Microsoft Azure

This article covers the details for connecting Microsoft Azure:
Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data. The Microsoft Azure adapter fetches devices from the Microsoft Azure Cloud Environment.

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune can be found on Microsoft Azure Active Directory (Azure AD).

About Microsoft Azure

Use cases the adapter solves
The Azure adapter allows Axonius users to evaluate their public cloud resources to ensure that they are correctly configured and managed, even across multiple tenants. Users can also leverage data from this adapter to modify software update deployments (including security agents).

Data retrieved by Microsoft Azure

The Azure adapter retrieves device data regarding Azure VMs, networks/NSGs, SQL servers, load balancers, storage accounts, key vaults, Redis instances, and Kubernetes.

Related Enforcement Actions:
In order to help make data in the Axonius platform available directly within Azure, tags can be added to Azure VMs through enforcements.

Microsoft Azure - Add Tag to Cloud Instance

To connect to Microsoft Azure you need to create a Designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

This page contains the following topics:

• Parameters - the general parameters to configure to work with the Microsoft Azure adapter.
• Microsoft Azure - Advanced Settings - explanation of all Advanced Configuration Settings for the Microsoft Azure adapter.
• Creating an application in the Microsoft Azure Portal

Parameters

Microsoft Azure

1. Azure Subscription IDs (optional) - The comma-separated Subscription ID access control roles in IAM for the Axonius application. When you enter Azure Subscription IDs Axonius fetches data from the specified subscriptions. If you do not enter anything here, you must select Fetch All Subscriptions.

2. Fetch All Subscriptions - Select to fetch data from all subscriptions associated with the specified Microsoft Azure tenant ID. If you do not select this option, make sure you enter Azure Subscription IDs in order to fetch data.

3. Azure Client ID, Azure Client Secret, Azure Tenant ID, Cloud Environment (required) - See details under Microsoft Azure AD.

4. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premise server) and the URL for the Azure Stack Hub Resource String.

   • If supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
   • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.

5. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:

   • Do not use proxy - Axonius will not use a proxy to authenticate to the Microsoft Azure cloud server and will not use a proxy to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy authentication only - Axonius will only use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server.
   • Proxy Azure Stack Hub only - Axonius will only use the proxy specified in the HTTPS Proxy field to fetch asset data from the Microsoft Azure Stack Hub server.
   • Proxy all - Axonius will use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server and also to fetch asset data from the Microsoft Azure Stack Hub server.

6. Account Tag (optional) - Optional tag for the Azure Cloud instance ("nickname").

   • If supplied, Axonius will tag all devices fetched from this adapter connection.
   • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.

7. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Password - See details under Microsoft Azure AD

8. Enable Client Side Certificate - Select to enable Axonius to send requests using the certificates uploaded to allow Mutual TLS configuration for this adapter. When you select this option, 2 more fields are displayed.

   

   • Click Choose file next to Client Private Key File to upload a client private key file in PEM format
   • Click Choose file next to Client Certificate File to upload a public key file in PEM format

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Microsoft Azure - Advanced Settings

1. Fetch update deployments - Select whether to fetch software update deployments from Microsoft Azure.

2. List of tags to parse as fields (optional) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

   • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
     • Values of the Adapter Tags field.
     • Designated field with the name of the tag key and the value of the tag value.
   • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.

3. Fetch Security Center sub-assessments for devices (optional) - Select to fetch security assessments (such as Qualys vulnerabilities) for devices, where available. This option requires the Security Center to be active in the subscription.

4. Add backup protection information from recovery services into VMs - Select this option to enrich Virtual Machines devices with their backup config information, if it exists.

5. Fetch Azure Security alerts - Select to fetch security alerts from Azure Security Center service as devices. Make sure you add permissions for SecurityEvents.Read.All to fetch Azure Security alerts.

6. Use Cloud ID as manufacturer serial number - Select to use the unique ID for tracking support data as a manufacturer serial number.

7. Use Asset Name as Hostname and Hostname as Asset Name - Select to swap the information in the Asset Name with the Hostname field.

8. Use Asset Name as Hostname and Hostname as Asset Name (15 chars) - Select this option to switch between the asset name value and the hostname value if the hostname has 15 characters.

9. Consider Azure Managed disks as encrypted - Select to consider Azure managed disks as SSE encrypted.

10. Use Instance view Computer Name as Hostname - Select to swap the information from os_profile > computer_name to instance_view > computer_name.

