Azure Setup

This page explains how to set up and onboard an Azure account as a data source.

Azure setup overview

Secberus is completely agentless and uses read-only API permissions to securely access your Azure metadata. In order to create a data source for an Azure account you will need administrative access to the Azure Portal.

❗️

SETUP ORGANIZATIONS FIRST

Secberus uses "Organizations" to allow users to segment visibility, posture, teams, and actions within the platform.

Cloud environments only exist within Organizations, so it is important to set up your organizational structure first, before onboarding cloud environments into those specific Organizations.

Click here to set up Organizations.

Roles and permissions in Azure

Step 1. Create a new application

  1. Go to your Azure Portal and navigate to Azure Active Directory using the Search bar.
Navigate to 'Azure Active Directory' using the 'Search Bar'

  2. From Azure Active Directory | Overview select App registrations.
Select 'App registrations' from the 'Azure Active Directory | Overview'

  3. From Azure Active Directory | App registrations select + New registration.
Select '+ New registration' from 'Azure Active Directory | App registrations'

  4. From the Register an application page, use the Name field to name the application. The name should indicate that the app authorizes the Secberus platform (e.g. 'secberus-app'). Leave the rest of the page unchanged and click the Register button.

  5. You will be returned to Azure Active Directory | App registrations. Observe that the new registration has been created.
Observe the new application registration

Step 2. Create a custom role

  1. Navigate to the Subscriptions page using the Search bar.
Navigate to 'Subscriptions' from the 'Search bar'

  2. Select a Subscription to authorize from the Subscriptions page.
Select a subscription

  3. Select Access Control (IAM) for the Subscription.
Select 'Access Control (IAM)' for the 'Subscription'

  4. Select the Add button under Create a custom role on the Subscription | Access control (IAM) page.
Select 'Add' under 'Create a custom role'

  5. Use the Custom role name field on the Create a custom role page to name the new role. Name the custom role to indicate a Secberus connection (e.g. 'secberus-role'). Optionally describe the role. Leave Baseline permissions set to Start from scratch. Select the Next button.
Populate the 'Name' field and select 'Next'

  6. From the Create a custom role page select the Permissions tab and click Add permissions.
Select the 'Permissions' tab and click 'Add permissions'

  7. Using the Search bar under Add permissions, search for 'Microsoft.Web/sites/config/list/action' and select Microsoft Web App.
Search for 'Microsoft.Web/sites/config/list/action' and select 'Microsoft Web App'

  8. From the microsoft.web permissions screen select the Other checkbox and click Add.
Select the 'Other: List Web App Security Sensitive Settings' checkbox and click 'Add'

  9. Observe that the permission has been added.
Observe the permission has been added

  10. From the Create a custom role screen choose + Add permissions.
Select '+ Add permissions'

  11. Using the Search bar under Add permissions, search for 'Microsoft.Storage/storageAccounts/listkeys/action' and select Microsoft Storage.
Search for 'Microsoft.Storage/storageAccounts/listkeys/action' and select 'Microsoft Storage'

  12. From the Microsoft.Storage permissions screen select the Other checkbox and click Add.
Select the 'Other' checkbox for the listkeys action and click 'Add'

  13. Observe that the permission has been added.
Observe the permission has been added

  14. With both permissions in place, select Review + create.
Select 'Review + create'

  15. From the Review + create screen choose Create.
Select 'Create'

  16. Select OK to confirm the custom role has been created.
Select 'OK'

Step 3. Assign roles

  1. Navigate to the Subscriptions page using the Search bar.
Navigate to 'Subscriptions' from the 'Search bar'

  2. From the Subscriptions screen select the Subscription used in step 1.
Select the subscription

  3. From the Subscription screen select Access control (IAM).
Select 'Access control (IAM)' for the subscription

  4. Under the Subscription | Access control (IAM) screen select Add role assignment from Grant access to this resource.
Select 'Add role assignment' from 'Grant access to this resource'

  5. From the Add role assignment screen leave the Assignment type as Job function roles and select Next.
Select 'Next'

  6. Use the Table Search bar under the Role section to find and select the Reader role.
Search for and select the 'Reader' role

  7. With the Reader role selected (it will be highlighted in grey) click the Next button.
Click 'Next' with the 'Reader' role selected

  8. Choose + Select members under the Members section of the Add role assignment screen.
Under 'Members' choose '+ Select members'

  9. Use the Select field under the Select members section to search for the application created in step 1.
Search for and select the Secberus application from step 1

  10. Confirm the application is under Selected members and click Select.
Click the 'Select' button

  11. Confirm the application is listed under the Members tab on the Add role assignment screen and click Review + assign.
Confirm the Secberus application is listed under 'Members' and then click 'Review + assign'

  12. Choose Review + assign from the Review + assign tab of the Add role assignment screen to complete the assignment of the Reader role to the application.
Click 'Review + assign' to complete the assignment

  13. Repeat steps 1-12 for the Key Vault Reader role.
  14. Repeat steps 1-12 for the custom role you created earlier in Step 2 (e.g. 'secberus-role').
  15. From Subscription | Access control (IAM) select the Role assignments tab and confirm that your application has been assigned the three roles.
Confirm the Role assignments for the Secberus application
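The same custom role and the three role assignments from Steps 2 and 3, driven from the Azure CLI instead of the portal, as an added example that is not Secberus's own tooling. It assumes SUBSCRIPTION_ID and APP_ID (the Application (client) ID of the app from Step 1) are set by the caller and that the role name 'secberus-role' matches the portal example; nothing is sent to Azure unless RUN_AZ=1.

```shell
#!/usr/bin/env bash
# Added example, not part of the Secberus documentation or product.
# Assumed inputs: SUBSCRIPTION_ID, APP_ID (Application (client) ID from Step 1).
set -euo pipefail

# Emit the custom role definition for `az role definition create`, carrying
# exactly the two actions added in Step 2 and scoped to a single subscription.
secberus_role_json() {
  local sub_id="$1"
  cat <<EOF
{
  "Name": "secberus-role",
  "IsCustom": true,
  "Description": "Read-only access for the Secberus data source",
  "Actions": [
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/${sub_id}"]
}
EOF
}

# Step 3, item 15 as a check: given the role names currently assigned to the
# app (one per line, e.g. from `az role assignment list`), print every role
# from Step 3 that is still missing and return 1 if any is missing.
missing_roles() {
  local assigned="$1" missing=0 role
  for role in "Reader" "Key Vault Reader" "secberus-role"; do
    if ! printf '%s\n' "$assigned" | grep -qxF "$role"; then
      echo "missing: $role"
      missing=1
    fi
  done
  return "$missing"
}

# Only talk to Azure when the caller opts in, so the file is safe to source.
if [ "${RUN_AZ:-0}" = "1" ]; then
  scope="/subscriptions/${SUBSCRIPTION_ID}"
  secberus_role_json "$SUBSCRIPTION_ID" > /tmp/secberus-role.json
  az role definition create --role-definition @/tmp/secberus-role.json
  for role in "Reader" "Key Vault Reader" "secberus-role"; do
    az role assignment create --assignee "$APP_ID" --role "$role" --scope "$scope"
  done
  missing_roles "$(az role assignment list --assignee "$APP_ID" --scope "$scope" \
      --query '[].roleDefinitionName' -o tsv)"
fi
```

Both actions in the custom role return secret material (storage account keys and the "security sensitive" web app settings), so keep AssignableScopes limited to the subscriptions Secberus should scan.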

Step 4. Add API permissions for IAM Graph

  1. Using the Search bar navigate to App registrations.
Navigate to 'App registrations'

  2. Choose the Secberus application created in step 1.
Choose the Secberus application from step 1

  3. Under the Secberus application screen select API permissions.
Select 'API permissions'

  4. From the Secberus application | API permissions screen select Add a permission.
Select 'Add a permission'

  5. Select Microsoft Graph under Request API permissions.
Select 'Microsoft Graph' under 'Request API permissions'

  6. Select Application permissions and use the Select permissions field to search for and select the User.Read.All permission. With the permission selected click Add permissions.
Search for and select the 'User.Read.All' permission then click 'Add permissions'

  7. Repeat steps 5-6 for the Group.Read.All permission.
  8. Repeat steps 5-6 for the Directory.Read.All permission.
  9. From the Secberus app screen choose + Add a permission.
From the Secberus app screen select '+ Add a permission'

  10. Under Request API permissions select the APIs my organization uses tab and click Windows Azure Active Directory.
Under 'Request API permissions' select 'APIs my organization uses' and click 'Windows Azure Active Directory'

  11. Select Application permissions and use the Select permissions field to select the Directory.Read.All permission.
Select 'Application permissions' and search for and choose the 'Directory.Read.All' permission

  12. Click Add permissions.
Click 'Add permissions'

  13. From the Secberus app | API permissions screen click Grant admin consent for [Tenant Name].
Click 'Grant admin consent for [Tenant Name]'

  14. Finally, click Yes under Grant admin consent confirmation.
Click 'Yes' under 'Grant admin consent confirmation'

  15. From the Secberus app | API permissions screen confirm that these permissions are attached to your application:

  API                            Permissions name
  Azure Active Directory Graph   Directory.Read.All
  Microsoft Graph                Group.Read.All
  Microsoft Graph                User.Read.All
  Microsoft Graph                Directory.Read.All

Confirm permissions

Add Azure subscription to Secberus

  1. In the Secberus application, navigate to Settings, select Data Sources and click the Azure data source icon.
Select 'Data sources' under 'Settings' and click the 'Azure' data source icon

  2. Populate the Name field in the Add Azure data source form.
Name the data source

  3. Navigate to the Azure Portal and use the Search bar to select Azure Active Directory.
Search for and select 'Azure Active Directory' in Azure

  4. From the Directory | Overview screen select App registrations and click the application.
Select 'App registrations'

  5. Copy the Application (client) ID from Azure.
Copy the 'Application (client) ID' from Azure

  6. Paste this value into the Secberus application's Add Azure data source window under Application Client ID.
Paste to 'Application Client ID' in Secberus

  7. Copy the Directory (tenant) ID from Azure.
Copy the 'Directory (tenant) ID' from Azure

  8. Paste this value into the Secberus application's Add Azure data source window under Tenant ID.
Paste to 'Tenant ID' in Secberus

  9. Return to the Secberus app screen in Azure, select Certificates & secrets, and click New client secret.
Select 'Certificates & secrets' for the Secberus app and click '+ New client secret'

  10. Populate the Description field under Add a client secret and click the Add button.
Describe the secret and click 'Add'

  11. Copy the client secret Value.
Copy the 'Value' of the client secret in Azure

  12. Paste this value into the Secberus application's Add Azure data source window under Secret value.
Paste to 'Secret value' in Secberus

  13. Return to the Azure Portal and use the Search bar to locate and select Subscriptions.
Navigate to 'Subscriptions' in Azure

  14. Copy the Subscription ID for the subscription used in the previous steps.
Copy the 'Subscription ID' from Azure

  15. Paste this value into the Secberus application's Add Azure data source window under Subscription ID.
Paste to 'Subscription ID' in Secberus

  16. Finally, click Connect to verify your credentials and connect Secberus to your data source.

👍

Your Azure Account is Connected!

Permissions can take 5-10 minutes to propagate in Azure. You will see the result of your initial scan in Secberus after that. If you have any issues, please reach out via the in-app chat or [email protected].