Articles in this section

Grant the Azure App the Required API Permissions

The Azure App that was created must be given access permissions to the following Azure APIs:

  • Microsoft Graph
  • Azure Storage
  • Azure Key Vault
  • Windows Azure Active Directory

To grant the access permissions to the Azure APIs to the Azure App:

  1. In the left panel, select Azure Active Directory.
  2. Select App registrations.
  3. From the App registrations panel, select the Lacework SA Audit App created in the previous section.  
  4. Click API permissions and Add a permission.
  5. In the Request API permissions panel, select the Microsoft Graph tile.
  6. In the Request API permissions panel, click the Application permissions tile.
  7. In the Request API permissions panel, scroll down and expand User.
    Click the User.Read.All checkbox and Add permissions.
  8. Click Add a permission.
  9. In the Request API permissions panel, select the Azure Active Directory Graph tile or the Windows Azure Active Directory option in the APIs my organization uses tab.  Ignore the warning.
  10. In the Request API permissions panel, click the Application permissions tile.
    mceclip0.png
  11. In the Request API permissions panel, scroll down and expand Directory. Click the Directory.Read.All checkbox and Add permissions.
  12. Click Add a permission.
  13. In the Request API permissions panel, select the Azure Key Vault tile. NOTE: To see Azure Key Vault listed, the Microsoft.KeyVault provider may need to be registered as described in a previous step.
  14. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Have Full Access to the Azure Key Vault service checkbox, and Add permissions.
  15. Click Add a permission.
  16. In the Request API permissions panel, select Azure Storage. You may have to select the APIs my organization uses tab to find Azure Storage. NOTE: To see Azure Storage listed, the Microsoft.Storage provider may need to be registered as described in a previous step.
  17. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Access Azure Storage checkbox, and Add permissions. 
  18. Click Grant admin consent for YourDirectory and Yes.
    Screen_Shot_2019-09-03_at_5.36.23_PM.png
    You should see the following permissions.