate and select "App Registrations" (using the Search bar at the top).

3. Click "New Registration".

Azure Portal - New App Registration

4. Complete the new App registration details as follows:

  • Provide a "Name" that denotes this app is used for DivvyCloud, e.g., 'DivvyCloud Docs Test'. By creating a specific DivvyCloud app, you are then able to monitor all actions taken by DivvyCloud. This facilitates troubleshooting, helping you understand what DivvyCloud is doing versus what other apps are doing.
  • Select the supported account type.
  • Enter an optional "Redirect URI"; note that this field:

5. Select Register to create the app registration.

Azure Portal - Register an application

6. After successful registration, a preview panel provides an overview of your newly-created app. This screen includes the "Application ID" and the "Tenant ID".

  • Copy both of these IDs to a safe location; you will need to use these values later.

Azure Portal - App Preview (details for Application and Tenant ID)

7. Locate the "Certificates & Secrets" option in the left-hand navigation menu and open this page.

8. From the "Certificates & Secrets" page, select "New Client Secret".

Azure Portal - New Client Secret

9. Provide the new Client Secret with a "Description", select the "expiration period" as desired, and click "Add".

10. For the new client secret that you just created, you will need to copy and save the "Value" (use the copy icon to the right of the value string).


Important Note - Copy the Secret Value

This is the only opportunity you will have to copy this newly created value. When you navigate away from the page this data will no longer display. Copy this information and keep it in a safe place.

Azure Portal - Copy Secret Value

11. With your newly-created App still selected, navigate to the "API Permissions" in the left-hand navigation menu.

12. Click on "Add a permission", to setup your permissions for the new app registration.

13. Scroll or search to locate the "Azure Active Directory Graph" option.

Azure Portal - API Permissions

14. After selecting "Azure Active Directory Graph", click on "Application permissions".

15. Locate and select the API permission "Directory.Read.All" under the "Directory" heading. Click "Add permission".

Azure Portal - Updating API Permissions

16. (Optional) Grant additional permissions as needed (see the note and image below).


Permissions

If you are not an admin, you'll need an admin to grant permissions by clicking on the Grant admin consent to divvycloud (Default Directory) button, shown below.

Azure Portal - Grant Permissions

Configuring Required Roles

You will need to create two roles to complete the configuration for Azure Organizations:

  • The DivvyCloud Reader Role, which provides access to the Azure Management Groups capabilities
  • The Additional Custom Role, which enables DivvyCloud to harvest your Azure cloud account information

If you want to complete these steps in PowerShell, refer to the detailed instructions on this page.

Otherwise, to complete the creation of these roles we recommend using the Azure Cloud Shell & CLI.

1. From the Azure Portal locate and launch Cloud Shell.

2. After launching, select "Bash".

Azure Portal - Launch Cloud Shell

3. Pick your desired subscription and click "Create storage".

From the newly-opened CLI you will:

  • Create two new files (.txt) for the required roles
    • Save and name these so you locate/identify them later.
  • Update the two new files with the appropriate details
  • Create the roles

4. Using your preferred editor (we used Vim in our example), create a new file for the Standard/Reader Role and paste in the role definition supplied below.

  • You will need to update this file to reflect your Tenant ID under "AssignableScopes" (in this example file, line 176).

{
    "Name": "DivvyCloud Standard User",
    "Id": null,
    "IsCustom": true,
    "Description": "Provides read-only access to resources supported by DivvyCloud.",
    "Actions": [
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Authorization/classicAdministrators/read", 
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/policyAssignments/read",
        "Microsoft.Authorization/policyDefinitions/read",
        "Microsoft.Authorization/policySetDefinitions/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Cache/redis/read",
        "Microsoft.Cache/redis/firewallRules/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/galleries/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/hostGroups/read",
        "Microsoft.Compute/images/read",
        "Microsoft.Compute/skus/read",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
        "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
        "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.ContainerInstance/containerGroups/read",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Databricks/workspaces/read",
        "Microsoft.DataFactory/factories/read",
        "Microsoft.DataLakeStore/accounts/read",
        "Microsoft.DBforMariaDB/locations/performanceTiers/read",
        "Microsoft.DBforMariaDB/performanceTiers/read",
        "Microsoft.DBforMariaDB/servers/configurations/read",
        "Microsoft.DBforMariaDB/servers/firewallRules/read",
        "Microsoft.DBforMariaDB/servers/read",
        "Microsoft.DBforMariaDB/servers/virtualNetworkRules/read",
        "Microsoft.DBforMySQL/locations/performanceTiers/read",
        "Microsoft.DBforMySQL/performanceTiers/read",
        "Microsoft.DBforMySQL/servers/administrators/read",         
        "Microsoft.DBforMySQL/servers/configurations/read",
        "Microsoft.DBforMySQL/servers/firewallRules/read",
        "Microsoft.DBforMySQL/servers/keys/read",
        "Microsoft.DBforMySQL/servers/read",
        "Microsoft.DBforMySQL/servers/virtualNetworkRules/read",     
        "Microsoft.DBforPostgreSQL/locations/performanceTiers/read",
        "Microsoft.DBforPostgreSQL/performanceTiers/read",
        "Microsoft.DBforPostgreSQL/servers/administrators/read",       
        "Microsoft.DBforPostgreSQL/servers/configurations/read",
        "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
        "Microsoft.DBforPostgreSQL/servers/keys/read",
        "Microsoft.DBforPostgreSQL/servers/read",
        "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.DocumentDB/databaseAccounts/usages/read",
        "Microsoft.EventHub/namespaces/eventhubs/read",
        "Microsoft.EventHub/namespaces/networkruleset/read",
        "Microsoft.EventHub/namespaces/networkrulesets/read",
        "Microsoft.EventHub/namespaces/read",
        "Microsoft.HDInsight/clusters/read",
        "Microsoft.Insights/DiagnosticSettings/Read",
        "Microsoft.Insights/LogProfiles/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Network/applicationGateways/read",
        "Microsoft.Network/azurefirewalls/read",
        "Microsoft.Network/dnszones/A/read",
        "Microsoft.Network/dnszones/AAAA/read",
        "Microsoft.Network/dnszones/CAA/read",
        "Microsoft.Network/dnszones/CNAME/read",
        "Microsoft.Network/dnszones/MX/read",
        "Microsoft.Network/dnszones/NS/read",
        "Microsoft.Network/dnszones/PTR/read",
        "Microsoft.Network/dnszones/SOA/read",
        "Microsoft.Network/dnszones/SRV/read",
        "Microsoft.Network/dnszones/TXT/read",
        "Microsoft.Network/dnszones/read",
        "Microsoft.Network/dnszones/recordsets/read",
        "Microsoft.Network/expressRouteCircuits/read",
        "Microsoft.Network/ipGroups/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/read",
        "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
        "Microsoft.Network/loadBalancers/networkInterfaces/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/usages/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkWatchers/read",
        "Microsoft.Network/privateDnsZones/A/read",
        "Microsoft.Network/privateDnsZones/AAAA/read",
        "Microsoft.Network/privateDnsZones/CNAME/read",
        "Microsoft.Network/privateDnsZones/MX/read",
        "Microsoft.Network/privateDnsZones/PTR/read",
        "Microsoft.Network/privateDnsZones/SOA/read",
        "Microsoft.Network/privateDnsZones/SRV/read",
        "Microsoft.Network/privateDnsZones/TXT/read",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/recordsets/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/serviceEndpointPolicies/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualnetworks/read",
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.Resources/subscriptions/locations/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
        "Microsoft.Search/searchServices/read",
        "Microsoft.Security/advancedThreatProtectionSettings/read",
        "Microsoft.Security/alerts/read",
        "Microsoft.Security/assessments/read",
        "Microsoft.Security/autoProvisioningSettings/read",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
        "Microsoft.Security/pricings/read",
        "Microsoft.Security/securityContacts/read",
        "Microsoft.Security/tasks/read",
        "Microsoft.ServiceBus/namespaces/networkRuleSets/read",
        "Microsoft.ServiceBus/namespaces/queues/read",
        "Microsoft.ServiceBus/namespaces/read",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/read",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read",
        "Microsoft.Sql/servers/administrators/read",
        "Microsoft.Sql/servers/auditingSettings/read",
        "Microsoft.Sql/servers/databases/auditingSettings/read",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
        "Microsoft.Sql/servers/databases/skus/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Sql/servers/firewallRules/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/read",
        "Microsoft.Sql/servers/virtualNetworkRules/read",
        "Microsoft.Sql/servers/vulnerabilityAssessments/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read", 
        "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Synapse/workspaces/read",
        "Microsoft.Web/serverfarms/read",
        "Microsoft.Web/sites/Read",
        "Microsoft.Web/sites/config/Read",
        "Microsoft.Web/sites/config/list/Action",
        "Microsoft.Web/sites/functions/read",
        "Microsoft.Web/sites/slots/Read",
        "Microsoft.Web/sites/slots/config/Read",
        "Microsoft.Web/sites/slots/config/list/Action",
        "Microsoft.Web/sites/slots/functions/read",
        "microsoft.web/sites/slots/virtualnetworkconnections/read",
        "microsoft.web/sites/virtualnetworkconnections/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
    ]
}

5. Using your preferred editor, create a new file for the Org Reader Role and paste in the role definition supplied below.

  • You will need to update this file to reflect your Tenant ID under "AssignableScopes" (in this example file, line 16).

{
    "Name": "DivvyCloud Orgs Reader",
    "Id": null,
    "IsCustom": true,
    "Description": "Provides access to read Management Groups structure.",
    "Actions": [
        "Microsoft.Management/managementGroups/descendants/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/settings/read",
        "Microsoft.Resources/subscriptions/read"
    ],
    "DataActions": [],
    "NotActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
    ]
}

6. Now that you've defined both roles in .txt files, create each role with the following command:

    az role definition create --role-definition <role_definition>

  • You will need to run this command twice, replacing <role_definition> with the name of each file you created in the previous steps.
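The following is an added example, not DivvyCloud's own tooling: a small Python script for the Cloud Shell that fills in the management group ID in the two role files from steps 4 and 5, audits each result before step 6, and then runs the same `az role definition create` command the step gives. The helper names (`set_scope`, `audit_role`, `prepare_role_file`, `create_role`), the `.txt` to `.json` output naming and the audit rule that reports any action other than a `/read` action or the three list actions already present in the Standard User role are assumptions of this example.

```python
"""Added example (not DivvyCloud's tooling): fill in the management group
scope in the role definition files from steps 4 and 5, audit them, and
run the `az role definition create` command from step 6."""
import json
import re
import subprocess
import sys
from pathlib import Path

MG_SCOPE_PREFIX = "/providers/Microsoft.Management/managementGroups/"
PLACEHOLDER_ID = "00000000-0000-0000-0000-000000000000"  # value in the templates above
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# The Standard User role above is read-only except for these three actions,
# which list configuration and storage account keys rather than change state.
# Anything else that is not a */read action is reported (assumption: an audit
# rule chosen for this example, not a DivvyCloud requirement).
EXPECTED_NON_READ = {
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Web/sites/slots/config/list/Action",
}


def set_scope(role, mg_id):
    """Return a copy of the role with AssignableScopes set to the management group."""
    if not GUID_RE.match(mg_id) or mg_id == PLACEHOLDER_ID:
        raise ValueError("not a usable management group ID: %r" % mg_id)
    updated = dict(role)
    updated["AssignableScopes"] = [MG_SCOPE_PREFIX + mg_id]
    return updated


def audit_role(role):
    """Return a list of problems; an empty list means the role is ready to create."""
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        if PLACEHOLDER_ID in scope:
            problems.append("AssignableScopes still contains the placeholder ID")
        elif not scope.startswith(MG_SCOPE_PREFIX):
            problems.append("not a management group scope: " + scope)
    for action in role.get("Actions", []):
        if "*" in action:
            problems.append("wildcard action: " + action)
        elif not action.lower().endswith("/read") and action not in EXPECTED_NON_READ:
            problems.append("unexpected non-read action: " + action)
    return problems


def prepare_role_file(template, out, mg_id):
    """Write the scoped role to `out` if it passes the audit; return the problems."""
    role = set_scope(json.loads(Path(template).read_text()), mg_id)
    problems = audit_role(role)
    if not problems:
        Path(out).write_text(json.dumps(role, indent=4))
    return problems


def create_role(role_file):
    """Step 6: the same command the page gives, run once per prepared file."""
    subprocess.run(["az", "role", "definition", "create",
                    "--role-definition", str(role_file)], check=True)


if __name__ == "__main__":
    # usage: python prepare_roles.py <management_group_id> <role_template.txt> [...]
    mg_id, templates = sys.argv[1], sys.argv[2:]
    for template in templates:
        out = Path(template).with_suffix(".json")
        problems = prepare_role_file(template, out, mg_id)
        if problems:
            sys.exit("%s: %s" % (template, "; ".join(problems)))
        create_role(out)
```

`audit_role` is also worth running on a file you edited by hand, since a forgotten placeholder or a stray wildcard is easy to miss in a 176-line file. Note that `Microsoft.Storage/storageAccounts/listkeys/action` returns storage account access keys, so the client secret created in step 10 deserves the same protection as those keys.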

Adding Azure Organizations

Setup in Azure

Complete the steps below in the Azure Console. These steps assume that you've set up the proper Azure AD permissions (e.g., if you want to harvest users).

1. From the Azure Portal, navigate to Management Groups, click on the “details” link next to the target “Tenant/Root Group”.

2. On the updated navigation within your target group, select “Access Control (IAM)”.

3. From the Access Control (IAM) page click “Add” and then select the role and the service principal (App Registration) you want to configure.

  • Note: You will need to complete this step for each role; the roles have to be added individually.

Setup in DivvyCloud

These steps assume that you have completed the required configuration steps within the Azure Portal for your Azure Management Groups.

1. Navigate to “Cloud → Clouds” and click on the "Organizations" tab.

2. From the Organizations tab, select “Add Organization”.

3. From the Cloud Type drop-down menu select “Microsoft Azure”.

Add Azure Organizations

4. Fill out the Azure form with the following information:

  • Tenant ID
  • Application ID
  • Client Secret
  • Subscriptions to Skip - Enter details for subscriptions (IDs or Names) to be skipped (e.g., you have a group of development subscriptions you are not interested in tracking).
  • "Limit import scope" (checkbox) - Select this box to supply the name of the management group at a particular level. Entering the ID will pull in information for that group and anything under it.
  • "Auto-remove disabled subscriptions" (checkbox) - Select this box to automatically remove suspended Azure subscriptions from DivvyCloud. As soon as this checkbox is enabled, a background process will begin running and remove the subscriptions automatically as they are found.

5. Click “Add” to complete the addition of your organization.

Once your organization has been added, you will be able to view details under “Clouds → Organizations”, which will populate as the accounts are connected, or under “Clouds” as individual cloud accounts.

FAQ

Below are some general questions related to adding Azure cloud accounts using this feature. If you have a question that is not included here or another issue you need our assistance with, reach out through [email protected].

How do organizations handle Azure subscriptions that have the same name? Do we have the ability to still leverage nicknames to uniquely identify those when using organizations?

  • Right now, in DivvyCloud the names will be overwritten with the name of the subscription coming from Azure.

Will migrating to organizations impact anything from the user experience side? Will users still follow the same process as they do today to get data specific to their cloud accounts?

  • The DivvyCloud user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

  • Not today.

What happens to an account when it's onboarded via the organization but then the account is deleted? How long do we keep the account/data for?

  • The account in the DivvyCloud Clouds page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

Auto Badging

As an enhancement to support for provider-based organizations, DivvyCloud includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of labels to Badges in DivvyCloud. This allows Clouds to be scoped to a badge that maps to the account tag.

Auto badging takes place in two stages:

  • Periodically a process retrieves tags/labels from each subscription and compares them with ResourceTags associated with the corresponding cloud in the DivvyCloud database.

    • If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be locally modified since any local changes will be overwritten the next time the process runs. Additionally any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
  • Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:

    • Existing Badges with a Key prefix of 'system.' are skipped.
    • If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
    • If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
    • If a Badge no longer has a tag with a corresponding Key, it will be deleted.
    • All Badges that have a corresponding tag will have their autogenerated column set to ‘true’ even if they were previously set to ‘false’.
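The two stages above, modelled as an added example that is not DivvyCloud's code. The data shapes are assumptions: ResourceTags and Badges are plain dicts keyed by cloud account ID, a Badge is `{"value": ..., "autogenerated": bool}`, and clouds with no harvested tags are left untouched; the function names `refresh_resource_tags` and `sync_badges` are this example's own.

```python
"""Added example (not DivvyCloud's code): a model of the two auto-badging
stages, written to make the rules concrete. Data shapes are assumptions."""

SYSTEM_PREFIX = "system."


def refresh_resource_tags(local_tags, provider_tags):
    """Stage one for one cloud: the provider's tags replace the local copy.

    Returns (new_tags, changed). Any local edit is lost, which is why Cloud
    Account tags should not be modified locally."""
    return dict(provider_tags), local_tags != provider_tags


def sync_badges(badges, resource_tags):
    """Stage two: reconcile Badges with ResourceTags for every managed cloud.

    Returns (new_badges, changes); changes is a list of
    (action, cloud_id, key, value) tuples with action in create/update/delete."""
    new_badges = {}
    changes = []
    # Assumption: clouds with no harvested tags are carried over unchanged.
    for cloud_id, current in badges.items():
        if cloud_id not in resource_tags:
            new_badges[cloud_id] = dict(current)
    for cloud_id, tags in resource_tags.items():
        current = badges.get(cloud_id, {})
        result = {}
        # Existing Badges whose Key starts with "system." are skipped untouched.
        for key, badge in current.items():
            if key.startswith(SYSTEM_PREFIX):
                result[key] = badge
        for key, value in tags.items():
            if key.startswith(SYSTEM_PREFIX):
                continue  # assumption: a provider tag never overrides a system Badge
            old = current.get(key)
            if old is None:
                changes.append(("create", cloud_id, key, value))
            elif old["value"] != value:
                changes.append(("update", cloud_id, key, value))
            # Every Badge backed by a tag ends up autogenerated, even if it was false.
            result[key] = {"value": value, "autogenerated": True}
        # A Badge with no tag of the same Key is deleted.
        for key, badge in current.items():
            if key not in result:
                changes.append(("delete", cloud_id, key, badge["value"]))
        new_badges[cloud_id] = result
    return new_badges, changes


if __name__ == "__main__":
    # Constructed sample data for one subscription: a locally edited tag that
    # will be overwritten, a manually created badge, and a stale badge.
    local = {"env": "prod", "owner": "alice"}
    provider = {"env": "dev", "owner": "bob", "costcenter": "42"}
    tags, changed = refresh_resource_tags(local, provider)
    print("stage one changed:", changed, "->", tags)
    badges = {"sub-a": {"env": {"value": "dev", "autogenerated": False},
                        "owner": {"value": "alice", "autogenerated": True},
                        "system.region": {"value": "eastus", "autogenerated": True},
                        "legacy": {"value": "x", "autogenerated": True}}}
    new_badges, changes = sync_badges(badges, {"sub-a": tags})
    for change in changes:
        print("stage two:", change)
    print(new_badges)
```

Running the sample shows the behaviours the list above describes: the local `env=prod` edit is replaced by the provider's `dev`, the manually created `env` badge keeps its value but flips to autogenerated, `owner` is updated, `costcenter` is created, `legacy` is deleted, and `system.region` is left alone.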
