Lucidum has been acquired by Cyderes → [Read the announcement]

Lucidum has been acquired by Cyderes → [Read the announcement]

View Categories

Microsoft Azure

Estimated Reading Time: 10 min read

What is Microsoft Azure? #

Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data.

Why Should You use the Microsoft Azure Connector? #

Lucidum uses the Microsoft Azure connector to retrieve data from Microsoft Azure virtual machines and Azure services, including Azure Active Directory, Azure Blob Storage, Azure Cosmos DBs, and Azure SQL DBs.

  • ensure virtual machines and services are managed per your security policies
  • monitor each endpoint and its status

How Does This Connector Work? #

Lucidum executes read-only requests to the REST API for Microsoft Azure and ingests only meta-data about Azure instances and services. Lucidum does not retrieve any data stored on your systems.

Prerequisite: Creating an Azure Application #

Before configuring the Microsoft Azure connector in Lucidum, you must a create a read-only application in Azure Active Directory that allows Lucidum to retrieve information from Azure.

Creating a Client in Microsoft Azure (5 minutes) #

1. Log in to the Azure Portal (https://portal.azure.com/ ) with an Azure AD global administrator account.
  • https://portal.azure.com/
  • Log in with an Azure AD global administrator account
  • NOTE: Do not log in with the Application Administrator account. This Application Administrator account does not have the required privileges.
2. Click Home > Microsoft Entra ID.
  • If you have more than one directory (tenant), make sure you are logged in to the directory (tenant) you want to access with Lucidum.
3. In Overview page:
  • In the Left pane click App registrations
  • In the Main pane click New registration
4. In the Register an application page:
  • Name. Name of the new application (for example, lucidum_connector_app).
  • Click Accounts in this organizational directory only
  • Click Register
5. In the <app name> page
  • Note and copy Application (client) ID. You will need it later.
  • Note and copy Object ID. You will need it later.
  • Note and copy Directory (tenant) ID. You will need it later.
  • In the Left Pane click Manage > Certificates & secrets
6. In the <app name> | Certificates & secrets page:
  • In the Main pane click New Client Secret
  • In Add a client secret pane (far right)
    • Description. Provide name of the Azure application (for example, lucidum_connector_app)
    • Expires. Select 180 days (6 months
    • Click Add
  • In the Main pane, note and copy the Value and Secret ID. You will need them later.
  • In the Left  pane click Manage > API permissions
7. In the <app name> | API permissions page:
  • In the Main pane click Add a permission
  • In the Request API permissions pane (far right), add these required permissions:
    • Click AuditLogs> AuditLog.Read.All.
    • Click Directory > Directory.Read.All
    • Click User > User.Read.All
    • Click UserAuthenticationMethod > UserAuthenticationMethod.Read.All
    • Click Add permissions
  • In the Request API permissions pane (far right), add these additional permissions to retrieve identity and access data:
    • Click Groups > Group.Read.All
    • Click Groups > GroupMember.Read.All
    • Click Identity Governance > AccessReview.Read.All
    • Click Identity Governance > EntitlementManagement.Read.All
    • Click Identity Governance > LifecycleWorkflows.Read.All
    • Click Identity Protection > IdentityRiskyUser.Read.All
    • Click Management > Azure RBAC Reader
    • Click Reports > Reports.Read.All
    • Click Reports > AuditLog.Read.All
    • Click Reports > UserAuthenticationMethod.Read.All
    • Click Service Principals > Directory.Read.All
    • Click Service Principals > Application.Read.All
    • Click Service Principals > User.Read.All
    • Click Add permissions
  • In the Main pane, highlight each permission and click Grant admin consent for <your organization>
8. Click Home > Subscriptions.
9. In the Subscriptions page:
  • Copy the Subscription ID. You will need it later when configuring the Lucidum connector.
  • Click the link for your Azure subscription. Also copy the link. You will need it to configure a Role for Azure Blob Storage.
10.In the Main pane <azure subscription>:
  • Click Access Control (IAM)
  • Click Add > Role assignment.
11. In the Add role assignment page:
  • Search for Reader
  • Select Reader
  • Click Next
12. In the Add role assignment page:
  • Click Members
  • Click User, group, or service principal
  • Click Select Members
  • In the Select Members pane (far right)
    • Search for the app you created (for example, lucidum_connector_app)
    • Highlight the app.
    • Click Select
13. In the Add role assignment page:
  • Click Review + assign
  • Click Review + assign
14.In the Main pane <azure subscription>:
  • Click Access Control (IAM)
  • Click Add > Role assignment.
15. In the Add role assignment page:
  • Search for Storage Blob Data Reader
  • Select Storage Blob Data Reader
  • Click Next
16. In the Add role assignment page:
  • Click Members
  • Click User, group, or service principal
  • Click Select Members
  • In the Select Members pane (far right)
    • Search for the app you created (for example, lucidum_connector_app)
    • Highlight the app.
    • Click Select
17. In the Add role assignment page:
  • Click Review + assign
  • Click Review + assign

