Azure Setup
This page explains how to set up and onboard an Azure account as a data source.
Azure setup overview
Secberus is completely agentless and uses a read-only API permission to securely access your Azure metadata. To create a data source for an Azure account you will need administrative access to the Azure Portal.
SETUP ORGANIZATIONS FIRST
Secberus uses "Organizations" to allow users to segment visibility, posture, teams, and actions within the platform.
Cloud environments only exist within Organizations, so make sure you set up your organizational structure first, before onboarding cloud environments into those specific Organizations.
Click here to set up Organizations.
Roles and permissions in Azure
Step 1. Create a new application
- Go to your Azure Portal and navigate to Azure Active Directory using the Search bar.
- From Azure Active Directory | Overview select App registrations.
- From Azure Active Directory | App registrations select + New registration.
- From the Register an application page use the Name field to name the application. The name should signify that the app authorizes the Secberus platform (e.g. 'secberus-app'). Leave the rest of the page unchanged and click the Register button.
- You will be returned to Azure Active Directory | App registrations. Observe that the new registration is created.
Step 2. Create a custom role
- Navigate to the Subscriptions page using the Search bar.
- Select a Subscription to authorize from the Subscriptions page.
- Select Access Control (IAM) for the Subscription.
- Select the Add button under Create a custom Role on the Subscription | Access control (IAM) page.
- Use the Custom role name field on the Create a custom role page to name the new role. Name the custom role to indicate a Secberus connection (e.g. 'secberus-role'). Optionally describe the role. Leave Baseline permissions set to Start from scratch. Select the Next button.
- From the Create a custom role page select the Permissions tab and click Add permissions.
- Using the Search bar under Add permissions search for 'Microsoft.Web/sites/config/list/action' and select Microsoft Web App.
- From the microsoft.web permissions screen select the Other checkbox and click Add.
- Observe the permission has been added.
- From the Create a custom role screen choose + Add permissions.
- Using the Search bar under Add permissions search for 'Microsoft.Storage/storageAccounts/listkeys/action' and select Microsoft Storage.
- From the Microsoft.Storage permissions screen select the Other checkbox and click Add.
- Observe the permission has been added.
- With both permissions in place, select Review + create.
- From the Review + create screen choose Create.
- Select OK to confirm the custom role has been created.
Step 3. Assign roles
- Navigate to the Subscriptions page using the Search bar.
- From the Subscriptions screen select the Subscription in which you created the custom role in Step 2.
- From the Subscription screen select Access control (IAM).
- Under the Subscription | Access control (IAM) screen select Add role assignment from Grant access to this resource.
- From the Add role assignment screen leave the Assignment type as Job function roles and select Next.
- Use the Table Search bar under the Role section to find and select the Reader role.
- With the Reader role selected (it will be highlighted in grey) click the Next button.
- Choose + Select members under the Members section of the Add role assignment screen.
- Use the Select field under the Select members section to search for the application created in step 1.
- Confirm the application is under Selected members and click Select.
- Confirm the application is listed under the Members tab on the Add role assignment screen and click Review + assign.
- Choose Review + assign from the Review + assign tab of the Add role assignment screen to complete the assignment of the Reader role to the application.
- Repeat steps 1-12 for the Key Vault Reader role.
- Repeat steps 1-12 for the Custom role you created earlier in step 2. (e.g. 'secberus-role').
- From the Subscription | Access control (IAM) select the Role assignments tab and confirm that your application has been assigned the three roles.
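The custom role from Step 2 and the three role assignments from Step 3 can also be created and verified from the Azure CLI. The script below is an added example, not part of the Secberus documentation or product: `custom_role_json` emits the Step 2 role definition (the Description text is assumed), and `check_roles` reads a list of assigned role names and reports any of the three required roles that are missing. `SUBSCRIPTION_ID` and `APP_OBJECT_ID` are placeholders for your own values.

```shell
#!/usr/bin/env bash
# Added example (not from the Secberus docs): build the Step 2 custom role and
# verify the Step 3 role assignments for the Secberus application.
set -euo pipefail

# Custom role from Step 2: only the two listed actions, assignable in one subscription.
custom_role_json() {
  local sub="$1" name="${2:-secberus-role}"
  cat <<EOF
{
  "Name": "$name",
  "Description": "Read-only access for Secberus scanning (assumed description)",
  "Actions": [
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$sub"]
}
EOF
}

# Reads role names on stdin, one per line, and checks that every role Step 3
# requires is present. Prints each missing role and returns 1 if any is missing.
check_roles() {
  local custom="${1:-secberus-role}" missing=0 role assigned
  assigned="$(cat)"
  for role in "Reader" "Key Vault Reader" "$custom"; do
    if ! printf '%s\n' "$assigned" | grep -qxF -- "$role"; then
      echo "missing role assignment: $role"
      missing=1
    fi
  done
  return "$missing"
}

# Real usage (requires `az login`; placeholders SUBSCRIPTION_ID and APP_OBJECT_ID):
#   az role definition create --role-definition "$(custom_role_json "$SUBSCRIPTION_ID")"
#   az role assignment list --assignee "$APP_OBJECT_ID" --subscription "$SUBSCRIPTION_ID" \
#       --query "[].roleDefinitionName" -o tsv | check_roles secberus-role

# Constructed sample listing in which Key Vault Reader was never assigned.
SAMPLE_ASSIGNMENTS=$'Reader\nsecberus-role'
```

Run the `az role assignment list` pipeline after Step 3; a non-zero exit means at least one of the three roles is still missing.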
Step 4. Add API permissions for IAM Graph
- Using the Search bar navigate to App registrations.
- Choose the Secberus application we created in step 1.
- Under the Secberus application screen select API permissions.
- From the Secberus application | API Permissions screen Select Add a permission.
- Select Microsoft Graph under Request API permissions.
- Select Application permissions and use the Select permissions field to search for and select the User.Read.All permission. With the permission selected click Add permissions.
- Repeat steps 5-6 for the Group.Read.All permission.
- Repeat steps 5-6 for the Directory.Read.All permission.
- From the Secberus app screen choose + Add a permission.
- Under the Request API permissions select the APIs my organization uses tab and click Windows Azure Active Directory.
- Select Application permissions and use the Select permissions field to select the Directory.Read.All permission.
- Click Add Permissions.
- From the Secberus app | API permissions screen click Grant Admin Consent for [Tenant Name].
- Finally, Click Yes under Grant admin consent confirmation.
- From the Secberus app | API permissions screen confirm that these permissions are attached to your Application:
| API | Permission name |
|---|---|
| Azure Active Directory Graph | Directory.Read.All |
| Microsoft Graph | Group.Read.All |
| Microsoft Graph | User.Read.All |
| Microsoft Graph | Directory.Read.All |
Add Azure subscription to Secberus
- In the Secberus application, navigate to Settings and select Data Sources and click the Azure data source icon.
- Populate the Name field in the Add Azure data source form.
- Navigate to the Azure Portal and use the Search bar to select Azure Active Directory.
- From the Directory | Overview screen select App registrations and click the application.
- Copy the Application (client) ID from Azure.
- Paste this value into the Secberus application Add Azure data source window under Application Client ID.
- Copy the Directory (tenant) ID from Azure.
- Paste this value into the Secberus application Add Azure data source window under Tenant ID.
- Return to the Secberus app screen in Azure, select Certificates & secrets, and click New client secret.
- Populate the Description field under Add a client secret and click the Add button.
- Copy the client secret Value.
- Paste this value into the Secberus application Add Azure data source window under Secret value.
- Return to the Azure portal and use the Search bar to locate and select Subscriptions.
- Copy the Subscription ID for the subscription used in the previous steps.
- Paste this value into the Secberus application Add Azure data source window under Subscription ID.
- Finally, click Connect to verify your credentials and connect Secberus to your data source.
Your Azure Account is Connected!
Permissions can take 5-10 minutes to propagate in Azure. You will see the result of your initial scan in Secberus after that. If you have any issues, please reach out via the in-app chat or [email protected].