After creation, the LaceworkSAAudit will be have two delegated and two application permissions.
Delegated permissions
In Azure a delegated permission allows an application to act as a user. For example, a delegated permission could allow an application to send mail on behalf of a user. The two delegated permissions given to LaceworkSAAudit are:
-
Azure Key Vault - allow the application full access to the Azure Key Vault service on behalf of the signed-in user.
This permission does not give Lacework full access to the Azure Key Vault. It essentially gives LaceworkSAAudit permission to use the Azure Key Vault API. Navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required Permissions and double-click on Azure Key Vault to confirm that only this one level of permission exists.
The key vault itself and the LaceworkSAAudit role of Reader in Subscriptions > Access Control (IAM) > Role Assignments limits Lacework access to the Key Vault.
-
Azure Storage Access Azure Storage
This permission gives LaceworkSAAudit access to the Azure Storage REST APIs. However, the Lacework access is limited by the role of Reader.
Application Permissions
In Azure, an application permission means that an application may act as itself in the organization. The two application permissions given to LaceworkSAAudit are:
-
Microsoft Graph - read all users' full profiles
To confirm this permission, navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required permissions and double-click on Microsoft Graph.
-
Windows Azure Active Directory - read directory data
To confirm this permission, navigate to Azure Active Directory > App Registrations > LaceworkSAAudit > Settings > Required permissions and double-click on Windows Azure Active Directory.