
Azure Cloud Discovery



Purpose

This document describes how to set up the Microsoft Azure App for Discovery on OUTSCAN.

Introduction

The Azure Cloud Discovery scan identifies the virtual machine instances in your Azure environment by querying the Azure API with the provided Azure credentials. It enumerates assets through the API and populates asset identifiers describing the tenant, subscription, resource group and instance, as well as any assigned IP address, hostname or MAC address that can be enumerated via the API. Import tags are assigned to the discovered virtual machine instances.

Prerequisites

  • Microsoft Azure account

  • An application registered in Microsoft Entra ID (formerly Azure Active Directory) with a client secret credential created

Setup the App for Discovery in Azure

Create a Role

To discover resources, create a custom role under the subscription's Access control (IAM). A custom role belongs to a subscription; for background, see Organize your Azure resources effectively.

  1. Go to the subscription > Access control (IAM).



  2. Click Add, then Add custom role.



  3. In Create a custom role, provide the JSON with the necessary permissions, replacing the role name and the subscription ID with your own. The role grants only read actions and is assignable only to the single subscription, which is all the discovery needs; do not widen it.

    Create a custom role (JSON)

    {
        "properties": {
            "roleName": "<Your role name here>",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<Your subscription ID here>"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Compute/virtualMachines/*/read",
                        "Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Network/networkInterfaces/*/read",
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/publicIPAddresses/*/read",
                        "Microsoft.Resources/subscriptions/read",
                        "Microsoft.Resources/subscriptions/*/read",
                        "Microsoft.Network/dnszones/read",
                        "Microsoft.Network/dnszones/*/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }




  4. After saving the JSON, click Review + create and create the role with the necessary permissions.
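A pre-flight check on the role JSON before creating it, added here as an example (it is not Outpost24 code). The role above only needs control-plane read actions on one subscription, so the check flags any action that is not a read, any data-plane action, and any assignable scope that is not a single subscription. The role name, subscription ID and the over-broad counter-example are constructed for the demonstration.

```python
"""Pre-flight check for the discovery custom role (added example, not Outpost24 code)."""
import copy

# Provider namespaces the discovery reads from, taken from the page's role JSON.
ALLOWED_PROVIDERS = {"microsoft.compute", "microsoft.network", "microsoft.resources"}

# Constructed sample: the page's role with a hypothetical name and subscription ID.
DISCOVERY_ROLE = {
    "properties": {
        "roleName": "outscan-discovery-reader",
        "description": "Read-only role for Azure Cloud Discovery",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
        "permissions": [{
            "actions": [
                "Microsoft.Compute/virtualMachines/*/read",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Network/networkInterfaces/*/read",
                "Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/*/read",
                "Microsoft.Resources/subscriptions/read",
                "Microsoft.Resources/subscriptions/*/read",
                "Microsoft.Network/dnszones/read",
                "Microsoft.Network/dnszones/*/read",
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}

# Constructed counter-example: the same role after two common editing mistakes,
# making it assignable at the tenant root and adding a wildcard that also
# covers write and delete on virtual machines.
OVERBROAD_ROLE = copy.deepcopy(DISCOVERY_ROLE)
OVERBROAD_ROLE["properties"]["assignableScopes"] = ["/"]
OVERBROAD_ROLE["properties"]["permissions"][0]["actions"].append(
    "Microsoft.Compute/virtualMachines/*")


def check_role_definition(role):
    """Return a list of findings; an empty list means read-only and subscription-scoped."""
    props = role.get("properties", role)
    findings = []
    if not props.get("roleName"):
        findings.append("roleName is empty")
    scopes = props.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        parts = scope.strip("/").split("/")
        # Only "/subscriptions/<id>" is acceptable. "/" (tenant root) or a
        # management group would let the role be assigned far wider than intended.
        if len(parts) != 2 or parts[0].lower() != "subscriptions":
            findings.append("assignableScope is not a single subscription: %s" % scope)
    for perm in props.get("permissions", []):
        # Data-plane rights (blob contents, key vault secrets, ...) are never
        # needed for discovery, so their presence means the JSON was mis-edited.
        for key in ("dataActions", "notDataActions"):
            if perm.get(key):
                findings.append("%s must be empty for a control-plane read role" % key)
        for action in perm.get("actions", []):
            # "*" and "<type>/*" do not end in /read and cover write and delete.
            if not action.lower().endswith("/read"):
                findings.append("non-read action: %s" % action)
                continue
            provider = action.split("/", 1)[0].lower()
            if provider not in ALLOWED_PROVIDERS:
                findings.append("action outside the expected providers: %s" % action)
    return findings


if __name__ == "__main__":
    for name, role in (("page role", DISCOVERY_ROLE), ("over-broad role", OVERBROAD_ROLE)):
        print(name, "->", check_role_definition(role) or "OK")
```

Run this against the JSON you are about to paste into the portal; the page's role passes with no findings, while the counter-example is rejected for both the tenant-root scope and the wildcard action.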

Assign the Role to the App

  1. Go to the subscription > Access control (IAM) > Add > Add role assignment.



  2. Filter by type Custom role and select the role created above.


  3. Under Select members, select the application registered earlier as the member.




  4. Click Review + assign to finish the process.

Create Azure credential in Portal

  1. Obtain the application's details from Microsoft Entra ID > App registrations: the Directory (tenant) ID, the Application (client) ID and the client secret value.



  2. Enter them in the Portal's new credential form. See Generate Azure Credentials for more information.

    1. In the drop-down menu, select Microsoft Azure.



    2. Add a Name for the credential.
    3. Add the Tenant ID.
    4. Add the Client ID.
    5. Add the Secret.



    6. Click the Add button.

Run Discovery

Create a new discovery scan with the credential selected and run it.

  1. Create a scan configuration. You can enter the subscription IDs directly in the Subscriptions field, or leave it empty and run the scan once to list all subscriptions the application can see.



  2. Run the scan the first time to retrieve all subscriptions.



  3. Wait until the scan has finished.





  4. Go back to the scan configuration and update it with the subscription(s) to scan.



  5. Trigger the scan and wait until it has finished.
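The enumeration path the discovery described in the Introduction and in the steps above takes, written out as an added example (not Outpost24 code and not the scanner's implementation): subscriptions, then virtual machines, then network interfaces, then public IP addresses, each step needing only the read actions granted by the custom role. The resource ID parser and record builder run offline on a constructed sample; discover() needs the azure-identity, azure-mgmt-resource, azure-mgmt-compute and azure-mgmt-network packages plus a real tenant ID, client ID and client secret. The tenant, subscription, resource group, VM and network values are hypothetical.

```python
"""The enumeration path the discovery scan follows (added example, not Outpost24 code)."""
import json
import re

# A VM references its NICs, and a NIC its public IP, only by ARM resource ID, so
# following those references means pulling resource group and name out of the ID
# for the next GET. Child resources (e.g. a subnet under a VNet) are not needed
# here, so the pattern stops at the first-level resource name.
_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_resource_id(resource_id):
    """Split an ARM resource ID into subscription, resource group, provider, type and name."""
    match = _RESOURCE_ID.match(resource_id)
    if not match:
        raise ValueError("not a first-level ARM resource ID: %r" % resource_id)
    return match.groupdict()


def build_asset_record(tenant_id, vm_id, vm_name, computer_name, tags, nic_details):
    """Assemble the identifiers reported for one VM.

    nic_details: one dict per NIC with keys mac, private_ips, public_ips, fqdns.
    """
    ref = parse_resource_id(vm_id)
    return {
        "tenant": tenant_id,
        "subscription": ref["subscription"],
        "resource_group": ref["resource_group"],
        "instance": vm_name,
        "hostname": computer_name,
        "macs": [n["mac"] for n in nic_details if n.get("mac")],
        "private_ips": [ip for n in nic_details for ip in n.get("private_ips", [])],
        "public_ips": [ip for n in nic_details for ip in n.get("public_ips", [])],
        "fqdns": [f for n in nic_details for f in n.get("fqdns", [])],
        "tags": dict(tags or {}),  # Azure tags are what become import tags
    }


def discover(tenant_id, client_id, client_secret, subscription_ids=None):
    """Live enumeration with the app's client secret; returns one record per VM."""
    # Imported here so the offline helpers work without the Azure SDK installed.
    from azure.identity import ClientSecretCredential
    from azure.mgmt.compute import ComputeManagementClient
    from azure.mgmt.network import NetworkManagementClient
    from azure.mgmt.resource import SubscriptionClient

    cred = ClientSecretCredential(tenant_id, client_id, client_secret)
    # No subscriptions given: list every subscription the role assignment makes
    # visible (Microsoft.Resources/subscriptions/read), as the first scan run does.
    if not subscription_ids:
        subscription_ids = [s.subscription_id for s in SubscriptionClient(cred).subscriptions.list()]
    assets = []
    for sub in subscription_ids:
        compute = ComputeManagementClient(cred, sub)
        network = NetworkManagementClient(cred, sub)
        for vm in compute.virtual_machines.list_all():
            nic_details = []
            for nic_ref in vm.network_profile.network_interfaces:
                nic_id = parse_resource_id(nic_ref.id)
                nic = network.network_interfaces.get(nic_id["resource_group"], nic_id["name"])
                detail = {"mac": nic.mac_address, "private_ips": [], "public_ips": [], "fqdns": []}
                for ipc in nic.ip_configurations or []:
                    if ipc.private_ip_address:
                        detail["private_ips"].append(ipc.private_ip_address)
                    if ipc.public_ip_address:  # only an ID here; one more read resolves it
                        pip_id = parse_resource_id(ipc.public_ip_address.id)
                        pip = network.public_ip_addresses.get(pip_id["resource_group"], pip_id["name"])
                        if pip.ip_address:
                            detail["public_ips"].append(pip.ip_address)
                        if pip.dns_settings and pip.dns_settings.fqdn:
                            detail["fqdns"].append(pip.dns_settings.fqdn)
                nic_details.append(detail)
            computer_name = vm.os_profile.computer_name if vm.os_profile else None
            assets.append(build_asset_record(tenant_id, vm.id, vm.name, computer_name, vm.tags, nic_details))
    return assets


# Constructed sample standing in for what discover() would return from the API.
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"
                "/providers/Microsoft.Compute/virtualMachines/web01")
SAMPLE_NICS = [{"mac": "00-0D-3A-11-22-33", "private_ips": ["10.0.1.4"],
                "public_ips": ["20.0.0.10"], "fqdns": ["web01-prod.westeurope.cloudapp.azure.com"]}]


def sample_record():
    return build_asset_record(SAMPLE_TENANT, SAMPLE_VM_ID, "web01", "web01",
                              {"env": "prod"}, SAMPLE_NICS)


if __name__ == "__main__":
    print(json.dumps(sample_record(), indent=2))
```

If a subscription is missing from the first run, or a VM shows up without its public IP, check the role assignment scope and the publicIPAddresses read actions before suspecting the scanner: every identifier here comes from exactly one of the read actions in the role JSON.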




Reference

  1. Organize your Azure resources effectively, https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources





Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.
