Articles in this section

Manually Create an Azure App for Integration

This topic contains the following sections.

The following procedure describes the common manual steps to create an Azure App for use in either an Azure Compliance Integration or Azure Activity Log Integration. For instructions on creating the entire Integration, see the topics that start with Azure Compliance Integration or Azure Activity Log Integration in Account Integration.

To manually create integration between Lacework and Azure using the Azure Portal and the Lacework Console, you must have access to the following accounts:

  • You must have an Azure AD account that has a Global Administrator directory role for your tenant (or equivalent administrator rights to create App Registrations).
  • Your account must have Owner permissions role in all the Azure subscriptions that you want to monitor.
  • You must have Lacework account with administrator privileges (not covered in this document, see Azure Compliance Integration on the Lacework Console)

This integration procedure will show you how to do the following

  1. Create a new App Registration ("Lacework SA Audit").
  2. Grant it Azure AD permissions to read information from your directory.
  3. Grant it Azure permissions to read resource configurations from your subscriptions.

Create an Azure App Registration

  1. Log in to the Azure Portal.
    In the left panel, select Azure Active Directory.
    azure_ad_select.png

  2. Select App registrations.
    azure_app_registration.png

  3. Click + New registration.

  4. In the Register an application panel, enter the following values:
    1. In the Name field, enter Lacework SA Audit.
    2. For the Supported account types, leave the default Accounts in this organizational directory only (my_dir) option.
    3. For the Redirect URL, leave the URL blank.
  5. Click Register.

Grant the Azure App the Directory Reader Role

The Azure App you created in the previous section must be given basic permissions to read Users information from your Directory.

  1. Go to Azure Active Directory.
  2. Click Roles and administrators.

  3. Click on Directory Reader (do not select, click the name). AD_roles.png

  4. Click on Add assignments.

  5. Go to the Add assignments menu, then search your App Registration name, such as Lacework SA Audit, then click Add.
    AD_add_assignments.png

If you are using Privileged Identity Management, the flow is slightly different after step 4:

  1. Go to Azure Active Directory.
  2. Click Roles and administrators.
  3. Click on Directory Reader (do not select, click the name).

  4. Click on Add assignments. PIM_AD_role.png

  5. Click on Select members(s) No member selected, then search your App Registration name, such as Lacework SA Audit, then click Select
    PIM_AD_membership.png

  6. Confirm Membership by clicking Next >

  7. Confirm Setting with assignment type Active, permanently assigned, and you'll have to enter a justification. Azure will notify other Azure AD admins about this assignment via email. PIM_AD__setting.png

An alternative, older way to grant permissions to the directory involve more steps and low-level API roles. The deprecated procedure is documented in Grant the Azure App the Required API Permissions for reference only (do not use, some of those APIs are deprecated by Azure).

Assign Permissions to Subscriptions

You must give the Azure App Reader permissions to access subscriptions that you want to monitor for proper configuration and compliance. For future CIS compliance checks, extra permissions may be needed. For instance Key Vault Reader permissions, which would only allow reading Key Vault metadata: list the vaults, key permissions, and secret permissions, but no access the key or secret contents. For more information, see the detailed RBAC description of each role in Azure built-in roles documentation page

How to Assign Permissions to a Single Subscription

  1. In the main search field, enter subscription and from select Subscriptions from the drop-down.
    azure_subscriptions.png

  2. Browse and click your subscription.

  3. Click Access control (IAM).
    mceclip2.png

  4. In the Add a role assignment tile, click Add.
    azure_add_role.png

  5. In the Add role assignment panel, enter Reader in the Role field.

  6. Leave the Assign access to field set to Azure AD user, group, or service principal.
  7. In the Select field, enter the App name such as Lacework SA and under the Selected members field, click Lacework SA Audit.
    azure_sa_audit.png

How to Assign Permissions to All Subscriptions

Repeat the previous steps for all the subscriptions in your tenant. Lacework will automatically detect all visible subscriptions with a single Config integration.

Optionally, you can assign those permissions to a Management Group. Lacework will discover every subscription where the Reader permission has been inherited. This is an interesting choice for organizations with dozens of subscriptions, avoiding this manual process. For more information, visit Azure documentation.