Articles in this section

Manually Create an Azure App for Integration

The procedure below describes the common manual steps to create an Azure App for use in either an Azure Compliance Integration or Azure Activity Log Integration. For instructions on creating the entire Integration, see the topics that start with Azure Compliance Integration or Azure Activity Log Integration in Account Integration

To manually create integration between Lacework and Azure using the Azure Portal and the Lacework Console, you must have access to the following accounts:

  • You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • You must have Lacework account with administrator privileges.  

The following procedure describes how to manually create a new Azure App that is required for an integration between Lacework and Azure.

To manually create an Azure App:

  1. Log in to the Azure Portal.
  2. In the left panel, select Azure Active Directory.
  3. Select App registrations.
  4. Click + New registration.
  5. In the Register an application panel, enter the following values:
    1. In the Name field, enter Lacework SA Audit.
    2. For the Supported account types, leave the default Accounts in this organizational directory only (my_dir) option.
    3. For the Redirect URL, leave the URL blank.
  1. Click Register.
  2. Under Manage, click Branding. In the Home Page URL field, enter https://securityaudit.lacework.net and click Save.

The URL specified must be unique among all your applications. Lacework recommends specifying https://securityaudit.lacework.net to match the same URL expected by the Lacework scripts. If you run the scripts at a future date, the scripts will update the correct Azure App.

Register Providers for Key Vault and Storage

You can skip this procedure if your tenant does not have subscriptions.

For each subscription that uses the Key Vault service, you must register the Microsoft.KeyVault providers, as described in the steps below and for each subscription that uses storage accounts, you must register some providers, as described in the steps below.

NOTE: Some providers are automatically registered by default, however, the Microsoft.Storage and Microsoft.KeyVault providers are not automatically registered.

To register the Key Vault and Storage subscriptions:

  1. In the main search field, enter subscription and from select Subscriptions from the drop-down.
  2. Browse and click your subscription.
  3. Click Resource providers.
  4. If the subscription will use the Key Vault service, in the Filter by name… field enter Key.
  5. Click Microsoft.KeyVault and Register.
  6. Keep clicking Refresh until the status changes to Registered.
  7. If the subscription will use storage accounts, in the Filter by name… field enter Storage.
  8. Click Microsoft.Storage and click Register. 
  9. Keep clicking Refresh until the status changes to Registered.
  10. In the Filter by name… field enter Microsoft.Security.
  11. Click Microsoft.Security and click Register. 
  12. Keep clicking Refresh until the status changes to Registered.
  13. Repeat these steps for all the subscriptions that are using Key Vault service and/or storage accounts.

Give the App the Appropriate API Permissions

The Azure App you created in the previous section must be given access permissions to the following Azure APIs:

  • Microsoft Graph
  • Azure Storage
  • Azure Key Vault
  • Windows Azure Active Directory

To grant the access permissions to the Azure APIs to the Azure App:

  1. In the left panel, select Azure Active Directory.
  2. Select App registrations.
  3. From the App registrations panel, select the Lacework SA Audit App created in the previous section.  
  4. Click API permissions and Add a permission.
  5. In the Request API permissions panel, select the Microsoft Graph tile.
  6. In the Request API permissions panel, click the Application permissions tile.
  7. In the Request API permissions panel, scroll down and expand User.
    Click the User.Read.All checkbox and Add permissions.
  8. Click Add a permission.
  9. In the Request API permissions panel, select the Azure Active Directory Graph tile or the Windows Azure Active Directory option in the APIs my organization uses tab.  Ignore the warning.
  10. In the Request API permissions panel, click the Application permissions tile.
    mceclip0.png
  11. In the Request API permissions panel, scroll down and expand Directory. Click the Directory.Read.All checkbox and Add permissions.
  12. Click Add a permission.
  13. In the Request API permissions panel, select the Azure Key Vault tile.
    NOTE: To see Azure Key Vault listed, the Microsoft.KeyVault provider may need to be registered as described in a previous step. 
  14. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Have Full Access to the Azure Key Vault service checkbox, and Add permissions.
  15. Click Add a permission.
  16. In the Request API permissions panel, select Azure Storage. You may have to select the APIs my organization uses tab to find Azure Storage.
    NOTE: To see Azure Storage listed, the Microsoft.Storage provider may need to be registered as described in a previous step. 
  17. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Access Azure Storage checkbox, and Add permissions. 
  18. Click Grant admin consent for <your_dir> and Yes.
    Screen_Shot_2019-09-03_at_5.36.23_PM.png
    You should see the following permissions.

Additional Configuration of a Tenant with Subscriptions

The following procedure describes the additional configuration steps required for a tenant with subscriptions.

You can skip this procedure if your tenant does not have subscriptions.

Assign Roles to Subscriptions

You must give the Azure App permissions to access subscriptions that you want to be monitored.

To assign roles to all subscriptions: 

  1. In the main search field, enter subscription and from select Subscriptions from the drop-down.
  2. Browse and click your subscription.
  3. Click Access control (IAM).
    mceclip2.png
  4. In the Add a role assignment tile, click Add.
  5. In the Add role assignment panel, enter Reader in the Role field.
  6. Leave the Assign access to field set to Azure AD user, group, or service principal.
  7. In the Select field, enter the App name such as Lacework SA and under the Selected members field, click Lacework SA Audit.
  8. Click Save.
  9. Repeat these steps for all the subscriptions in your tenant.

Azure App Access to Key Vaults

If some of your subscriptions use Key Vault services, give your Azure App access to each Key Vault used in your subscriptions.

To give your Azure App access to each Key Vault used in your subscriptions:

  1. In the main search field, enter key and select Key vaults from the drop-down.
  2. Click a key vault and select Access policies.
  3. Click + Add new.
  4. Click Select principal >.
  5. Under Principal in the Select field, enter the App name such as Lacework SA Audit.
  6. Click Lacework SA Audit.
  7. Click Select.
  8. From the Key permissions drop-down, select List.
  9. From the Secret permissions drop-down, select List.
  10. Click OK.
  11. Repeat these steps for all the Key Vaults used in your subscriptions of your Azure App.