Azure

Discover, catalog and map your cloud resources from Microsoft Azure within your service catalog.

Summary - Creating an Azure Credential

  1. Register an application on Azure portal in the appropriate tenant and subscription.

  2. Add a client secret for configure8 discovery app. Copy the Value to a secure location.

  3. Add Read permissions for your Registered App.

  4. Go to configure8 app -> Settings -> Credentials -> Add Credential and select Azure credential provider.

  5. Set up name for the Credential and fill info based on this.

  6. Hit Save. The credentials will be checked and a discovery job will start. Done!

Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Microsoft Azure.

Azure allows organizations to achieve goals with the freedom and flexibility to build, manage, and deploy their applications anywhere.

Azure Resource Discovery

The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform.

To perform auto discovery of your Microsoft Azure resources for your service catalog, configure8 utilizes a registered application that delegates read-only permission for the configure8 discovery workers to read the Azure service metadata. That metadata is then recorded within your configure8 catalog for service mapping and drift detection. Each discovery worker runs in its own isolated container to ensure there is no cross pollination of resources for an organization.

Prerequisite

In order to get started with auto discovery for you Microsoft Azure resources, you must register a new application in the Azure portal.

You can review the full instructions for registering an application with the Microsoft identity platform here.

In order to complete these steps, your Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:

Register an application

To get started, sign in to the Azure portal and select the appropriate tenant and subscription where you want to register your configure8 discovery application.

Next, in the top search bar, search for Azure Active Directory and open the service. Once you are in the Azure Active Directory service, under the Manage heading select App Registrations > New Registrations.

In the Register an application, enter a display Name (ex. configure8 discovery app) for your application and select the Accounts in this organizational directory only (Default Directory only - Single tenant) for the supported account types.

Finally, click Register to complete the application registration for your selected tenant and subscription.

Add a client secret

A client secret is a string value your registered app can use to identity itself. To create a client secret for your configure8 discovery app, start by navigating to your newly registered application.

From your registered app, select Certificates & secrets > Client secrets > New client secret.

Next, add a Description for your client secret and select a value for Expires from the dropdown list on for how long you would like the secret to be valid. To create the client secret, click Add.

Once you have added the new secret, make sure you copy the client secret Value to a secure location. This value will be used to connect the configure8 auto discovery to your Azure account.

Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.

Add Read permissions for your Registered App

Next, in the top search bar, search for Subscriptions and open the service. Once you are in the Subscriptions, select your subscription that contains the resources you would like configure8 to discover.

From your Subscription page, select Access Control (IAM) and the Add > Add role assignment menu option to assign a role to your registered application.

From the available list of roles, select Reader and select Next.

Next, click the Select members link to display the flyout dialog. From the dialog, search for you registered applications name. When you see it in the search results, click the registered app and it will move under the Selected Members list. Then click Select to add it to the Members list on the Add role assignment wizard.

Verify the registered application is now displayed under the Members and select Next to continue.

Review your completed role assignment and click Review + assign to complete adding the registered application to the Reader role.

Creating an Azure Credential

To connect your Microsoft Azure account to configure8, perform the following steps.

Get started by navigating to the Credentials page by clicking on the "lock" icon on the menu bar.

Next, select the Add Credential button.

From the Add Credential pop-up, select AZURE from the list of available providers.

Next, enter the information required for your credential.

  • Name: a recognizable alias for the new credential

  • Client Secret: This is the value you copied when creating your client secret in the prerequisites above.

  • Subscription ID: This is your subscription ID GUID that the configure8 discovery worker will scan for resources.

Select Save to create your Azure credential in configure8. The configure8 app will automatically validate the credentials to make sure they work. If they do not, the credentials will not be saved and you will be prompted to fix them.

If the credentials pass, your credentials will be saved and the configure8 discovery service will automatically run a one-time auto discovery to get a baseline of your Azure account resources.

Scheduling a discovery

configure8 can auto discover the Cloud resources within your Microsoft Azure account on an ad-hoc basis or by leveraging our scheduling engine to scan for new resources on a 24/48 hour interval.

To create a discovery job for your Azure account, start by navigating to the Credentials page by navigating to the Settings (gear) icon on the left hand side navigation.

Find the credentials you would like to schedule for auto discovery, select the ellipse button to display the context menu and select the View option.

From the pop-up under the Discovery section, you can schedule an on-going auto discovery of your resources by toggling on the Auto Discovery switch if not enabled, then choosing a frequency from the Schedule dropdown and selecting Save.

From the pop-up under the Manual Discovery section, you can also run an ad-hoc discovery simply by clicking Run Now.

Supported Auto Discovery Resources

The current supported Azure resources that are auto discoverable by configure8 are:

  • Azure Application Gateway

  • Azure Application Security Groups

  • Azure Application Services

  • Azure Application Services Plans

  • Azure Containers

  • Azure Container Groups

  • Azure Cosmos DB - Core

  • Azure Cosmos DB - MongoDB

  • Azure Cosmos DB - Cassandra

  • Azure Cosmos DB - Gremlin

  • Azure Cosmos DB - Table

  • Azure Disk Storage

  • Azure Functions

  • Azure Kubernetes Service (AKS)

  • Azure Load Balancer

  • Azure MySql

  • Azure Network Security Groups

  • Azure Public IP Addresses

  • Azure Redis

  • Azure SQL

  • Azure Storage Accounts

  • Azure Virtual Machine

PreviousAWS Security HubNextAzure DevOps

Last updated

Copyright © 2023 configure8, Inc. All rights reserved.