Microsoft Azure
  • 11 Aug 2022
  • 9 Minutes to read

This article covers the details for connecting Microsoft Azure:
Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers.

Details for Microsoft Azure Active Directory (Azure AD) and Microsoft Intune are on the Microsoft Azure Active Directory (Azure AD) page.



The Microsoft Azure adapter fetches devices from the Microsoft Azure Cloud Environment.

To connect to Microsoft Azure you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

Parameters

Microsoft Azure

  1. Azure Subscription IDs (optional) - A comma-separated list of the IDs of the subscriptions in which the Axonius application has been assigned an access control (IAM) role. When you enter Azure Subscription IDs, Axonius fetches data only from the specified subscriptions. If you leave this field empty, you must select Fetch All Subscriptions.
Note:

Either enter a comma-separated list of Subscription IDs in which the Axonius application has an IAM role, or select Fetch All Subscriptions.

  2. Fetch All Subscriptions - Select to fetch data from all subscriptions associated with the specified Microsoft Azure tenant ID. If you do not select this option, make sure you enter Azure Subscription IDs; otherwise no data is fetched.

  3. Azure Client ID, Azure Client Secret, Azure Tenant ID, Cloud Environment (required) - See details under Microsoft Azure AD.

  4. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (an on-premises Microsoft Azure server) and the URL for the Azure Stack Hub Resource String.

    • If supplied, Axonius will authenticate to the Microsoft Azure cloud server and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from the Microsoft Azure cloud server.
    • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from the Microsoft Azure Stack Hub server.
  5. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:

    • Do not use proxy - Axonius will not use a proxy to authenticate to the Microsoft Azure cloud server and will not use a proxy to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy authentication only - Axonius will use the proxy specified in the HTTPS Proxy field only to authenticate to the Microsoft Azure cloud server.
    • Proxy Azure Stack Hub only - Axonius will use the proxy specified in the HTTPS Proxy field only to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy all - Axonius will use the proxy specified in the HTTPS Proxy field both to authenticate to the Microsoft Azure cloud server and to fetch asset data from the Microsoft Azure Stack Hub server.
  6. Account Tag (optional) - Optional tag for the Azure Cloud instance ("nickname").

    • If supplied, Axonius will tag all devices fetched from this adapter connection.
    • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.
  7. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Password - See details under Microsoft Azure AD.

  8. Enable Client Side Certificate - Select to enable Axonius to send requests using the uploaded certificates, which allows a Mutual TLS configuration for this adapter. When you select this option, two more fields are displayed.

    • Click Choose file next to Client Private Key File to upload a client private key file in PEM format.
    • Click Choose file next to Client Certificate File to upload a public key file in PEM format.
  9. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Microsoft Azure - Advanced Settings

Note:

From Version 4.6, Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. For details, refer to Advanced Configuration for Adapters.

  1. Fetch update deployments (required, default: False) - Select whether to fetch software update deployments from Microsoft Azure.
    • If enabled, all connections for this adapter will fetch software update deployments.
    • If disabled, all connections for this adapter will not fetch software update deployments.
  2. Fetch Load Balancers as devices (required, default: false) - Select whether to fetch Load Balancers and represent them as devices.
    • If enabled, all connections for this adapter will fetch Load Balancers and represent them as devices.
    • If disabled, all connections for this adapter will not fetch Load Balancers.
  3. Fetch SQL servers as devices (required, default: false) - Select whether to fetch SQL Servers and represent them as devices.
    • If enabled, all connections for this adapter will fetch SQL Servers and represent them as devices.
    • If disabled, all connections for this adapter will not fetch SQL Servers.
  4. Fetch Kubernetes Clusters as devices (required, default: false) - Select whether to fetch Kubernetes Clusters and represent them as devices.
    • If enabled, all connections for this adapter will fetch Kubernetes Clusters and represent them as devices.
    • If disabled, all connections for this adapter will not fetch Kubernetes Clusters.
  5. Fetch Storage Accounts as devices (required, default: false) - Select whether to fetch Storage Accounts and represent them as devices.
    • If enabled, all connections for this adapter will fetch Storage Accounts and represent them as devices.
    • If disabled, all connections for this adapter will not fetch Storage Accounts.
  6. Fetch Redis Caches as devices (required, default: false) - Select whether to fetch Redis Caches and represent them as devices.
    • If enabled, all connections for this adapter will fetch Redis Caches and represent them as devices.
    • If disabled, all connections for this adapter will not fetch Redis Caches.
  7. Fetch Key Vaults as devices (required, default: false) - Select whether to fetch Key Vaults and represent them as devices.
    • If enabled, all connections for this adapter will fetch Key Vaults and represent them as devices.
    • If disabled, all connections for this adapter will not fetch Key Vaults.
  8. List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.
    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
      • Values of the Adapter Tags field.
      • Designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.
  9. Fetch Security Center sub-assessments for devices (optional, default: false) - Select to fetch security assessments (such as Qualys vulnerabilities) for devices, where available. This option requires Security Center to be active in the subscription.
  10. Fetch Azure Security alerts - Select to fetch security alerts from the Azure Security Center service as devices. Make sure you add the SecurityEvents.Read.All permission to fetch Azure Security alerts.
  11. Use Cloud ID as manufacturer serial number - Select to use the unique ID for tracking support data as the manufacturer serial number.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an application in the Microsoft Azure Portal

  1. Log in to the Azure Portal with an administrator account.
  2. Select Azure Active Directory. If you have more than one directory, verify that you are logged in to the correct directory. If you are not, select the top-right account logo, click Switch Directory, and select the directory you want Axonius to access.

  3. Select App registrations > New registration. Fill in the details and click Register.

  4. After you have created the app, the Application ID and Directory ID values are displayed. Write down these values; they are the Client ID and Tenant ID that the adapter requires.

  5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.

  6. In the left menu, select API Permissions > Add a permission > Microsoft Graph.

  7. Grant both application permissions and delegated permissions to the Axonius app.

    1. Click Application permissions, then select user.read.all and directory.read.all.
    Note:

    To enable the Allow fetching MFA enrollment status for users setting, select reports.Read.All.

    2. Click Add permissions.

    3. Click Add a permission again and repeat these steps for both Delegated permissions and Application permissions.

    4. Select the user.read.all, directory.read.all and Device.Read.all checkboxes.

    5. If you want to use Azure AD Intune as well, select:

      • DeviceManagementApps.Read.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementManagedDevices.Read.All
      • DeviceManagementRBAC.Read.All
      • DeviceManagementServiceConfig.Read.All
    6. To view the last sign-in audit log information, including whether a user used MFA in the last sign-in, select:

      • AuditLog.Read.All
    7. To fetch authentication methods (if the Allow use of BETA API endpoints setting is enabled), select:

      • UserAuthenticationMethod.Read.All
    8. To fetch Security Alerts, add the SecurityEvents.Read.All permission.

    9. To fetch Office 365 Activity Endpoints, select AuditLog.Read.All for both Delegated permissions and Application permissions.

    10. To fetch Risky Users information, select:

      • IdentityRiskyUser.Read.All
  8. When done, click Add permissions.

  9. On the same API permissions page, click Grant admin consent for {your-domain} and then click Yes.

  10. Assign a Read role to this application. Search for "Subscriptions" in the search box at the top bar of the panel and click Subscriptions.

  11. Keep the Subscription ID; the Azure adapter requires this value. Select your subscription and then Access Control (IAM).

  12. Click Add > Add Role Assignment to add a new permission. Select the Reader role and search for the application you just created. Click Save.

You can now use these credentials to connect to Azure and Azure AD.
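The Reader assignment in the last step is what keeps the adapter read-only, and it is worth re-checking after the fact. The following Python script is an added example (not Axonius or Microsoft code): it audits the app's role assignments, in the JSON shape returned by "az role assignment list --all --assignee <APP_OBJECT_ID>", against the Subscription IDs configured in the adapter; the subscription IDs in the sample are constructed placeholders.

```python
"""Least-privilege audit of the Axonius app's Azure IAM role assignments.

Added example, not Axonius or Microsoft code. Input is the JSON shape that
`az role assignment list --all --assignee <APP_OBJECT_ID>` returns (only the
roleDefinitionName and scope fields are used).
"""
import json

READ_ONLY_ROLE = "Reader"

def parse_subscription_ids(raw):
    """Split the adapter's comma-separated 'Azure Subscription IDs' value."""
    return [s.strip() for s in raw.split(",") if s.strip()]

def audit_role_assignments(assignments, configured_subs):
    """Return {'missing': [...], 'excess': [...]}.

    missing: configured subscriptions with no Reader at subscription scope.
    excess:  a non-Reader role, or Reader at root/management-group scope or on
             an unconfigured subscription. Reader below subscription scope
             (e.g. a resource group) is ignored: it neither satisfies nor exceeds.
    """
    readers, excess = set(), []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/")
        parts = scope.split("/")  # "/subscriptions/<id>" -> ["", "subscriptions", "<id>"]
        if role != READ_ONLY_ROLE or not scope.startswith("/subscriptions/"):
            excess.append(f"{role} on {scope or '/'}")
        elif len(parts) == 3 and parts[2] in configured_subs:
            readers.add(parts[2])
        elif parts[2] not in configured_subs:
            excess.append(f"{role} on {scope}")
    return {"missing": [s for s in configured_subs if s not in readers],
            "excess": excess}

# Constructed sample in the az CLI output shape; subscription IDs are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"roleDefinitionName": "Contributor",
  "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
 {"roleDefinitionName": "Reader",
  "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"},
 {"roleDefinitionName": "Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app"}
]""")
CONFIGURED = parse_subscription_ids(
    "11111111-1111-1111-1111-111111111111, 22222222-2222-2222-2222-222222222222")

if __name__ == "__main__":
    print(json.dumps(audit_role_assignments(SAMPLE_ASSIGNMENTS, CONFIGURED), indent=2))
```

In the sample, the Contributor assignment and the Reader on the unconfigured third subscription are reported as excess, and the second configured subscription is reported as missing a Reader assignment.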

Connecting Axonius with Microsoft Intune

To authorize Axonius to read information from Microsoft Intune, the application must have the following permissions assigned:

  • User.read.all
  • Directory.read.all
  • Device.Read.all
  • DeviceManagementApps.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementRBAC.Read.All
  • DeviceManagementServiceConfig.Read.All


Table of Azure Permissions

This table summarizes the permissions that Axonius requires to fetch the various Azure resources.
Use this information both to enable the required permissions and to apply only the necessary ones.

Note:

You need to set the desired permissions as both delegated and application permissions.

Azure Service                                              Permissions
---------------------------------------------------------  ---------------------------------------
Application / Delegated permissions                        user.read.all
                                                           directory.read.all
                                                           Device.Read.all
Fetch Office 365 activity endpoints                        AuditLog.Read.All
Last sign-in audit log information                         AuditLog.Read.All
Azure AD Intune                                            DeviceManagementApps.Read.All
                                                           DeviceManagementConfiguration.Read.All
                                                           DeviceManagementManagedDevices.Read.All
                                                           DeviceManagementRBAC.Read.All
                                                           DeviceManagementServiceConfig.Read.All
Fetch Risky Users information                              IdentityRiskyUser.Read.All
Allow fetching MFA enrollment status for users setting     reports.Read.All
Fetch authentication method (if the Allow use of Beta API  UserAuthenticationMethod.Read.All
endpoints setting is enabled)
Security alerts                                            SecurityEvents.Read.All

