
Azure Onboarding Guide

The purpose of this document is to outline the concept of Cloudneeti application integration with the customer’s Microsoft Azure subscriptions, the required preparations and prerequisites, and the specific onboarding steps.

Azure Overview

Follow these steps to onboard the Azure subscription:

| Step No | Description | Portal |
|---|---|---|
| 1 | Prerequisites | |
| 2 | Register Cloudneeti Service Principal in the Azure AD and grant admin consent to Cloudneeti Service Principal | PowerShell or Azure AD portal |
| 3 | Assigning Role on Azure Subscription to Cloudneeti Service Principal | Azure AD portal |
| 4 | Activating Cloudneeti License and Onboarding Azure Account | Cloudneeti application portal |
| 5 | Verification of Data Collection | Cloudneeti application portal |
| 6 | Notification Configuration | Cloudneeti application portal |

1. Prerequisites

Upon customer request, Cloudneeti license(s) will be configured and email invitation(s) will be sent to License Administrator(s). Additional users within Cloudneeti applications will be provisioned by the customer’s License Administrator.

The following activities need to be completed by the customer prior to onboarding. Prerequisite steps 5 to 9 are required only if the onboarding automation script is used (section 2.2, Automation, under Register Cloudneeti Service Principal in the Azure AD).

  1. Engage a user with Global AD administrator rights: the Azure administrator must have enough permissions in the Azure AD to create the required service principal for Cloudneeti.

  2. Engage a user with owner access permissions to the Azure subscription: assign the 'Reader' permission to the Cloudneeti Service Principal on the Azure subscription.

  3. Engage a user with owner access permissions to the Azure subscription: assign the 'Website Contributor' permission to the Cloudneeti Service Principal on the Azure subscription.

    The Cloudneeti Service Principal needs the Website Contributor role on the subscription in order to view application settings. This step is optional; if the Website Contributor role is not assigned, 15 policies (refer to section 3.2) will show "No Data" on the Cloudneeti portal.

  4. Have the Azure Subscription ID: this is a mandatory field for onboarding an Azure Subscription to Cloudneeti.

  5. Download and review the PowerShell script for creation of the Cloudneeti Service Principal: the PowerShell script is used to create a Cloudneeti Service Principal in the Azure tenant AD: Download Link.

  6. Have the Azure Directory/Tenant ID: this is a mandatory field for onboarding an Azure Subscription to Cloudneeti.

  7. Workstation: ensure you have the latest PowerShell version (v5 and above). Verify the PowerShell version by running the command below on the workstation where you will run the Cloudneeti Service Principal creation script.

    $PSVersionTable.PSVersion

    If the PowerShell version is lower than 5, then follow this link to install a later version: Download Link

  8. Workstation: before executing the script, make sure there are no restrictions on running the PowerShell script. Use this command:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    PowerShell contains built-in execution policies that limit its use as an attack vector. By default, the execution policy is set to Restricted, which is the primary policy for script execution. Bypass allows scripts to run, and the -Scope Process parameter keeps the relaxed policy isolated to just the current PowerShell process.

  9. Workstation: install the Azure module needed to execute the PowerShell commands within the service principal automation script:

    Install-Module -Name AzureAD -MinimumVersion 2.0.0.131

    It is a roll-up module for the Azure Resource Manager cmdlets.

1.1 Getting Azure Tenant ID and Domain name

  1. Login to the Azure Portal, choose your Azure AD tenant by selecting your account in the top right corner of the page

    Azure Overview

  2. Click on Azure Active Directory in the primary menu. Click on Properties in the secondary menu. Copy the Directory ID to a notepad.

    Azure Overview

  3. Click on Azure Active Directory in the left pane and click on Custom domain names to get the domain name.

    Azure Overview

2. Register Cloudneeti Service Principal in the Azure AD

Registering the Cloudneeti Service Principal in the Azure AD can be done manually or using the automation script.

2.1 Manual

  1. Register Cloudneeti Service Principal

    a. Login to Azure Portal with Global Administrator role

    b. Go to Azure Active Directory in the primary menu. Select App Registrations in the secondary menu and click on New registration.

    Service Principal - Azure Portal

    c. Enter the name (for example "Cloudneeti")

    d. Click on Register button to create Cloudneeti Service Principal.

    e. Copy the Cloudneeti Service Principal ID.

    Service Principal - Azure Portal

  2. Add Client Secret to Cloudneeti Service Principal

    a. Click on New client secret in the "Client Secret" section

    Client Secret

    b. Add a description and select the expiry time

    c. Click on the Add button

    d. Copy the Client Secret value to the clipboard and paste it into your notepad (the value is displayed only once)

    Client Secret

  3. Add the Microsoft Graph permissions

    This step is needed to gain access to Azure AD related policies. If the customer does not want to grant the Cloudneeti application access to the customer's Azure AD, the Cloudneeti application will not be able to provide Azure AD related security posture information.

    a. Click on API Permissions

    b. Add the permission below:

    | API | Permission Name | Type |
    |---|---|---|
    | Microsoft.Graph | Directory.Read.All (Refer here) | Application |

    c. Click on the 'Grant admin consent' button in the 'Grant consent' section.

    d. Verify the success message showing Successfully granted admin consent for the requested permissions.

    Service Principal - Azure Portal

2.2 Automation

Use the Create-ServicePrincipal-AzureOnboarding.ps1 script to create and register a Cloudneeti Service Principal.

  1. Open PowerShell in administrator mode. An administrative prompt is needed only to install missing Azure PowerShell modules.

  2. Go to the directory where Create-ServicePrincipal-AzureOnboarding.ps1 was downloaded earlier.

  3. Run the below command to create a service principal:

    .\Create-ServicePrincipal-AzureOnboarding.ps1 -azureActiveDirectoryId <Active_Directory_Id> -servicePrincipalName <data_collector_name> -expirationPeriod 1year
    
    

  4. The script will prompt the login screen; you need to log in with Global AD Administrator or Application Administrator user credentials.

  5. Store service principal information from the output in a secure place. This information will be needed while onboarding the Azure account in the Cloudneeti application.

    Service Principal Screenshot

    If the user does not want to provide the Microsoft Graph permissions listed in section 2.1, step 3 (Add the Microsoft Graph permissions), use the disableADPolicies switch in the Create-ServicePrincipal-AzureOnboarding.ps1 command:

    .\Create-ServicePrincipal-AzureOnboarding.ps1 -azureActiveDirectoryId <Active_Directory_Id> -disableADPolicies -servicePrincipalName <data_collector_name> -expirationPeriod 1year
    
    

  6. Grant admin consent to Cloudneeti Service Principal

This step is needed to gain access to Azure AD related policies. If the customer does not want to grant the Cloudneeti application access to the customer's Azure AD, the Cloudneeti application will not be able to provide Azure AD related security posture information.

Follow the steps below to grant permission:

a. Sign in to the Azure portal as a global administrator.
b. Click on Azure Active Directory.
c. Navigate to the App Registrations blade.
d. Select Cloudneeti Service Principal.

Service Principal - Azure Portal

e. Go to API permissions and confirm Microsoft Graph permissions.

f. Click on the 'Grant admin consent’ button in the ‘Grant consent’ section for the listed permissions.

Grant permission

3 Assigning Role

Assign the required roles to the Cloudneeti Service Principal on the customer subscription.

3.1 Reader and backup reader

Follow the steps below to assign the Reader and Backup Reader roles to the Cloudneeti Service Principal on the Azure subscription:

  1. Go to the subscription's Access control (IAM) in the third level menu.

  2. Click on the Add button and select Add role assignment.

  3. Select Reader role and Cloudneeti service principal.

  4. Select Save to complete the role assignment.

    Assign role

3.2 Website Contributor

This step is needed to gain access to application settings. If the Website Contributor role is not assigned, the 15 policies below will show "No Data" on the Cloudneeti portal.

| Policy ID | Policy Name | Category |
|---|---|---|
| 1900.42 | Ensure that 'App Insights' are configured for Azure Web Apps | Azure - Compute (PaaS and Serverless) |
| 1900.43 | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Mobile Apps | Azure - Compute (PaaS and Serverless) |
| 1900.44 | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for API Apps | Azure - Compute (PaaS and Serverless) |
| 1900.51 | Ensure that latest supported Node.js version is used for Web Application | Azure - Compute (PaaS and Serverless) |
| 1900.63 | Ensure that WEBSITE_LOAD_CERTIFICATES parameter is not set to '*' for Function Apps | Azure - Compute (PaaS and Serverless) |
| 1900.72 | Ensure that 'App Service Authentication' is enabled for Function apps | Azure - Compute (PaaS and Serverless) |
| 1900.73 | Ensure that 'App Service Authentication' is enabled for API apps | Azure - Compute (PaaS and Serverless) |
| 1900.74 | Ensure that 'App Service Authentication' is enabled for Mobile apps | Azure - Compute (PaaS and Serverless) |
| 1900.75 | Ensure that 'App Service Authentication' is enabled for Web apps | Azure - Compute (PaaS and Serverless) |
| 1900.78 | Ensure that latest supported Node.js version is used for Function Apps | Azure - Compute (PaaS and Serverless) |
| 1900.79 | Ensure that latest supported Node.js version is used for API Apps | Azure - Compute (PaaS and Serverless) |
| 1900.80 | Ensure that latest supported Node.js version is used for Mobile Apps | Azure - Compute (PaaS and Serverless) |
| 1900.84 | Ensure that 'App Insights' are configured for Azure Mobile Apps | Azure - Compute (PaaS and Serverless) |
| 1900.85 | Ensure that 'App Insights' are configured for Azure Function Apps | Azure - Compute (PaaS and Serverless) |
| 1900.86 | Ensure that 'App Insights' are configured for Azure API Apps | Azure - Compute (PaaS and Serverless) |

Follow the steps below to assign the Website Contributor role to the Cloudneeti Service Principal on the Azure subscription.

  1. Go to the subscription's Access control (IAM) in the third level menu.

  2. Click on the Add button and select Add role assignment.

  3. Select Website Contributor role and Cloudneeti service principal.

  4. Select Save to complete the role assignment.

    Assign role
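As an added verification example (not part of this guide or the Cloudneeti onboarding script), the PowerShell below confirms that the service principal holds only the roles granted in sections 3.1 and 3.2 on the subscription and reports when its client secret (section 2.1 step 2, or the script's -expirationPeriod) is close to expiry. It assumes the Az (Az.Accounts, Az.Resources) and AzureAD modules are installed, that the signed-in user can read role assignments and Azure AD applications, and that the display name chosen in section 2 was "Cloudneeti".

```powershell
# Added example: post-onboarding least-privilege check for the Cloudneeti service principal.
# Assumes the Az (Az.Accounts, Az.Resources) and AzureAD modules are installed and that the
# signed-in user can read role assignments on the subscription and applications in Azure AD.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $ServicePrincipalName = 'Cloudneeti',   # display name chosen in section 2
    [switch] $ExpectWebsiteContributor               # set if section 3.2 was performed
)

$expected = @('Reader')
if ($ExpectWebsiteContributor) { $expected += 'Website Contributor' }

Connect-AzAccount -TenantId $TenantId -Subscription $SubscriptionId | Out-Null
Connect-AzureAD -TenantId $TenantId | Out-Null

# Resolve the service principal and its application object from the display name.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$ServicePrincipalName'"
if (-not $sp) { throw "Service principal '$ServicePrincipalName' not found in tenant $TenantId" }
$app = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"

# 1. Role assignments visible at subscription scope (direct and inherited):
#    anything beyond the onboarding roles is over-privilege and is flagged.
$scope = "/subscriptions/$SubscriptionId"
$roles = Get-AzRoleAssignment -ObjectId $sp.ObjectId -Scope $scope |
         Select-Object -ExpandProperty RoleDefinitionName -Unique

$missing = @($expected | Where-Object { $_ -notin $roles })
$extra   = @($roles    | Where-Object { $_ -notin $expected })
foreach ($r in $missing) { Write-Warning "Missing role assignment: $r on $scope" }
foreach ($r in $extra)   { Write-Warning "Unexpected role (over-privileged): $r on $scope" }
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Output "Role assignments match the expected set: $($expected -join ', ')"
}

# 2. Client secrets live on the application object (App registrations > Certificates & secrets);
#    flag any that have expired or expire within 30 days so rotation happens before data stops.
$now = (Get-Date).ToUniversalTime()
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
    $daysLeft = [int]($_.EndDate - $now).TotalDays
    if ($daysLeft -lt 0)      { Write-Warning "Secret $($_.KeyId) expired on $($_.EndDate)" }
    elseif ($daysLeft -le 30) { Write-Warning "Secret $($_.KeyId) expires in $daysLeft days" }
    else                      { Write-Output  "Secret $($_.KeyId) valid for $daysLeft days" }
}
```

Run it after completing section 3 and again on a schedule; a role reported as unexpected means the principal was granted more than the Reader and Website Contributor access this guide calls for.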

4 Onboarding Azure Subscription

  1. Log in to the Cloudneeti portal using the license admin user credentials.

  2. If the license is not activated, click on the ‘Activate License’ button to activate the license.

    Activate License

    OR

    If the license is already activated,

    a. Go to Settings > Manage Accounts on the Cloudneeti portal

    Activate License

    b. Click on the Add Cloud Account button

    Activate License

    c. Select the License to add a cloud account

    Select License

  3. Select Azure connector.

    Azure connector

  4. Fill in the account and service principal information from the output of section 2.1 or 2.2.

    Add account

  5. Click on 'Get Subscriptions' to get the list of subscriptions on which the Cloudneeti service principal has Reader access.

  6. Select the Azure subscription to onboard and click Save & Continue.

    Add Account - save and continue

5 Verification of Data Collection

Once the account is onboarded to Cloudneeti, it takes a few minutes for the data to be collected, processed, and rendered on the Cloudneeti Dashboard. Perform the steps under section 6 (Notification Configuration) to set up the Cloudneeti account notifications.

  1. Click on ‘Go To Dashboard’ to see the data.

    Dashboard

  2. Verify data on dashboard

    Dashboard

Congratulations! You have just on-boarded an Azure subscription to Cloudneeti. Subsequent onboardings will take less time (usually less than 10 minutes).

6 Notification Configuration

To receive email notifications from the Cloudneeti Bot, follow the steps below.

  1. On the Cloudneeti portal, navigate to Settings
  2. Select the desired License and Account
  3. Click on the Configure button and select Configure Notifications
  4. Enter comma separated email addresses.

    Configure Notifications

  5. Click on save button.