Microsoft Azure

This article covers the details for connecting Microsoft Azure:
Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data.

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune can be found on Microsoft Azure Active Directory (Azure AD).

The Microsoft Azure adapter fetches devices from the Microsoft Azure Cloud Environment.

Related Enforcement Actions:
Microsoft Azure - Add Tag to Cloud Instance

To connect to Microsoft Azure you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

This page contains the following topics:

• Parameters - the general parameters to configure to work with the Microsoft Azure adapter.
• Microsoft Azure - Advanced Settings - explanation of all Advanced Configuration Settings for the Microsoft Azure adapter.
• Creating an application in the Microsoft Azure Portal
• Connecting Axonius with Microsoft Intune
• Table of Azure Permissions - a summary of permissions that Axonius requires to fetch various Microsoft Azure resources.

Parameters

Microsoft Azure

1. Azure Subscription IDs (optional) - The comma-separated Subscription ID access control roles in IAM for the Axonius application. When you enter Azure Subscription IDs Axonius fetches data from the specified subscriptions. If you do not enter anything here, you must select Fetch All Subscriptions.

2. Fetch All Subscriptions - Select to fetch data from all subscriptions associated with the specified Microsoft Azure tenant ID. If you do not select this option, make sure you enter Azure Subscription IDs in order to fetch data.

3. Azure Client ID, Azure Client Secret, Azure Tenant ID, Cloud Environment (required) - See details under Microsoft Azure AD.

4. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premise server) and the URL for the Azure Stack Hub Resource String.

   • If supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
   • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.

5. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:

   • Do not use proxy - Axonius will not use a proxy to authenticate to the Microsoft Azure cloud server and will not use a proxy to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy authentication only - Axonius will only use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server.
   • Proxy Azure Stack Hub only - Axonius will only use the proxy specified in the HTTPS Proxy field to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy all - Axonius will use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server and also to fetch asset data from the Microsoft Azure Stack Hub server.

6. Account Tag (optional) - Optional tag for the Azure Cloud instance ("nickname").

   • If supplied, Axonius will tag all devices fetched from this adapter connection.
   • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.

7. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Password - See details under Microsoft Azure AD

8. Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter. When you select this option, 2 more fields are displayed.

   

   • Click Choose file next to Client Private Key File to upload a client private key file in PEM format
   • Click Choose file next to Client Certificate File to upload a public key file in PEM format

9. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Microsoft Azure - Advanced Settings

1. Fetch update deployments - Select whether to fetch software update deployments from Microsoft Azure.

2. List of tags to parse as fields (optional) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

   • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
     • Values of the Adapter Tags field.
     • Designated field with the name of the tag key and the value of the tag value.
   • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.

3. Fetch Security Center sub-assessments for devices (optional) - Select to fetch security assessments (such as Qualys vulnerabilities) for devices, where available. This option requires the Security Center to be active in the subscription.

10. Add backup protection information from recovery services into VMs - Select this option to enrich Virtual Machines devices with their backup config information, if it exists.

11. Fetch Azure Security alerts - Select to fetch security alerts from Azure Security Center service as devices. Make sure you add permissions for SecurityEvents.Read.All to fetch Azure Security alerts.

12. Use Cloud ID as manufacturer serial number - Select to use the unique ID for tracking support data as a manufacturer serial number.

13. Use Asset Name as Hostname and Hostname as Asset Name - Select to swap the information in the Asset Name with the Hostname field.

14. Use Asset Name as Hostname and Hostname as Asset Name (15 chars) - Select this option to switch between the asset name value and the hostname value if the hostname has 15 characters.

15. Consider Azure Managed disks as encrypted - Select to consider Azure managed disks as SSE encrypted.

16. Use Instance view Computer Name as Hostname - Select to swap the information from os_profile > computer_name to instance_view > computer_name.

17. Fetch Azure Firewalls from Virtual Network level (optional) - Select to fetch firewall rules and web application firewall policies configured in the asset's subnets.

