
Azure Cloud Discovery



Purpose

This article describes how to set up the Microsoft Azure App for Discovery on OUTSCAN.

Introduction

Azure Cloud Discovery enables Outpost24 to enumerate and import Azure virtual machine instances by querying the Azure API using provided credentials. It captures identifiers such as tenant, subscription, resource group, and any associated IPs, hostnames or MAC addresses, and applies import tags based on those attributes. This capability enhances visibility into Azure environments and ensures that dynamically changing infrastructure is reliably reflected within the vulnerability management system.
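The following is an added illustration (not Outpost24 code) of the attributes the introduction lists and how they can be derived from Azure data: it parses Azure Resource Manager resource IDs, joins a VM to its network interfaces and public IP addresses, and turns tenant, subscription and resource group into import tags. The sample records are constructed to follow the shape of ARM responses for virtualMachines, networkInterfaces and publicIPAddresses, and the tag key names are an assumption.

```python
"""What discovery pulls out of Azure VM, NIC and public IP records and how
those attributes become import tags. Added illustration, not Outpost24 code.
The sample records are constructed to follow the shape of Azure Resource
Manager responses for virtualMachines, networkInterfaces and publicIPAddresses;
the tag key names (azure:tenant, azure:subscription, ...) are an assumption."""
import re

# ARM resource IDs are paths:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<namespace>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_resource_id(resource_id: str) -> dict:
    """Split an ARM resource ID into its components; reject unexpected shapes."""
    m = RESOURCE_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"unexpected resource id: {resource_id}")
    return m.groupdict()


def discover_vm(vm: dict, nics_by_id: dict, public_ips_by_id: dict, tenant_id: str) -> dict:
    """Collect tenant, subscription, resource group, hostname, IPs and MACs for one VM.
    Lookups are case-insensitive because ARM IDs are; references to the same
    resource can differ in case between API responses."""
    parts = parse_resource_id(vm["id"])
    asset = {
        "tenant": tenant_id,
        "subscription": parts["subscription"],
        "resource_group": parts["resource_group"],
        "vm_name": parts["name"],
        "hostname": vm.get("properties", {}).get("osProfile", {}).get("computerName"),
        "private_ips": [], "public_ips": [], "macs": [],
    }
    for ref in vm["properties"]["networkProfile"]["networkInterfaces"]:
        nic = nics_by_id.get(ref["id"].lower())
        if nic is None:
            # NIC not returned: typically the role lacks networkInterfaces/read
            continue
        props = nic["properties"]
        if props.get("macAddress"):
            asset["macs"].append(props["macAddress"])
        for ipconf in props.get("ipConfigurations", []):
            ipprops = ipconf["properties"]
            if ipprops.get("privateIPAddress"):
                asset["private_ips"].append(ipprops["privateIPAddress"])
            pip_ref = ipprops.get("publicIPAddress")
            pip = public_ips_by_id.get(pip_ref["id"].lower()) if pip_ref else None
            if pip and pip["properties"].get("ipAddress"):
                asset["public_ips"].append(pip["properties"]["ipAddress"])
    return asset


def import_tags(asset: dict) -> list[str]:
    """Tags derived from the asset's Azure attributes (key names are assumed)."""
    return [
        f"azure:tenant={asset['tenant']}",
        f"azure:subscription={asset['subscription']}",
        f"azure:resource-group={asset['resource_group']}",
        f"azure:vm={asset['vm_name']}",
    ]


# Constructed sample data (GUIDs and addresses are made up).
SAMPLE_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
NIC_ID = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkInterfaces/web01-nic"
PIP_ID = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/publicIPAddresses/web01-pip"
SAMPLE_VM = {
    "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01",
    "properties": {
        "osProfile": {"computerName": "web01"},
        "networkProfile": {"networkInterfaces": [{"id": NIC_ID}]},
    },
}
SAMPLE_NICS = {NIC_ID.lower(): {"id": NIC_ID, "properties": {
    "macAddress": "00-0D-3A-12-34-56",
    "ipConfigurations": [{"properties": {
        "privateIPAddress": "10.0.1.4",
        "publicIPAddress": {"id": PIP_ID},
    }}],
}}}
SAMPLE_PUBLIC_IPS = {PIP_ID.lower(): {"id": PIP_ID, "properties": {"ipAddress": "203.0.113.10"}}}

if __name__ == "__main__":
    asset = discover_vm(SAMPLE_VM, SAMPLE_NICS, SAMPLE_PUBLIC_IPS, SAMPLE_TENANT)
    print(asset)
    print(import_tags(asset))
```

The `nic is None` branch is the case the Troubleshooting section describes: when the role cannot read network interfaces, the VM is still found but arrives without its IPs and MACs, which is why the custom role grants read on networkInterfaces and publicIPAddresses as well as on virtualMachines.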

Prerequisites

  • Microsoft Azure account (Home - Microsoft Azure)

  • An application in Microsoft Entra ID (formerly Azure Active Directory) with the client secret credential created

Setup the App for Discovery in Azure

Create a Role

To discover resources, we must create a role in IAM that belongs to a subscription; you can read more about this in Organize your Azure resources effectively.

  1. Go to the current subscription > IAM.

    Cloudsec_Azure_Discovery_Access_Control_IAM.png


  2. Click Add followed by Add custom role.

    Cloudsec_Azure_Discovery_Add_Custom_Role.png


  3. In Create a custom role, provide the JSON with the necessary permissions, replacing the role name and subscription ID placeholders with your own values.

    Create a custom role

    JSON
    {
        "properties": {
            "roleName": "<Your role name here>",
            "description": "",
            "assignableScopes": [
                "/subscriptions/<Your subscription ID here>"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Compute/virtualMachines/*/read",
                        "Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Network/networkInterfaces/*/read",
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/publicIPAddresses/*/read",
                        "Microsoft.Resources/subscriptions/read",
                        "Microsoft.Resources/subscriptions/*/read",
                        "Microsoft.Network/dnszones/read",
                        "Microsoft.Network/dnszones/*/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
    


    Cloudsec_Azure_Discovery_Create_Custom_Role.png


  4. After saving the changes, press Review + Create and create the role with the necessary permissions.

    Cloudsec_Azure_Discovery_Custom_Role_Review_Create.png
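Before creating the role, it is worth checking that the JSON still grants only what discovery needs. The script below is an added example, not Outpost24 or Microsoft code: it takes a role definition with the layout shown in step 3 and reports any action that is not read-only, any non-empty dataActions, any assignable scope that is not a single subscription (including an unreplaced placeholder), and any of the article's required actions that the role does not grant. The role name and subscription GUID in the sample are constructed.

```python
"""Least-privilege check for the custom role definition from step 3 before it
is created in Azure. Added example, not Outpost24 or Microsoft code; it assumes
the role JSON has the layout shown in this article (properties.assignableScopes,
properties.permissions[].actions / notActions / dataActions)."""
import copy
import fnmatch
import re

# Actions discovery needs, taken from the role JSON in this article.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Network/dnszones/read",
]

# A single subscription scope is "/subscriptions/<GUID>"; anything else
# (root "/", a management group, an unreplaced placeholder) is flagged.
SUBSCRIPTION_SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
)


def action_allowed(action: str, permissions: list) -> bool:
    """Azure grants an action when an 'actions' pattern matches it and no
    'notActions' pattern does. Azure's '*' spans '/' like fnmatch's '*'."""
    for perm in permissions:
        granted = any(fnmatch.fnmatchcase(action, p) for p in perm.get("actions", []))
        denied = any(fnmatch.fnmatchcase(action, p) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def check_role_definition(role: dict) -> list[str]:
    """Return findings for a role definition; an empty list means it passes."""
    findings = []
    props = role["properties"]
    name = props.get("roleName", "")
    if not name or name.startswith("<"):
        findings.append("roleName is empty or still a placeholder")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE_RE.match(scope):
            findings.append(f"scope is not a single subscription: {scope}")
    perms = props.get("permissions", [])
    for perm in perms:
        for action in perm.get("actions", []):
            # Discovery is read-only; write/delete/action or a bare '*' is over-privileged.
            if not action.endswith("/read"):
                findings.append(f"non-read action granted: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty for discovery")
    for req in REQUIRED_ACTIONS:
        if not action_allowed(req, perms):
            findings.append(f"required action not granted: {req}")
    return findings


# Constructed sample: the article's role with the placeholders filled in
# (the role name and subscription GUID below are made up).
GOOD_ROLE = {
    "properties": {
        "roleName": "Outpost24 Discovery Reader",
        "description": "",
        "assignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"],
        "permissions": [{
            "actions": [
                "Microsoft.Compute/virtualMachines/*/read",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Network/networkInterfaces/*/read",
                "Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/*/read",
                "Microsoft.Resources/subscriptions/read",
                "Microsoft.Resources/subscriptions/*/read",
                "Microsoft.Network/dnszones/read",
                "Microsoft.Network/dnszones/*/read",
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}

# Constructed over-broad variant: root scope and a wildcard compute action.
OVERBROAD_ROLE = copy.deepcopy(GOOD_ROLE)
OVERBROAD_ROLE["properties"]["assignableScopes"] = ["/"]
OVERBROAD_ROLE["properties"]["permissions"][0]["actions"] = ["Microsoft.Compute/*"]

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("over-broad", OVERBROAD_ROLE)):
        print(label, check_role_definition(role) or "OK")
```

Running it prints `OK` for the article's role and a list of findings for the over-broad variant. The same check can be pointed at the JSON you actually paste into Create a custom role by loading it with `json.load` and passing the resulting dict to `check_role_definition`.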


Assign the Role to the App

  1. Go to the newly created role in Subscription > IAM > Add > Add role assignment.

    Cloudsec_Azure_Discovery_Add_Role_Assignment.png


  2. Filter by type Custom Role and select that role.

    Cloudsec_Azure_Discovery_Filter_Custom_Role.png


  3. In Select members, select the app created previously.

    Cloudsec_Azure_Discovery_Select_Members.png


  4. Click Review + Assign to finish the process.

    image2024-1-22_18-52-18.png

Create Azure credential in Portal

  1. Obtain the application's information in Microsoft Entra ID > Applications.

    Cloudsec_Azure_Discovery_App.png


  2. Enter it in a new credential in the Portal. See Generate Azure Credentials for more information.

    1. In the drop-down menu select Microsoft Azure.

      Portal_Auth_Add_Credentials_Azure.png


    2. Add the Name of your Azure account.

    3. Add the Tenant ID.

    4. Add the Client ID.

    5. Add the Secret.


    6. Click the blue Add button.

      Portal_Auth_Credentials_Azure.png


Run Discovery

Create a new discovery scan with the selected credential and perform the scan.

  1. Create a scan configuration. You can enter subscription IDs directly in the Subscriptions field, or leave it empty and run the scan once to retrieve all subscriptions.

    Portal_Scan_Config_Cloud_Discovery.png


  2. Click the Scan icon to run the scan for the first time and retrieve all subscriptions.

    Portal_Scan_Config_First_Run.png


  3. Wait till the scan is finished.

    scan_running_1.png
    Scan is running.

    scan_finished_1.png
    Scan is finished.


  4. Go back to the scan configuration and add the retrieved subscriptions to it.

    Portal_Scan_Config_General_Settings.png


  5. Click the Scan icon to run the scan again.

    Portal_Scan_Config_With_Subscriptions_Added.png


  6. Wait till the scan is finished.

    scan_running_2.png
    Scan is running.

    scan_finished_2.png
    Scan is finished.

Troubleshooting

Scan Ended with Issues

If the credential lacks some of the permissions needed to read Azure resources, the scan results will report an Issue.

Cloudsec_Azure_Discovery_Cred_Issues.png

Scan Ended as Failed

If the credentials for Azure discovery are invalid, the scan results will report the scan as Failed.

Cloudsec_Azure_Discovery_Cred_Failed.png

Reference

  1. Organize your Azure resources effectively: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources

