If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to show you how to register an Azure AD application that the SkyFormation Azure Cloud App Connector can use to authenticate to your Azure tenant from your SkyFormation Platform.
Process Steps
1. Log into your Azure account (https://portal.azure.com).
2. Open Azure Active Directory
3. Navigate to Properties and note the value of Directory ID (a.k.a. Tenant ID); you will need it when adding the connector
4. Navigate to App registrations, create a new app by clicking + New registration
5. Fill application details:
Name: SkyFormationApp;
Supported account types: Choose "Accounts in this organizational directory only ([Your organization name])"
6. Click "Register"
7. From the page of the just created app, note the value of Application ID (a.k.a. Client ID)
8. Navigate to Certificates & secrets from the just created app page
9. Starting from release 2.4.108, two authentication methods are available:
1) oauth2 (client secret)
2) certificate
Choose one of the above:
9a. For oauth2, create a key (a.k.a. client secret): enter a description, choose the expiration (the original procedure selected Never; if your tenant's portal only offers fixed periods, pick one and plan to rotate the secret before that date, because the connector stops authenticating the moment the secret expires) and click Add. The secret value is generated only at this point and is displayed once; copy it now, as Azure will not show it again.
Continue to step 11.
9b. For certificate, you need to attach a certificate to the app.
First, you need a certificate and its private key.
If you do not already have the certificate + private key files, generate a self-signed X.509 certificate with a new 2048-bit RSA key by running the following command in your terminal:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem
Two files are created in the directory where you ran the command:
- certificate.pem, the certificate (it carries the public key; this is the file you upload to Azure),
- key.pem, the unencrypted private key (-nodes). Keep it secret: it is what the connector uses to prove it is the app, so restrict its file permissions and never upload it to Azure.
Remember where these files are located, as you will need them in the next steps.
10b. Click "Upload certificate", browse to your certificate file (certificate.pem) and upload it to the app. Azure lists the certificate's thumbprint after the upload.
Continue to step 11.
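As an added example that is not part of the original guide, the following POSIX shell script wraps the openssl command from step 9b so that the certificate and key are created with safe permissions, verified to belong together, and reported with the SHA-1 thumbprint that Azure displays after upload (so you can confirm you uploaded the right file). The output directory, the subject (/CN=SkyFormationApp) and the function names are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the SkyFormation guide): generate the certificate
# and private key for the "certificate" authentication method, lock down the
# key, check that the key matches the certificate, and print the thumbprint
# Azure shows after upload. Directory, subject and function names are
# assumptions for illustration; the openssl invocation is the guide's.
set -eu

# Generate a self-signed X.509 certificate with a fresh 2048-bit RSA key.
# $1 = output directory, $2 = validity in days, $3 = subject (e.g. /CN=SkyFormationApp)
gen_cert_and_key() {
    dir=$1; days=$2; subject=$3
    mkdir -p "$dir"
    # umask in a subshell so key.pem is never created world-readable
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -x509 -days "$days" -subj "$subject" \
          -keyout "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null )
    chmod 600 "$dir/key.pem"           # private key: owner only
    chmod 644 "$dir/certificate.pem"   # certificate: public, safe to share
}

# SHA-1 thumbprint in the form the Azure portal displays (hex, no colons).
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Succeeds only if the public key in the certificate ($1) is the one derived
# from the private key ($2). Catches mixed-up files before the upload.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Succeeds if the certificate ($2) expires within $1 days; use it to schedule
# rotation, since the connector stops authenticating when the cert expires.
cert_expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

main() {
    dir=${1:-./skyformation-cert}
    gen_cert_and_key "$dir" 3650 "/CN=SkyFormationApp"
    key_matches_cert "$dir/certificate.pem" "$dir/key.pem"
    echo "Upload $dir/certificate.pem to the app; expected thumbprint: $(cert_thumbprint "$dir/certificate.pem")"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh gen-cert.sh ./skyformation-cert` (the file name is an assumption), then compare the printed thumbprint with the one Azure shows under Certificates & secrets after step 10b.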
11. Add permissions for the application by navigating to API permissions in the app page
12. In API permissions:
- Click "Add a permission"
- Select the API you need to add permissions to according to the table below
(e.g. Microsoft Graph)
- Check the needed permissions for that API according to the table below
(e.g. under Application permissions check the "Read all users' full profiles" permission)
- Repeat this for each permission needed in that API
- Click "Add permissions"
You should now see the permissions you just added listed under that API in the
app's permissions table.
Repeat step 12 for each API you need to add permissions to
according to the table below.
For CC version 2.4.254 and above, for Graph Security Alerts endpoint, grant the Application permission "SecurityEvents.Read.All" as well.
API Permissions needed table:
13. Click "Grant admin consent" so the permissions added above take effect; Application permissions do not work until an administrator consents to them for the tenant
Make sure you see a message that verifies the permissions were successfully granted
14. Navigate to Subscriptions in the Main Azure services menu by searching for "Subscriptions"
in the "All Services" page
15. Select a subscription you wish to monitor (you need to repeat the below process for each subscription you would like the SkyFormation Azure connector to monitor).
Assign roles and subscription scope to the application
Option 1: Set minimal permissions via CLI/PowerShell
Create a JSON file with this minimal custom role definition:
> In AssignableScopes (the last entry) list every subscription you want to attach, one "/subscriptions/<id>" entry per subscription.
> Make sure NOT to suffix the subscription ID with a trailing / character.
{
  "Name": "SK4 FlowLogs",
  "IsCustom": true,
  "Description": "SkyFormation role for pulling flow logs.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<id>"
  ]
}
Then create the role from this file and assign it to the application at the scope of each listed subscription.
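As an added example that is not part of the original guide, the following POSIX shell script generates the role definition above for one or more subscriptions, enforcing the two notes (one scope per subscription, no trailing "/"; it also rejects IDs that are not GUIDs), and then creates and assigns the role with the Azure CLI. The function names, the output file name and the APP_ID argument are assumptions; the role name and actions are the guide's.

```shell
#!/bin/sh
# Added example (not from the SkyFormation guide): build the "SK4 FlowLogs"
# custom role for several subscriptions, refusing the trailing-slash mistake
# the guide warns about, then create and assign it with the Azure CLI.
# Function names and the role file name are assumptions for illustration.
set -eu

# Turn a subscription ID (bare GUID or full "/subscriptions/<guid>", with or
# without trailing slashes) into the exact scope string the role expects.
normalize_scope() {
    id=$1
    while [ "${id%/}" != "$id" ]; do id=${id%/}; done   # strip trailing "/"
    id=${id#/subscriptions/}                             # accept full scope too
    expr "$id" : '[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$' >/dev/null \
        || { echo "invalid subscription id: $1" >&2; return 1; }
    printf '/subscriptions/%s\n' "$id"
}

# Print the role definition JSON for the given subscription IDs (one per arg).
# All IDs are validated before anything is printed.
build_role_json() {
    scopes=$(for sub in "$@"; do normalize_scope "$sub" || exit 1; done) || return 1
    set -- $scopes
    n=$#
    printf '%s\n' '{' \
        '  "Name": "SK4 FlowLogs",' \
        '  "IsCustom": true,' \
        '  "Description": "SkyFormation role for pulling flow logs.",' \
        '  "Actions": [' \
        '    "Microsoft.Storage/storageAccounts/listKeys/action",' \
        '    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"' \
        '  ],' \
        '  "NotActions": [],' \
        '  "DataActions": [],' \
        '  "NotDataActions": [],' \
        '  "AssignableScopes": ['
    i=0
    for s in "$@"; do
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then printf '    "%s",\n' "$s"; else printf '    "%s"\n' "$s"; fi
    done
    printf '%s\n' '  ]' '}'
}

# Create the role and assign it to the app (by Application/Client ID) on every
# subscription. Requires an "az login" session that can manage access on those
# subscriptions. A freshly created role can take a moment to propagate, so a
# failed assignment is usually fixed by re-running it.
apply_role() {
    app_id=$1; shift
    build_role_json "$@" > sk4-flowlogs-role.json
    az role definition create --role-definition @sk4-flowlogs-role.json >/dev/null
    for sub in "$@"; do
        az role assignment create --assignee "$app_id" --role "SK4 FlowLogs" \
            --scope "$(normalize_scope "$sub")" >/dev/null
    done
}

# Usage: sh sk4-role.sh <APP_ID> <subscription-id> [<subscription-id> ...]
if [ $# -ge 2 ]; then apply_role "$@"; fi
```

Validating the IDs before emitting anything matters because a role definition with a malformed scope is rejected only at creation time, and an assignment with a wrong scope string fails silently from the connector's point of view (it simply cannot read the flow logs).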
Option 2: Assign roles manually
> The Azure built-in roles are more permissive than required, but the roles below are the minimal subset that contains the required permissions
1. Click Access control (IAM) -> click Role assignments tab
NOTE: If the UI reports that the user does not have permission to set permissions, the cause could be either:
a. The user is not an administrator of the subscription
b. The subscription was generated by Office 365. This is a bug with Office 365. To work around it, create a new subscription; Free or Pay-As-You-Go is sufficient.
2. For each of the following Roles:
() Log Analytics Reader
() Network Contributor
() Storage Account Contributor
Note:
The Network Contributor and Storage Account Contributor roles are required
for the Storage Analytics and NSG flow logs endpoints.
The Cloud Connectors app only reads from these data sources and never
makes changes. The only reason these roles are required is that Azure has no
"Reader"-type built-in role for the specific network and storage actions the connector
needs (querying flow log status and listing storage account keys), only Contributor.
Both Contributor roles do grant write access to those resources, and listing storage
account keys yields keys that give full access to the storage account's data, so prefer
the custom role in Option 1 where you can and protect the app's client secret or
private key accordingly.
Repeat the below steps:
a. Press the "+ Add" link
b. In the "Add permissions" page put the following values:
() "Role": Choose from the list the role we are adding permissions for
(e.g. Log Analytics Reader)
() "Assign access to": Choose "Azure AD user, group, or application"
() "Select": Enter the name of the Azure app you created in step 5
(e.g. SkyFormationApp)
Press "Save"
After adding the roles to the Azure app, make sure you see each new role assigned to the Azure app in the IAM window.
NOTE: Beyond these subscription roles, the application has only the API permissions granted to it in steps 11 to 13.
You are done!
Next Steps
Now you are ready to add a SkyFormation Azure Connector to your SkyFormation Platform.
Please make sure you keep:
- the Client ID (Application ID) of your newly created Azure app
- your Tenant ID (Directory ID)
- the generated client secret value (oauth2) or the certificate and private key files (certificate)
Treat the secret or private key as a credential: store it in your secrets store, not in tickets or e-mail.