# Microsoft Azure

The NetSPI Platform has a growing integration with Microsoft Azure (MSAzure). This integration supports the Microsoft Azure product only.

Similar to our other integrations, the Microsoft Azure integration is read-only: it does not perform actions to configure systems or otherwise change anything in your Microsoft Azure environment.
## Supported asset types

The Microsoft Azure integration provides the NetSPI Platform visibility into the following asset types:

- Systems
- Users
- IPv4 addresses
## Endpoints used

This integration needs access to the following API endpoints:

- https://management.azure.com/subscriptions//providers/Microsoft.Compute/virtualMachines
- https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Network/networkInterfaces/
## Required permissions

This integration needs an API key with the following access permissions:

- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementServiceConfig.Read.All
- Device.Read.All
- Directory.Read.All
- User.Read.All
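The permissions above are Microsoft Graph application permissions, while the two endpoints in the previous section are Azure Resource Manager (management.azure.com) calls that are authorized by the Reader role assignment made in Step one below. The following script is an added example, not NetSPI code, for checking from your own side that the app registration's credentials work against those two ARM endpoints. It uses only the Python standard library and the OAuth2 client-credentials flow; the environment variable names `TENANT_ID`, `CLIENT_ID`, `CLIENT_SECRET` and `SUBSCRIPTION_ID` and the `api-version` values are assumptions of this example.

```python
"""Read-only connectivity check for an Azure app registration.

Added example, not NetSPI code. Acquires an access token with the OAuth2
client-credentials flow and lists the resources behind the two ARM endpoints
on the page. Assumes the app holds a Reader role assignment on the
subscription and that credentials arrive via environment variables
(TENANT_ID, CLIENT_ID, CLIENT_SECRET, SUBSCRIPTION_ID). The api-version
values below are assumptions; check them against the ARM reference.
"""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM = "https://management.azure.com"
ARM_SCOPE = ARM + "/.default"      # token audience for management.azure.com
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # audience for the Graph permissions
COMPUTE_API = "2023-03-01"         # assumed api-version for Microsoft.Compute
NETWORK_API = "2023-05-01"         # assumed api-version for Microsoft.Network


def build_token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """Return (url, form-encoded body) for a client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def vm_list_url(subscription_id):
    """Subscription-wide VM listing endpoint from the 'Endpoints used' section."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Compute/virtualMachines?api-version={COMPUTE_API}")


def nic_list_url(subscription_id, resource_group):
    """Per-resource-group NIC listing endpoint from the 'Endpoints used' section."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}/"
            f"providers/Microsoft.Network/networkInterfaces?api-version={NETWORK_API}")


def resource_group_of(resource_id):
    """Extract the resource group name from an ARM resource ID (segment key is case-insensitive)."""
    parts = resource_id.strip("/").split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "resourcegroups":
            return parts[i + 1]
    raise ValueError("no resourceGroups segment in " + resource_id)


def fetch_token(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """POST the client-credentials request and return the bearer token."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]


def get_json(url, token):
    """GET an ARM endpoint with the bearer token; a 403 means RBAC, not the secret, is wrong."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    env = {k: os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "SUBSCRIPTION_ID")}
    token = fetch_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    vms = get_json(vm_list_url(env["SUBSCRIPTION_ID"]), token).get("value", [])
    print(f"{len(vms)} virtual machine(s) visible to the app")
    # NICs are listed per resource group, so derive the groups from the VM IDs.
    for rg in sorted({resource_group_of(vm["id"]) for vm in vms}, key=str.lower):
        nics = get_json(nic_list_url(env["SUBSCRIPTION_ID"], rg), token).get("value", [])
        print(f"  {rg}: {len(nics)} network interface(s)")


if __name__ == "__main__":
    main()
```

Run it after completing Step one with the four variables exported. A token error points at the tenant ID, client ID or secret; an HTTP 403 from management.azure.com with a valid token points at the Reader role assignment (missing, or assigned to the wrong principal or scope). The Graph permissions on this page are exercised with a separate token requested for `GRAPH_SCOPE`; the ARM token does not carry them.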
## Configuration steps

Use the sections below to configure Microsoft Azure to integrate with the NetSPI Platform.
### Step one: Microsoft Azure system configuration

1. Sign in to the Microsoft Azure portal (https://portal.azure.com/), select the portal menu icon in the top left, and select Azure Active Directory as illustrated below.
2. Select App registrations in the left pane as illustrated below:

   Note: Although it is technically feasible to use the same MSAzure Enterprise Application or App for this integration, the MSGraph/DefenderATP integration, and SSO connectivity to the NetSPI Platform, NetSPI recommends using a separate app for each of these for security and functionality.

3. Select New registration along the top row of tabs as illustrated below:
4. Provide a descriptive name for the registration and select Register at the bottom as illustrated below:
5. Copy the values for Application (client) ID and Directory (tenant) ID; you will need them later when configuring the integration in the NetSPI Platform UI. Once copied, select Certificates & secrets in the left pane as illustrated below:
6. On the Client secrets tab, select New client secret as illustrated below:
7. Select an appropriate expiration period for the client secret and then select Add at the bottom as illustrated below:
8. Once the client secret has been created, select the Copy icon to the right of the Value field and record the value; you will need it later when configuring the integration in the NetSPI Platform UI:
9. Next, navigate to the API permissions link in the left pane and select Add a permission as illustrated below:
10. On the Request API Permissions modal, select Microsoft Graph as illustrated below:
    - Select the Application permissions button and use the search box to find and select the individual permissions shown below.
      - DeviceManagementApps.Read.All
      - DeviceManagementConfiguration.Read.All
      - DeviceManagementManagedDevices.Read.All
      - DeviceManagementRBAC.Read.All
      - DeviceManagementServiceConfig.Read.All
      - Device.Read.All
      - Directory.Read.All
      - User.Read.All
    - When finished, select the Add permissions button at the bottom.
11. When complete, the permissions list should look like the following:
12. Select the Grant admin consent for <yourdomain> button and then select Yes.
13. Assign a Reader role to this application.
14. Search for "Subscriptions" in the search box at the top bar of the panel and select Subscriptions.
15. Copy the Subscription ID to use when configuring the integration in the NetSPI Platform in the section below.
16. Select your subscription and then Access Control (IAM).
17. Select the Add button and Add Role Assignment to add a new permission.
18. Select the Reader role, search for the application you just created, and select Save.
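Because the integration is read-only, the app registration created above should end up with exactly one role (Reader) at subscription scope and a client secret whose lifetime matches the expiration you chose. The script below is an added example, not NetSPI code, that audits both from JSON exported with the Azure CLI. The two sample documents are constructed for this example; their field names are assumed to follow the shape of `az role assignment list --assignee <app-id> --all` and `az ad app credential list --id <app-id>`, and the 365-day secret limit is a policy choice of this example, not a NetSPI requirement.

```python
"""Least-privilege audit for the integration's app registration.

Added example, not NetSPI code. Reads two JSON documents exported with the
Azure CLI and confirms the service principal holds only the Reader role, at
subscription scope, and that no client secret is expired or valid for longer
than a chosen window. Field names are assumed to match the CLI output shape;
the sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

EXPECTED_ROLE = "Reader"
MAX_SECRET_LIFETIME = timedelta(days=365)   # policy choice for this example

# Constructed sample: one correct assignment plus one over-privileged one.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "netspi-azure-integration", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "netspi-azure-integration", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"}
]""")

# Constructed sample: one secret valid for two years.
SAMPLE_CREDENTIALS = json.loads("""[
  {"displayName": "netspi-integration", "keyId": "11111111-1111-1111-1111-111111111111",
   "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}
]""")


def is_subscription_scope(scope):
    """True for '/subscriptions/<id>' with nothing below it."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def audit_role_assignments(assignments, expected_role=EXPECTED_ROLE):
    """Return findings; an empty list means every assignment is Reader at subscription scope."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role != expected_role:
            findings.append(f"role '{role}' at {scope}: expected only '{expected_role}'")
        elif not is_subscription_scope(scope):
            findings.append(f"'{role}' granted at {scope}: expected subscription scope")
    return findings


def _parse(ts):
    # The CLI emits ISO-8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_credentials(credentials, max_lifetime=MAX_SECRET_LIFETIME, now=None):
    """Flag secrets that are expired or whose total validity exceeds max_lifetime."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse(now)
    findings = []
    for c in credentials:
        start, end = _parse(c["startDateTime"]), _parse(c["endDateTime"])
        if end <= now:
            findings.append(f"secret {c['keyId']} expired on {end.date()}: integration runs will fail")
        elif end - start > max_lifetime:
            findings.append(f"secret {c['keyId']} valid for {(end - start).days} days: "
                            f"exceeds the {max_lifetime.days}-day limit")
    return findings


if __name__ == "__main__":
    for finding in audit_role_assignments(SAMPLE_ASSIGNMENTS) + audit_credentials(SAMPLE_CREDENTIALS):
        print("FINDING:", finding)
```

Against your own tenant, replace the two sample lists with `json.load` of the exported files. The Contributor assignment in the sample is flagged even though it sits below subscription scope, because any role other than Reader contradicts the read-only design of the integration; an expired secret is reported separately since it breaks the integration rather than over-privileging it.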
### Step two: NetSPI Platform CAASM configuration

Use the steps below to configure the Microsoft Azure integration in the NetSPI Platform.

1. Log into the NetSPI Platform as a Client Admin user.
2. Navigate to Settings -> CAASM Integrations to display the Integrations page.
3. Select the Integration Library tab -> Integration Categories / Cloud -> Microsoft Azure Integration. This brings the Azure integration card into focus.

   Note: You can also locate the integration card by:
   - Scrolling down the page on the Integration Library tab
   - Filtering the integration options displayed by selecting any of the other left navigation choices besides Integration Categories, e.g., by Modules or Integration Scopes (cloud or on premise)
   - Entering the integration name in the Search integration bar

4. Select the Add button on the Azure card to display the Azure integration configuration page.
5. Select and enter values for the following fields:
   - Select the integration type from the Integration drop-down list. In this case, Azure, which is already selected by default.
   - Select the integration scope from the Integration Scope drop-down list. The Azure integration can only run on a cloud scope, which NetSPI configured; Cloud is the default value.
   - Enter an integration name and description in the Integration Name and Description fields.
   - Use the Enabled slider to set the integration on (blue) or off (light gray).
   - In the Microsoft Azure Parameters field group, enter the following values:
     - Enter the Directory (tenant) and Application (client) IDs copied in step 5 of the section above in the Tenant ID and Client ID fields, respectively.
     - Enter the client secret created in step 8 of the section above in the OAuth2 Secret field.
   - In the Azure Subscription ID(s) field group, enter the following values:
     - Enter the Subscription ID copied in step 15 of the section above into the Subscription IDs field.
     - Select Add to add additional subscription IDs as needed.
6. Select Create to create the integration. The new integration now displays on the Applied Integrations tab with its current and last run status, last run time, and enabled/disabled status.