Optional Prerequisite: Creating a Role for Azure Blob Storage #

NOTE: If the Azure connector ingests data from Azure Blob storage, ensure that your firewall safe-lists include the IP address of your Lucidum instance.

To access data about Microsoft Azure Blob Storage, you must define an additional role, Storage Blob Data Reader, and add it to the Lucidum read-only application in Azure Active Directory. To do this:

1. Log in to the Azure Portal (https://portal.azure.com/ ) with an Azure AD global administrator account.
  • https://portal.azure.com/
  • Log in with an Azure AD global administrator account
  • NOTE: Do not log in with the Application Administrator account. This Application Administrator account does not have the required privileges.
2. Click Home > Subscriptions.
  • Enter the link you saved in step #9 above.
3. In the Main pane <azure subscription>:
  • Click Access Control (IAM)
  • Click Add > Role assignment.
4. In the Add role assignment page:
  • Search for Storage Blob Data Reader
  • Select Storage Blob Data Reader
  • Click Next
5. In the Add role assignment page:
  • Click Members
  • Click User, group, or service principal
  • Click Select Members
  • In the Select Members pane (far right)
    • Search for the app you created (for example, lucidum_connector_app)
    • Highlight the app.
    • Click Select
6. In the Add role assignment page:
  • Click Review + assign
  • Click Review + assign
7. In the Main pane <azure subscription>:
  • Click Access Control (IAM)
  • You should see the new role assignment under “Storage Blob Data Reader”

Troubleshooting Azure Blob Storage #

NOTE: If the Azure connector ingests data from Azure Blob storage, ensure that your firewall safe-lists include the IP address of your Lucidum instance.

If you see the error:

Exception:Not authorized to perform list blobs for any container!"

you must safe-list the IP address of your Lucidum instance.

Configuring the Microsoft Azure Connector #

To configure Lucidum to retrieve data from Azure:

  1. Log in to Lucidum.
  2. In the left pane, select Connector.
  3. In the Connector page, select Add Connector.
  4. Scroll until you find the Connector for Microsoft Azure. Click Connect. The Settings page appears.

Field

Description

Example
Entra ID API Version Version of the Entra ID API. 1.0
Entra ID Password Age Threshold Specifies the aaximum allowed password age, in days. Users whose password is older than this are flagged as non-compliant for having a stale password. 365
Entra ID Last Certification Threshold Specifies the maximum allowed number of days since a user’s access was certified (reviewed). If their last certification is older than this, Meridian flags the account as out of date. 90
Entra ID Stale Account Threshold Specifies the maximum number of days without logging in before an account is considered stale. Accounts that have not logged in within that number of day, Meridian flags the account as higher risk. 90
Entra ID Campaign Overdue Grace Period Specifies the grace period, in days, after an access review’s due date before Meridian flags it as overdue. The default of 0 means a review is overdue as soon as its due date passes. 0
Entra ID On-Behalf Request Threshold Specifies the maximum number of access requests an account can submit on behalf of others before Meridian flags that account for excessive activity. If the access requests were unauthorized, Meridian flags the account as higher risk. 10
Entra ID Application Inactive Days Threshold Specifies the number of days since last log in before Meridian flags an application as inactive. 90
Entra ID Vault Activity Lookback Days Specifies the number of days of vault activity to include in reports. 90
Entra ID Nested Groups Toggle on to resolve nested groups in Entra ID. When enabled, accounts that inherit access indirectly through a group-within-a-group are retrieved. On/Off
Entra ID Maximum Group Members Maximum number of records to retrieve from each Group in Entra ID. 1000

