Connecting to Azure (Azure AD, Microsoft 365 Defender, and Intune)


Summary

Here is a short summary of the guide for those who are experienced with Azure:

1. Create an App Registration.
2. Add the following application permissions:
  • AuditLog: AuditLog.Read.All (Read all audit log data)
  • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configuration and policies)
  • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
  • Directory: Directory.Read.All (Read Azure AD data)
  • Reports: Reports.Read.All (Read all usage reports)
  • AdvancedQuery: AdvancedQuery.Read.All (365 Defender)
  • Machine: Machine.Read.All (365 Defender)
3. Ensure you grant permission to the subscriptions you want to discover.


Adding Azure RM

To inventory your Azure Resource Manager environment, vScope needs read permissions to your subscription(s). In this guide, we will create a vScope application in Azure, generate a key, and apply these to the Azure RM credential in vScope. Before getting started, make sure your role has the right permissions for setting up this application. Read more about roles and permissions here.

1. Create the application

1.1 Log in to Azure Resource Manager (https://portal.azure.com/), type “App registrations” in the search bar and click on the icon that appears.

1.2 Click the “+ New registration” button to create the vScope application.

1.3 Name the application with something easy to remember, such as “vScope”. Under “Supported account types”, choose “Accounts in this organizational directory only” and click “Register”.

2. Add API permissions for Microsoft Graph

2.1 Go to the API permission section and click the “+Add a permission” button.

2.2 In the “Microsoft APIs” tab, select “Microsoft Graph”.

2.3 Now select “Application permissions”.

2.4 Select the following permissions and click “Add permissions”:

  • AuditLog – AuditLog.Read.All (Read all audit log data)
  • DeviceManagementConfiguration – DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configuration and policies)
  • DeviceManagementManagedDevices – DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
  • Directory – Directory.Read.All (Read directory data)
  • Reports – Reports.Read.All (Read all usage reports)
  • AdvancedQuery – AdvancedQuery.Read.All (365 Defender)
  • Machine – Machine.Read.All (365 Defender)

2.5 Now you need to grant these permissions (click the “Grant admin consent for...” button).

3. Add API permissions for Defender

3.1 Click + Add a permission.

3.2 Select “APIs my organization uses” and search for “WindowsDefenderATP”.

3.3 Select “Application permissions” and toggle AdvancedQuery.Read.All under AdvancedQuery and Machine.Read.All under Machine. Then click “Add permissions”.

3.4 Click the “Grant admin consent for...” button to commit the changes.

4. Grant access to subscriptions

4.1 If you have Azure resources to inventory (such as “App services”, storage accounts etc.) you need to grant access to your subscription(s). In the search bar, type “Subscriptions” and click on the yellow key that appears.

4.2 Click on the subscription name.

4.3 Go to the Access Control (IAM) section and click on “Add role assignment”.

4.4 In the “Role” tab, select “Reader” under “Name”.

4.5 Move on to the “Members” tab, make sure it says “Reader” as “Selected role”, and click on “+ Select members”.

4.6 In the search bar, type in the name of the application we created in step 1 (in this example: vScope) and click “Select”.

4.7 Click “Review + assign”.

5. Set up the Azure RM probe in vScope

5.1 Now that we have the permissions we need, we only have to add the credentials to the Azure RM probe to start the inventory. In the “Overview” section, copy the Application (client) ID.

5.2 Open up a new tab and go to the Discovery Manager in vScope, create an Azure probe (+ Credential), and paste the “Application (client) ID” in the “Application ID” bar.

5.3 Go back to the App registration in Azure Portal, enter “Certificates & secrets” and create a “New client secret”:

5.4 Add a description, e.g. vScope, then choose the expiry date and click “Add”.

5.5 Copy the value from the client secret (the value appears only once and is later encrypted, so it’s important not to miss this step).

5.6 Paste it into the “Key” bar in the Azure RM probe in vScope. Before saving, you can click on “Test Credential” to make sure the credentials are correct (it should turn green).
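“Test Credential” only proves the client ID and secret work; it does not show which application permissions the app actually ended up with. The following script is an added example (not vScope’s own code) that acquires a token with the client-credentials flow for the app created above and compares the `roles` claim in that token against the permission list from steps 2 and 3, reporting anything missing or anything extra (over-privilege). The Defender resource URI `https://api.securitycenter.microsoft.com` is assumed to be the resource behind the “WindowsDefenderATP” API; the sample token in the demo is constructed and unsigned.

```python
"""Audit the application permissions (roles claim) granted to the vScope app."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the guide asks for, grouped by resource (token audience).
EXPECTED_ROLES = {
    "https://graph.microsoft.com": {
        "AuditLog.Read.All", "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All", "Directory.Read.All",
        "Reports.Read.All",
    },
    # Assumed resource URI for the "WindowsDefenderATP" API.
    "https://api.securitycenter.microsoft.com": {
        "AdvancedQuery.Read.All", "Machine.Read.All",
    },
}


def acquire_token(tenant_id, client_id, client_secret, resource):
    """Client-credentials grant against the v2.0 token endpoint (needs network)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": resource + "/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Return the JWT payload claims. Signature is NOT verified: inspection only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims, resource):
    """Compare granted roles with the expected set for one resource."""
    expected = EXPECTED_ROLES[resource]
    granted = set(claims.get("roles", []))
    return {"missing": sorted(expected - granted), "extra": sorted(granted - expected)}


def build_unsigned_sample_token(roles):
    """Constructed, unsigned token for offline testing of the audit logic."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"roles": roles}) + "."
```

Run `audit_roles(decode_claims(acquire_token(...)), resource)` for each resource after consent has been granted; a non-empty `extra` list means the app holds more than the Reader-style permissions this guide requires.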

Common errors

  • SSLHandshakeException: Issue connecting to Azure. Check the connection between vScope and Azure.