## What is Microsoft Azure?

Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers.
## Why Should You Use the Microsoft Azure Connector?

Lucidum uses the Microsoft Azure connector to retrieve data from Microsoft Azure virtual machines and Azure services, including Azure Active Directory, Azure Blob Storage, Azure Cosmos DBs, and Azure SQL DBs. With this data, you can:

- ensure virtual machines and services are managed per your security policies
- monitor each endpoint and its status
## How Does This Connector Work?

Lucidum executes read-only requests to the REST API for Microsoft Azure and ingests only metadata about Azure instances and services. Lucidum does not retrieve any data stored on your systems.
## Prerequisite: Creating an Azure Application

Before configuring the Microsoft Azure connector in Lucidum, you must create a read-only application in Azure Active Directory that allows Lucidum to retrieve information from Azure.

1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account.

   NOTE: Do not log in with the Application Administrator account. This Application Administrator account does not have the required privileges.

2. Select Azure Active Directory.
3. If you have more than one directory, make sure you are logged in to the directory you want to access with Lucidum.
4. If you want to change directories, click on the top-right account icon and then click Switch Directory.
5. In the left menu, select App registrations. In the main pane, click New registration. The Register an application page appears.
6. In the Register an application page, enter values in these fields:
   - Name. Enter Lucidum.
   - Supported account types. Select Accounts in this organizational directory only.
7. Click Register.
8. After you have created the application, the Azure portal displays the Application (client) ID and Directory (tenant) ID. Copy and save these values. You will need these values later to configure the Microsoft Azure connector in Lucidum.
9. In the left menu, click Certificates & Secrets. In the main pane, click New Client Secret. The Add a client secret pane appears on the right.
10. Supply values in the Add a client secret pane:
    - Description. Provide a description of the secret.
    - Expires. Select 24 months.
    - Click Add.
11. Copy and save the secret value and the secret ID. You will need these values later to configure the Microsoft Azure connector in Lucidum.
12. In the left menu, click API Permissions. In the main pane, click Add a permission. In the right pane, select Microsoft Graph.
13. Click Application permissions. The Request API Permissions pane appears.
14. In the Request API Permissions pane, select:
    - User > User.Read.All
    - Directory > Directory.Read.All
15. If you want to monitor audit log information, including whether a user used MFA in the last sign-in, you can add AuditLog > AuditLog.Read.All.
16. If you want to monitor authentication methods, you can add UserAuthenticationMethod > UserAuthenticationMethod.Read.All.
17. Click Add permissions.
18. In the main pane, click Grant admin consent for {your-domain} and then click Yes.
19. In the search box at the top bar of the portal, search for Subscriptions. Click Subscriptions.
20. In the Subscriptions page, copy and save the value of the Subscription ID. You will need this value later to configure the Microsoft Azure connector in Lucidum.
21. In the main pane, click Add and select Add role assignment. The Add role assignment pane appears.
22. In the Add role assignment pane, select:
    - Role. Select Reader.
    - Assign access to. Select User, group, or service principal.
    - Select. Select the Lucidum application.
23. Click Save. Azure displays the application and its role assignments.

You can now use the settings for the Lucidum application to configure the Microsoft Azure connector in Lucidum.
## Optional Prerequisite: Creating a Role for Azure Blob Storage

To access data about Microsoft Azure Blob Storage, you must define an additional role, Storage Blob Data Reader, and add it to the Lucidum read-only application in Azure Active Directory. To do this:

1. Go to the Microsoft subscription IAM console. The link will look like:
   https://portal.azure.com/#@lucidum.io/resource/subscriptions/{subscription_id}/users
2. Go to the Role assignments tab, click Add, and select Add role assignment.
3. In the Role page, search for the role Storage Blob Data Reader and select it. Click Next.
4. In the Members page, click Select members, search for the application name that is used by the Lucidum connector (usually Lucidum), and select it.
5. Skip Conditions and go to Review + assign.
6. Click Review + assign to save the role assignment.
7. Return to the IAM console. You should see the new role assignment under "Storage Blob Data Reader".
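The application steps above grant the Lucidum service principal the Reader role and a client secret that expires in 24 months, and the Blob Storage section adds Storage Blob Data Reader. The script below is an added example, not Lucidum's or Microsoft's code, that audits the resulting registration for drift from that least-privilege setup: RBAC assignments beyond those two roles, Graph application permissions outside the documented set, and secrets near expiry. It assumes its inputs have the JSON shape of the read-only az CLI commands named in its docstring; the sample data is constructed with placeholder GUIDs.

```python
"""Least-privilege audit of the Lucidum app registration (added example, not Lucidum's code).
Inputs are assumed to have the JSON shape returned by these read-only az commands:
az role assignment list --assignee <client-id> --all; az ad app permission list --id <client-id>;
az ad sp show --id <graph-app-id> --query appRoles; az ad app credential list --id <client-id>."""
from datetime import datetime, timedelta, timezone
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource application id
ALLOWED_ROLES = {"Reader", "Storage Blob Data Reader"}   # the only RBAC roles the setup grants
REQUIRED_GRAPH = {"User.Read.All", "Directory.Read.All"}
OPTIONAL_GRAPH = {"AuditLog.Read.All", "UserAuthenticationMethod.Read.All"}

def excess_roles(assignments):
    """RBAC assignments beyond the expected read-only roles, as (role, scope) pairs."""
    return [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["roleDefinitionName"] not in ALLOWED_ROLES]

def graph_app_permissions(required_resource_access, graph_app_roles):
    """Names of the Graph application permissions requested (type Role; Scope = delegated)."""
    names = {r["id"]: r["value"] for r in graph_app_roles}   # Graph SP maps role id -> name
    return {names.get(acc["id"], "unknown:" + acc["id"])
            for res in required_resource_access if res["resourceAppId"] == GRAPH_APP_ID
            for acc in res["resourceAccess"] if acc["type"] == "Role"}

def check_graph(permissions):
    """(missing required, unexpected extra) relative to the set this connector documents."""
    return REQUIRED_GRAPH - permissions, permissions - REQUIRED_GRAPH - OPTIONAL_GRAPH

def expiring_secrets(credentials, now, within_days=30):
    """keyIds of client secrets that expire within `within_days` of `now` (or already did)."""
    return [c["keyId"] for c in credentials
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) - now
            <= timedelta(days=within_days)]

# Constructed sample inputs with placeholder GUIDs (not real identifiers).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLES = [{"roleDefinitionName": "Reader", "scope": SUB},
         {"roleDefinitionName": "Storage Blob Data Reader", "scope": SUB},
         {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod"}]
GRAPH_APP_ROLES = [{"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All"},
                   {"id": "11111111-0000-0000-0000-000000000002", "value": "Directory.Read.All"},
                   {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All"}]
REQUESTED = [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
    {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
    {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"}]}]
SECRETS = [{"keyId": "sec-2024", "endDateTime": "2024-06-01T00:00:00Z"},
           {"keyId": "sec-2026", "endDateTime": "2026-12-01T00:00:00+00:00"}]
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)   # fixed clock so the sample run is reproducible
if __name__ == "__main__":
    print("excess roles:", excess_roles(ROLES))
    print("graph missing/unexpected:", check_graph(graph_app_permissions(REQUESTED, GRAPH_APP_ROLES)))
    print("secrets expiring:", expiring_secrets(SECRETS, NOW))
```

On a live tenant, pipe the output of the four az commands into these functions instead of the constructed samples; any non-empty result is a deviation from the setup this page describes.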
## Configuring the Microsoft Azure Connector

To configure Lucidum to retrieve data from Azure:

1. Log in to Lucidum.
2. In the left pane, select Connector.
3. In the Connector page, select Add Connector.
4. Scroll until you find the Connector for Microsoft Azure. Click Connect. The Settings page appears.

| Field | Description | Example |
|---|---|---|
| Azure AD API Version | This is an optional parameter. Specify the version of the Azure AD API you are using with your Azure AD instance. | 2021-08-01 |
| Client ID | Enter the Client ID for the Lucidum application in Azure AD. Client ID is the unique identifier for the Lucidum application in Azure Active Directory. Client ID is also called Application ID. You captured this value in step #8 in the section above. If you select the KMS checkbox, Lucidum will use the URL specified in Settings > System Settings, in the Key Management page. | 5dab08ad-3948-4605-aa68-948333ee64819 |
| Client Secret | Enter the Client Secret ID for the Lucidum application in Azure AD. You captured this value in step #11 in the section above. If you select the KMS checkbox, Lucidum will use the URL specified in Settings > System Settings, in the Key Management page. | ************ |
| Tenant ID | Enter the tenant ID. Tenant ID is a unique identifier for your instance of Azure AD. You captured this value in step #8 in the section above. If you select the KMS checkbox, Lucidum will use the URL specified in Settings > System Settings, in the Key Management page. | 30930e4c-6cea-4c29-89d8-81e55978da47 |
| Subscription ID | This is an optional parameter. Subscription ID represents your account with Microsoft. You captured this value in step #20 in the section above. If you specify a value in this field, Lucidum will fetch data only from the specified subscription. The default behavior is for Lucidum to fetch data from all subscriptions associated with the specified Tenant ID. | d25c1387-a93e-4a8e-a45a-8ed1298932c5 |
| Services | Select one or more Azure services from which you want to ingest data. Services include: | |

To test the configuration, click Test.

- If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.
- If the connector is not configured correctly, Lucidum displays an error message.
## Source Documentation

### Creating an Application in Azure

Required permissions are:

- User > User.Read.All
- Directory > Directory.Read.All
- AuditLog > AuditLog.Read.All
- UserAuthenticationMethod > UserAuthenticationMethod.Read.All

### API Documentation

- https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/graph/api/resources/directoryobject?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethod?view=graph-rest-1.0