Lacework creates an Azure App called LaceworkSAAudit. After creation, the LaceworkSAAudit App has two delegated and two application permissions.
Delegated Permissions
In Azure, a delegated permission allows an application to act as a user. For example, a delegated permission could allow an application to send mail on behalf of a user. The two delegated permissions given to LaceworkSAAudit are:
- Azure Key Vault - Allow the application full access to the Azure Key Vault service on behalf of the signed-in user. Despite its wording, this permission does not give Lacework full access to your key vaults; it only lets LaceworkSAAudit call the Azure Key Vault API. To confirm that this is the only permission granted for the service, navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required Permissions and double-click Azure Key Vault. What Lacework can actually reach is limited by the key vault's own access controls and by the Reader role assigned to LaceworkSAAudit in Subscriptions > Access Control (IAM) > Role Assignments.
- Azure Storage - Access Azure Storage. This permission gives LaceworkSAAudit access to the Azure Storage REST APIs; as with Key Vault, what Lacework can actually read is limited by the Reader role.
Application Permissions
In Azure, application permission means that an application may act as itself in the organization. The two application permissions given to LaceworkSAAudit are:
- Microsoft Graph - Read the full profiles for all users. To confirm this permission, navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required permissions and double-click Microsoft Graph.
- Windows Azure Active Directory - Read the directory data. To confirm this permission, navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required permissions and double-click Windows Azure Active Directory.
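The portal steps in the Delegated Permissions and Application Permissions sections above verify the grant once by hand. The script below is an added example (not Lacework's code) that turns the same check into a repeatable least-privilege drift test: it compares the app registration's permissions against a recorded baseline of two delegated and two application permissions, and confirms the service principal holds nothing beyond the Reader role. It operates on the parsed JSON shapes returned by `az ad app show` (a Microsoft Graph `application` object, whose `requiredResourceAccess` entries carry type `Scope` for delegated and `Role` for application permissions) and `az role assignment list`; the sample objects, including every GUID-like value, are constructed placeholders, so record the real resource and permission IDs from your own tenant when you build the baseline.

```python
"""Least-privilege drift check for the LaceworkSAAudit app registration.

Added example, not Lacework's code. Works on the parsed output of
`az ad app show --id <appId>` (a Microsoft Graph `application` object whose
requiredResourceAccess lists each permission with type "Scope" for delegated
or "Role" for application permissions) and of
`az role assignment list --assignee <servicePrincipalId> --all`.
Every GUID-like value below is a constructed placeholder; take the real ones
from your own tenant when recording the baseline.
"""
from collections import Counter

Permission = tuple[str, str, str]  # (resourceAppId, permission id, "Scope" | "Role")

# Constructed baseline: the two delegated and two application permissions
# the documentation describes.
EXPECTED_PERMISSIONS: set[Permission] = {
    ("RESOURCE-KEYVAULT-PLACEHOLDER", "PERM-KV-USER-IMPERSONATION", "Scope"),
    ("RESOURCE-STORAGE-PLACEHOLDER", "PERM-STORAGE-USER-IMPERSONATION", "Scope"),
    ("RESOURCE-MSGRAPH-PLACEHOLDER", "PERM-USER-READ-ALL", "Role"),
    ("RESOURCE-AADGRAPH-PLACEHOLDER", "PERM-DIRECTORY-READ-ALL", "Role"),
}


def _resource(app_id: str, *perms: tuple[str, str]) -> dict:
    """Build one requiredResourceAccess entry in the Graph schema."""
    return {"resourceAppId": app_id,
            "resourceAccess": [{"id": pid, "type": kind} for pid, kind in perms]}


# Constructed app object that matches the baseline exactly.
APP_OK = {
    "displayName": "LaceworkSAAudit",
    "requiredResourceAccess": [
        _resource("RESOURCE-KEYVAULT-PLACEHOLDER", ("PERM-KV-USER-IMPERSONATION", "Scope")),
        _resource("RESOURCE-STORAGE-PLACEHOLDER", ("PERM-STORAGE-USER-IMPERSONATION", "Scope")),
        _resource("RESOURCE-MSGRAPH-PLACEHOLDER", ("PERM-USER-READ-ALL", "Role")),
        _resource("RESOURCE-AADGRAPH-PLACEHOLDER", ("PERM-DIRECTORY-READ-ALL", "Role")),
    ],
}

# Constructed app object where a directory write permission was added later.
APP_DRIFTED = {
    "displayName": "LaceworkSAAudit",
    "requiredResourceAccess": APP_OK["requiredResourceAccess"][:3] + [
        _resource("RESOURCE-AADGRAPH-PLACEHOLDER",
                  ("PERM-DIRECTORY-READ-ALL", "Role"),
                  ("PERM-DIRECTORY-READWRITE-ALL", "Role")),
    ],
}

# Constructed `az role assignment list` output: the expected Reader role plus
# a Contributor assignment that should not be there.
ASSIGNMENTS = [
    {"principalName": "LaceworkSAAudit", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"},
    {"principalName": "LaceworkSAAudit", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER/resourceGroups/rg-placeholder"},
    {"principalName": "other-app", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER"},
]


def flatten_permissions(app: dict) -> set[Permission]:
    """Flatten requiredResourceAccess into (resourceAppId, permission id, type) tuples."""
    return {(res["resourceAppId"], acc["id"], acc["type"])
            for res in app.get("requiredResourceAccess", [])
            for acc in res.get("resourceAccess", [])}


def count_by_kind(app: dict) -> dict[str, int]:
    """Count delegated ("Scope") and application ("Role") permissions."""
    kinds = Counter(kind for _, _, kind in flatten_permissions(app))
    return {"delegated": kinds["Scope"], "application": kinds["Role"]}


def permission_drift(app: dict,
                     baseline: set[Permission]) -> tuple[list[Permission], list[Permission]]:
    """Return (unexpected, missing) permissions relative to the recorded baseline."""
    found = flatten_permissions(app)
    return sorted(found - baseline), sorted(baseline - found)


def excess_role_assignments(assignments: list[dict], principal: str,
                            allowed: frozenset[str] = frozenset({"Reader"})) -> list[tuple[str, str]]:
    """Return (role, scope) pairs held by the principal beyond the allowed roles."""
    return [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a.get("principalName") == principal
            and a["roleDefinitionName"] not in allowed]


if __name__ == "__main__":
    for label, app in (("baseline", APP_OK), ("drifted", APP_DRIFTED)):
        unexpected, missing = permission_drift(app, EXPECTED_PERMISSIONS)
        print(label, count_by_kind(app), "unexpected:", unexpected, "missing:", missing)
    print("excess roles:", excess_role_assignments(ASSIGNMENTS, "LaceworkSAAudit"))
```

Checking the permission set and the role assignments separately matters because a permission such as "Read the full profiles for all users" only describes what the app may ask Azure AD for, while the Reader role bounds what it can read from subscription resources; drift in either one widens what LaceworkSAAudit can do, and only the role-assignment query shows the second.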