Onboarding an Azure account

Follow these steps to integrate your account:

  1. Under Scan Configuration, select Add an Azure Subscription.

    The Setting up Azure AD application and permissions window is displayed.

  2. If you do not have a pre-existing Azure AD application you want to use, follow the procedure under Create a new Azure AD application to set up a new one and manually fill in the required information.

  3. If you have a pre-existing Azure AD application, click the drop-down menu under Select a pre-existing Azure AD application and select the application you want to use.

  4. Click Next.

    The Selecting an Azure subscription window is displayed.

  5. Select one of the following options:

    • ARM Deployment

    • Manual

ARM Deployment

  1. Click the Deploy ARM template button.

    The Custom deployment page is displayed.

  2. Under Project details, select the Subscription you want to use.

  3. Fill in the information under the Instance details section:

    • Select the region where your cloud account is located.

    • Type in a descriptive name for the role.

  4. Click Review + create.

  5. Review the displayed information and click Create.

  6. Go back to the Selecting an Azure subscription browser page.

  7. Select the Azure subscription you want to use from the Select an Azure subscription option.

    Tip

    Click the refresh button if you cannot see the subscription in the list.

  8. Click on the Add account button.

Manual

  1. Open a new browser tab or window and log in to the Azure Portal with an administrator account.

  2. Go to the Subscriptions page and select the subscription you would like to configure.

  3. Go to the Access control (IAM) page.

  4. Click the + Add button and select Add custom role.

  5. In the Basics tab, fill in the following information:

    • Under Custom role name, type in a unique identifier for the role.

    • In the Description field, add information that makes the role easily identifiable.

  6. Go to the JSON tab and click the Edit button.

  7. Go back to the Selecting an Azure subscription browser page and copy the JSON link.

  8. Go back to the JSON tab and paste it over the same parameter.

  9. Click the Save button on the upper right side of the section.

  10. Click the Review + create button on the lower left side of the page.

  11. Click the Create button on the lower left side of the page.

    The Access control (IAM) page is displayed.

  12. Click the + Add button and select Add role assignment.

    The Add role assignment page is displayed.

  13. Click on the name of the role you created earlier in step 5.

  14. Click the Next button on the lower side of the page.

    The Add role assignment page is displayed.

  15. Under the Members tab, click + Select members.

  16. Select the name of the application for this connection.

  17. Click the Review + assign button on the lower left side of the page.

  18. Go back to the Selecting an Azure subscription browser page.

  19. Select the Azure subscription you want to use from the Select an Azure subscription option.

    Tip

    Click the refresh button if you cannot see the subscription in the list.

  20. Click the Add account button.

Create a new Azure AD application

  1. Under Scan Configuration, select Add an Azure Subscription.

  2. Under Setting up Azure AD application and permissions, select the Create a new Azure AD application method.

  3. Open a new browser tab or window and log in to the Azure Portal with an administrator account.

  4. Create an Azure AD application from your Azure Portal:

    1. Navigate to App registrations.

    2. Click New registration.

      The Register an application window is displayed.

    3. Type in a descriptive name for the application under Name.

    4. Click Register.

      The new application is displayed.

  5. Copy the Display name, Application (client) ID, and Directory (tenant) ID.

  6. Go back to the Scan Configuration browser page and paste the information copied at step 5.

  7. Add API permissions to the application:

    1. Click the API permissions link in the menu on the left side of the page.

      The API permissions page is displayed.

    2. Click + Add permission.

      The Request API permissions window is displayed.

    3. Select Microsoft Graph.

      The Microsoft Graph permissions page is displayed.

    4. Click on Application permissions.

      A list of available permissions is displayed.

    5. Add the following permissions:

      • User.Read.All

      • Group.Read.All

      • Application.Read.All

      • UserAuthenticationMethod.Read.All

    6. Click Add permissions.

      The Configured permissions window is displayed.

    7. Click Grant admin consent for Default Directory.

  8. Set up a Client secret:

    1. Click the Certificates & secrets link in the menu on the left side of the page.

    2. Click + New client secret.

      The Add a client secret window is displayed.

    3. Type in an easily identifiable description in the Description field.

    4. Set the Expires setting to 24 months.

      Note

      When the client secret expires, you will have to create a new one and manually add it to the integration.

    5. Click Add.

      Important

      Do not close or refresh the window until the update is finished.

  9. Copy the value under the Value column of the newly created Client secret.

  10. Go back to the Scan Configuration browser page and paste the information copied at step 9.

  11. Click Next.
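
The following is an added example, not part of the original documentation or the product: it audits an exported app registration against the setup described above, flagging Microsoft Graph permissions that differ from the four listed in step 7 and client secrets that are expired or close to expiry (step 8). The sample JSON, the id-to-name map, the `audit_app` helper and the 60-day warning window are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Graph application permissions listed in step 7 of the procedure above.
EXPECTED = {"User.Read.All", "Group.Read.All", "Application.Read.All",
            "UserAuthenticationMethod.Read.All"}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Constructed sample shaped like an application object from Microsoft Graph
# (for example `az ad app show --id <client-id>`). All ids are placeholders.
SAMPLE_APP = json.loads("""
{"displayName": "cspm-scanner-example",
 "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "role-1", "type": "Role"}, {"id": "role-2", "type": "Role"},
                      {"id": "role-3", "type": "Role"}, {"id": "role-9", "type": "Role"},
                      {"id": "scope-1", "type": "Scope"}]}],
 "passwordCredentials": [
   {"displayName": "old-secret", "endDateTime": "2025-12-01T00:00:00Z"},
   {"displayName": "scan-secret", "endDateTime": "2026-02-14T00:00:00.0000000Z"}]}
""")
# Constructed id -> name map; in a tenant, build it from the Microsoft Graph
# service principal's appRoles and oauth2PermissionScopes.
SAMPLE_NAMES = {"role-1": "User.Read.All", "role-2": "Group.Read.All",
                "role-3": "Application.Read.All", "role-9": "Directory.ReadWrite.All",
                "scope-1": "User.Read"}
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed date for the sample

def audit_app(app, names, now, warn_days=60):
    """Return findings: permission drift from EXPECTED and expiring client secrets."""
    findings, configured = [], set()
    for res in app.get("requiredResourceAccess", []):
        for acc in res.get("resourceAccess", []):
            name = names.get(acc["id"], acc["id"])
            if res["resourceAppId"] == GRAPH_APP_ID and acc["type"] == "Role":
                configured.add(name)
            else:  # delegated scope or non-Graph API: not part of the documented setup
                findings.append(f"unexpected {acc['type']}: {name}")
    findings += [f"missing: {p}" for p in sorted(EXPECTED - configured)]
    findings += [f"extra: {p}" for p in sorted(configured - EXPECTED)]
    for cred in app.get("passwordCredentials", []):
        # Drop fractional seconds and the trailing Z; Graph timestamps are UTC.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            findings.append(f"expired secret: {cred['displayName']}")
        elif days_left <= warn_days:
            findings.append(f"secret expires in {days_left}d: {cred['displayName']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_app(SAMPLE_APP, SAMPLE_NAMES, SAMPLE_NOW)))
```

`requiredResourceAccess` lists the permissions configured on the registration only; whether admin consent was granted is recorded on the service principal's app role assignments.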