Client ID

Enter the Client ID for the Lucidum application in Azure AD. Client ID is the unique identifier for the Lucidum application in Azure Active Directory. Client ID is also called Application ID. You captured this value in step #5 in the section above.

5dab08ad-3948-4605-aa68-948333ee64819

Client Secret

Enter the Client Secret ID for the Lucidum application in Azure AD. You captured this value in step #6 the section above.

 ************

Tenant ID

Enter the tenant ID. Tenant ID is a unique identifier for your instance of Azure AD. Tenant ID is also called Directory ID. You captured this value in step #5 in the section above.

30930e4c-6cea-4c29-89d8-81e55978da47

Subscription ID

Subscription ID represents your account with Microsoft. You captured this value in step #5 in the section above.

Even if you choose not to retrieve data from Azure Blob Storage, you must still provide the Subscription ID to the Lucidum connector.

d25c1387-a93e-4a8e-a45a-8ed1298932c5

Services

Select one or more Azure services from which you want to ingest data. Services include:

  • Azure Active Directory.

  • Azure Blob Storage

  • Azure Cosmos DB

  • Azure Functions

  • Azure SQL DB

  • Azure Virtual Machines

 To test the configuration, click Test.

  • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.
  • If the connector is not configured correctly, Lucidum displays an error message.

Source Documentation #

Creating an Application in Azure #

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

Required Permissions #

Required Permissions are:

  • AuditLogs> AuditLog.Read.All.
  • Directory > Directory.Read.All
  • User > User.Read.All
  • UserAuthenticationMethod > UserAuthenticationMethod.Read.All

Optional Permissions for identity and access data are:

  • Groups > Group.Read.All
  • Groups > GroupMember.Read.All
  • Identity Governance > AccessReview.Read.All
  • Identity Governance > EntitlementManagement.Read.All
  • Identity Governance > LifecycleWorkflows.Read.All
  • Identity Protection > IdentityRiskyUser.Read.All
  • Management > Azure RBAC Reader
  • Reports > Reports.Read.All
  • Reports > AuditLog.Read.All
  • Reports > UserAuthenticationMethod.Read.All
  • Service Principals > Directory.Read.All
  • Service Principals > Application.Read.All
  • Service Principals > User.Read.All
  • Add permissions

Permissions for Retrieving All Azure Subscriptions #

To set permissions to retrieve all Azure subscriptions:

  1. Login to the Azure portal as Global Administrator
  2. Follow these steps to Elevate access: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#step-2-remove-elevated-access
  3. Set Access management for Azure resources to Yes.
  4. Sign out of the Azure portal.
  5. Sign in to the Azure portal.
  6. Navigate to Microsoft Entra ID > Enterprise Applications.
  7. Search for the name of the Azure application you created.
  8. Select the application.
  9. The Object ID shown here is the service principal’s object ID.
  10. In the search bar at the top, type Management Groups and select it.
  11. Find and select the Tenant Root Group from the list of management groups.
  12. Select Access Control (IAM) in the left-hand menu.
  13. Click Add > Add role assignment. 
  14. On the Role tab, search for and select Reader.
  15. Click Next.
  16. On the Members tab, search for the service principal for the Meridian application in Azure.
  17. Click Select, then Review + assign.
  18. Follow these steps to remove elevated access: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#step-2-remove-elevated-access.

Subscription ID #

Microsoft requires the Subscription ID when making API requests, even if you choose not to retrieve data from Azure Blob Storage. Likewise, Lucidum uses the Subscription ID to control scope and security:

API Documentation #

What are your Feelings