Microsoft Azure Connector (previous revision)

Getting started with Azure connector


Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

Prerequisites

Before you can use the integration, there are several steps that need to be performed in Microsoft Azure.

  1. Create an Azure Application

  2. Obtain the required parameters for the connector's configuration

  3. Grant the Azure Application API permissions

Create an Azure Application

  1. Log in to the Microsoft Azure Portal

  2. Go to Azure Active Directory --> App registrations --> New registration

  3. In the Name box, enter the name for the application.

  4. In the Supported account types section, choose one of the three options to specify the type of accounts that can access the API.

  5. (Optional) In the Redirect URI section, select either Web or Public client (mobile & desktop) from the drop-down, and then enter the URI in the text box.

  6. Click Register to finish the settings and create the application.

Obtain the required parameters for the connector's configuration

On the Overview page of the new application, obtain the following values which will be used when configuring the connector itself. 

  • Application (client) ID

  • Directory (tenant) ID

On the left pane of the application you've created, go to Certificates & secrets --> New client secret. Add a description for the client secret and set an expiration date. Click on Add and obtain the client secret key.

The last required parameter is the Subscription ID. In the top search bar, search for Subscriptions --> copy the Subscription ID of the relevant subscription.

Note that at the end of these steps you should hold the following values:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret

  • Subscription ID

Grant the Azure Application API permissions

  1. In the Microsoft Azure Portal, go to Subscriptions

  2. Click the applicable subscription

  3. In the Overview page of the chosen subscription, click on Access Control (IAM) and click on Add

  4. Click on Add role assignment

  5. In the Role drop-down choose Reader

  6. In the Assign access to drop-down, select Azure AD user, group, or service principal

  7. In the Select drop-down, select your Azure Application

  8. Click on Save
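
To confirm from the command line what these steps granted, the following added example (not part of the original guide and not Vulcan's code) audits the JSON printed by `az role assignment list --assignee <application-id> --all -o json` and reports anything other than Reader on the subscription. The sample JSON, the subscription ID and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape printed by
#   az role assignment list --assignee <application-id> --all -o json
# (only the fields used below; the subscription ID is a placeholder).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"}
]
""")


def audit_role_assignments(assignments, subscription_id):
    """Return findings for a connector service principal.

    An empty list means the principal holds Reader on the subscription and
    no other role anywhere, which is what the steps above grant.
    """
    expected = f"/subscriptions/{subscription_id}".lower()
    findings = []
    has_reader = False
    for item in assignments:
        role = item.get("roleDefinitionName", "")
        raw_scope = item.get("scope", "")
        # Azure scopes are case-insensitive; normalise before comparing.
        scope = raw_scope.rstrip("/").lower()
        if role != "Reader":
            findings.append(f"unexpected role {role!r} at {raw_scope}")
        elif scope == expected:
            has_reader = True
        elif not scope.startswith(expected + "/"):
            # Reader on a management group, the root, or another subscription.
            findings.append(f"Reader granted outside the subscription: {raw_scope}")
        # Reader on a resource inside the subscription is redundant, not broader.
    if not has_reader:
        findings.append("Reader is not assigned at the subscription scope")
    return findings


if __name__ == "__main__":
    for finding in audit_role_assignments(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID):
        print("FINDING:", finding)
```

An empty result means the application holds only the Reader role this guide asks for; any finding is a role assignment to review before entering the credentials in the connector.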

At the end of this step, when you go to the application's API permission, you will see the following state:

Defining a connector

In the Connectors page, click on Add a Connector.

Click on Azure connector.

Fill in all the relevant fields you got from section 1:

  • Client Id 

  • Tenant Id (Directory ID)

  • Subscription Id

  • Service Principal Password (Client Secret) 

Click on Create

You can see the connector’s progress in the Log tab:

Please note: if the provided credentials have 0 virtual machines available, the API call will fail and we will display the following message in the log: "Failed to fetch any Virtual Machine with given credentials"

View data from Microsoft Azure in Vulcan

In the Assets page, new assets from your Azure account will be added to Vulcan.

  • Click on an asset to view its Asset Card.

  • Data that came from other products, such as vulnerability scanners, is displayed under Vulnerabilities.

  • All the relevant data from Azure is pulled and can be viewed under Details.

Microsoft Azure API Permissions

| API | Use in Vulcan | Permission required |
|---|---|---|
| {subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Compute/virtualMachines | | Scopes: user_impersonation |
| {subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/networkInterfaces/ | | Scopes: user_impersonation |
| {subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/publicIPAddresses/ | | Scopes: user_impersonation |
| {subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Compute/disks/ | | Scopes: user_impersonation |
| {subscription_id}/resourcegroups | | Scopes: user_impersonation |
