Microsoft Azure

This article covers the details for connecting Microsoft Azure:
Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data. The Microsoft Azure adapter fetches devices from the Microsoft Azure Cloud Environment.

Microsoft Entra ID (formerly Azure Active Directory) and Microsoft Intune can be found on Microsoft Entra ID.

Related Enforcement Actions:
In order to help make data in the Axonius platform available directly within Azure, tags can be added to Azure VMs through enforcements.

• Microsoft Azure - Add Tag to Cloud Instance
• Microsoft Azure - Send JSON to Azure Storage
• Microsoft Azure - Send CSV to Azure Storage
• Microsoft Azure - Send Assets to Microsoft Power BI
• Microsoft Azure - Send CSV to Microsoft OneDrive

About Microsoft Azure

Use cases the adapter solves
The Azure adapter allows Axonius users to evaluate their public cloud resources to ensure that they are correctly configured and managed, even across multiple tenants. Users can also leverage data from this adapter to modify software update deployments (including security agents).

Data retrieved by Microsoft Azure

The Azure adapter retrieves device data regarding Azure VMs, networks/NSGs, SQL servers, load balancers, storage accounts, key vaults, Redis instances, and Kubernetes.

Types of Assets Fetched

For the full list of asset types and services this adapter fetches, see Microsoft Azure Services Fetched as Assets.

To connect to Microsoft Azure you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

This page contains the following topics:

• Parameters - the general parameters to configure to work with the Microsoft Azure adapter.
• Microsoft Azure - Advanced Settings - explanation of all Advanced Configuration Settings for the Microsoft Azure adapter.
• Creating an application in the Microsoft Azure Portal

Parameters

Microsoft Azure

1. Azure Subscription IDs (optional) - The comma-separated Subscription ID access control roles in IAM for the Axonius application. When you enter Azure Subscription IDs Axonius fetches data from the specified subscriptions. If you do not enter anything here, you must select Fetch All Subscriptions.

2. Fetch All Subscriptions - Select to fetch data from all subscriptions associated with the specified Microsoft Azure tenant ID. If you do not select this option, make sure you enter Azure Subscription IDs in order to fetch data.

3. Azure Management Group IDs (optional) - Enter the Azure management group IDs associated with the subscriptions you want to fetch data from. The adapter will fetch data only from the subscriptions with the specified management groups.

4. Azure Client ID (required), Azure Client Secret (optional), Azure Tenant ID (required), Cloud Environment (required) - See details under Microsoft Entra ID.

5. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premises server) and the URL for the Azure Stack Hub Resource String.

   • If supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
   • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.

6. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:

   • Do not use proxy - Axonius will not use a proxy to authenticate to the Microsoft Azure cloud server and will not use a proxy to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy authentication only - Axonius will only use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server.
   • Proxy Azure Stack Hub only - Axonius will only use the proxy specified in the HTTPS Proxy field to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy all - Axonius will use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server and also to fetch asset data from the Microsoft Azure Stack Hub server.

7. Account Tag (optional) - Optional tag for the Azure Cloud instance ("nickname").

   • If supplied, Axonius will tag all devices fetched from this adapter connection.
   • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.

8. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Password - See details under Microsoft Entra ID.

9. Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter.

   

   • Click Upload file next to Client Private Key File to upload a client private key file in PEM format.
   • Click Upload file next to Client Certificate File to upload a public key file in PEM format.

10. Enable Azure Certificate Authentication - Select to enable Axonius to send requests using the Azure certificates uploaded to allow secure Azure authentication for this adapter. To add the certificate to the App registration in Azure, see Register an app in Microsoft Entra ID.

    • Click Upload file next to Private Key File to upload an Azure private key file in PEM format.
    • Click Upload file next to Certificate File to upload an Azure public key file in PEM format.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Microsoft Azure - Advanced Settings

1. Fetch update deployments - Select whether to fetch software update deployments from Microsoft Azure.

2. List of tags to parse as fields (optional) - Specify a comma-separated list of tag keys to be parsed as asset fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

   • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
     • Values of the Adapter Tags field.
     • Designated field with the name of the tag key and the value of the tag value.
   • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.