18. Azure services to fetch as devices (optional) - Select one or more services from the list to fetch as devices (this replaces specific options previously available, which will now appear in the drop-down, in addition to other options). The following options are available:

    • Analysis Services
    • Apache Spark pools
    • API Connections
    • App Services
    • App Service plans
    • Application Gateway
    • Application Gateway HTTP Listener
    • Application Insights
    • Automation Accounts
    • Availability Sets
    • Availability Tests
    • Azure Databricks
    • Azure Workbooks
    • B2C Tenants
    • Communication Services
    • Connections
    • Cosmos DB Accounts
    • Dedicated SQL pools
    • Disks
    • DNS Records
    • DNS Zones
    • Event Hubs
    • Event Hubs Namespaces
    • Form recognizers
    • Front Door and CDN profiles
    • Front Door WAF policies
    • Firewalls
    • Key Vaults
    • Recovery Service Vaults
    • Kubernetes Agent Pools
    • Kuberenetes Clusters
    • Load Balancing Rules
    • Load Balancers
    • Local Network Gateways
    • Log Analytics MAC Addresses
    • Log Analytics Workspaces
    • Logic Apps
    • Managed Identities
    • Network Security Groups
    • Network Security Rules
    • Network Watchers
    • Public IP addresses
    • Redis Caches
    • Relays
    • Resource Groups
    • Route Tables
    • Service Bus Namespaces
    • Sentinel Incidents
    • Shared dashboards
    • SignalR
    • Solutions
    • SQL Databases
    • SQL Managed Instances
    • SQL Servers
    • Storage Accounts
    • Synapse Workspaces
    • Virtual Network Gateways
    • Virtual Networks
    • WCF Relays
    • Web Apps
    • Web Application Firewall Policies

Creating an application in the Microsoft Azure Portal

1. Log in to the Azure Portal with an administrator account.
2. Search for App registrations.
3. Select App registrations > New registration. Fill in the details and click Register.

4. After you have created the app, the Application ID and Directory ID values are displayed. Write down these values, which are known as Client ID and Tenant ID.

5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.

6. In the left menu, select API Permissions > Add a permission > Microsoft Graph.

7. Grant both application permissions and delegated permissions to the Axonius App.

   1. Click Application permissions, then select user.read.all and directory.read.all.
      
   Note:

   To enable Allow fetching MFA enrollment status for users setting, select reports.Read.All.

   2. Click Add permissions.

   3. Click Add a permission again and repeat these steps for Delegated permissions and Application permissions.

   4. Select user.read.all, directory.read.all and Device.Read.all checkboxes.

   5. If you want to use Azure AD Intune as well, select:

      • DeviceManagementApps.Read.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementManagedDevices.Read.All
      • DeviceManagementRBAC.Read.All
      • DeviceManagementServiceConfig.Read.All

   6. To view the last sign-in audit log information, including whether a user used MFA in the last sign-in, select:

      • AuditLog.Read.All

   7. To fetch authentication method (if the Allow use of BETA API endpoints setting is enabled), select:

      • UserAuthenticationMethod.Read.All

   8. To fetch Security Alerts add permissions for SecurityEvents.Read.All.

   9. To fetch Office365 Activity Endpoints, select: AuditLog: Select "AuditLog.Read.all" for Delegated permissions and Application permissions.

   

   10. To fetch Risky Users Information select:
   • IdentityRiskyUser.Read.All

8. When done, click Add permissions. In the end you should have something that looks like:
   

9. On the same API permissions page, click Grant admin consent for {your-domain} and then click Yes.

10. Assign a Read role to this application. Search for "Subscriptions" in the search box at the top bar of the panel and click Subscriptions.

11. Keep the Subscription ID. This is a value needed for the Azure adapter. Select your subscription and then Access Control (IAM)

12. Click Add > Add Role Assignment to add a new permission. Select the Reader role and search for the application you just created. Click Save.

You can now use these credentials to connect to Azure and Azure AD.

Connecting Axonius with Microsoft Intune

To authorize Axonius Read information from Microsoft Intune, you must have the following application permissions assigned to you:

• User.read.all
• Directory.read.all
• Device.Read.all
• DeviceManagementApps.Read.All
• DeviceManagementConfiguration.Read.All
• DeviceManagementManagedDevices.Read.All
• DeviceManagementRBAC.Read.All
• DeviceManagementServiceConfig.Read.All

Table of Azure Permissions

This table summarizes permissions that Axonius requires to fetch various Azure resources.
Use this information both to enable required permissions, and to only apply necessary permissions.

Additional permissions are required for using the enforcement action.