The procedure below describes the common manual steps to create an Azure App for use in either an Azure Compliance Integration or Azure Activity Log Integration. For instructions on creating the entire Integration, see the topics that start with Azure Compliance Integration or Azure Activity Log Integration in Account Integration.
To manually create integration between Lacework and Azure using the Azure Portal and the Lacework Console, you must have access to the following accounts:
- You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
- Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
- You must have a Lacework account with administrator privileges.
The following procedure describes how to manually create a new Azure App that is required for an integration between Lacework and Azure.
To manually create an Azure App:
- Log in to the Azure Portal.
- In the left panel, select Azure Active Directory.
- Select App registrations.
- Click + New registration.
- In the Register an application panel, enter the following values:
  - In the Name field, enter Lacework SA Audit.
  - For the Supported account types, leave the default Accounts in this organizational directory only (my_dir) option.
  - For the Redirect URL, leave the URL blank.
- Click Register.
- Under Manage, click Branding. In the Home Page URL field, enter https://securityaudit.lacework.net and click Save.
The URL specified must be unique among all your applications. Lacework recommends specifying https://securityaudit.lacework.net to match the same URL expected by the Lacework scripts. If you run the scripts at a future date, the scripts will update the correct Azure App.
Register Providers for Key Vault and Storage
You can skip this procedure if your tenant does not have subscriptions.
For each subscription that uses the Key Vault service, you must register the Microsoft.KeyVault provider, and for each subscription that uses storage accounts, you must register the storage-related providers, as described in the steps below.
NOTE: Some providers are automatically registered by default; however, the Microsoft.Storage and Microsoft.KeyVault providers are not.
To register the Key Vault and Storage providers for a subscription:
- In the main search field, enter subscription and select Subscriptions from the drop-down.
- Browse and click your subscription.
- Click Resource providers.
- If the subscription will use the Key Vault service, in the Filter by name… field enter Key.
  - Click Microsoft.KeyVault and click Register.
  - Keep clicking Refresh until the status changes to Registered.
- If the subscription will use storage accounts, in the Filter by name… field enter Storage.
  - Click Microsoft.Storage and click Register.
  - Keep clicking Refresh until the status changes to Registered.
- In the Filter by name… field enter Microsoft.Security.
- Click Microsoft.Security and click Register.
- Keep clicking Refresh until the status changes to Registered.
- Repeat these steps for all the subscriptions that use the Key Vault service and/or storage accounts.
Grant the Azure App the Required API Permissions
The Azure App you created in the previous section must be given access permissions to the following Azure APIs:
- Microsoft Graph
- Azure Storage
- Azure Key Vault
- Windows Azure Active Directory
To grant the Azure App the required API permissions, follow the steps in Grant the Azure App the Required API Permissions.
Additional Configuration of a Tenant with Subscriptions
The following procedure describes the additional configuration steps required for a tenant with subscriptions.
You can skip this procedure if your tenant does not have subscriptions.
Assign Roles to Subscriptions
You must give the Azure App permissions to access subscriptions that you want to be monitored.
To assign roles to all subscriptions:
- In the main search field, enter subscription and select Subscriptions from the drop-down.
- Browse and click your subscription.
- Click Access control (IAM).
- In the Add a role assignment tile, click Add.
- In the Add role assignment panel, enter Reader in the Role field.
- Leave the Assign access to field set to Azure AD user, group, or service principal.
- In the Select field, enter the App name, such as Lacework SA, and under the Selected members field, click Lacework SA Audit.
- Click Save.
- Repeat these steps for all the subscriptions in your tenant.
Give Azure App List Access to Key Vaults
If some of your subscriptions use Key Vault services, give your Azure App 'list' access to each Key Vault used in your subscriptions. NOTE: You are giving your Azure App permissions to only list the vaults, key permissions, and secret permissions. The Azure App does not have permission to access the contents of vaults, keys, or secrets.
To give your Azure App 'list' access to each Key Vault used in your subscriptions:
- In the main search field, enter key and select Key vaults from the drop-down.
- Click a key vault and select Access policies.
- Click + Add Access Policy.
- Click Select principal >.
- Under Principal, in the Select field, enter the App name, such as Lacework SA Audit.
- Click Lacework SA Audit.
- Click Select.
- From the Key permissions drop-down, select List.
- From the Secret permissions drop-down, select List.
- Click OK.
- Repeat these steps for all the Key Vaults used in your subscriptions.
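As an added offline check (example code written for this page, not Lacework's or Microsoft's own), the script below verifies that the Azure App ended up with exactly what the procedures above grant: the Reader role on each subscription, list-only access to keys and secrets in each Key Vault, and the Microsoft.KeyVault, Microsoft.Storage and Microsoft.Security providers registered. The sample JSON documents are constructed to mirror the shape of `az role assignment list`, `az keyvault show` and `az provider list` output, and the app object id is a placeholder.

```python
import json

# Constructed placeholder for the Lacework SA Audit service principal's object id.
APP_OBJECT_ID = "app-object-id-placeholder"
REQUIRED_PROVIDERS = {"Microsoft.KeyVault", "Microsoft.Storage", "Microsoft.Security"}

# Constructed sample (shape of `az role assignment list --all`): the second
# subscription was granted Contributor instead of the Reader role required here.
ROLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "app-object-id-placeholder", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/sub-1"},
 {"principalId": "app-object-id-placeholder", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/sub-2"}]""")

# Constructed sample (shape of `az keyvault show`): the app was given 'get' on
# secrets, which exceeds the list-only access this procedure grants.
KEY_VAULT = json.loads("""{"name": "kv-example", "properties": {"accessPolicies": [
 {"objectId": "app-object-id-placeholder",
  "permissions": {"keys": ["list"], "secrets": ["list", "get"], "certificates": []}}]}}""")

# Constructed sample (shape of `az provider list`) for one subscription.
PROVIDERS = json.loads("""[
 {"namespace": "Microsoft.KeyVault", "registrationState": "Registered"},
 {"namespace": "Microsoft.Storage", "registrationState": "NotRegistered"},
 {"namespace": "Microsoft.Security", "registrationState": "Registered"}]""")

def role_findings(assignments, app_object_id):
    """Subscription scopes where the app holds any role other than Reader."""
    return sorted(a["scope"] for a in assignments
                  if a["principalId"] == app_object_id and a["roleDefinitionName"] != "Reader")

def vault_findings(vault, app_object_id):
    """(vault, category, permission) for each app permission beyond 'list'."""
    findings = []
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"] != app_object_id:
            continue
        for category, perms in policy["permissions"].items():
            findings.extend((vault["name"], category, p) for p in perms if p.lower() != "list")
    return findings

def unregistered_providers(providers):
    """Required providers whose registrationState is not 'Registered'."""
    state = {p["namespace"]: p["registrationState"] for p in providers}
    return sorted(ns for ns in REQUIRED_PROVIDERS if state.get(ns) != "Registered")

if __name__ == "__main__":
    print("roles beyond Reader at:", role_findings(ROLE_ASSIGNMENTS, APP_OBJECT_ID))
    print("vault permissions beyond list:", vault_findings(KEY_VAULT, APP_OBJECT_ID))
    print("providers still to register:", unregistered_providers(PROVIDERS))
```

Feed it the real output of those three `az` commands (one subscription and one vault at a time) and any non-empty result is a deviation from this procedure worth correcting.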