Microsoft Azure
  • 04 Sep 2024

Article summary

This article covers the details for connecting Microsoft Azure:
Microsoft Azure - Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers. The Microsoft Azure adapter fetches devices from the Microsoft Azure cloud environment.

The Microsoft Entra ID (formerly Azure Active Directory) and Microsoft Intune adapters are documented on the Microsoft Entra ID page.

Related Enforcement Actions:
In order to help make data in the Axonius platform available directly within Azure, tags can be added to Azure VMs through enforcements.

About Microsoft Azure

Use cases the adapter solves
The Azure adapter allows Axonius users to evaluate their public cloud resources to ensure that they are correctly configured and managed, even across multiple tenants. Users can also leverage data from this adapter to modify software update deployments (including security agents).

Data retrieved by Microsoft Azure

The Azure adapter retrieves device data regarding Azure VMs, networks/NSGs, SQL servers, load balancers, storage accounts, key vaults, Redis instances, and Kubernetes.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Roles
  • Groups
  • SaaS Applications
  • Compute Services
  • Application Services
  • Networks
  • Load Balancers
  • Databases
  • Containers
  • Object Storage
  • Network Services
  • Accounts
  • Disks
  • Compute Images
  • Secrets
  • Certificates
  • Firewall Rules
  • Alerts/Incidents
  • Application Resources

To connect to Microsoft Azure you need to create a designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials are provided once the application is created. For details, see Creating an application in the Microsoft Azure Portal.

Parameters

Microsoft Azure

  1. Azure Subscription IDs (optional) - A comma-separated list of the Subscription IDs for which the Axonius application has been granted access control (IAM) roles. When you enter Azure Subscription IDs, Axonius fetches data from the specified subscriptions only. If you leave this field empty, you must select Fetch All Subscriptions.
Note:

Either enter a comma-separated list of Subscription IDs (for which the application has IAM access control roles) or select Fetch All Subscriptions.

  2. Fetch All Subscriptions - Select to fetch data from all subscriptions associated with the specified Microsoft Azure tenant ID. If you do not select this option, make sure you enter Azure Subscription IDs; otherwise no data is fetched.

  3. Azure Client ID, Azure Client Secret, Azure Tenant ID, Cloud Environment (required) - See details under Microsoft Entra ID.

  4. Azure Stack Hub Management URL and Azure Stack Hub Resource String (optional) - Specify the hostname or IP address of the Microsoft Azure Stack Hub server (a Microsoft Azure on-premises server) and the URL for the Azure Stack Hub Resource String.

    • If supplied, Axonius authenticates to the Microsoft Azure cloud server and fetches asset data from the Microsoft Azure Stack Hub server only; no asset data is fetched from the Microsoft Azure cloud server.
    • If not supplied, Axonius authenticates to the Microsoft Azure cloud server and fetches asset data from the Microsoft Azure cloud server only; no asset data is fetched from a Microsoft Azure Stack Hub server.
  5. Azure Stack Hub Proxy Settings (required, default: Do not use proxy) - Select one of the following proxy options:

    • Do not use proxy - Axonius does not use a proxy, either to authenticate to the Microsoft Azure cloud server or to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy authentication only - Axonius uses the proxy specified in the HTTPS Proxy field only to authenticate to the Microsoft Azure cloud server.
    • Proxy Azure Stack Hub only - Axonius uses the proxy specified in the HTTPS Proxy field only to fetch asset data from the Microsoft Azure Stack Hub server.
    • Proxy all - Axonius uses the proxy specified in the HTTPS Proxy field both to authenticate to the Microsoft Azure cloud server and to fetch asset data from the Microsoft Azure Stack Hub server.
  6. Account Tag (optional) - Optional tag ("nickname") for the Azure Cloud instance.

    • If supplied, Axonius tags all devices fetched from this adapter connection with this value.
    • If not supplied, Axonius does not tag the devices fetched from this adapter connection.
  7. Verify SSL, HTTPS Proxy, HTTPS Proxy User Name, HTTPS Password - See details under Microsoft Entra ID.

  8. Enable Client Side Certificate - Select to enable Axonius to send requests using the uploaded certificates, which allows a Mutual TLS configuration for this adapter. When you select this option, two more fields are displayed:

    • Click Choose file next to Client Private Key File to upload a client private key file in PEM format.
    • Click Choose file next to Client Certificate File to upload the client certificate (public key) file in PEM format.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Microsoft Azure - Advanced Settings

Note:

Advanced settings can apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; refer to Advanced Configuration for Adapters.

  1. Fetch update deployments - Select whether to fetch software update deployments from Microsoft Azure.

  2. List of tags to parse as fields (optional) - Specify a comma-separated list of tag keys to be parsed as device fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter parse any of the listed tags that are associated with the fetched device as:
      • Values of the Adapter Tags field.
      • A designated field whose name is the tag key and whose value is the tag value.
    • If not supplied, all connections for this adapter parse all tags only as values of the Adapter Tags field.
  3. Fetch Security Center sub-assessments for devices (optional) - Select to fetch security assessments (such as Qualys vulnerabilities) for devices, where available. This option requires Security Center to be active in the subscription.

  4. Add backup protection information from recovery services into VMs - Select this option to enrich Virtual Machine devices with their backup configuration information, if it exists.

  5. Fetch Azure Security alerts - Select to fetch security alerts from the Azure Security Center service as devices. Make sure you add the SecurityEvents.Read.All permission to fetch Azure Security alerts.

  6. Use Cloud ID as manufacturer serial number - Select to use the unique ID for tracking support data as the manufacturer serial number.

  7. Use Asset Name as Hostname and Hostname as Asset Name - Select to swap the values of the Asset Name and Hostname fields.

  8. Use Asset Name as Hostname and Hostname as Asset Name (15 chars) - Select this option to swap the asset name value and the hostname value only if the hostname has exactly 15 characters.

  9. Consider Azure Managed disks as encrypted - Select to consider Azure managed disks as SSE encrypted.

  10. Use Instance view Computer Name as Hostname - Select to use instance_view > computer_name instead of os_profile > computer_name as the hostname.

  11. Fetch Azure Firewall Rules and Policies (optional) - Select to fetch firewall rules and web application firewall policies configured in the asset's subnets.

  12. Do not save Subscription Tags to Adapter Tags for entity types - From the drop-down, select the Azure entity types for which you do not want the Subscription Tags included in the Adapter Tags values.

  13. Azure services to fetch as assets (optional) - Select one or more services from the list to fetch as devices. This field replaces several options that were previously available individually; those now appear in the drop-down alongside the other options. Some of the services require additional permissions to fetch; see Additional Permissions.
    The following options are available:

    • Analysis Services
    • Apache Spark pools
    • API Connections
    • API Management
    • App Services
    • App Service plans
    • Application Gateway
    • Application Gateway HTTP Listener
    • Application Insights
    • Automation Accounts
    • Availability Sets
    • Availability Tests
    • Azure Arc-Enabled Machines
    • Azure Databricks
    • Azure Workbooks
    • Action Groups
    • B2C Tenants
    • Blob Containers
    • Certificates From Key Vaults - see Fetching Certificates from Key Vaults for the permissions required.
    • Communication Services
    • Connections
    • Container App
    • Container Groups
    • Container Registries
    • Cosmos DB Accounts
    • Data Factory
    • Database for PostgreSQL - Flexible Server
    • Database for PostgreSQL - Single Server
    • Database for MySQL - Flexible Server
    • Database for MySQL - Single Server
    • Database for MariaDB
    • Dedicated SQL pools
    • Disks
    • DNS Records
    • DNS Zones
    • Event Hubs
    • Event Hubs Namespaces
    • File Shares
    • Form recognizers
    • Front Door and CDN profiles
    • Front Door WAF policies
    • Firewalls
    • Key Vaults
    • Keys from Key Vaults - adds the keys from key vaults and displays them as the asset "secrets". See Fetching Keys From Key Vaults for the permissions required.
    • Recovery Service Vaults
    • Kubernetes Agent Pools
    • Kubernetes Clusters
    • Load Balancing Rules
    • Load Balancers
    • Local Network Gateways
    • Log Analytics MAC Addresses
    • Log Analytics Workspaces
    • Logic Apps
    • Machine Learning Service Registries
    • Machine Learning Service Workspaces
    • Machine Learning Web Services
    • Managed Identities
    • Management Groups - See Fetching Management Groups for the permissions required.
    • NetApp Accounts
    • NetApp Volumes
    • Network Interfaces
    • Network Security Groups
    • Network Security Rules
    • Network Watchers
    • Private Endpoints
    • Public IP Addresses
    • Queues
    • Redis Caches
    • Relays
    • Resource Groups
    • Route Tables
    • Secrets From Key Vaults
    • Service Bus Namespaces
    • Sentinel Incidents
    • Shared dashboards
    • SignalR
    • Solutions
    • SQL Databases
    • SQL Databases Inaccessible By Server (fetches inaccessible databases as the asset Database with the Azure Entity Type SqlDB.)
    • SQL Managed Instances
    • SQL Servers
    • Subscription
    • Storage Accounts
    • Storage Accounts - Access Keys / Kerberos Keys
    • Synapse Workspaces
    • System Topics
    • Tables
    • Tenants
    • Virtual Machines - Selected by default; clear it if you do not want to fetch virtual machines.
    • Virtual Machine Scale Sets (fetches Virtual Machine Scale Sets from Azure and saves them as Compute Services.)
    • Virtual Network Gateways
    • Virtual Networks
    • WCF Relays
    • Web Apps
    • Web Application Firewall Policies
  14. Check device existence in the following log analytics query pack names (optional) - Add the names of the query packs that you want to run on your devices to determine whether the devices contain relevant logs. Note that this feature does not return log data, only an indication of whether a device was found that meets the queries' criteria.

    • All the queries must include the '_ResourceId' column so that the log/query can be correlated with the Device (Virtual Machine).
    • For information on creating Query Packs and saving Queries inside the query packs, see Log Analytics Query Packs.
  15. Get cost data per subscription for the last X days - To get billing data per service, select Subscriptions in the 'Azure services to fetch as assets' field and enter a number of days between 1 and 365 in this field.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Creating an application in the Microsoft Azure Portal

  1. Log in to the Azure Portal with an administrator account.
  2. Search for App registrations.
  3. Select App registrations > New registration. Fill in the details and click Register.
  4. After you have created the app, the Application ID and Directory ID values are displayed. Write down these values; they are the Client ID and Tenant ID the adapter requires.
  5. In the left menu, click Certificates & Secrets, then click New Client Secret. Click Add and copy the secret (the secret value is displayed only once, immediately after it is created).
  6. Assign a Read role to this application. Search for "Subscriptions" in the search box at the top bar of the panel and click Subscriptions.
  7. Use the top search bar and search for Management Groups. Select the management group that includes all subscriptions you would like Axonius to collect. If you need to add permissions to multiple management groups, repeat the steps below for each one.
Note:

When configuring your Azure connection within Axonius and using the 'Fetch all subscriptions' option, there is no need to specify a management group ID or subscription ID, or to create multiple connections. Axonius automatically discovers all subscriptions that have inherited the Reader role within the specified tenant.

  8. Select Access control (IAM), then click Add > Add Role Assignment to add a new permission. Select the Reader role, then click Next. On the Members screen, click Select Members. Search for the Axonius application and then click Select. Click Review + assign.

You can now use these credentials to connect to Azure.
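The portal steps above, as an added Az PowerShell example (this is not Axonius code or part of the original documentation): it registers the application, creates the service principal and a client secret, assigns only the Reader role at management-group scope, and then lists the principal's role assignments so you can confirm that nothing broader than Reader was granted before the credentials are entered in the adapter. The display name, management group ID and one-year secret lifetime are assumptions; the script assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has already been run by a tenant administrator.

```powershell
# Added example (not Axonius code). Assumes Az.Accounts and Az.Resources are installed
# and that Connect-AzAccount has already been run by an administrator of the tenant.
# Placeholders: change these two values for your environment.
$displayName       = "Axonius-Adapter"                  # assumed app registration name
$managementGroupId = "REPLACE-WITH-MANAGEMENT-GROUP-ID"  # management group covering the subscriptions to fetch
$scope             = "/providers/Microsoft.Management/managementGroups/$managementGroupId"

# Steps 1-3: the app registration ("New registration" in the portal) and the
# service principal that the role assignment is attached to.
$app = New-AzADApplication -DisplayName $displayName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# Step 4: Client ID and Tenant ID are the values the adapter's required fields expect.
$tenantId = (Get-AzContext).Tenant.Id

# Step 5: client secret. The value is returned exactly once; store it in a secrets
# manager, never in this script or in source control. One-year lifetime is an assumption.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

# Steps 6-8: Reader at management-group scope. Every subscription that inherits this
# role is discovered automatically when "Fetch All Subscriptions" is selected, and
# scoping to the management group (not the tenant root) keeps the grant minimal.
# A freshly created service principal can take a few seconds to replicate, so retry briefly.
$attempt = 0
do {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        $attempt++
        if ($attempt -ge 6) { throw }
        Start-Sleep -Seconds 10
        $assigned = $false
    }
} until ($assigned)

# Verification: the adapter needs read-only access, so any role other than Reader
# (or one this page explicitly calls for, such as the Key Vault roles) on this
# principal should be reviewed before the connection is created.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$tooBroad = $assignments | Where-Object { $_.RoleDefinitionName -ne "Reader" }
if ($tooBroad) {
    Write-Warning "Roles other than Reader are assigned to $displayName; review them before connecting the adapter."
}

# Values to enter in the adapter connection. The secret is shown only so the operator
# can copy it once; remove that line if this script's output is captured in logs.
[PSCustomObject]@{
    "Azure Client ID"     = $app.AppId
    "Azure Tenant ID"     = $tenantId
    "Azure Client Secret" = $cred.SecretText
}
```

Run it once per management group you want Axonius to cover (matching step 7), or once at the highest management group that contains all of them; the Reader assignment is inherited by every subscription beneath that scope.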

Additional Permissions

Some of the Microsoft Azure services require additional permissions to fetch.

Fetching Keys From Key Vaults

To fetch 'Keys From Key Vaults' as an Azure service, the following permissions are required:

Access policy template | Operations           | Azure role
Key Management         | Keys: all operations | Key Vault Crypto Officer

Fetching Certificates from Key Vaults

To fetch certificates from Key Vaults:

  1. Open Key Vaults.

  2. Select the specific key vault.

  3. Go to Access Policies.

  4. Add a new policy:

    • Select the application configured in Axonius.
    • Grant the permission to list Certificates.
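The two Key Vault grants described above (the Key Management / Key Vault Crypto Officer requirement for keys, and the access policy with certificate "list" permission for certificates), as an added Az PowerShell example that is not Axonius code or part of the original documentation. The vault name, the app registration's display name and the two switches are assumptions; the script assumes the Az.KeyVault and Az.Resources modules are installed, Connect-AzAccount has been run, and the Axonius app registration already exists. It branches on the vault's permission model, because access policies only take effect on vaults that use the access-policy model, while vaults that use Azure RBAC authorization need a role assignment instead.

```powershell
# Added example (not Axonius code). Assumes Az.KeyVault and Az.Resources are installed,
# Connect-AzAccount has been run, and the Axonius app registration already exists.
$vaultName         = "REPLACE-WITH-VAULT-NAME"   # placeholder
$appName           = "Axonius-Adapter"           # assumed display name of the app registration
$fetchKeys         = $true                       # "Keys From Key Vaults" selected in the adapter?
$fetchCertificates = $true                       # "Certificates From Key Vaults" selected?

$sp    = Get-AzADServicePrincipal -DisplayName $appName
$vault = Get-AzKeyVault -VaultName $vaultName

if ($vault.EnableRbacAuthorization) {
    # RBAC permission model: data-plane access comes from role assignments.
    # The page's table requires Key Vault Crypto Officer for keys. That role allows key
    # operations well beyond listing, so scope it to this single vault (never the
    # subscription) and only on vaults whose keys you actually want inventoried.
    if ($fetchKeys) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Key Vault Crypto Officer" `
            -Scope $vault.ResourceId | Out-Null
    }
    if ($fetchCertificates) {
        # The page documents certificates only via access policies; an RBAC vault needs a
        # role assignment instead, which is not specified on this page.
        Write-Warning "$vaultName uses RBAC authorization; assign a certificate-read role manually."
    }
} else {
    # Access-policy model: build the policy with only the operations that are needed.
    # "all" on keys is the Key Management template from the page's table;
    # "list" on certificates matches the certificate steps above.
    $policy = @{ VaultName = $vaultName; ObjectId = $sp.Id }
    if ($fetchKeys)         { $policy.PermissionsToKeys         = @("all") }
    if ($fetchCertificates) { $policy.PermissionsToCertificates = @("list") }
    if ($policy.Count -gt 2) { Set-AzKeyVaultAccessPolicy @policy }
}

# Check: show exactly what this principal can now do on the vault, on both models.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToCertificates
```

The final two commands are the part worth keeping around: rerunning them periodically shows whether the Axonius principal's vault permissions have drifted beyond the list/key operations this page calls for.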

Fetching Management Groups

To fetch 'Management Groups' as an Azure service, you need to assign a permission (role) to the application you created in the Microsoft Azure Portal, through which you connect to the adapter. The minimum permission required is Reader.

  1. Go to the Management Group for which you want to add permissions.
  2. Select Access Control (IAM).
  3. From the Role Assignments tab, click Add and then select Add role assignment.
  4. From the Role tab, type and add the Reader role.
  5. From the Members tab, click Select Members to search for and select the application used to connect to the adapter.
  6. Click Review + assign twice to save this role assignment.
