Azure Cloud Discovery

Purpose

This document describes how to set up Microsoft Azure the App for Discovery on OUTSCAN.

Introduction

The Azure Cloud Discovery scan identifies your Azure instances in cloud environments with provided Azure credentials and querying the Azure API. It enumerates assets via Azure API and get asset identifiers populated describing the tenant, subscription, resource group and instance as well as any assigned IP, hostname or MAC possible to enumerate in the API. Import tags are assigned to the discovered virtual machine instances.

Prerequisites

Microsoft Azure account (Home - Microsoft Azure)
An application in Microsoft Entra ID (formerly Azure Active Directory) with the client secret credential created

Setup the App for Discovery in Azure

Create a Role

To discover resources, we must create a role in IAM, which is belongs to a subscription, you can read more about it in Organize your Azure resources effectively.

Go to the current subscription > IAM.
Click Add followed by Add custom role.

In Create a custom role, provide the JSON with the necessary permissions, replace your role name and your subscription ID.

Create a custom role

JS

{
    "properties": {
        "roleName": "<Your role name here>",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<Your subscription ID here>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/*/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkInterfaces/*/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/publicIPAddresses/*/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/*/read",
                    "Microsoft.Network/dnszones/read",
                    "Microsoft.Network/dnszones/*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

After saving the changes, press Review + Create and create the role with the necessary permissions.

Assign the Role to the App

Go to the newly created role in Subscription > IAM > Add > Add role assignment.
Filter by type Custom Role and select that role.
Select a member in Select members, which is the app name previously created.
Review + Assign to finish the process.

Create Azure credential in Portal

Obtain application’s information in Microsoft Entra ID > Applications.
Fill it in the Portal’s new credential. See Generate Azure Credentials for more information.
1. In the drop-down menu select Microsoft Azure.
2. Add the Name of your Azure account.
3. Add the Tenant ID.
4. Add the Client ID.
5. Add the Secret.
  
  See Steps to Find Azure Parameters in the Azure Console for reference.
6. Click blue Add button.

Run Discovery

Create a new discovery scan, with selected credential and perform the scan.

Create a scan configuration. You can provide subscription directly by input string inside input "Subscriptions", or you can leave empty and trigger scan for the first time to get all subscription.
Run the first time to get all the subscriptions.
Wait till the scan finished.
Go back to scan configuration and update scan configuration with subscription.
Trigger the scan and wait till the scan is finished.