Onboarding an Azure account

When adding an Azure subscription, you can choose between two methods of deployment:

  • ARM deployment

  • Manual

Select the method you want to use to integrate your account:

Create an Azure AD application from your Azure Portal

Important

If you have already created an Azure AD application from a previous integration, you can skip this section.

  1. Under Scan Configuration, select Add an Azure Subscription.

  2. Under Select a connection method, select the ARM Deployment method.

  3. Open a new browser tab or window and log in to the Azure Portal with an administrator account.

  4. Create an Azure AD application from your Azure Portal:

    1. Navigate to App registrations.

    2. Click New registration.

      The Register an application window is displayed.

    3. Type in a descriptive name for the application under Name.

    4. Click Register:

      The new application is displayed:

  5. Copy the Application (client) ID and Directory (tenant) ID.

  6. Go back to the Scan Configuration browser page and paste the information copied at step 5.

  7. Add API permissions to the application:

    1. Click the API permissions link in the menu on the left side of the page.

      The API permissions page is displayed.

    2. Click + Add permission.

      The Request API permissions window is displayed.

    3. Select Microsoft Graph.

      The Microsoft Graph permissions page is displayed.

    4. Click on Application permissions.

      A list of available permissions is displayed.

    5. Add the following permissions:

      • User.Read.All

      • Group.Read.All

      • Application.Read.All

      • UserAuthenticationMethod.Read.All

    6. Click Add permissions.

      The Configured permissions window is displayed.

    7. Click Grant admin consent for Default Directory.

  8. Set up a Client secret:

    1. Click the Certificates & secrets link in the menu on the left side of the page.

    2. Click + New client secret.

      The Add a client secret window is displayed.

    3. Type in an easily identifiable description in the Description field.

    4. Set the Expires setting to 24 months.

      Note

      When the client secret expires you will have to create a new one and manually add it to the integration.

    5. Click Add.

      Important

      Do not close or refresh the window until the update is finished.

  9. Copy the value under the Value column of the newly created Client secret.

  10. Go back to the Scan Configuration browser page and paste the information copied at step 9.

  11. Click Add account.
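
The registration above must carry exactly the four Microsoft Graph application permissions (not delegated ones) and a client secret that is rotated before it expires. The added example below, which is not part of the vendor documentation, checks both offline against the manifest shape that `az ad app show --id <app id>` returns; the role ids and manifest are constructed samples, not the real Graph ids.

```python
"""Check an app registration against what the integration needs (added example,
not part of the vendor documentation). Works offline on the manifest shape that
`az ad app show --id <app id>` returns; both samples below are constructed."""
from datetime import date

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
REQUIRED = {"User.Read.All", "Group.Read.All", "Application.Read.All",
            "UserAuthenticationMethod.Read.All"}

# Constructed appRoles sample: the real ids come from Microsoft Graph's service
# principal (`az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles`).
GRAPH_APP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "User.Read.All",
    "22222222-2222-2222-2222-222222222222": "Group.Read.All",
    "33333333-3333-3333-3333-333333333333": "Application.Read.All",
    "44444444-4444-4444-4444-444444444444": "UserAuthenticationMethod.Read.All",
    "55555555-5555-5555-5555-555555555555": "Directory.ReadWrite.All",
}

# Constructed manifest: two required roles present, one over-broad role added.
SAMPLE_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
        {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"},
        {"id": "55555555-5555-5555-5555-555555555555", "type": "Role"},
    ]}]}

def check_graph_permissions(manifest, app_roles=GRAPH_APP_ROLES):
    """Return (missing, extra): required application permissions not granted, and
    granted application permissions beyond the four the integration asks for.
    Only "Role" entries count: step 7 requires Application permissions, so a
    delegated "Scope" entry does not satisfy the requirement."""
    granted = set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role" and access["id"] in app_roles:
                granted.add(app_roles[access["id"]])
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)

def secret_days_left(end_date_time, today=None):
    """Days until a client secret expires, from the endDateTime string of a
    passwordCredentials entry (e.g. "2026-05-01T00:00:00Z"); today as "YYYY-MM-DD"."""
    end = date.fromisoformat(end_date_time[:10])
    ref = date.fromisoformat(today) if today else date.today()
    return (end - ref).days

if __name__ == "__main__":
    print(check_graph_permissions(SAMPLE_MANIFEST))
    print(secret_days_left("2026-05-01T00:00:00Z"))
```

Run it against the real manifest and the real Graph appRoles list to see which of the four permissions are still missing and whether anything broader than the integration needs has crept in.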

ARM Deployment

  1. Under Select a connection method, select the ARM Deployment method.

  2. Open a new browser tab or window and log in to the Azure Portal with an administrator account.

  3. Go to Azure Active Directory > Enterprise applications.

  4. Search for your application name and click the value under the Name column.

    The Overview page is displayed.

  5. Copy the values under Application (client) ID and Object ID.

  6. Go back to the Scan Configuration browser page and paste the Application (client) ID information in the field with the same name.

    Keep the Object ID for later.

  7. Go to App registrations:

  8. Open the application you want to use and copy the Directory (tenant) ID.

  9. Go back to the Scan Configuration browser page and paste the information in the field with the same name.

  10. Set up a Client secret:

    1. Click the Certificates & secrets link in the menu on the left side of the page.

    2. Click + New client secret.

      The Add a client secret window is displayed.

    3. Type in an easily identifiable description in the Description field.

    4. Set the Expires setting to 24 months.

      Note

      When the secret expires you will have to create a new one and manually add it to the integration.

    5. Click Add.

      Important

      Do not close or refresh the window until the update is finished.

  11. Copy the value under the Value column of the newly created Client secret.

  12. Go back to the Scan Configuration browser page and paste the information copied at step 11.

  13. Go to the Subscriptions service.

  14. Copy the Subscription ID you want to use.

  15. Go back to the Scan Configuration browser page and paste the information in the field with the same name.

  16. Type in a descriptive name for the account.

  17. Click the Deploy to Azure button.

    The Custom deployment page is displayed.

  18. Under Project details, select the Subscription you want to use.

  19. Fill in the information under the Instance details section:

    • Select the region where your cloud account is located.

    • Paste the Object ID value copied at step 5 into the Principal Id field.

    • Type in a descriptive name for the role.

  20. Click Review + create.

  21. Review the displayed information and click Create.

  22. Go back to the Scan Configuration browser page.

  23. Click on the Add account button.

Manual

  1. Under Select a connection method, select the Manual method.

  2. Open a new browser tab or window and log in to the Azure Portal with an administrator account.

  3. Go to Azure Active Directory > Enterprise applications.

  4. Search for your application name and click the value under the Name column.

    The Overview page is displayed.

  5. Copy the values under Application (client) ID and Object ID.

  6. Go back to the Scan Configuration browser page and paste the Application (client) ID information in the field with the same name.

    Keep the Object ID for later.

  7. Go to App registrations:

  8. Open the application you want to use and copy the Directory (tenant) ID.

  9. Go back to the Scan Configuration browser page and paste the information in the field with the same name.

  10. Set up a Client secret:

    1. Click the Certificates & secrets link in the menu on the left side of the page.

    2. Click + New client secret.

      The Add a client secret window is displayed.

    3. Type in an easily identifiable description in the Description field.

    4. Set the Expires setting to 24 months.

      Note

      When the secret expires you will have to create a new one and manually add it to the integration.

    5. Click Add.

      Important

      Do not close or refresh the window until the update is finished.

  11. Copy the value under the Value column of the newly created Client secret.

  12. Go back to the Scan Configuration browser page and paste the information copied at step 11.

  13. Go to the Subscriptions service.

  14. Copy the Subscription ID you want to use.

  15. Go back to the Scan Configuration browser page and paste the information in the field with the same name.

  16. Click on the link under the Name column for the subscription you want to use.

    The Subscription details window is displayed.

  17. Go to the Access control (IAM) page.

  18. Click the + Add button and select Add custom role:

  19. In the Basics tab fill in the following information:

    • Under Custom role name type in a unique identifier for the role.

    • In the Description field add in information that will make the role easily identifiable.

  20. Go to the JSON tab.

  21. Go back to the Scan Configuration browser page and access the JSON link.

  22. Copy the "permissions" parameter.

  23. Go back to the JSON tab and paste it over the same parameter.

  24. Click the Save button on the upper right side of the section.

  25. Click the Review + create button on the lower left side of the page.

  26. Click the Create button on the lower left side of the page.

    The Access control (IAM) page is displayed.

  27. Click the + Add button and select Add role assignment.

    The Add role assignment page is displayed.

  28. Click on the name of the role you created earlier.

    Note

    The role page is displayed.

  29. Click the Next button at the bottom of the page.

    The Add role assignment page is displayed.

  30. Under the Members tab, click + Select members.

  31. Select the name of the application for this connection.

  32. Click the Review + assign button on the lower left side of the page.

  33. Go back to the Scan Configuration browser page.

  34. Type in a descriptive name for the account.

  35. Click the Add account button.

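
Both the ARM Deployment and the Manual procedure end with a custom role definition scoped to one subscription and a role assignment for the application's service principal. The added example below, which is not the vendor's code, audits the "permissions" block you paste into the role's JSON tab for least privilege and builds the assignment body from the Manual steps; the sample role, the subscription id and the principal id are constructed placeholders, not values from the Scan Configuration page.

```python
"""Audit the custom role pasted in the JSON tab and build the role assignment from
the Manual procedure (added example, not the vendor's code). The role below is a
constructed sample; the real "permissions" block comes from the Scan Configuration
page's JSON link. The subscription id is a placeholder."""

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, constructed

SAMPLE_ROLE = {"properties": {
    "roleName": "cspm-scanner",
    "description": "Read-only role for the CSPM scanner",
    "assignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
    "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],  # not read-only
        "notActions": [], "dataActions": [], "notDataActions": []}]}}

def audit_role(role, subscription_id):
    """Return findings that make a scanner role broader than read-only or broader
    than one subscription. A control-plane action is read-only when its last
    segment is 'read' ("*/read" included); anything else, and any data-plane
    action, is flagged."""
    findings = []
    props = role["properties"]
    for scope in props.get("assignableScopes", []):
        if scope != f"/subscriptions/{subscription_id}":
            findings.append(f"assignable scope outside target subscription: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if action.rsplit("/", 1)[-1] != "read":
                findings.append(f"non-read control-plane action: {action}")
        for action in perm.get("dataActions", []):
            findings.append(f"data-plane action granted: {action}")
    return findings

def role_assignment_body(role_definition_id, principal_id):
    """Request body for the assignment made at steps 27 to 32. principal_id is the
    Object ID copied from Enterprise applications (the service principal), not the
    app registration's object id; principalType states that explicitly."""
    return {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id,
                           "principalType": "ServicePrincipal"}}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, SUBSCRIPTION_ID):
        print("FINDING:", finding)
```

A `listKeys/action` entry is the kind of finding to look for: it returns storage account keys, which is more than a posture scanner needs to read configuration.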