Microsoft Azure

What is Microsoft Azure? #

Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data.

Why Should You use the Microsoft Azure Connector? #

Lucidum uses the Microsoft Azure connector to retrieve data from Microsoft Azure virtual machines and Azure services, including Azure Active Directory, Azure Blob Storage, Azure Cosmos DBs, and Azure SQL DBs.

• ensure virtual machines and services are managed per your security policies

• monitor each endpoint and its status

How Does This Connector Work? #

Lucidum executes read-only requests to the REST API for Microsoft Azure and ingests only meta-data about Azure instances and services. Lucidum does not retrieve any data stored on your systems.

Prerequisite: Creating an Azure Application #

Before configuring the Microsoft Azure connector in Lucidum, you must a create a read-only application in Azure Active Directory that allows Lucidum to retrieve information from Azure.

Creating a Client in Microsoft Azure (5 minutes) #

1. Log in to the Azure Portal (https://portal.azure.com/ ) with an Azure AD global administrator account.	https://portal.azure.com/ Log in with an Azure AD global administrator account NOTE: Do not log in with the Application Administrator account. This Application Administrator account does not have the required privileges.
2. Click Home > Microsoft Entra ID.	If you have more than one directory, make sure you are logged in to the directory you want to access with Lucidum.
3. In Overview page:	In the Left pane click App registrations In the Main pane click New registration
4. In the Register an application page:	Name. Name of the new application (for example, lucidum_connector_app). Click Accounts in this organizational directory only Click Register
5. In the <app name> page	Note and copy Application (client) ID. You will need it later. Note and copy Object ID. You will need it later. Note and copy Directory (tenant) ID. You will need it later. In the Left Pane click Manage > Certificates & secrets
6. In the <app name> | Certificates & secrets page:	In the Main pane click New Client Secret In Add a client secret pane (far right) Description. Provide name of the Azure application (for example, lucidum_connector_app) Expires. Select 180 days (6 months Click Add In the Main pane, note and copy the Value and Secret ID. You will need them later. In the Left  pane click Manage > API permissions
7. In the <app name> | API permissions page:	In the Main pane click Add a permission In the Request API permissions pane (far right): Click AuditLogs> AuditLog.Read.All. Click Directory > Directory.Read.All Click User > User.Read.All Click UserAuthenticationMethod > UserAuthenticationMethod.Read.All Click Add permissions In the Main pane, highlight each permission and click Grant admin consent for <your organization>
8. Click Home > Subscriptions.
9. In the Subscriptions page:	Copy the Subscription ID. You will need it later. Click the link for your Azure subscription. Alsso copy the link. You will need it to configure a Role for Azure Blob Storage.
10.In the Main pane <azure subscription>:	Click Access Control (IAM) Click Add > Role assignment.
11. In the Add role assignment page:	Search for Reader Select Reader Click Next
12. In the Add role assignment page:	Click Members Click User, group, or service principal Click Select Members In the Select Members pane (far right) Search for the app you created (for example, lucidum_connector_app) Highlight the app. Click Select
13. In the Add role assignment page:	Click Review + assign Click Review + assign
14.In the Main pane <azure subscription>:	Click Access Control (IAM) Click Add > Role assignment.
15. In the Add role assignment page:	Search for Storage Blob Data Reader Select Storage Blob Data Reader Click Next
16. In the Add role assignment page:	Click Members Click User, group, or service principal Click Select Members In the Select Members pane (far right) Search for the app you created (for example, lucidum_connector_app) Highlight the app. Click Select
17. In the Add role assignment page:	Click Review + assign Click Review + assign

Optional Prerequisite: Creating a Role for Azure Blob Storage #

NOTE: If the Azure connector ingests data from Azure Blob storage, ensure that your firewall safe-lists include the IP address of your Lucidum instance.

To access data about Microsoft Azure Blob Storage, you must define an additional role, Storage Blob Data Reader, and add it to the Lucidum read-only application in Azure Active Directory. To do this:

1.      Log in to the Azure Portal (https://portal.azure.com/ ) with an Azure AD global administrator account.	https://portal.azure.com/ Log in with an Azure AD global administrator account NOTE: Do not log in with the Application Administrator account. This Application Administrator account does not have the required privileges.
2.      Click Home > Subscriptions.	Enter the link you saved in step #9 above.
3.      In the Main pane <azure subscription>:	Click Access Control (IAM) Click Add > Role assignment.
4.      In the Add role assignment page:	Search for Storage Blob Data Reader Select Storage Blob Data Reader Click Next
5.      In the Add role assignment page:	Click Members Click User, group, or service principal Click Select Members In the Select Members pane (far right) Search for the app you created (for example, lucidum_connector_app) Highlight the app. Click Select
6.      In the Add role assignment page:	Click Review + assign Click Review + assign
7.      In the Main pane <azure subscription>:	Click Access Control (IAM) You should see the new role assignment under “Storage Blob Data Reader”

Troubleshooting Azure Blob Storage #

NOTE: If the Azure connector ingests data from Azure Blob storage, ensure that your firewall safe-lists include the IP address of your Lucidum instance.

If you see the error:

Exception:Not authorized to perform list blobs for any container!"

you must safe-list the IP address of your Lucidum instance.

Configuring the Microsoft Azure Connector #

To configure Lucidum to retrieve data from Azure:

1. Log in to Lucidum.

2. In the left pane, select Connector.

3. In the Connector page, select Add Connector.

4. Scroll until you find the Connector for Microsoft Azure. Click Connect. The Settings page appears.

 To test the configuration, click Test.

• If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

• If the connector is not configured correctly, Lucidum displays an error message.

Source Documentation #

Creating an Application in Azure #

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

Required Permissions are:

• User > User.Read.All

• Directory > Directory.Read.All

• AuditLog> AuditLogs.Read.All.

• UserAuthenticationMethod > UserAuthenticationMethod.Read.All

API Documentation #

• https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/resources/directoryobject?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-1.0

• https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethod?view=graph-rest-1.0