How to Onboard Microsoft Azure Account

Once you successfully logged in for the first time. You will be able to see the "Environment" page only under Global Tenant Setting (please refer to the screenshot below).

You will be able to see all of the pages once you add any AWS or Azure account.

Now, hit the marked option to link your Microsoft Azure account.

Input the necessary credentials for

Microsoft Azure account Client id
Client secret key
Subscription ID
Tenant ID,

then verify. Then click next to input other information.

Then you will have the option to add Account and Organization details. Once the account is connected, the scan will get automatically started.

Step 1: Create an App Registration

Go to Azure Active Directory > App registrations > New registration

Step 2: Give API permissions to App Registration

1. Search for all the above permissions listed below and add it to the created app.

Application.Read.All
AuditLog.Read.All
Directory.Read.All
Domain.Read.All
Group.Read.All
IdentityProvider.Read.All
Policy.Read.All
User.Read.All
Reports.Read.All

Step 3: Attach a custom built Role with Below role definition to the app for Subscription

Go to Subscription > Access control (IAM) > Add > Add role assignment then add custom built role and assign the role to app.

{
    "properties": {
        "roleName": "ReadOnlyCustomRole",
        "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
        "assignableScopes": [
            "/subscriptions/{subscriptionId}"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/*/read",
                    "Microsoft.KeyVault/vaults/*/read",
                    "Microsoft.KeyVault/operations/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Step 4: Create a client secret for the App

Go to App registration select your app and click on Certificates & secrets > New client secret

Step 5: Copy Required Credentials

1. Copy Client ID and Tenant ID

Go to Azure Active Directory > App registrations. Then click on the application.

2. Copy Client Secret

Go to Azure Active Directory > App registrations > Certificates & secrets. Then copy the Client Secret.

3. Copy the Subscription ID

Go to Subscriptions. Copy the Subscription ID.

PreviousHow to Onboard AWS Account NextCompliance Findings

Last updated 1 year ago

{ "properties": { "roleName": "ReadOnlyCustomRole", "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.", "assignableScopes": [ "/subscriptions/{subscriptionId}" ], "permissions": [ { "actions": [ "*/read", "Microsoft.KeyVault/checkNameAvailability/read", "Microsoft.KeyVault/deletedVaults/read", "Microsoft.KeyVault/locations/*/read", "Microsoft.KeyVault/vaults/*/read", "Microsoft.KeyVault/operations/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } }