Azure Data Source
This page explains how to set up and onboard an Azure account as a data source.
Azure setup overview
Secberus is completely agentless and uses read-only API permissions to securely access your Azure metadata. To create a data source for an Azure account you will need administrative access to the Azure Portal.
SETUP ORGANIZATIONS FIRST
Secberus uses "Organizations" to allow users to segment visibility, posture, teams, and actions within the platform.
Cloud environments only exist within Organizations, so make sure you set up your organizational structure first, before onboarding cloud environments into those specific Organizations.
Click here to Set up Organizations.
Roles and permissions in Azure
1. Create a new app registration
- Go to your Azure Portal and navigate to App registrations using the Search bar.
- From App registrations select + New registration.
- From the Register an application page, use the Name field to name the application. The name should make clear that the app authorizes the Secberus platform (e.g. 'secberus-app'). Leave the rest of the page unchanged and click the Register button.
- Observe that the new registration is created.
2. Create a custom role
- Navigate to the Subscriptions page using the Search bar.
- Click on the subscription you want to authorize Secberus to connect to from the Subscriptions page.
- In the left-hand navigation menu, click on Access Control (IAM) for the Subscription.
- Click the + Add dropdown button and click on Add custom role.
- Give a meaningful name to the custom role in the Custom role name field (e.g. 'secberus-role'). Optionally describe the role. Leave Baseline permissions set to Start from scratch. Select the Next button.
- In the Permissions tab, click Add permissions.
- Using the Search bar under Add permissions, search for Microsoft.Web/sites/config/list/action and select Microsoft Web App.
- From the microsoft.web permissions screen select the Other : List Web App Security Sensitive Settings checkbox and click Add.
- Observe the permission has been added.
- Repeat steps 6-9 to add the following permissions:
- Search for Microsoft.Storage/storageAccounts/listkeys/action. From the Microsoft.Storage permissions screen select Other : List Storage Account Keys.
- Search for Microsoft.Storage/storageAccounts/queueServices/queues/getAcl/action. From the Microsoft.Storage permissions screen select Other : Process message.
- search for
- With the permissions in place, select Review + create.
- From the Review + create screen choose Create.
- Select OK to confirm the custom role has been created.
3. Assign roles to app registration
- From the Subscription screen select Access control (IAM).
- Under the Subscription | Access control (IAM) screen select Add role assignment from Grant access to this resource.
- From the Add role assignment screen, under Job function roles, type Reader in the search bar and select the Reader built-in role (it is highlighted in gray when selected). Click the Next button.
- Choose + Select members under the Members section of the Add role assignment screen.
- Use the Select field under the Select members section to search for the application created in step 1.
- Confirm the application is under Selected members and click Select.
- Confirm the application is listed under the Members tab on the Add role assignment screen and click Review + assign.
- Complete the assignment of the Reader role by clicking Review + assign.
Click 'Review + assign' to complete the assignment
- Repeat steps 1-8 for the Key Vault Reader role.
- Repeat steps 1-8 for the custom role you created in step 2 (e.g. 'secberus-role').
- From the Subscription | Access control (IAM) select the Role assignments tab and confirm that your application has been assigned the three roles.
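As an added example that is not part of the original page or of Secberus's own tooling, the following Azure CLI script performs steps 1 to 3 non-interactively and ends with the same check as the last step above: it creates the app registration, builds the custom role from the three actions listed on this page, assigns Reader, Key Vault Reader and the custom role to the app at subscription scope, and fails if any of the three assignments is missing. It assumes you have run az login as a user who can manage role definitions and assignments on the subscription and that SUBSCRIPTION_ID is set; APP_NAME and ROLE_NAME default to the page's example names.

```shell
#!/usr/bin/env bash
# Added example, not Secberus tooling. Assumes `az login` was done and
# SUBSCRIPTION_ID is set; APP_NAME / ROLE_NAME default to the page's examples.
set -eu
# Role definition JSON for `az role definition create`, limited to the three
# actions listed on this page.  $1 = role name, $2 = subscription id
build_role_definition() {
  cat <<EOF
{
  "Name": "$1",
  "Description": "Read-only actions used by the Secberus data source",
  "Actions": [
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/queueServices/queues/getAcl/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$2"]
}
EOF
}
# Read assigned role names (one per line) from stdin; fail unless all three
# roles the page requires are present.  $1 = custom role name
check_assignments() {
  local actual expected missing=0
  actual="$(cat)"
  for expected in "Reader" "Key Vault Reader" "$1"; do
    if ! printf '%s\n' "$actual" | grep -qxF -- "$expected"; then
      echo "missing role assignment: $expected" >&2
      missing=1
    fi
  done
  return "$missing"
}
# Only call Azure when the CLI is installed and a subscription was given.
if command -v az >/dev/null 2>&1 && [ -n "${SUBSCRIPTION_ID:-}" ]; then
  ROLE_NAME="${ROLE_NAME:-secberus-role}"
  SCOPE="/subscriptions/$SUBSCRIPTION_ID"
  APP_ID="$(az ad app create --display-name "${APP_NAME:-secberus-app}" --query appId -o tsv)"
  az ad sp create --id "$APP_ID" >/dev/null   # service principal the roles are assigned to
  build_role_definition "$ROLE_NAME" "$SUBSCRIPTION_ID" >role.json
  az role definition create --role-definition @role.json >/dev/null
  for role in "Reader" "Key Vault Reader" "$ROLE_NAME"; do
    az role assignment create --assignee "$APP_ID" --role "$role" --scope "$SCOPE" >/dev/null
  done
  az role assignment list --assignee "$APP_ID" --scope "$SCOPE" \
    --query "[].roleDefinitionName" -o tsv | check_assignments "$ROLE_NAME"
fi
```

If the final check reports a missing role right after the assignments were created, wait for propagation (see the note at the end of this page) and re-run only the az role assignment list line.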
Add Azure subscription to Secberus
- Log into Secberus and select the org in which you want to create the data source connection.
- Click on Settings and then click on Data sources.
- Choose the Azure data source type in the Add new data source section.
- Populate the Name field in the Add Azure data source form.
- You can get your Application Client ID and Tenant ID when viewing your app registration's overview page in the Azure portal.
- You can get the Subscription ID from the Subscriptions page in the Azure portal.
- For the Secret value, create a new secret for your app registration: return to the Secberus app registration in Azure, select Certificates & secrets, click New client secret, set an appropriate expiration date, and click Add.
- Copy the client secret Value (not the Secret ID). The value is shown only once, immediately after creation, so copy it before leaving the page.
- Paste this value into the Secberus application Add Azure data source window under Secret value.
- Finally, click Connect to verify your credentials and connect Secberus to your data source.
CONGRATULATIONS 🎉
You successfully onboarded an Azure account. You can add more Azure accounts, onboard other cloud provider accounts, or apply a policy to this Azure account. Additionally, you can view the connection status once Secberus begins collecting resource data for evaluation.
Note: Permission changes can take 5-10 minutes to propagate in Azure.