Microsoft Azure and Microsoft Azure Active Directory (Azure AD)

Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers.

Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service.

The Microsoft Azure and Microsoft Azure AD adapters fetch devices from the Microsoft Azure cloud environment.

To connect to Microsoft Azure and Microsoft Azure AD, you need to create a designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials are available once the application is created (see below for a complete step-by-step guide).

The Microsoft Azure and Microsoft Azure AD adapter connections require the following parameters:

  1. Azure Subscription ID - The ID of the subscription in which the Axonius application is assigned an access control (IAM) role.
  2. Azure Client ID - The Application ID of the Axonius application.
  3. Azure Client Secret - A user-created key (client secret) for the Axonius application.
  4. Azure Tenant ID - The Microsoft Azure Active Directory (directory) ID.
  5. Cloud Environment - Choose your Azure cloud environment type.
  6. Account Tag (optional) - Optional tag for the Azure Cloud instance ("nickname").
  7. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of connecting it directly to the domain.
  8. Choose Instance - If you are using multiple nodes, choose the Axonius node that is integrated with the adapter. By default, the 'Master' Axonius node (instance) is used. For details, see Connecting Additional Axonius Nodes.

Creating an application in Microsoft Azure Portal

  1. Log in to the Azure Portal with an administrator account.
  2. Select Azure Active Directory. If you have more than one directory, make sure you are logged in to the right directory. If you are not, click on the top-right account logo and then click "Switch Directory" and select the directory you want Axonius to access.


  3. Select App registrations and click New registration. Fill in the details and click Register.

  4. After you have created the app, you should see its Application ID and Directory ID. Keep these values; they are the Client ID and Tenant ID required by the adapter.

  5. In the left menu, click Certificates & Secrets, then click New client secret. Click Add and copy the secret.

  6. In the left menu, click API Permissions and then Add a permission. Then select Microsoft Graph.

We need to grant both application permissions and delegated permissions to the Axonius App.
Click Application permissions, then select user.read.all and directory.read.all.


Click 'Add permissions'. Then click 'Add a permission' again and select Microsoft Graph, but this time choose Delegated permissions. Select user.read.all and directory.read.all. If you want to use Azure AD Intune as well, also select DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, and DeviceManagementServiceConfig.Read.All.

Finish by clicking 'Add permissions'. In the end, the API permissions list should show all of the permissions above.

  7. On the same API permissions page, click Grant admin consent for {your-domain} and then click Yes.

  8. Now assign the Reader role to this application. Search for "Subscriptions" in the search box at the top bar of the portal and click Subscriptions.

Keep the Subscription ID; this is a value the Azure adapter needs. Select your subscription and then Access Control (IAM).

  9. Click Add > Add Role Assignment to add a new permission. Select the Reader role and search for the application you just created. Click Save.

You can now use these credentials to connect to Azure and Azure AD.

Connecting Axonius with Microsoft Intune

To authorize Axonius to read information from Microsoft Intune, an administrator must consent to the Axonius App.

  1. Go to the application settings (Azure Active Directory > App registrations > [Axonius App] > Authentication > Redirect URIs) and add 'https://localhost'. Click Save.

  2. Fill in the tenant ID and the client ID in the following link and open it in your browser while you are logged in as an administrator:
https://login.windows.net/<tenant_id>/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=https://localhost&state=after-auth&resource=https://graph.microsoft.com&prompt=admin_consent
  3. Click Approve to authorize Axonius to read information about Intune. You will be redirected to:
https://localhost?code=<code>&state=after-auth&session_state=.....&admin_consent=True

Save the code part (not including the '=' at the beginning or the '&' at the end).

  4. In the adapter settings, paste the code into the 'Azure OAuth Authorization Code' field.
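The consent procedure above builds one URL by hand and then copies the code out of another by eye. The following added example (not part of the Axonius documentation, standard library only) does both steps programmatically and, before accepting a code, checks that the redirect landed on the registered redirect URI, that the state value matches, and that admin consent was actually granted. All IDs and the code are constructed placeholders.

```python
"""Build the admin-consent URL used above and extract the authorization code
from the redirect URL, rejecting redirects that do not match the request.
All tenant/client IDs and codes in this file are constructed placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit

STATE = "after-auth"            # the state value used in the link above
REDIRECT_URI = "https://localhost"
AUTHORIZE_BASE = "https://login.windows.net/{tenant_id}/oauth2/authorize?"


def build_consent_url(tenant_id: str, client_id: str) -> str:
    """Return the authorize URL with the same parameters as the page's link."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": STATE,
        "resource": "https://graph.microsoft.com",
        "prompt": "admin_consent",
    }
    return AUTHORIZE_BASE.format(tenant_id=tenant_id) + urlencode(params)


def extract_auth_code(redirect_url: str) -> str:
    """Pull the 'code' value out of the redirect URL.

    Raises ValueError when the redirect is not on the registered redirect URI,
    the state does not match the one we sent, or admin consent was not granted,
    so a tampered or incomplete redirect is rejected instead of being pasted in.
    """
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or parts.netloc != "localhost":
        raise ValueError("redirect did not land on the registered redirect URI")
    qs = parse_qs(parts.query)
    if qs.get("state") != [STATE]:
        raise ValueError("state mismatch: response does not belong to this request")
    if qs.get("admin_consent", [""])[0].lower() != "true":
        raise ValueError("admin consent was not granted")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code  # parse_qs already strips the leading '=' and trailing '&'


if __name__ == "__main__":
    # Constructed placeholder IDs, not real tenant or application values.
    print(build_consent_url("00000000-0000-0000-0000-000000000000",
                            "11111111-1111-1111-1111-111111111111"))
    redirect = "https://localhost?code=AQABAAIAAAD&state=after-auth&session_state=x&admin_consent=True"
    print(extract_auth_code(redirect))
```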

Troubleshooting

  1. The error "Insufficient permissions: did you grant read-only permissions to the application?" appears even though every step in this document was followed. Wait a few minutes, then try saving the credentials again; changes in Azure take time to propagate.
