# Azure

EASM supports Azure integrations that extend several EASM capabilities. With an Azure integration in place, EASM can
identify a range of exposures and cloud security misconfigurations, including:

- Public domain and IP address exposures across multiple Azure services
- Azure Storage accounts with weak security configurations such as use of Shared Key authorization or use
of insecure, weak, or deprecated communication and encryption protocols
- Azure Storage accounts with overly permissive network access policies
- Azure Storage Containers and Blobs with overly permissive access policies
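The storage-account exposure classes listed above can be reproduced locally with the Az PowerShell module, which is useful for confirming a fix before the scanner re-checks it. The following is an added example, not NetSPI's scanner code. It assumes `Connect-AzAccount` has already been run with at least Reader on the subscription; the thresholds it applies (TLS 1.2 minimum, Shared Key authorization disabled, no anonymous blob access, firewall default action Deny) are the ones a practitioner would normally enforce, not values this page specifies.

```powershell
# Added example (not NetSPI's scanner): flag the storage-account weaknesses the page lists.
# Assumes Connect-AzAccount has been run and the caller has Reader on the subscription.
function Test-StorageAccountExposure {
    param(
        [Parameter(Mandatory)] $Account   # object returned by Get-AzStorageAccount
    )

    $findings = @()

    # Shared Key authorization: $null means the property was never set, which Azure treats as enabled
    if ($Account.AllowSharedKeyAccess -ne $false) {
        $findings += 'Shared Key authorization enabled (prefer Entra ID authorization only)'
    }

    # Insecure or deprecated transport: plain HTTP, or a TLS floor below 1.2
    # ($null on older accounts, which the platform has treated as TLS 1.0)
    if (-not $Account.EnableHttpsTrafficOnly) {
        $findings += 'HTTP (non-TLS) traffic allowed'
    }
    if ($Account.MinimumTlsVersion -ne 'TLS1_2') {
        $findings += "Minimum TLS version is '$($Account.MinimumTlsVersion)' (expected TLS1_2)"
    }

    # Overly permissive network access: public endpoint reachable and firewall default action Allow
    if ($Account.PublicNetworkAccess -ne 'Disabled' -and $Account.NetworkRuleSet.DefaultAction -eq 'Allow') {
        $findings += 'Public network access allowed from any network'
    }

    # Anonymous container/blob access possible at the account level ($null is treated as allowed here)
    if ($Account.AllowBlobPublicAccess -ne $false) {
        $findings += 'Anonymous blob/container access permitted at account level'
    }

    [pscustomobject]@{
        StorageAccount = $Account.StorageAccountName
        ResourceGroup  = $Account.ResourceGroupName
        Findings       = $findings
    }
}

# Usage: audit every storage account visible in the current subscription context
$results = Get-AzStorageAccount | ForEach-Object { Test-StorageAccountExposure -Account $_ }
$results | Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table StorageAccount, ResourceGroup, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -Wrap
```

Account-level `AllowBlobPublicAccess` only says whether anonymous access is possible; whether a given container actually grants it is a container-level setting, which is why the scanner reports containers and blobs separately from the account.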

## Azure Audit Scanner

The Azure Audit Security Scanner runs in addition to our existing Azure integrations
and performs in-depth security checks on your Tenant and Subscription accounts.
When the scanner no longer detects a vulnerability, the associated finding is
automatically marked as remediated.

To enable the Azure Audit Security Scanner, contact your client delivery manager after following the integration steps below.

The following services are audited:

**Entra ID (tenant-level):**

- App Registrations
- Service Principals
- Groups
- Privileged Identity Management (PIM)
- Entra Roles
- Authorization Policies
- Guest Users

**Azure Subscription Services:**

- API Management
- App Configuration
- Application Gateway
- Automation Accounts
- Virtual Machines
- Container Instances
- Container Registry (ACR)
- Azure Kubernetes Service (AKS)
- Cosmos DB
- Key Vault
- Logic Apps
- Azure Monitor
- Network Security Groups
- PostgreSQL Flexible Server
- Azure SQL
- Storage Accounts
- Synapse Analytics
- App Services / Functions
- Resource Groups
- RBAC / IAM

These and future Azure-focused EASM capabilities can be enabled by following the integration steps below.

## Create an app registration

1. Log in to the Azure portal.
1. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
1. Select App registrations.
1. Add a new registration:
   1. Leave `Accounts in this organizational directory only` selected (the default).
   1. Leave `Redirect URI` empty.
1. Select Register.
1. Select "Overview" on the app registration you just created.
1. Copy the Application (client) ID and the Directory (tenant) ID to your notepad.

!!!
If your organization uses Conditional Access Policies that restrict App Registration
sign-ins, you will need to add an exception for this App Registration before proceeding.
Contact your Azure administrator to configure this exception using the Application (client) ID.
!!!

## Grant permissions

1. Search for and select "Subscriptions" or "Management Groups".
1. Select the subscription or management group you want to grant access for.
1. Select Access Control (IAM).
1. Select Add > Add Role Assignment.
1. Search for and select the `Reader` role.
1. Select Next.
1. Leave Assign access to set to `User, group, or service principal`.
1. Add the app registration as a member.
1. Select Review + Assign.
1. Repeat for every subscription you want integrated.

!!!
`Reader` is a control-plane role: it lets the integration read resource configuration
but does not grant data-plane actions such as listing storage account keys or reading
Key Vault secrets. Assigning it at a management group grants it on every subscription
beneath that group, including subscriptions added later, so choose the scope deliberately.
!!!

## Generate a Secret

1. In the Azure portal, navigate to your created App Registration.
1. Select certificates & secrets > New client secret.
1. Set an expiration date that fits your organization's rotation policy. You will be notified when the
secret is one week from expiration.
1. Copy the client secret value and its expiration date to your notepad. The value is displayed only once,
immediately after creation.
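The three portal procedures above (app registration, Reader assignment, client secret) can be performed from Az PowerShell, which also makes it easy to verify afterwards that the service principal holds nothing beyond Reader on the intended scopes. This is an added example, not NetSPI's integration code. It assumes `Connect-AzAccount` has been run by a user who can create app registrations and assign roles; the display name, scope list and secret lifetime are placeholders to replace with your own.

```powershell
# Added example (not NetSPI's code): app registration + Reader + client secret via Az PowerShell,
# followed by a least-privilege check on the resulting role assignments.
# Assumes an existing Connect-AzAccount session with rights to create apps and assign roles.
$displayName        = 'NetSPI-EASM'   # placeholder display name
$secretLifetimeDays = 180             # placeholder; align with your rotation policy
$scopes = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder; one entry per subscription
    # '/providers/Microsoft.Management/managementGroups/<mg-name>'  # alternatively a management group,
    #                                                               # which covers every subscription beneath it
)

# 1. Single-tenant app registration with no redirect URI, plus its service principal
$app = New-AzADApplication -DisplayName $displayName -SignInAudience AzureADMyOrg
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId
Start-Sleep -Seconds 20   # directory replication; an immediate role assignment can fail with 'principal not found'

# 2. Reader on each intended scope
foreach ($scope in $scopes) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
}

# 3. Client secret; SecretText is returned only by this call, so capture it now
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddDays($secretLifetimeDays)

# 4. Least-privilege check: anything that is not Reader, or Reader outside $scopes, is a mistake
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$unexpected  = @($assignments | Where-Object { $_.RoleDefinitionName -ne 'Reader' -or $scopes -notcontains $_.Scope })
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table RoleDefinitionName, Scope | Out-String | Write-Warning
    throw "Service principal $($sp.Id) holds role assignments beyond Reader on the intended scopes"
}

# 5. The values the Add Cloud Account form asks for
[pscustomobject]@{
    TenantId     = (Get-AzContext).Tenant.Id
    ClientId     = $app.AppId
    ClientSecret = $cred.SecretText
    SecretExpiry = $cred.EndDateTime
}
```

The secret is written to the console here so it can be pasted into the EASM form; in an automated pipeline, write `$cred.SecretText` to a vault instead of standard output, and re-run step 4 on a schedule so that a later, broader role assignment to this principal is caught.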

## Integrate with EASM

1. Log into the NetSPI Platform.
2. Select or hover over EASM in the left navigation and select Assets to display the [Assets page](/EASM/assets/).
3. Select Cloud Account from the Assets list on the left side of the page and then select the **Add Cloud Account** button.
4. Supply the information from your notepad saved from the previous steps.
5. Select Add.