3. Fetch Security Center sub-assessments for devices (optional) - Select to fetch security assessments (such as Qualys vulnerabilities) for devices, where available. This option requires the Security Center to be active in the subscription.

4. Fetch Azure Arc-Enabled machine extensions - Select this option to fetch machines enabled by Azure Arc.

5. Consider last seen only for connected Arc-Enabled machines - Select this option to use the Last Seen field as a reference timestamp only for Arc-enabled machines with the status Connected. For machines with any other status, the Last Status Change field will be used as a reference timestamp, reflecting the last time the device was disconnected.

6. Fetch Advisor Recommendations for entities - Select this option to fetch security recommendation from Azure Advisor. When enabled, an 'Advisor Recommendations' field is added to all fetched assets.

7. Enrich Advisor Recommendations with assessment information - Select to enrich the Advisor recommendations in virtual machines with additional data. You can only select this option when Fetch Advisor Recommendations for entities is enabled.

8. Add backup protection information from recovery services into VMs - Select this option to enrich Virtual Machines devices with their backup config information, if it exists.

9. Fetch Azure Security alerts - Select to fetch security alerts from Azure Security Center service as devices. Make sure you add permissions for SecurityEvents.Read.All to fetch Azure Security alerts.

10. Use Cloud ID as manufacturer serial number - Select to use the unique ID for tracking support data as a manufacturer serial number.

11. Use Asset Name as Hostname and Hostname as Asset Name - Select to swap the information in the Asset Name with the Hostname field.

12. Use Asset Name as Hostname and Hostname as Asset Name (15 chars) - Select this option to switch between the asset name value and the hostname value if the hostname has 15 characters.

13. Consider Azure Managed disks as encrypted - Select to consider Azure managed disks as SSE encrypted.

14. Use Instance view Computer Name as Hostname - Select to swap the information from os_profile > computer_name to instance_view > computer_name.

15. Fetch Azure Firewall Rules and Policies (optional) - Select to fetch firewall rules and web application firewall policies configured in the asset's subnets.

16. Do not save Subscription Tags to Adapter Tags for entity types - From the drop-down, select the Azure entity types for which you don't want to have the Subscription Tags included in the Adapter Tags values.

17. Azure services to fetch as assets (optional) - Select one or more services from the list to fetch as devices (this replaces specific options previously available, which will now appear in the drop-down, in addition to other options). Some of the services require additional permissions to fetch - see Additional Permissions.
    The following options are available:

    • Analysis Services
    • Apache Spark pools
    • API Connections
    • API Management
    • App Service plans
    • Application Gateway
    • Application Gateway HTTP Listener
    • Application Insights
    • Automation Accounts
    • Availability Sets
    • Availability Tests
    • Azure Arc-Enabled Machines
    • Azure Databricks
    • Azure Workbooks
    • Action Groups
    • B2C Tenants
    • Blob Containers
    • Certificates From Key Vaults. Refer to Fetching Certificates from Key Vaults
    • Communication Services
    • Connections
    • Container App
    • Container Groups
    • Container Registries
    • Cosmos DB Accounts
    • Data Factory
    • Database for PostgreSQL - Flexible Server
    • Database for PostgreSQL - Single Server
    • Database for MySQL - Flexible Server
    • Database for MySQL - Single Server
    • Database for MariaDB
    • Dedicated SQL pools
    • Disks
    • DNS Records
    • DNS Zones
    • Event Hubs
    • Event Hubs Namespaces
    • File Shares
    • Form recognizers
    • Front Door and CDN profiles
    • Front Door WAF policies
    • Firewalls
    • Function Apps
    • Key Vaults
    • Keys from Key Vaults - adds the keys from key vaults and displays them as the asset "secrets". See the permissions required here.
    • Recovery Service Vaults
    • Kubernetes Agent Pools
    • Kubernetes Clusters
    • Load Balancing Rules
    • Load Balancers
    • Local Network Gateways
    • Log Analytics MAC Addresses
    • Log Analytics Workspaces
    • Logic Apps
    • Machine Learning Service Registries
    • Machine Learning Service Workspaces
    • Machine Learning Web Services
    • Managed Identities
    • Management Groups -* See the permissions required here.*
    • NetApp Accounts
    • NetApp Volumes
    • Network Interfaces
    • Network Security Groups
    • Network Security Rules
    • Network Watchers
    • Policy Set Definitions
    • Private Endpoints
    • Public IP Addresses
    • Queues
    • Redis Caches
    • Relays
    • Resource Groups
    • Route Tables
    • Secrets From Key Vaults
    • Service Bus Namespaces
    • Sentinel Incidents
    • Shared dashboards
    • SignalR
    • Solutions
    • SQL Databases
    • SQL Databases Inaccessible By Server (fetches inaccessible databases as the asset Database with the Azure Entity Type SqlDB.)
    • SQL Managed Instances
    • SQL Servers
    • Subscription
    • Storage Accounts
    • Storage Accounts - Access Keys / Kerberos Keys
    • Synapse Workspaces
    • System Topics
    • Tables
    • Tenants
    • Virtual Machines - Selected by default, clear if you do not want to fetch.
    • Virtual Machine Scale Sets (fetches Virtual Machine Scale Sets from Azure, and saves them as Compute Services.)
    • Virtual Network Gateways
    • Virtual Networks
    • WCF Relays
    • Web Apps
    • Web Application Firewall Policies

