How to Onboard Microsoft Azure Account

Last updated 1 year ago

Log in to the CloudSecOps portal using your credentials.

When you log in for the first time, only the "Environment" page is visible, under Global Tenant Settings (please refer to the screenshot below).

All of the other pages become visible once you add an AWS or Azure account.

Now, click the marked option to link your Microsoft Azure account.

Enter the required credentials:

  1. Microsoft Azure account Client ID

  2. Client secret key

  3. Subscription ID

  4. Tenant ID

then click Verify. Then click Next to enter the remaining information.

You will then have the option to add Account and Organization details. Once the account is connected, the scan starts automatically.

Step 1: Create an App Registration

Go to Azure Active Directory > App registrations > New registration

Step 2: Give API permissions to App Registration

1. Search for each of the Microsoft Graph permissions listed below and add it to the app you created.

  • Application.Read.All

  • AuditLog.Read.All

  • Directory.Read.All

  • Domain.Read.All

  • Group.Read.All

  • IdentityProvider.Read.All

  • Policy.Read.All

  • User.Read.All

  • Reports.Read.All

2. Grant admin consent for the default directory.

Step 3: Attach a custom-built role with the role definition below to the app at subscription scope

Go to Subscription > Access control (IAM) > Add > Add role assignment, then add the custom-built role and assign it to the app. Replace {subscriptionId} in assignableScopes with your own subscription ID before creating the role. The role is control-plane read-only: "*/read" already covers the Key Vault read actions listed with it, and dataActions is empty, so the app can list vaults but cannot read secret values.

{
    "properties": {
        "roleName": "ReadOnlyCustomRole",
        "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
        "assignableScopes": [
            "/subscriptions/{subscriptionId}"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/*/read",
                    "Microsoft.KeyVault/vaults/*/read",
                    "Microsoft.KeyVault/operations/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Step 4: Create a client secret for the App

Go to App registrations, select your app, and click Certificates & secrets > New client secret. The secret value is displayed only when it is created, so copy it right away; it cannot be retrieved later.

Step 5: Copy Required Credentials

1. Copy Client ID and Tenant ID

Go to Azure Active Directory > App registrations. Then click on the application.

2. Copy Client Secret

Go to Azure Active Directory > App registrations > Certificates & secrets. Then copy the Client Secret.

3. Copy the Subscription ID

Go to Subscriptions. Copy the Subscription ID.
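The five steps above as one Azure CLI script, added here as an example and not CloudDefense's own tooling. It assumes `az` is installed and logged in with rights to create app registrations and role assignments, that the Step 3 JSON has been saved as ReadOnlyCustomRole.json with {subscriptionId} replaced, and it uses an illustrative app display name. The Graph permission ids are resolved by name from Microsoft Graph's service principal rather than hard-coded, and `role_is_read_only` refuses to create the role unless every action ends in "/read" and dataActions is empty, which is the least-privilege property the scanner needs.

```shell
#!/bin/sh
# Added example, not CloudDefense's own tooling: Steps 1-5 above as Azure CLI calls,
# with a least-privilege check on the role definition before it is created.
# Assumptions: `az` is installed and `az login` has been run by an account that can
# create app registrations and role assignments; ROLE_FILE holds the Step 3 JSON
# with {subscriptionId} replaced; APP_NAME is an illustrative display name.
set -eu

APP_NAME="${APP_NAME:-clouddefense-scanner}"         # illustrative, assumed name
ROLE_FILE="${ROLE_FILE:-ReadOnlyCustomRole.json}"   # the JSON shown in Step 3
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000" # Microsoft Graph's well-known app id

# The Step 2 permissions, requested as application permissions (Graph app roles).
GRAPH_PERMS="Application.Read.All AuditLog.Read.All Directory.Read.All Domain.Read.All \
Group.Read.All IdentityProvider.Read.All Policy.Read.All User.Read.All Reports.Read.All"

# Pure check (no Azure access): succeeds only if every entry in "actions" ends in
# "/read" and "dataActions" is empty, i.e. the role can view resources but cannot
# change them or read data-plane content such as Key Vault secret values.
# Expects one action string per line, as in the Step 3 definition.
role_is_read_only() {
  if sed -n '/"actions"/,/\]/p' "$1" | grep -oE '"[^"]+"' | grep -v '"actions"' \
     | grep -vqE '/read"$'; then
    return 1   # found an action that is not a read
  fi
  grep -qE '"dataActions": *\[\]' "$1" || return 1
  return 0
}

# Step 1: register the app and create its service principal (the identity the role binds to).
create_app() {
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  echo "$app_id"
}

# Step 2: add each Graph application permission by name, resolving its app-role id from
# Microsoft Graph's service principal so no permission GUIDs are hard-coded; then admin-consent.
grant_graph_permissions() {
  for perm in $GRAPH_PERMS; do
    role_id=$(az ad sp show --id "$GRAPH_APP_ID" \
                --query "appRoles[?value=='$perm'].id | [0]" -o tsv)
    [ -n "$role_id" ] || { echo "unknown Graph permission: $perm" >&2; return 1; }
    az ad app permission add --id "$1" --api "$GRAPH_APP_ID" --api-permissions "$role_id=Role"
  done
  az ad app permission admin-consent --id "$1"
}

# Step 3: create the custom role only if it is read-only, then assign it at subscription scope.
assign_read_only_role() {
  role_is_read_only "$ROLE_FILE" || { echo "refusing: $ROLE_FILE grants more than read" >&2; return 1; }
  az role definition create --role-definition "@$ROLE_FILE" >/dev/null
  az role assignment create --assignee "$1" --role ReadOnlyCustomRole \
     --scope "/subscriptions/$2" >/dev/null
}

# Step 4: create a client secret. Azure returns its value exactly once.
create_client_secret() {
  az ad app credential reset --id "$1" --years 1 --query password -o tsv
}

# Step 5: gather the four values the "link account" form asks for and print them once
# for pasting into the form; do not persist them in logs or shell history.
main() {
  sub_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  app_id=$(create_app)
  grant_graph_permissions "$app_id"
  assign_read_only_role "$app_id" "$sub_id"
  secret=$(create_client_secret "$app_id")
  printf 'Client ID: %s\nTenant ID: %s\nSubscription ID: %s\nClient secret: %s\n' \
    "$app_id" "$tenant_id" "$sub_id" "$secret"
}

# Only touch Azure when explicitly asked; without "run" the script just defines its functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh onboard_azure.sh run`; without the `run` argument it only defines the functions, so `role_is_read_only` can be exercised on a role file before anything is created in the tenant.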