11. Fetch Azure Firewalls from Virtual Network level (optional) - Select to fetch firewall rules and web application firewall policies configured in the asset's subnets.

12. Azure services to fetch as assets (optional) - Select one or more services from the list to fetch as devices (this replaces specific options previously available, which will now appear in the drop-down, in addition to other options). The following options are available:

    • Analysis Services
    • Apache Spark pools
    • API Connections
    • API Management
    • App Services
    • App Service plans
    • Application Gateway
    • Application Gateway HTTP Listener
    • Application Insights
    • Automation Accounts
    • Availability Sets
    • Availability Tests
    • Azure Arc-Enabled Machines
    • Azure Databricks
    • Azure Workbooks
    • Action Groups
    • B2C Tenants
    • Blob Containers
    • Communication Services
    • Connections
    • Container App
    • Container Groups
    • Container Registries
    • Cosmos DB Accounts
    • Data Factory
    • Database for PostgreSQL - Flexible Server
    • Database for PostgreSQL - Single Server
    • Database for MySQL - Flexible Server
      * Database for MySQL - Single Server
    • Database for MariaDB
    • Dedicated SQL pools
    • Disks
    • DNS Records
    • DNS Zones
    • Event Hubs
    • Event Hubs Namespaces
    • File Shares
    • Form recognizers
    • Front Door and CDN profiles
    • Front Door WAF policies
    • Firewalls
    • Key Vaults
    • Keys from Key Vaults - adds the keys from key vaults and displays them as the asset "secrets".
    • Recovery Service Vaults
    • Kubernetes Agent Pools
    • Kuberenetes Clusters
    • Load Balancing Rules
    • Load Balancers
    • Local Network Gateways
    • Log Analytics MAC Addresses
    • Log Analytics Workspaces
    • Logic Apps
    • Machine Learning Service Registries
    • Machine Learning Service Workspaces
    • Machine Learning Web Services
    • Managed Identities
    • Network Interfaces
    • Network Security Groups
    • Network Security Rules
    • Network Watchers
    • Private Endpoints
    • Public IP addresses
    • Queues
    • Redis Caches
    • Relays
    • Resource Groups
    • Route Tables
    • Service Bus Namespaces
    • Sentinel Incidents
    • Shared dashboards
    • SignalR
    • Solutions
    • SQL Databases
    • SQL Databases Inaccessible By Server (fetches inaccessible databases as the asset Database with the Azure Entity Type SqlDB.)
    • SQL Managed Instances
    • SQL Servers
    • Subscription
    • Storage Accounts
    • Storage Accounts - Access Keys / Kerberos Keys
    • Synapse Workspaces
    • System Topics
    • Tables
    • Virtual Machine Scale Sets (fetches Virtual Machine Scale Sets from Azure, and saves them as Compute Services.)
    • Virtual Network Gateways
    • Virtual Networks
    • WCF Relays
    • Web Apps
    • Web Application Firewall Policies

13. Check device existence in the following log analytics query pack names (Optional) - Add the names of the query packs that you want to run on your devices to determine if the devices contain relevant logs. Please note that this feature does not return log data, just indications if devices were found that meet the queries' criteria.

    • All the queries must include the '_ResourceId' column to allow for correlating the log/query with the Device (Virtual Machine).
    • For information on creating Query Packs and saving Queries inside the query packs, see Log Analytics Query Packs.

Creating an application in the Microsoft Azure Portal

1. Log in to the Azure Portal with an administrator account.
2. Search for App registrations.
3. Select App registrations > New registration. Fill in the details and click Register.

4. After you have created the app, the Application ID and Directory ID values are displayed. Write down these values, which are known as Client ID and Tenant ID.

5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.

6. Assign a Read role to this application. Search for "Subscriptions" in the search box at the top bar of the panel and click Subscriptions.
7. Use the top search bar and search for Management Groups. Select the Management group that includes all subscriptions you would like Axonius to collect. If you need to add permissions to multiple management groups repeat the steps below for each one.

8. Select Access control (IAM), then click Add > Add Role Assignment to add a new permission. Select the Reader role then click Next. On the Members screen, click Select Members. Search for the Axonius application and then click Select. Click Review + assign.

You can now use these credentials to connect to Azure.

Additional Permissions

In order to fetch 'Keys From Key Vaults' as an Azure service the following permissons are required.