#Microsoft Azure AD

The NetSPI Platform has a broad integration with Microsoft Azure AD.

Similar to our other integrations, the Microsoft Azure AD integration is read-only and does not perform actions to configure systems or otherwise change anything about your Microsoft Azure AD system.

#Supported asset types

The Microsoft Azure AD integration provides the NetSPI Platform visibility into the following asset types:

  • Systems
  • Users

#Endpoints used

This integration needs access to the following API endpoints:

#Required permissions

This integration needs the following permissions:

  • Device.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementRBAC.Read.All
  • DeviceManagementServiceConfig.Read.All
  • Directory.Read.All
  • User.Read
  • User.Read.All
  • AuditLogs.Read.All
  • UserAuthenticationMethod.Read.All
  • Vulnerability.Read.All
  • Software.Read.All
  • Machine.Read.All
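Every permission above is a read-only Graph scope, which is what backs the read-only claim made earlier. The following script is an added example, not NetSPI's code: it compares the permissions actually granted to the integration's app registration against this list, reporting anything missing and anything that is not read-only. It assumes the granted permission values have already been exported from the tenant (for instance from the service principal's app role assignments); a constructed sample list stands in here.

```python
"""Compare an app registration's granted Microsoft Graph application
permissions against the read-only set this integration requires.
Added example; the 'granted' input is assumed to come from the tenant
(e.g. the service principal's app role assignments), constructed below."""
import re

# Permissions listed on this page for the integration.
REQUIRED_PERMISSIONS = frozenset({
    "Device.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Directory.Read.All",
    "User.Read",
    "User.Read.All",
    "AuditLogs.Read.All",
    "UserAuthenticationMethod.Read.All",
    "Vulnerability.Read.All",
    "Software.Read.All",
    "Machine.Read.All",
})

# A Graph permission value is "<Resource>.<Access>[.All]". Only a plain "Read"
# access part is read-only; ReadWrite, Invite, Manage, etc. can change tenant state.
_READ_ONLY = re.compile(r"^[A-Za-z]+\.Read(\.All)?$")


def check_permissions(granted):
    """Return required permissions that are missing, granted permissions that
    are not read-only, and granted read-only permissions beyond the required
    set (candidates for removal under least privilege)."""
    granted = set(granted)
    return {
        "missing": sorted(REQUIRED_PERMISSIONS - granted),
        "not_read_only": sorted(p for p in granted if not _READ_ONLY.match(p)),
        "extra_read_only": sorted(p for p in granted - REQUIRED_PERMISSIONS
                                  if _READ_ONLY.match(p)),
    }


def is_compliant(granted):
    """True when nothing required is missing and nothing granted can write."""
    result = check_permissions(granted)
    return not result["missing"] and not result["not_read_only"]


if __name__ == "__main__":
    # Constructed sample: one required scope missing, one write scope granted.
    sample = sorted(REQUIRED_PERMISSIONS - {"Machine.Read.All"})
    sample += ["Directory.ReadWrite.All", "Group.Read.All"]
    for key, values in check_permissions(sample).items():
        print(f"{key}: {values}")
```

Run it after any change to the app registration; a non-empty `not_read_only` list means the integration account can do more than this page says it should.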

#Configuration steps

Use the section below for configuring Microsoft Azure AD to integrate with the NetSPI Platform.

#Step one: Microsoft AD System configuration

Create a Domain service account using the following guidelines.

This account:

  • Must have a password of at least eight characters; however, we recommend a complex password of at least 16 characters or longer.

  • Should be set to never expire (to prevent the integration from failing over time). Additionally, you may wish to exempt the account from password expiration.

In most domains, a basic service account with no special privileges is all that is needed. However, if your domain has OU hardening and you want the NetSPI Platform to see the Users and Machines within those protected OUs (recommended), grant the service account explicit read-only access to those OUs.

Similarly, if you want to exempt specific users or machines from appearing in the NetSPI Platform via this integration, deny the service account all access to the corresponding Active Directory objects or OUs.

This integration only captures information for one domain at a time. For multiple domains, create one service account and one integration for each domain.

#Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the Microsoft Azure AD Integration in the NetSPI Platform.

  1. Log into the NetSPI Platform as a Client Admin user.

  2. Navigate to Settings -> CAASM Integrations to display the Integrations page.

    [Screenshot: Platform Integrations page]

  3. Select the Integration Library tab -> Integration Categories / Identity and Access Management (IAM) -> Microsoft Azure AD Integration.

    [Screenshot: Integration Library tab]

    This brings the Microsoft Azure AD integration card into focus.

  4. Select the Add button on the Microsoft Azure AD Integration card to display the Microsoft Azure AD integration configuration page.

    [Screenshot: Microsoft Azure AD integration page]

  5. Select and enter values for the following fields.

    1. Select the integration type from the Integration drop-down list. In this case, Microsoft Azure AD Integration, which is selected by default.

    2. Select the integration scope from the Integration Scope drop-down list. The Microsoft Azure AD integration can only run on a cloud scope, which was configured by NetSPI, and Cloud displays as the default value.

    3. Enter an integration name and description in the Integration Name and Description fields.

    4. Set the Enabled slider to on (blue) or off (light gray).

    5. Enter or copy/paste the Microsoft Azure AD tenant ID, client ID, and OAuth2 secret in the Microsoft Azure AD Parameters field group, for the domain that you configured in the Microsoft Azure AD System configuration step above.

  6. Select Create to create the integration. The new integration now appears on the Applied Integrations tab with its current and last-run status, last run time, and enabled/disabled state.