Microsoft Azure Onboarding Guide

Updated 3 months ago by admin

This feature is in Early Access preview.

This guide provides the steps you need to follow in order to onboard Microsoft Azure accounts onto the Posture Management service.

This article will guide you through the following steps:

  • Create and configure an Azure AD Application for Posture Management
  • Assign read-only permissions to the new Azure AD application for Posture Management
  • Add the Azure AD application to the Posture Management service
You will need to be a Global Administrator of the Azure AD tenant, or hold equivalent privileges (the right to register applications, to grant tenant-wide admin consent, and to assign roles on the subscription, for example as an Owner or User Access Administrator), to perform these steps.
  1. Log in to the Azure portal
  2. Search for App Registrations and open the panel
  3. Click New Registration
  4. In the Name field, enter something to identify the new application, such as "Posture Management"
  5. In the Supported account types section select Accounts in this organizational directory only (Single tenant)
  6. Click Register
  7. From the new app Overview page, make a note of the Application (client) ID and Directory (tenant) ID. These are required in the last step.
  8. From the left navigation menu, select Certificates & Secrets
  9. Click New Client Secret
  10. Enter a name for the secret and select the expiry time to suit your company policy
  11. Click Add
  12. Copy the Value of the new secret from the table and store it in a secrets manager or vault. Once you leave this section the secret will not be visible again. You will need the secret in the last step. The secret stops working at the expiry you chose in step 10, so schedule a rotation (create a new secret and update it in Posture Management) before then
  13. Click API Permissions on the left
  14. Remove the default User.Read permission and then click Add a permission and then Microsoft Graph and Application Permissions. Add the following one-by-one to the selector:
  • Application.Read.All
  • ConsentRequest.Read.All 
  • Policy.Read.All
  • Reports.Read.All 
  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • RoleManagement.Read.Directory (not shown in screenshot below)
  15. Click Add permissions
  16. Now click Grant admin consent for XXX (where XXX is your directory name) and confirm. Admin consent is tenant-wide: from this point, anyone holding the client secret can read the directory data covered by the permissions above, so treat the secret accordingly
  17. For a subset of checks (those covering storage accounts), the application also needs roles on the Azure subscription that contains the resources to be assessed. These role assignments are made at subscription scope, not on individual storage accounts.
    a. Open the Subscriptions blade and select the Azure subscription to be assessed.
    b. On the subscription page, go to the Access control (IAM) menu.
    c. Click Add and then Add role assignment.
    d. In the Job function roles list, find the Reader role, select it and, at the bottom of the page, click Next.
    e. On the Members tab, click Select members and, in the side panel, select the Posture Management application you created earlier. The application is added to the Members list.
    f. Click Review + assign
  18. Repeat steps a-f to add the Storage Account Key Operator Service Role. Note that this role is not read-only: it allows the application to list and regenerate storage account access keys, so the client secret must be protected as a credential with that power
  19. Now we can configure the Posture Management service with your new Azure application. Log in to the USS Dashboard and navigate to Products -> Posture Management.
  20. The Posture Management dashboard will open in a new tab. From the top ribbon, select Service Integration and then +
  21. Click Microsoft Azure
  22. In the Tenant ID field paste in the Directory (tenant) ID from step 7. In the Client ID field paste in the Application (client) ID from step 7. In the Secret value field paste in the secret value from step 12
  23. Click Submit
  24. Click Scan Now to begin the first scan immediately, or wait for the daily automatic scan
  25. Once the first scan has finished you can view the results in the Charts and Activity report tabs
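The Azure-side part of the procedure above (app registration, client secret, Microsoft Graph application permissions with admin consent, and the two subscription role assignments) can also be scripted, which makes the result reviewable and repeatable. The following PowerShell script is an added example written for this page; it is not code from the Posture Management vendor. It uses the Microsoft.Graph and Az PowerShell modules (cmdlet names as published by Microsoft), and the display name, secret lifetime and subscription ID are assumed placeholders you replace. It resolves permission IDs from the Graph service principal at run time rather than hardcoding GUIDs, and it finishes by checking that the consented permissions match the list in the guide exactly.

```powershell
<#
  Added example (not from the original guide): scripted equivalent of the portal steps.
  Requires: Install-Module Microsoft.Graph, Az.Accounts, Az.Resources
  Assumptions: $DisplayName, $SecretLifetimeMonths and $SubscriptionId are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    [string]$DisplayName = 'Posture Management',
    [int]$SecretLifetimeMonths = 6
)
$ErrorActionPreference = 'Stop'

# These scopes are what the ADMIN running the script needs, not what the new app receives.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Well-known application ID of Microsoft Graph, and the application permissions from the guide.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$RequiredRoles = @(
    'Application.Read.All', 'ConsentRequest.Read.All', 'Policy.Read.All', 'Reports.Read.All',
    'User.Read.All', 'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory'
)

# Resolve names to app role IDs from the Graph service principal (Application type only).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleIds = foreach ($name in $RequiredRoles) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application permission '$name' not found" }
    $role.Id
}

# Steps 3-6 and 13-15: single-tenant registration carrying exactly these permissions.
# No delegated User.Read is added this way, so there is nothing to remove afterwards.
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $GraphAppId
        ResourceAccess = @($roleIds | ForEach-Object { @{ Id = $_; Type = 'Role' } })
    }
)
$sp = New-MgServicePrincipal -AppId $app.AppId

# Steps 8-12: client secret with a bounded lifetime; SecretText is only returned here.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'posture-management'
    EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
}

# Step 16: "Grant admin consent" is an app role assignment from our SP to the Graph SP.
foreach ($id in $roleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $id | Out-Null
}

# Steps 17-18: subscription-scoped RBAC. Storage Account Key Operator Service Role can
# list AND regenerate storage account keys; it is not a read-only role.
$scope = "/subscriptions/$SubscriptionId"
foreach ($roleName in 'Reader', 'Storage Account Key Operator Service Role') {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Verification: consented Graph permissions must equal the expected list, nothing more or less.
$granted = @((Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id).AppRoleId)
if (Compare-Object -ReferenceObject $roleIds -DifferenceObject $granted) {
    throw 'Granted Graph permissions do not match the expected list'
}

# The three values the Service Integration form asks for (steps 22).
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText   # hand this to a vault; do not log or commit it
}
```

Run it as `.\onboard-posture-management.ps1 -SubscriptionId <subscription-guid>` from an account that can register applications and assign roles on the subscription. A freshly created service principal can take a short while to replicate, so if `New-AzRoleAssignment` reports that the principal does not exist, wait a minute and rerun that step. The final comparison is the check worth keeping: if someone later adds a permission in the portal, rerunning that block against the existing service principal will flag the drift.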
