How to Onboard Microsoft Azure Account

Log in to CloudSecOps portal using your credentials.

Once you have logged in for the first time, you will only see the "Environment" page under Global Tenant Setting (please refer to the screenshot below).

The remaining pages become visible once you add an AWS or Azure account.

Now click the marked option to link your Microsoft Azure account.

Enter the following credentials:

  1. Microsoft Azure account Client ID

  2. Client secret

  3. Subscription ID

  4. Tenant ID

Then click Verify. Once the credentials are verified, click Next to enter the remaining information.

You will then have the option to add Account and Organization details. Once the account is connected, the scan starts automatically.

Step 1: Create an App Registration

Go to Azure Active Directory > App registrations > New registration

Step 2: Give API permissions to App Registration

1. Search for each of the permissions listed below and add it to the app you created.

  • Application.Read.All

  • AuditLog.Read.All

  • Directory.Read.All

  • Domain.Read.All

  • Group.Read.All

  • IdentityProvider.Read.All

  • Policy.Read.All

  • User.Read.All

  • Reports.Read.All

Step 3: Attach a custom role with the role definition below to the app at the subscription scope

Go to Subscription > Access control (IAM) > Add > Add role assignment, then create the custom role from the definition below and assign it to the app.

{
    "properties": {
        "roleName": "ReadOnlyCustomRole",
        "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
        "assignableScopes": [
            "/subscriptions/{subscriptionId}"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/*/read",
                    "Microsoft.KeyVault/vaults/*/read",
                    "Microsoft.KeyVault/operations/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
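As an added check (example code, not part of this guide or the CloudSecOps product), the following Python verifies that the role definition above and the Step 2 permissions stay read-only before they are assigned: every control-plane action ends in /read, no data-plane actions are granted, the assignable scope is limited to a subscription, and every Graph permission is a .Read variant.

```python
# Role definition from the guide above, embedded as a Python dict so the check runs offline.
ROLE_DEFINITION = {
    "properties": {
        "roleName": "ReadOnlyCustomRole",
        "assignableScopes": ["/subscriptions/{subscriptionId}"],
        "permissions": [{
            "actions": [
                "*/read",
                "Microsoft.KeyVault/checkNameAvailability/read",
                "Microsoft.KeyVault/deletedVaults/read",
                "Microsoft.KeyVault/locations/*/read",
                "Microsoft.KeyVault/vaults/*/read",
                "Microsoft.KeyVault/operations/read",
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}

# Microsoft Graph application permissions listed in Step 2.
GRAPH_PERMISSIONS = [
    "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
    "Domain.Read.All", "Group.Read.All", "IdentityProvider.Read.All",
    "Policy.Read.All", "User.Read.All", "Reports.Read.All",
]


def role_findings(role):
    """Findings for a custom role; empty means control-plane read only, scoped to a subscription."""
    findings = []
    props = role["properties"]
    for scope in props.get("assignableScopes", []):
        if not scope.startswith("/subscriptions/"):
            findings.append(f"scope wider than a subscription: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if not action.endswith("/read"):  # "*" or ".../write" would allow changes
                findings.append(f"non-read action: {action}")
        if perm.get("dataActions"):  # data-plane rights, e.g. reading Key Vault secret values
            findings.append("dataActions present: " + ", ".join(perm["dataActions"]))
    return findings


def graph_findings(permissions):
    """Graph permission names that are not of the form <Resource>.Read or <Resource>.Read.All."""
    return [p for p in permissions if not (p.endswith(".Read.All") or p.endswith(".Read"))]
```

Run the same functions against any role definition or permission list you are about to assign; a non-empty result means the grant is wider than the read-only access this onboarding needs.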

Step 4: Create a client secret for the App

Go to App registrations, select your app, and click Certificates & secrets > New client secret. The secret value is displayed only once, immediately after it is created, so copy it at that point.

Step 5: Copy Required Credentials

1. Copy the Client ID and Tenant ID

Go to Azure Active Directory > App registrations. Then click on the application.

2. Copy the Client Secret

Go to Azure Active Directory > App registrations > Certificates & secrets. Then copy the Client Secret.

3. Copy the Subscription ID

Go to Subscriptions. Copy the Subscription ID.
