Microsoft Azure, Microsoft Azure Active Directory (Azure AD) and Microsoft Intune

This article covers the details for connecting the following adapters:

  1. Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data.
  2. Microsoft Azure Active Directory (Azure AD) - covers:
    1. Microsoft Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory, and identity management service.
    2. Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that integrates closely with Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection.



The Microsoft Azure and Microsoft Azure Active Directory (Azure AD) adapters fetch devices from the Microsoft Azure cloud environment.

To connect to Microsoft Azure and Microsoft Azure AD, you need to create a designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. The credentials the adapters require are available once the application is created. For details, see Creating an application in the Microsoft Azure Portal.

Parameters

Microsoft Azure AD

  1. Azure Client ID (required) - The Application ID of the Axonius application.
  2. Azure Client Secret (required) - A user created key for the Axonius application.
  3. Azure Tenant ID (required) - Microsoft Azure Active Directory ID.
  4. Cloud Environment (required) - Select your Microsoft Azure or Microsoft Azure AD cloud environment type.
  5. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional, default: empty, relevant only for Microsoft Azure) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premise server) and the Azure Stack Hub resource string URL.
    • If supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
    • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.
  6. Azure OAuth Authorization Code (optional, default: empty, relevant only for Microsoft Intune) - The authorization code described in Connecting Axonius with Microsoft Intune.
  7. Is Azure AD B2C (required, default: False)
    • If enabled, Axonius will treat this Microsoft Azure AD adapter connection as configured for B2C.
    • If disabled, Axonius will not treat this Microsoft Azure AD adapter connection as configured for B2C.
  8. Account Tag (optional, default: empty) - Optional tag for the Azure Cloud instance ("nickname").
    • If supplied, Axonius will tag all devices fetched from this adapter connection.
    • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.
  9. Verify SSL (required, default: True) - Verify the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment will be verified against the CA database inside of Axonius. If the SSL certificate can not be validated against the CA database inside of Axonius, the connection will fail with an error.
    • If disabled, the SSL certificate offered by the selected Microsoft Azure / Azure AD cloud environment will not be verified against the CA database inside of Axonius.
  10. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the selected Microsoft Azure / Azure AD cloud environment.
    • If supplied, Axonius will utilize the proxy when connecting to the selected Microsoft Azure / Azure AD cloud environment.
    • If not supplied, Axonius will connect directly to the selected Microsoft Azure / Azure AD cloud environment.
  11. HTTPS Proxy User Name (optional, default: empty) - The user name to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.
    • If supplied, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If not supplied, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  12. HTTPS Proxy Password (optional, default: empty) - The password to use when connecting to the selected Microsoft Azure / Azure AD cloud environment via the value supplied in HTTPS Proxy.
    • If supplied, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If not supplied, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  13. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Microsoft Azure

  1. Azure Subscription ID (optional, default: empty) - The ID of the Azure subscription in which the Axonius application was assigned a role under Access Control (IAM).
    • If supplied, Axonius will fetch data from the specified subscription. If the Fetch All Subscriptions checkbox is disabled, this field must be specified.
    • If not supplied and the Fetch All Subscriptions checkbox is enabled, Axonius will fetch data from all subscriptions associated with the specified Tenant ID. Otherwise, Axonius will fail to fetch data.
  2. Fetch All Subscriptions (required, default value: False) - Select whether to fetch all subscriptions from the same Microsoft Azure tenant ID or a single account as specified in the Azure Subscription ID field.
    • If enabled, Axonius will fetch data from all subscriptions associated with the specified Tenant ID.
    • If disabled, Azure Subscription ID field must be specified. Axonius will fetch data from the specified subscription in the Azure Subscription ID field.
  3. Azure Client ID, Azure Client Secret, Azure Tenant ID, Cloud Environment (required) - See the details under the Microsoft Azure AD section.
  4. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional, default: empty) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premise server) and the URL for the Azure Stack Hub Resource String.
    • If supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure Stack Hub server. Axonius will not fetch any asset data from Microsoft Azure cloud server.
    • If not supplied, Axonius will authenticate to the Microsoft Azure cloud server, and will fetch asset data from the Microsoft Azure cloud server. Axonius will not fetch any asset data from Microsoft Azure Stack Hub server.
  5. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:
    • Do not use proxy - Axonius will not use a proxy to authenticate to the Microsoft Azure cloud server and will not use a proxy to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy authentication only - Axonius will only use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server.
    • Proxy Azure Stack Hub only - Axonius will only use the proxy specified in the HTTPS Proxy field to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy all - Axonius will use the proxy specified in the HTTPS Proxy field to authenticate to the Microsoft Azure cloud server and also to fetch asset data from the Microsoft Azure Stack Hub server.
  6. Account Tag (optional, default: empty) - Optional tag for the Azure Cloud instance ("nickname").
    • If supplied, Axonius will tag all devices fetched from this adapter connection.
    • If not supplied, Axonius will not tag any of the devices fetched from this adapter connection.
  7. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Proxy Password - See the details under the Microsoft Azure AD section.
  8. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Microsoft Azure AD - Advanced Settings

  1. Fields to exclude (optional, default: empty) - Specify a comma-separated list of fields to be excluded from the fetched data.

    • If supplied, all connections for this adapter will exclude the listed fields from the raw and parsed data. For example, if this field value is "emailAddress, phoneNumber", both fields will be excluded from the raw and parsed data from all connections for this adapter.
    • If not supplied, all connections for this adapter will fetch all asset data.
  2. Allow use of BETA API endpoints (required, default: False) - Select whether Axonius will use BETA API.

    • If enabled, all connections for this adapter will use BETA API to fetch information about users' last log-on and users' MFA enrollment status, but only if Allow fetching MFA enrollment status for users is enabled.
    • If disabled, all connections for this adapter will not use BETA API to fetch additional information about users.
  3. Allow fetching MFA enrollment status for users (required, default: False) - Select whether to fetch users' MFA enrollment status.

    • If enabled, all connections for this adapter will use BETA API to fetch information about users' MFA enrollment status.
    • If disabled, all connections for this adapter will NOT fetch users' MFA enrollment status.
    NOTE
    • To enable this setting, Allow use of BETA API endpoints checkbox must be enabled.
    • This setting requires enabling the following application permission:
      • reports.Read.All
  4. Do not fail if Intune token has expired (required, default: False) - Select whether to fail all the connections for this adapter if the Intune token expires.

    • If enabled, all connections for this adapter will not fail if the Intune token expires. Instead, the connection will work in a "regular" mode (non-Intune).
    • If disabled, all connections for this adapter will fail if the Intune token expires.
    NOTE

    Axonius will create a daily system notification, starting 14 days before the Intune token is about to expire.

  5. Number of parallel requests (optional, default: 10) - Specify the maximum number of parallel requests all connections for this adapter will create when connecting to the Microsoft Azure AD cloud server.

    • If not supplied, Axonius will use the default value.
  6. Max retry count for parallel requests (optional, default: 3) - Specify how many times all connections for this adapter will retry a parallel request when the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  7. Time in seconds to wait between retries of parallel requests (optional, default: 3) - Specify how many seconds all connections for this adapter will wait in between each retry when a parallel request to the Microsoft Azure AD cloud server returns a response with an error.

    • If not supplied, Axonius will use the default value.
  8. Fetch email activity from Office 365 in the last X days (required, default: 0) - Specify the number of days of email activity to fetch per user.

    NOTE

    To use this field, the application permissions granted in the Microsoft Azure Portal must include the following permission:

    • reports.Read.All


NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Microsoft Azure - Advanced Settings

  1. Fetch update deployments (required, default: False) - Select whether to fetch software update deployments from Microsoft Azure.
    • If enabled, all connections for this adapter will fetch software update deployments.
    • If disabled, all connections for this adapter will not fetch software update deployments.


NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an application in the Microsoft Azure Portal

  1. Log in to the Azure Portal with an administrator account.
  2. Select Azure Active Directory. If you have more than one directory, make sure you are logged in to the right directory. If you are not, click the account logo at the top right, click Switch Directory and select the directory you want Axonius to access.
  3. Select App registrations and click New registration. Fill in the details and click Register.
  4. After you have created the app, you should see its Application ID and Directory ID. Keep these values; they are the Client ID and Tenant ID used by the adapters.
  5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret.
  6. In the left menu, click API Permissions and then Add a permission. Then select Microsoft Graph.
  7. Grant both application permissions and delegated permissions to the Axonius App.
    1. Click Application permissions, then select user.read.all and directory.read.all.
    NOTE

    To enable the Allow fetching MFA enrollment status for users setting, also select reports.Read.All.

    2. Click Add permissions.
    3. Click Add a permission again and select Microsoft Graph, but this time click Delegated permissions.
    4. Select the user.read.all and directory.read.all checkboxes.
    5. If you want to use Microsoft Intune as well, also select:
      • DeviceManagementApps.Read.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementManagedDevices.Read.All
      • DeviceManagementRBAC.Read.All
      • DeviceManagementServiceConfig.Read.All
  8. Finish by clicking Add permissions. When you are done, the API permissions page should list all of the permissions selected above.
  9. On the same API permissions page, click Grant admin consent for {your-domain} and then click Yes.
  10. Assign a Reader role to this application. Search for "Subscriptions" in the search box at the top bar of the portal and click Subscriptions. Keep the Subscription ID; this is the value needed for the Azure adapter. Select your subscription and then Access Control (IAM).
  11. Click Add > Add Role Assignment to add a new permission. Select the Reader role and search for the application you just created. Click Save.

You can now use these credentials to connect to Azure and Azure AD.
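Admin consent granted in the portal takes time to propagate, and a connection that fails with an "insufficient permissions" message is usually missing one of the Graph permissions listed above. The following added example (not Axonius code, and not part of this article) decodes the claims of a Microsoft identity platform access token and reports which of the article's permissions the token does not carry. It assumes that application permissions appear in the token's "roles" claim (app-only token from the client-credentials flow) and delegated permissions in its space-separated "scp" claim (token from the authorization-code flow); the grouping of permissions into adapter features, and the two sample tokens, are constructed for the example. Permission names are compared case-insensitively, so the article's lowercase spelling (user.read.all) and the portal's canonical spelling (User.Read.All) both match. The signature is never verified, so this is a consent-propagation check for troubleshooting, not an authentication step.

```python
"""Check which Microsoft Graph permissions from the article a token carries.

Added example, not Axonius code. Tokens are treated as unverified JWTs: the
payload is decoded, the signature is ignored.
"""
import base64
import json

# Permission names from the article, grouped by the adapter feature that
# needs them (the grouping into features is an assumption of this example).
REQUIRED_APPLICATION_PERMISSIONS = {
    "base": {"User.Read.All", "Directory.Read.All"},
    "mfa_enrollment_status": {"Reports.Read.All"},
}
REQUIRED_DELEGATED_PERMISSIONS = {
    "base": {"User.Read.All", "Directory.Read.All"},
    "intune": {
        "DeviceManagementApps.Read.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementRBAC.Read.All",
        "DeviceManagementServiceConfig.Read.All",
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the (unverified) claims of a compact three-part JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple:
    """Return (application permissions, delegated permissions), lower-cased."""
    roles = {r.lower() for r in claims.get("roles", [])}
    scopes = {s.lower() for s in claims.get("scp", "").split()}
    return roles, scopes


def missing_permissions(claims: dict, application_features=(), delegated_features=()) -> dict:
    """Map each requested feature to the permissions the token lacks.

    An empty result means every requested feature is fully consented.
    """
    roles, scopes = granted_permissions(claims)
    missing = {}
    for feature in application_features:
        gap = {p for p in REQUIRED_APPLICATION_PERMISSIONS[feature] if p.lower() not in roles}
        if gap:
            missing["application:" + feature] = gap
    for feature in delegated_features:
        gap = {p for p in REQUIRED_DELEGATED_PERMISSIONS[feature] if p.lower() not in scopes}
        if gap:
            missing["delegated:" + feature] = gap
    return missing


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the checks above can run offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed sample: an app-only token consented for the base permissions only.
SAMPLE_APP_TOKEN = make_unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All", "Directory.Read.All"]}
)
# Constructed sample: a delegated token whose Intune consent is incomplete.
SAMPLE_DELEGATED_TOKEN = make_unsigned_sample_token(
    {"aud": "https://graph.microsoft.com",
     "scp": "User.Read.All Directory.Read.All DeviceManagementApps.Read.All"}
)

if __name__ == "__main__":
    print(missing_permissions(decode_jwt_payload(SAMPLE_APP_TOKEN),
                              application_features=("base", "mfa_enrollment_status")))
    print(missing_permissions(decode_jwt_payload(SAMPLE_DELEGATED_TOKEN),
                              delegated_features=("base", "intune")))
```

Run the script as-is to see the two constructed cases; to check a real app registration, replace the sample with an access token obtained for the Axonius application and pass the features the connection uses. An empty dictionary means consent has propagated for those features.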

Connecting Axonius with Microsoft Intune

To allow Axonius to read information from Microsoft Intune, an administrator must authorize the Axonius app.

  1. Go to the application settings (Azure Active Directory > App registrations > [Axonius App] > Authentication > Redirect URIs), add 'https://localhost' and click Save.
  2. Fill in the tenant ID and the client ID in the following link and open it in your browser while you are logged in as an administrator:
https://login.windows.net/<tenant_id>/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=https://localhost&state=after-auth&resource=https://graph.microsoft.com&prompt=admin_consent
  3. Click Approve to authorize Axonius to read information about Intune. You will be redirected to:
https://localhost?code=<code>&state=after-auth&session_state=.....&admin_consent=True

Save the code part (not including the '=' at the beginning and the '&' at the end).

  4. Enter the code in the Azure OAuth Authorization Code field in the adapter settings.
    Note: The code must be entered into the adapter right after it was generated.
NOTE
If "Insufficient permissions: did you grant read-only permissions to the application?" message is displayed, wait a few minutes, then try saving the credentials again, as it takes time for the changes in Azure to propagate.
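Cutting the code out of the address bar by hand is error-prone, and the redirect should be checked before its code is pasted into the adapter. The following added example (not Axonius code, and not part of this article) builds the authorization link from the procedure above with the tenant and client IDs filled in, then extracts the one-time code from the redirect URL. It assumes the 'https://localhost' redirect URI and the 'after-auth' state value exactly as the article's link sets them, treats a redirect whose state does not match or that carries an 'error' parameter as a failed authorization, and reports whether admin_consent=True was returned. The sample redirect URL and the placeholder IDs are constructed.

```python
"""Build the admin-consent link and parse the code out of the redirect.

Added example, not Axonius code. Values come from the article's link; the
sample redirect below is constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.windows.net/{tenant_id}/oauth2/authorize"
REDIRECT_URI = "https://localhost"
EXPECTED_STATE = "after-auth"


def build_admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Return the article's authorization link with the IDs filled in."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": EXPECTED_STATE,
        "resource": "https://graph.microsoft.com",
        "prompt": "admin_consent",
    }
    return AUTHORIZE_ENDPOINT.format(tenant_id=tenant_id) + "?" + urlencode(params)


def parse_query(url: str) -> dict:
    """Flatten a URL's query string into single values (first value wins)."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def extract_authorization_code(redirect_url: str) -> tuple:
    """Return (code, admin_consent_granted) from the redirect, or raise ValueError.

    The state check ties the redirect back to the link that was opened; a
    redirect with a different state, or one that reports an error, must not
    have its code entered into the adapter.
    """
    parts = urlsplit(redirect_url)
    if f"{parts.scheme}://{parts.netloc}" != REDIRECT_URI:
        raise ValueError("redirect did not land on the registered redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        detail = query.get("error_description", query["error"])[0]
        raise ValueError("authorization failed: " + detail)
    if query.get("state") != [EXPECTED_STATE]:
        raise ValueError("state mismatch: redirect does not belong to this authorization")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect carries no single authorization code")
    admin_consent = query.get("admin_consent", [""])[0].lower() == "true"
    return codes[0], admin_consent


def redirect_is_acceptable(redirect_url: str) -> bool:
    """True only if the redirect passes every check above."""
    try:
        extract_authorization_code(redirect_url)
        return True
    except ValueError:
        return False


# Constructed sample redirect, shaped like the one shown in the article.
SAMPLE_REDIRECT = (
    "https://localhost?code=0.constructed-sample-code"
    "&state=after-auth&session_state=1111&admin_consent=True"
)

if __name__ == "__main__":
    # Placeholder IDs; substitute the Tenant ID and Client ID of the Axonius app.
    print(build_admin_consent_url("<tenant_id>", "<client_id>"))
    print(extract_authorization_code(SAMPLE_REDIRECT))
```

The link builder percent-encodes the redirect_uri and resource values, which is equivalent to the literal link in the procedure above. Because the code is single-use and must be entered into the adapter right after it is generated, run the extraction immediately after the browser lands on the redirect URL.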