Microsoft Cloud Scan Setup
Prerequisites to Perform Cloud Scan using Enterprise App
Before you can initiate the Cloud Scan, you must first set up an Enterprise App in the Microsoft Azure tenant to be assessed. The Enterprise App provides the credentials and permissions necessary to perform the scan. You may need the help of an on-site IT administrator.
Follow these steps to set up the Enterprise App in the Azure environment to be assessed. This walk-through covers how to do this using the Microsoft Azure Portal (portal.azure.com).
Note on Scanning and Azure Subscription Types
NOTE You must have an active Azure subscription in the Azure tenant to be assessed.
IMPORTANT The Cloud Scan will work with Microsoft Entra ID Free, Entra ID P1, and Entra ID P2 subscriptions. However, obtaining MFA data and sign-in data requires at least Premium P1. With the Free subscription, MFA-enabled status, last login for users, and control issue scores for AdminMFAV2, MFARegistrationV2, and Inactive Accounts will not be reported.
NOTE If you are not using a paid subscription, your Azure environment may not look like what is presented in the instructions below.
Step 1 — Create Enterprise App in Azure Tenant to be Assessed
From the Azure Portal home page, search for and open Microsoft Entra ID.

From the left menu, click Manage > App registrations. Then click New registration.

Enter a name for the application. Choose the Supported account types for the app. A Redirect URL is not required. Then click Register.

Step 2 — Grant API Permissions to Enterprise App
From your app, click Manage > API permissions from the left menu. Next click Add a permission.

From Microsoft APIs, choose the Microsoft Graph API.

From Application Permissions, select and assign the permissions detailed in the list below. When you are finished, click Add Permissions.

- AdministrativeUnit.Read.All
- AuditLog.Read.All
- Device.Read.All
- Directory.Read.All
- Domain.Read.All
- Group.Read.All
- GroupMember.Read.All
- IdentityProvider.Read.All
- Notes.Read.All
- Organization.Read.All
- Reports.Read.All
- SecurityEvents.Read.All
- Sites.Read.All
- User.Read.All
- Subscription.Read.All (*located under Delegated Permissions)
- User.ReadBasic.All (*located under Delegated Permissions)
NOTE Switch to Delegated permissions to find the two permissions above.

Finally, click Grant admin consent for the app permissions. Some permissions require admin consent to be added. Work with your on-site Azure administrator to grant admin consent.

Step 3 — Create Secret Key for Enterprise App
From your app, click Manage > Certificates & secrets from the left menu.
From Client secrets, click New client secret.

Enter a description for the secret and select an expiration period. Click Add.
Take note of the secret Value and copy it to your clipboard. The portal shows the Value only immediately after the secret is created; if you navigate away without saving it, you will need to create a new client secret.

Step 4 — Add App as Reader to Root Management Group or Subscription
In this step, you will add the App you created as a Reader to either the Root Management Group or your active Subscription.
From your Azure tenant, navigate to Microsoft Entra ID > Manage > Properties. Switch Access management for Azure resources to Yes.

Next, navigate to Microsoft Entra ID > Manage > App registrations. Find and click on the app you created earlier. Copy the complete display name of the app to your clipboard.

Next, choose whether to add the App you created as a Reader to either the Root Management Group or your active Subscription.
- Option A (preferred): Add App as Reader to Subscription
- Option B: Add App as Reader to Root Management Group
Option A (preferred): Add App as Reader to Subscription
From the search bar, search for and open Subscriptions.

Select your Subscription.

Select Access Control (IAM).

Click on ‘+ Add’ and ‘Add role assignment’.

Select the ‘Reader’ role and then click on Next.

With ‘User, group, or service principal’ selected, click on ‘+ Select Members’.

In the Select members box, paste the Display name of the app that you copied earlier. Then click Select.

Click Next and then click Review + assign.

You can find the app that you added under Role assignments.

Option B: Add App as Reader to Root Management Group
From the search bar, search for and open Management Groups.

Click on and open the Tenant Root Group.

Select Access Control (IAM).

Click on ‘+ Add’ and ‘Add role assignment’.

Select the ‘Reader’ role and then click on Next.

With ‘User, group, or service principal’ selected, click on ‘+ Select Members’.

In the Select members box, paste the Display name of the app that you copied earlier. Then click Select.

Click Next and then click Review + assign.

You can find the app that you added under Role assignments.

Step 5 — Gather Credentials and Perform Scan
To perform a combined Microsoft Cloud and Azure Scan, you will need three separate credentials.
- Tenant ID
- Client ID (also called "Application ID")
- Client secret Value (also called "Value")
IMPORTANT Share these credentials with CloudConnected only through a secure channel.
You can find the Tenant ID and Client ID in the Azure Portal from Microsoft Entra ID > Manage > App registrations > [Your App] > Overview.

Also, from App registrations > [Your App] > Certificates & secrets > Client secrets, copy the client secret value.
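Before handing the three credentials over, it is worth confirming that the app from Step 2 actually received (and was admin-consented for) the application permissions the scan needs. The check below is an added example, not part of this guide or of the CloudConnected scanner: it builds the client-credentials token request from the Tenant ID, Client ID and client secret, and inspects the `roles` claim of the resulting Microsoft Graph access token for any required application permission that is missing. The sample token it decodes is constructed and unsigned, so the check runs offline; `make_sample_token` and `missing_app_permissions` are names chosen here, not Azure APIs.

```python
import base64
import json
from urllib.parse import urlencode

# Application (app-only) Graph permissions listed in Step 2 of the guide.
REQUIRED_APP_PERMISSIONS = [
    "AdministrativeUnit.Read.All", "AuditLog.Read.All", "Device.Read.All",
    "Directory.Read.All", "Domain.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "IdentityProvider.Read.All", "Notes.Read.All",
    "Organization.Read.All", "Reports.Read.All", "SecurityEvents.Read.All",
    "Sites.Read.All", "User.Read.All",
]

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant against the
    Entra ID v2.0 token endpoint; /.default requests every consented app role."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body

def _jwt_payload(token):
    """Decode a JWT payload without verifying the signature: inspection only."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def missing_app_permissions(access_token):
    """Required application permissions absent from the token's 'roles' claim.
    A missing role usually means the permission was not added or admin consent
    was not granted (Step 2). Delegated permissions never appear in an app-only
    token, so Subscription.Read.All and User.ReadBasic.All are not checked."""
    granted = set(_jwt_payload(access_token).get("roles", []))
    return sorted(p for p in REQUIRED_APP_PERMISSIONS if p not in granted)

def make_sample_token(roles):
    """Constructed, unsigned token for offline testing; not a real credential."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": roles})
    return f"{header}.{payload}.placeholder-signature"
```

In practice you POST the body returned by `build_token_request` to its URL, pass the `access_token` from the JSON response to `missing_app_permissions`, and expect an empty list; anything listed points back to Step 2.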

Updated on: 10/12/2024
Thank you!