CloudDefense.AI Azure Single Onboarding Process
Log in to Cloud Security portal using the link received in email from us to complete the registration process and login.
Once you have successfully logged in for the first time, you will see only the "Environment" page under Global Tenant Setting (please refer to the screenshot below).
You will be able to see all of the pages once you add an Azure account.
Now, click the Microsoft Azure account icon in the screenshot above to start the onboarding process.
Input the necessary credentials:
- Microsoft Azure account Client ID
- Client secret key
- Subscription ID
- Tenant ID
Then verify them and click Next to input the other information.
Once you click on “Verify Keys” you will have the option to add Account and Organization details; after that the account is connected and the scan starts automatically.
- The user who will create the app registration and assign the role to the app must have the permissions below.
Microsoft Entra ID level Access :
Subscription level Access (Role attached to User) :
- Owner
- Co-Administrator
Step 1: Create an App Registration
Go to Azure Active Directory > App registrations > New registration
For the CSPM and CIEM modules – please follow the steps below to get Cloud Security Posture Management and Infrastructure Access Management working.
Step 2: Give API permissions to App Registration
1. Search for each of the Microsoft Graph permissions listed below and add it to the created app.
- Application.Read.All
- AuditLog.Read.All
- Directory.Read.All
- Domain.Read.All
- Group.Read.All
- IdentityProvider.Read.All
- Policy.Read.All
- User.Read.All
- Reports.Read.All
Step 3: Attach a custom-built role with the role definition below to the app at subscription scope
Go to Subscription > Access control (IAM) > Add > Add role assignment, then add the custom-built role and assign it to the app. Make sure to replace {subscriptionId} in the assignable scopes of the custom role with your own subscription ID.
{
  "properties": {
    "roleName": "ReadOnlyCustomRole",
    "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
    "assignableScopes": [
      "/subscriptions/{subscriptionId}"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.KeyVault/checkNameAvailability/read",
          "Microsoft.KeyVault/deletedVaults/read",
          "Microsoft.KeyVault/locations/*/read",
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/operations/read",
          "Microsoft.Web/sites/config/list/action",
          "Microsoft.Storage/storageAccounts/listKeys/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Additional: Kubernetes scanning prerequisite
You need to complete the steps below:
- The action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action must be present in the CloudDefense read-only custom role.
- Go to Subscription > Access control (IAM) > Add > Add role assignment and assign the Azure Kubernetes Service RBAC Reader role to the CloudDefense service principal.
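The following script is an added example, not CloudDefense.AI's own tooling: it generates the Step 3 role definition for a given subscription (so the {subscriptionId} placeholder can never be left in by accident), optionally includes the listClusterUserCredential action from the Kubernetes prerequisite, counts the non-read actions so you can see what the role grants beyond reading, and prints the az commands that create the role and assign it, plus the AKS RBAC Reader role, to the app's service principal. The subscription and application IDs are constructed placeholders, and the JSON uses the flat form that `az role definition create --role-definition` accepts rather than the portal's "properties" form shown above.

```shell
#!/bin/sh
# Added example (not CloudDefense.AI's own tooling): build the read-only custom
# role definition from Step 3 for one subscription and print the az commands
# that create it and assign it to the app's service principal.
# The IDs used at the bottom are constructed placeholders.

ROLE_NAME="ReadOnlyCustomRole"

# Print the role definition JSON for subscription $1 in the flat form that
# `az role definition create --role-definition` accepts.
# Pass "aks" as $2 to add the action required for Kubernetes scanning.
build_role_definition() {
  sub_id="$1"
  aks_action=""
  if [ "${2:-}" = "aks" ]; then
    aks_action='"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",'
  fi
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
  "Actions": [
    "*/read",
    "Microsoft.KeyVault/checkNameAvailability/read",
    "Microsoft.KeyVault/deletedVaults/read",
    "Microsoft.KeyVault/locations/*/read",
    "Microsoft.KeyVault/vaults/*/read",
    "Microsoft.KeyVault/operations/read",
    "Microsoft.Web/sites/config/list/action",
    $aks_action
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$sub_id"]
}
EOF
}

# Count the non-read actions in a role definition read from stdin. The list
# and credential actions return secrets (storage keys, app settings, cluster
# credentials), so they deserve a second look before the role is assigned.
count_privileged_actions() {
  grep -c '/action"'
}

# Print the commands to run in Azure Cloud Shell after saving the JSON as
# role.json. $1 = subscription ID, $2 = application (client) ID of the app
# registration, $3 = "aks" to also assign the AKS RBAC Reader built-in role.
print_az_commands() {
  sub_id="$1"
  app_id="$2"
  echo "az role definition create --role-definition @role.json"
  echo "az role assignment create --assignee \"$app_id\" --role \"$ROLE_NAME\" --scope \"/subscriptions/$sub_id\""
  if [ "${3:-}" = "aks" ]; then
    echo "az role assignment create --assignee \"$app_id\" --role \"Azure Kubernetes Service RBAC Reader\" --scope \"/subscriptions/$sub_id\""
  fi
}

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # constructed placeholder
APP_ID="11111111-2222-3333-4444-555555555555"            # constructed placeholder

build_role_definition "$SUBSCRIPTION_ID" aks
echo "# non-read actions in this role: $(build_role_definition "$SUBSCRIPTION_ID" aks | count_privileged_actions)"
print_az_commands "$SUBSCRIPTION_ID" "$APP_ID" aks
```

Redirect the first call to role.json before running the printed commands. For the multi-onboarding flow the only change is the scope: replace "/subscriptions/$sub_id" with the management group resource ID and let `az ad sp create-for-rbac --role --scopes` perform the assignment, as the portal-generated commands do.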
Step 4: Create a client secret for the App
Go to App registrations, select your app and click on Certificates & secrets > New client secret.
Step 5: Copy Required Credentials
1. Copy Client ID and Tenant ID
Go to Azure Active Directory > App registrations. Then click on the application.
2. Copy Client Secret
Go to Azure Active Directory > App registrations > Certificates & secrets. Then copy the Client Secret.
3. Copy the Subscription ID
Go to Subscriptions. Copy the Subscription ID.
For the CWPP module - attach the roles mentioned below to the same app registration.
- Virtual Machine Contributor
- Disk Snapshot Contributor
- Network Contributor
For the Threat Detection module - attach the role mentioned below to the same app registration.
- Storage Blob Data Reader
CloudDefense.AI Azure Multi Onboarding Process
MULTI ONBOARDING STEP 1:
Log in to the CloudDefense portal using your credentials.
From the sidebar, navigate to Admin -> Environments.
Now click on Add New Environment and then choose the Microsoft Azure provider as shown below.
MULTI ONBOARDING STEP 2:
Select Management Group option if you wish to onboard your Azure management group.
MULTI ONBOARDING STEP 3:
Now select your Organization from the drop-down menu and click Next.
MULTI ONBOARDING STEP 4:
Enter your Azure Management Group ID in the given input box.
In order to find your management group ID, do the following:
Log in and open your Azure Shell.
In the Azure Shell, run the following command to retrieve the list of management group IDs:
az account management-group entities list --query "[?type=='Microsoft.Management/managementGroups' && inheritedPermissions!='noaccess' && permissions!='noaccess'].{Name:displayName, Id:id}" --output table
After running the command, you'll see a list of management groups. Locate the ID of the group you wish to onboard, then copy and paste it into the input box.
Now, click on Next.
MULTI ONBOARDING STEP 5:
Based on the management group ID entered above, we first verify that it is valid and then generate personalised commands for you to execute in this step.
Create Role: Copy and paste the custom command shown on the right side of the portal into your Azure Shell to generate a custom role. The command below is only a representative sample; do not copy it. The custom commands we generate will be available on the right side of your screen in this step.
az role definition create --role-definition '{"Name":"CDAIReadOnlyCustomRole","IsCustom":true,"Description":"A custom role to view all resources within a management group, but does not allow to make any changes in the infrastructure.","Actions":["*/read","Microsoft.KeyVault/checkNameAvailability/read","Microsoft.KeyVault/deletedVaults/read","Microsoft.KeyVault/locations/*/read","Microsoft.KeyVault/vaults/*/read","Microsoft.KeyVault/operations/read","Microsoft.Web/sites/config/list/action","Microsoft.Storage/storageAccounts/listKeys/action"],"NotActions":[],"AssignableScopes":["/providers/Microsoft.Management/managementGroups/{management_group_id}"]}'
Permissions assigned to this role: Application.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, Group.Read.All, IdentityProvider.Read.All, Policy.Read.All, User.Read.All, Reports.Read.All
Create Service Principal: Copy and paste the custom command on the right side of the portal into your Azure Shell to generate a Service Principal.
az ad sp create-for-rbac --role "CDAIReadOnlyCustomRole" --scopes /providers/Microsoft.Management/managementGroups/{management_group_id} --name "CDAI Service Principal"
Copy the appId value from the command result and paste it into the Client ID input box.
Copy the password value from the command result and paste it into the Client Secret input box.
Copy the tenant value from the command result and paste it into the Tenant ID input box.
Now, click next.
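The copy-and-paste step above is where onboarding most often goes wrong (pasting the tenant where the client ID belongs, or leaving the secret in a shell transcript). The script below is an added example, not part of CloudDefense.AI's portal or CLI: it reads the JSON that `az ad sp create-for-rbac` prints, extracts the three values the input boxes ask for, checks that the two IDs are GUID-shaped, and masks the secret when summarising. The sample output is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example (not CloudDefense.AI's own tooling): pull the three values the
# portal asks for out of the JSON printed by `az ad sp create-for-rbac` and
# sanity-check them before pasting. SAMPLE_OUTPUT is constructed.

# Extract one top-level string field from JSON on stdin. $1 = field name.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 if $1 is GUID-shaped (8-4-4-4-12 hex digits), 1 otherwise.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read create-for-rbac output from stdin and print one "box=value" line per
# input box. The client secret is masked so it never lands in a terminal log;
# paste it from the original command output instead.
summarize_sp_output() {
  out="$(cat)"
  app_id="$(printf '%s\n' "$out" | json_field appId)"
  tenant="$(printf '%s\n' "$out" | json_field tenant)"
  secret="$(printf '%s\n' "$out" | json_field password)"
  is_guid "$app_id" || { echo "appId is not a GUID: $app_id" >&2; return 1; }
  is_guid "$tenant" || { echo "tenant is not a GUID: $tenant" >&2; return 1; }
  [ -n "$secret" ] || { echo "password missing from output" >&2; return 1; }
  echo "Client ID=$app_id"
  echo "Tenant ID=$tenant"
  echo "Client Secret=**** (${#secret} characters, copy from the command output)"
}

# Constructed sample of what `az ad sp create-for-rbac` prints; not real values.
SAMPLE_OUTPUT='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "CDAI Service Principal",
  "password": "constructed-secret-value",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

printf '%s\n' "$SAMPLE_OUTPUT" | summarize_sp_output
```

In practice you would pipe the real command into `summarize_sp_output` (`az ad sp create-for-rbac ... | summarize_sp_output`); the function only reads stdin, so the secret is never written to a file by this script.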
Additional: Kubernetes scanning prerequisite
You need to complete the steps below:
- The action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action must be present in the CloudDefense read-only custom role.
- Go to Subscription > Access control (IAM) > Add > Add role assignment and assign the Azure Kubernetes Service RBAC Reader role to the CloudDefense service principal.
MULTI ONBOARDING STEP 6:
We now generate custom commands for you to run, in the same way as above:
- a command that grants the required API permissions,
- a command to grant admin consent, and
- lastly, a command to get the IDs of all the subscriptions under the selected management group.
The last command will output a list of the subscription IDs. Copy and paste them into the given input box on the left.
Now, just click on Connect Subscriptions and the Management Group onboarding is completed!