Azure Setup - Organization

The information on this page has moved

For the most up-to-date Azure Setup content, go to Onboard an Azure Account.

Legacy Content

Once your InsightCloudSec instance is up and running, the first thing you'll want to do is integrate an Azure organization (management group in Azure's parlance) to take advantage of the security Insights that apply to your cloud footprint. You can read more about Azure management groups here.

InsightCloudSec supports Microsoft Azure and Microsoft Azure China. These differ primarily in supported services and regions.

Organization Support

Currently, InsightCloudSec does not offer Organization onboarding support for Azure GovCloud.

  • This page and the functionality detailed here refer to the provider-specific organizations capability available under Clouds > Organizations.
  • This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under System Administration > Organizations.
  • To add a single Azure account to InsightCloudSec, refer to the Azure Setup - Single Cloud documentation.

Prerequisites

Before getting started with adding an Azure Management Group as an organization in InsightCloudSec, you will need to have the following:

  • Domain Admin permissions within InsightCloudSec
  • Global Admin-level access to Azure subscriptions and management groups. For instructions on attaining Global Admin access, refer to Azure's "Elevate access" documentation
  • Contributor-level (or higher) access to the management group you want to harvest. For instructions on attaining Contributor access on a management group, refer to Azure's "Assign roles" documentation
  • Existing familiarity/configuration for Azure Management Groups
  • An IAM Role that allows InsightCloudSec to harvest Azure subscription data.

Roles

An IAM role must be associated with the Azure management group that will be harvested by InsightCloudSec to ensure secure and appropriate access of this information. There are two paths for selecting the IAM role:

  • Standard role managed by Azure: this requires less maintenance long term because Microsoft will automatically update these roles for new services.
  • Custom role managed by InsightCloudSec: this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports.

Key Rotation Permissions

Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. This means that none of the recommended roles below include the Microsoft Key Vault dataActions permission, Microsoft.KeyVault/vaults/keyrotationpolicies/read, which provides read access to key rotation policies (an InsightCloudSec-supported resource). See Microsoft Key Vault Harvesting for more information on a post-setup workaround.

Using a Standard Role

InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. For users interested in power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources, except the ability to grant access to other roles.

Using a Custom Role

InsightCloudSec recommends using the custom Azure Reader or Reader Plus role. For users interested in power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Power User role for the ability to create and manage all types of Azure resources, except the ability to grant access to other roles.

Frequently Asked Questions (FAQ)

Below are some general questions related to adding Azure cloud accounts using this feature.

How do organizations handle Azure subscriptions that have the same name?

How do organizations handle Azure subscriptions that have the same name? Do we have the ability to still leverage nicknames to uniquely identify those when using organizations?

  • Right now, in InsightCloudSec the names will be overwritten with the name of the subscription coming from Azure.

Will migrating to organizations impact anything from the user experience side?

Will migrating to organizations impact anything from the user experience side? Will users still follow the same process as they do today to get data specific to their cloud accounts?

The InsightCloudSec user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

Not at this time.

How long is data retained for an account when it's onboarded via organization?

What happens to an account when it's onboarded via the organization but then the account is deleted? How long do we keep the account/data for, etc.

The account in the InsightCloudSec "Clouds" page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

Configure an organization

For InsightCloudSec to securely access the information contained within your Azure management group, you'll need to create and setup an application registration as well as configure some role assignments. Review Azure's Active Directory documentation for more information on these concepts.

Step 1: Configure an Application Registration

The Azure management group that contains resource data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

  1. Login as an Admin to the Azure Dashboard for the account you want to harvest.
  2. Add a New Application Registration.
    • Click "Azure Active Directory" from the navigation menu on the far left.
    • Click "App registrations" under the Azure Active Directory's Manage menu.
    • Click "New registration".
  3. Describe the New App Registration.
    • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Test".
    • Select the supported account type.
    • Optionally, enter a "Redirect URI" using the specified URL format, e.g., "https://<name_of_site>"
      • Note: This may be required later for authentication
    • Select "Register" to create the app registration.
  4. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.
  5. Create and save a key for this Application.
    • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
    • Under Client secrets, click "New client secret".
    • Give your client secret a description.
    • Set an expiration period for your secret.
    • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.
  6. Copy the generated client secret key value to a safe location; you will need to use this value later. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.
  7. Set up permissions for this App Registration.
    • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
    • Select "Add a permission".
    • Select "Microsoft Graph".
  8. Select "Application Permissions".
    • Search for Directory.Read.All under the "Directory" section.
    • Check the box next to the permission and click "Add permissions".
    • Search for AuditLog.Read.All under the "AuditLog" section.
    • Check the box next to the permission and click "Add permissions".
  9. Click "Grant admin consent for Default Directory", then confirm the selection.

Azure Application Credentials Permissions

The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.

Step 2: Assign Roles

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data, you'll need to select and/or create the appropriate IAM role. You'll also need to create the custom Organization Reader Role within the Tenant Root Group, which provides access to the Azure Management Groups capabilities.

After all roles have been created/decided upon, both roles will need to be assigned to the relevant Azure management group.

Prerequisites

Before you can assign a role to an Azure management group, you must have already decided what role to use. Review the Prerequisites section for more information.

The following sections utilize the Azure Portal to assign (and/or create) a role. Azure details several other methods, e.g., via Azure CLI, REST API, PowerShell, etc., for assigning (and/or creating) a role in their documentation.

Add the Organization Reader Role

First, you'll need to create the Organization Reader Role within the Tenant Root Group. This role will allow InsightCloudSec to access basic information about the relevant management group.

  1. From the Tenant Root Group's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add custom role.
  3. Provide the Basics.
    1. Provide a custom role name.
    2. Optionally, provide a description for the role.
    3. Select Start from scratch.
  4. Update the generated JSON file for the correct permissions.
    1. Click the JSON tab.
    2. Click Edit.
    3. Open the Custom Azure Organization Reader Role section in a new tab.
    4. Point your mouse cursor to the code area and click the Copy icon. This will store the JSON permissions object in your clipboard.
    5. Return to the Azure Portal tab and replace the default permissions object with the one you just copied. It should look similar to the image below. The pasted code does not need to match the indention level of the existing JSON.
  5. Click Review + create.
    1. The JSON will be validated. If successful, verify everything looks correct.
    2. Click Create.

(Optional) Adding a Custom Role

  • If you plan on using a custom InsightCloudSec role, you'll need to create the role first so proceed with the next steps.
  • If you plan on using a standard Azure role, skip to Adding a Role Assignment.

Add a custom role

If you want to assign a custom InsightCloudSec role (e.g., Reader Plus, Power User) to a subscription, first you'll need to add a custom role to the desired subscription.

  1. From the desired subscription's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add custom role.
  3. Provide the Basics.
    1. Provide a custom role name.
    2. Optionally, provide a description for the role.
    3. Select Start from scratch.
  4. Update the generated JSON file for the correct permissions.
    1. Click the JSON tab.
    2. Click Edit.
    3. Open the Microsoft Azure - Custom Roles page in a new tab.
    4. For the desired role, navigate to the section and download the role JSON and copy it.
    5. Return to the Azure Portal tab and replace the JSON object with the one you just copied.
    6. Update the placeholder Subscription ID for the ID associated with the subscription you're integrating with InsightCloudSec.
    7. Verify the JSON. It should look similar to the example below, which is using the Reader Plus custom role.
    8. Click Save.
  5. Click Review + create.
    • The JSON will be validated. If successful, verify everything looks correct.
    • Click Create.
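
Before pasting a role definition into the JSON tab (steps 4 and 5 above), it is worth checking it against the two things that most often go wrong: the placeholder Subscription ID left in assignableScopes, and dataActions on a role meant for management group scope, which Azure rejects (see Key Rotation Permissions above). The following Python script is an added example and is not InsightCloudSec's code or one of its published roles; the role JSON in it is a constructed sample with illustrative actions, and `rescope` and `check_role_definition` are hypothetical helper names.

```python
import json
import re

# Constructed sample in the shape of the portal's custom-role JSON tab. It is
# NOT the InsightCloudSec Reader Plus role; the actions are illustrative only,
# and the assignable scope still carries the placeholder subscription ID.
SAMPLE_ROLE_JSON = """
{
  "properties": {
    "roleName": "InsightCloudSec Reader Plus (example)",
    "description": "Illustrative harvesting role for validation",
    "assignableScopes": [
      "/subscriptions/00000000-0000-0000-0000-000000000000"
    ],
    "permissions": [
      {
        "actions": ["*/read"],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/keyrotationpolicies/read"],
        "notDataActions": []
      }
    ]
  }
}
"""

PLACEHOLDER_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")


def rescope(role_json, scope):
    """Step 6 of the procedure: replace the placeholder assignable scope with
    the real subscription (or management group) scope. Returns new JSON text."""
    role = json.loads(role_json)
    role.setdefault("properties", {})["assignableScopes"] = [scope]
    return json.dumps(role, indent=2)


def check_role_definition(role_json):
    """Return a list of problems; an empty list means the definition is safe
    to paste into the portal's JSON tab for the intended scope."""
    props = json.loads(role_json).get("properties", {})
    problems = []

    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("assignableScopes is empty")
    mg_scoped = any(MG_SCOPE.match(s) for s in scopes)
    for s in scopes:
        if not (MG_SCOPE.match(s) or SUB_SCOPE.match(s)):
            problems.append(f"unrecognised scope format: {s}")
        elif PLACEHOLDER_SUBSCRIPTION in s:
            problems.append("placeholder subscription ID was not replaced")

    for perm in props.get("permissions", []):
        data_actions = perm.get("dataActions", [])
        # Azure rejects dataActions on roles assignable at management group scope,
        # which is why Key Vault rotation-policy reads need a per-subscription role.
        if mg_scoped and data_actions:
            problems.append("dataActions not allowed at management group scope: "
                            + ", ".join(data_actions))
        if "*" in perm.get("actions", []):
            problems.append("wildcard '*' action grants write and delete; "
                            "a harvesting role should prefer '*/read'")
    return problems


if __name__ == "__main__":
    for p in check_role_definition(SAMPLE_ROLE_JSON):
        print("problem:", p)
```

Run it against the downloaded role JSON before step 7 ("Verify the JSON"); the same check explains why the Organization Reader Role created at the Tenant Root Group must not carry any dataActions.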

Adding a Role Assignment

Standard and custom roles alike must be assigned to a subscription so it can be harvested properly and securely. You'll need to add both the harvesting role (e.g., Reader, Reader Plus, etc.) and the Organization Reader Role assignment. Unfortunately, Azure only allows one role assignment at a time, so you'll need to repeat the steps.

Azure Organization Reader Role

  1. From the desired management group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click Add > Add role assignment.
  2. Select the role you wish to assign.
  3. Search for the Azure Organization Reader Role, then click Next.
  4. Add the Application Registration as a member.
    1. Leave the Assign access to field as the default value ("User, group, or service principal").
    2. Next to Members, click + Select members.
    3. In the Select panel, begin typing the name of the application you created earlier. Select that application once it appears, then click Select.
    4. Click Review + assign to add the role.

Harvesting Role

  1. From the desired management group's menu panel on the left, select "Access control (IAM)". From the Access control (IAM) panel, click Add > Add role assignment.
  2. Select the role you wish to assign, then click Next.
  3. Add the Application Registration as a member.
    1. Leave the Assign access to field as the default value ("User, group, or service principal").
    2. Next to Members, click + Select members.
    3. In the Select panel, begin typing the name of the application you created earlier. Select that application once it appears, then click Select.
    4. Click Review + assign to add the role.
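
Once both assignments exist, a quick audit confirms that the app registration holds exactly the two roles at the management group and nothing broader (an Owner assignment left on a subscription, for instance, would silently widen what a leaked client secret could do). The following Python script is an added example, not InsightCloudSec's code: it reads a list shaped like the `principalId`, `roleDefinitionName` and `scope` fields of `az role assignment list` output, and the sample entries, principal ID and management group ID in it are constructed. The role names are whatever you entered in the Basics step when creating the custom roles; adjust `ORG_ROLE` and `HARVESTING_ROLES` to match.

```python
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
ORG_ROLE = "Azure Organization Reader Role"          # name given in the Basics step
HARVESTING_ROLES = {"Reader", "Contributor", "Reader Plus", "Power User"}

# Constructed sample shaped like the fields of `az role assignment list` output
# that this check reads. IDs and names are made up; the third entry is a
# deliberately over-broad assignment the audit should flag.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalId": "11111111-aaaa-4aaa-8aaa-111111111111",
   "principalName": "InsightCloudSec Azure Test", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
  {"principalId": "11111111-aaaa-4aaa-8aaa-111111111111",
   "principalName": "InsightCloudSec Azure Test", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Azure Organization Reader Role",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
  {"principalId": "11111111-aaaa-4aaa-8aaa-111111111111",
   "principalName": "InsightCloudSec Azure Test", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/22222222-bbbb-4bbb-8bbb-222222222222"}
]
""")


def audit_assignments(assignments, principal_id, mg_id):
    """Return findings for the InsightCloudSec service principal: the two
    required assignments must exist at the management group, and nothing else
    (other roles, other scopes) should be granted to that principal."""
    expected_scope = MG_PREFIX + mg_id
    allowed = HARVESTING_ROLES | {ORG_ROLE}
    mine = [a for a in assignments if a["principalId"] == principal_id]
    at_mg = {a["roleDefinitionName"] for a in mine if a["scope"] == expected_scope}

    findings = []
    if ORG_ROLE not in at_mg:
        findings.append(f"missing {ORG_ROLE} at {expected_scope}")
    if not at_mg & HARVESTING_ROLES:
        findings.append(f"missing harvesting role at {expected_scope}")
    for a in mine:
        if a["roleDefinitionName"] not in allowed or a["scope"] != expected_scope:
            findings.append(f"unexpected: {a['roleDefinitionName']} at {a['scope']}")
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS,
                                     "11111111-aaaa-4aaa-8aaa-111111111111",
                                     "mg-example"):
        print(finding)
```

Against the sample, the two management group assignments pass and the subscription-level Owner assignment is reported; in a real tenant, feed it the JSON from your own listing of the principal's assignments.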

Step 3: Configure InsightCloudSec

Prerequisites

Before you can successfully add an organization to InsightCloudSec, you will need the following on hand which were created in step 1:

  • The Application (client) ID
  • The Directory (tenant) ID
  • The Client Secret Key value

Configure

  1. Go to Cloud > Clouds.
  2. On the Organizations tab, click Add Organization.
  3. From the Cloud Type drop-down menu select Microsoft Azure.
  4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.
  5. Fill out the Azure form with the following information:
    • Tenant ID
    • Application ID
    • Client Secret
    • Subscriptions to Skip: Enter details for subscriptions (IDs or names) to be skipped (e.g., you have a group of development subscriptions you are not interested in tracking).
    • Auto-remove disabled subscriptions: Select this box to automatically remove suspended Azure subscriptions from InsightCloudSec. As soon as this checkbox is enabled, a background process will begin running and remove the subscriptions automatically as they are found.
    • Auto-Badge Subscriptions: Select this box to allow InsightCloudSec to automatically badge your incoming accounts based on Azure subscription tags.
    • Limit import scope: Select this box and provide Management Group ID(s) to only include the given group(s) and anything underneath it.
  6. Click Add to complete the addition of your organization.

Once your organization has been added, you will be able to view details under Clouds > Organizations, which will populate as the accounts are connected, or under Clouds as individual cloud accounts.

Post-Setup Information

Congratulations on integrating your Azure management group with InsightCloudSec. Below you'll find some key information about your new integration as well as managing it.

Auto-badging

As an enhancement to support for provider-based organizations, InsightCloudSec includes auto-badging capabilities. The purpose of auto-badging is to create a 1:1 map of AWS account-level tags to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.

After the tags and labels are harvested into InsightCloudSec as badges, you cannot delete them in InsightCloudSec; they must be deleted in AWS, and the changes will propagate to InsightCloudSec.

Auto-badging takes place in two stages.

Stage 1: Retrieves tags and labels from each account and project and compares them with ResourceTags associated with the cloud account in the InsightCloudSec database. If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project.

This means that Cloud Account tags should not be locally modified since any local changes will be overwritten the next time the process runs. Additionally, any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.

Stage 2: Retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:

  • Existing Badges with a Key prefix of system. are skipped.
  • If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
  • If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
  • If a Badge no longer has a tag with a corresponding Key, it will be deleted.
  • All Badges that have a corresponding tag will have their autogenerated column set to ‘true’ even if they were previously set to ‘false’.
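
The stage 2 rules above are easiest to reason about as a small reconciliation step per cloud account. The Python below is an added example that models those rules on in-memory data; it is not InsightCloudSec's implementation, `sync_badges` is a hypothetical name, and the badge and tag values are constructed. It follows the bullets literally: system.* badges are skipped, matching badges are updated and marked autogenerated, badges with no corresponding tag are deleted, and tags with no badge are created.

```python
SYSTEM_PREFIX = "system."


def sync_badges(badges, tags):
    """Stage 2 for one cloud account. `badges` is the account's current Badge
    list ({"key", "value", "autogenerated"}); `tags` is the dict of ResourceTags
    stage 1 left in the database. Returns (new_badges, change_log)."""
    new_badges, log, matched = [], [], set()
    for badge in badges:
        key = badge["key"]
        if key.startswith(SYSTEM_PREFIX):          # system.* badges are left alone
            new_badges.append(dict(badge))
            log.append(("skip", key))
        elif key in tags:                           # tag still present: sync value
            updated = dict(badge, autogenerated=True)
            if updated["value"] != tags[key]:
                updated["value"] = tags[key]
                log.append(("update", key))
            new_badges.append(updated)
            matched.add(key)
        else:                                       # no tag with this key any more
            log.append(("delete", key))
    for key, value in tags.items():                 # tags without a badge yet
        if key not in matched:
            new_badges.append({"key": key, "value": value, "autogenerated": True})
            log.append(("create", key))
    return new_badges, log


# Constructed sample state for one account (not real data): the nickname badge
# is a system badge, "env" was set by hand and drifted, "owner" lost its tag,
# and "costcenter" is a tag that has no badge yet.
SAMPLE_BADGES = [
    {"key": "system.nickname", "value": "prod-org", "autogenerated": False},
    {"key": "env", "value": "dev", "autogenerated": False},
    {"key": "owner", "value": "alice", "autogenerated": True},
]
SAMPLE_TAGS = {"env": "prod", "costcenter": "42"}

if __name__ == "__main__":
    badges, log = sync_badges(SAMPLE_BADGES, SAMPLE_TAGS)
    for entry in log:
        print(entry)
```

Running the sample shows why local edits do not survive: the hand-set "env" value is replaced by the tag value and the badge becomes autogenerated, while the badge whose tag disappeared is removed. Running the function a second time on its own output changes nothing except the skip of the system badge.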

Microsoft Key Vault Harvesting

As mentioned above, if you used a recommended role during setup, you cannot harvest Microsoft Key Vault key rotation policies because of a limitation with Azure management group-scoped roles and dataActions permissions. Unfortunately, the only workaround currently is to add a custom role with the permission to each subscription within the Management Group. The InsightCloudSec documentation discusses this during the Azure Setup - Single Cloud instructions. Reach out to us through the Customer Support Portal for more information.