# Microsoft Azure (cloud)

The NetSPI Platform has a growing integration with Microsoft Azure (MSAzure).

This integration supports the Microsoft Azure product only.

Similar to our other integrations, the Microsoft Azure integration is read-only and does not perform actions to
configure systems or otherwise change anything about your Microsoft Azure system.

## Supported asset types

The Microsoft Azure integration provides the NetSPI Platform visibility into the following asset types:

- Systems
- Users
- IPv4 Addresses

## Data run frequency

The Microsoft Azure integration pulls data every six hours.

## Endpoints used

This integration needs access to the following API endpoints:

- [https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines](https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines)
- [https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{networkInterfaceName}](https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{networkInterfaceName})

## Required permissions

This integration needs an API key with the following access permissions:

- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- Device.Read.All
- Directory.Read.All
- User.Read.All

## Configuration steps

Use the sections below for configuring Microsoft Azure to integrate with the NetSPI Platform.

### Step one: Microsoft Azure system configuration

1. Sign in to the Microsoft Azure portal ([https://portal.azure.com/](https://portal.azure.com)), select the portal
menu icon in the top left, and select Azure Active Directory as illustrated below.

   ![Azure Step 1](/static/caasm/azure_integration.png "Azure Step 1")

2. Select App registrations in the left pane as illustrated below:

   ![Azure Step 2](/static/caasm/azure_integration_2.png "Azure Step 2")

   !!!
   **Note:**

   Although it is technically feasible to use the same MSAzure Enterprise Application or App for this integration,
   the MSGraph/DefenderATP integration, and SSO connectivity to the NetSPI Platform, NetSPI recommends using a
   separate app for each of these, for both security and functionality.
   !!!

3. Select New registration along the top row of tabs as illustrated below:

   ![Azure Step 3](/static/caasm/azure_integration_3.png "Azure Step 3")

4. Provide a descriptive name for the registration and select Register at the bottom as illustrated below:

   ![Azure Step 4](/static/caasm/azure_integration_4.png "Azure Step 4")

5. Copy the values for Application (client) ID and Directory (tenant) ID as we will need these later when configuring
the integration in the NetSPI Platform UI. Once copied, select Certificates & secrets in the left pane as
illustrated below:

   ![Azure Step 5](/static/caasm/azure_integration_5.png "Azure Step 5")

6. On the Client secrets tab, select New client secret as illustrated below:

   ![Azure Step 6](/static/caasm/azure_integration_6.png "Azure Step 6")

7. Select an appropriate expiration period for the client secret and then select Add at the bottom as
illustrated below:

   ![Azure Step 7](/static/caasm/azure_integration_7.png "Azure Step 7")

8. Once the client secret has been created, select the Copy icon to the right of the Value field and record this as
we will need it later when configuring the integration in the NetSPI Platform UI:

   ![Azure Step 8](/static/caasm/azure_integration_8.png "Azure Step 8")

9. Next, navigate to the API permissions link in the left pane and select Add a permission as illustrated below:

   ![Azure Step 9](/static/caasm/azure_integration_9.png "Azure Step 9")

10. On the Request API Permissions modal, select Microsoft Graph as illustrated below:

   ![Azure Step 10](/static/caasm/azure_integration_10.png "Azure Step 10")

11. Select the Application permissions button and use the search box to find and select the individual permissions
shown below.

- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- Device.Read.All
- Directory.Read.All
- User.Read.All

12. When finished, select the **Add permissions** button at the bottom.

   ![Azure Step 11](/static/azure_integration_11.png "Azure configuration")

   When complete, the permissions list should look like the following:

   ![Azure Step 11](/static/azure_permission_list.png "Azure configuration")

13. Select the **Grant admin consent for \<yourdomain\>** button and then select **yes**.

14. In the topmost search box, search for Subscriptions and select **Subscriptions**.

15. Click on the Subscription that will have the permissions.

16. Copy the Subscription ID to use when configuring the integration in the NetSPI Platform in the section below.

17. Click on **IAM** in the selected Subscription.

18. Click on **Add -> Add role assignment**.

19. In the Role tab, select **Reader** role then click on **Next**.

20. In the Select members search box, search for the name of the application (NetSPI Integration in this example),
highlight, then choose **Select**, then click on **Next**.

21. Select **Review + assign**. (Once selected the permissions should show up under the Reader role).
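
A check that the app registration ended up with exactly the Graph application permissions listed in step 11 and nothing broader. This is an added example, not NetSPI code: it assumes an access token obtained with the app's client credentials is a JWT whose `roles` claim lists the granted application permissions, and `audit` and `make_sample_token` are hypothetical names.

```python
import base64
import json

# Graph application permissions listed on this page (step 11).
REQUIRED = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Device.Read.All",
    "Directory.Read.All",
    "User.Read.All",
}


def _b64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Read the `roles` claim. Inspection only: the signature is not verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url(parts[1]))
    return set(claims.get("roles", []))


def audit(access_token: str) -> dict:
    """Compare granted roles with REQUIRED, ignoring case."""
    granted = {r.lower(): r for r in token_roles(access_token)}
    required = {r.lower(): r for r in REQUIRED}
    extra = sorted(granted[k] for k in granted.keys() - required.keys())
    return {
        "missing": sorted(required[k] for k in required.keys() - granted.keys()),
        "extra": extra,
        # Naming heuristic: an extra role not ending in .Read.All deserves review.
        "not_read_only": [r for r in extra if not r.lower().endswith(".read.all")],
    }


def make_sample_token(roles) -> str:
    """Constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": list(roles)}), "constructed"])
```

An empty `missing` list means the integration has what it needs; any entry in `extra` or `not_read_only` means the registration holds more than this page asks for.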

### Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the Microsoft Azure integration in the NetSPI Platform.

1. Log into the NetSPI Platform as a Client Admin user.

2. Navigate to *Settings -> CAASM Integrations* to display the Integrations page.

   ![Platform Integrations page](/static/caasm/integrations/integrations_landing.png "Platform Integrations page")

3. Select the *Integration Library tab -> Integration Categories / Cloud -> Microsoft Azure Integration*.

   ![Integration Library tab](/static/caasm/integrations/platform_azure_1.png "Integration Library tab")

   This brings the Azure integration card into focus.

   !!!Note
   You can also locate the integration card by:

      - Scrolling down the page on the *Integration Library* tab
      - Filtering the integration options displayed by selecting any of the other left navigation choices besides
      *Integration Categories*, e.g., by *Modules* or *Integration Scopes* (cloud or on premise)
      - Entering the integration name in the Search integration bar
   !!!

4. Select the **Add** button on the Azure card to display the Azure integration configuration page.

   ![Azure integration page](/static/caasm/integrations/platform_azure_2.png "Azure integration page")

5. Select and enter values for the following fields.

   1. Select the integration type from the *Integration* drop-down list. In this case, *Azure*, which is already
   selected by default.

   2. Select the integration scope from the *Integration Scope* drop-down list. The Azure integration can only run
   on a cloud scope, which is configured by NetSPI; *Cloud* is the default value.

   3. Enter an integration name and description in the *Integration Name* and *Description* fields.

   4. Select the *Enabled* slider button to display as either on (blue) or off (light gray).

   5. In the *Microsoft Azure Parameters* field group, enter the following values:

      - Enter the Directory (tenant) and Application (client) IDs copied in step 5 in the section above in the
      *Tenant ID* and *Client ID* fields, respectively.

      - Enter the client secret created in step 8 in the section above in the OAuth2 Secret field.

   6. In the *Azure Subscription ID(s)* field group, enter the following values:

      - Enter the Subscription ID copied from step 15 above into the *Subscription IDs* field.

   7. Select **Add** to add additional subscription IDs as needed.

6. Select **Create** to create the integration. The new integration now displays on the Applied Integrations tab
with its statuses: current and last run, last run time, and status (enabled/disabled).