18. Fetch VM sizes (optional, default: false) - Select this to fetch VM sizes information. Note that if you enable this option, the fetch time might increase significantly.

19. Check device existence in the following log analytics query pack names (optional) - Add the names of the query packs that you want to run on your devices to determine if the devices contain relevant logs. Please note that this feature does not return log data, just indications if devices were found that meet the queries' criteria.

    • All the queries must include the '_ResourceId' column to allow for correlating the log/query with the Device (Virtual Machine).
    • For information on creating Query Packs and saving Queries inside the query packs, see Log Analytics Query Packs.

• Get cost data per subscription for the last X days - In order to get the billing data per service, select Subscriptions in the 'Azure services to fetch as assets' field and enter a number between 1 and 365 in this field.

Creating an Application in the Microsoft Azure Portal

1. Log in to the Azure Portal with an administrator account.
2. Search for App registrations.
3. Select App registrations > New registration. Fill in the details and click Register.

4. After you have created the app, the Application ID and Directory ID values are displayed. Write down these values, which are known as Client ID and Tenant ID.

5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.

6. Assign a Read role to this application. Search for "Subscriptions" in the search box at the top bar of the panel and click Subscriptions.
7. Use the top search bar and search for Management Groups. Select the Management group that includes all subscriptions you would like Axonius to collect. If you need to add permissions to multiple management groups repeat the steps below for each one.

8. Select Access control (IAM), then click Add > Add Role Assignment to add a new permission. Select the Reader role then click Next. On the Members screen, click Select Members. Search for the Axonius application and then click Select. Click Review + assign.

You can now use these credentials to connect to Azure.

Additional Permissions

Some of the Microsoft Azure services require additional permissions to fetch.

Fetching Keys From Key Vaults

To 'Keys From Key Vaults' as an Azure service the following permissions are required.

Fetching Certificates from Key Vaults

To fetch certificates from Key Vaults

1. Open Key Vaults

2. Select the specific key vault

3. Go to Access Policies

4. Add new policy

   • Select the application configured in Axonius
   • Give the permission to list Certificates

Fetching Management Groups

To fetch 'Management Groups' as an Azure service, you need to assign a permission (role) to the application you created in the Microsoft Azure Portal, through which you connect to the adapter. The minimum permission required is Reader.

1. Go to the Management Group for which you want to add permissions.
2. Select Access Control (IAM).
3. From the Role Assignments tab, click Add and then select Add role assignment.
   
4. From the Role tab, type and add the Reader role.
   
5. From the Members tab, click Select Members to search for and select the application used to connect to the adapter.
6. Click Review + assign twice to save this role assignment.