This procedure is deprecated. Visit Manually Create an Azure App for Integration for the updated procedure.

The Azure App that was created must be given access permissions to the following Azure APIs:

• Microsoft Graph
• Azure Storage
• Azure Key Vault
• Windows Azure Active Directory

To grant the access permissions to the Azure APIs to the Azure App:

1. In the left panel, select Azure Active Directory.
   

2. Select App registrations.
   

3. From the App registrations panel, select the Lacework SA Audit App created in the previous section.
   

4. Click API permissions and Add a permission.

5. In the Request API permissions panel, select the Microsoft Graph tile.

6. In the Request API permissions panel, click the Application permissions tile.
   

7. In the Request API permissions panel, scroll down and expand User.
   Click the User.Read.All checkbox.

8. In the Request API permissions panel, scroll down and expand Azure Active Directory Graph.
   Click the Directory.Read.All checkbox and Add permissions.
   UPDATE As part of Azure's plan to deprecate this API (June 2022), the Portal may not allow you to select Azure Active Directory Graph API (so it'll be greyed out). As a workaround, you can execute the following in your shell (you may need to do 'az login' again if using Azure Cloud Shell)

   Directory.read permission using old Azure AD Graph API

   client=YOUR_APPLICATION_ID az ad app permission add --id $client --api 00000002-0000-0000-c000-000000000000 --api-permissions 5778995a-e1bf-45b8-affa-663a9f3f4d04=Role az ad app permission grant --id $client --api 00000002-0000-0000-c000-000000000000

9. Click Add a permission.

10. In the Request API permissions panel, select the Azure Key Vault tile. NOTE: To see Azure Key Vault listed, the Microsoft.KeyVault provider may need to be registered as described in a previous step.

11. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation - Have Full Access to the Azure Key Vault service checkbox, and Add permissions.
    

12. Click Add a permission.

13. In the Request API permissions panel, select Azure Storage. You may have to select the APIs my organization uses tab to find Azure Storage. NOTE: To see Azure Storage listed, the Microsoft.Storage provider may need to be registered as described in a previous step.
14. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Access Azure Storage checkbox, and Add permissions.
15. Click Grant admin consent for YourDirectory and Yes.
    

You should see the following permissions.