Microsoft Azure discoveries

Two types of Microsoft Azure discoveries are supported:

  1. Microsoft Azure virtual network discoveries, which browse resources hosted on Azure such as virtual machines. The discovered assets are listed by address and can be saved later as agentless mode connections

  2. Microsoft Entra ID (formerly Azure AD) discoveries, which list all the devices registered in the directory, wherever they are hosted. This discovery provides a broad view of available assets. It is also possible to perform external scans on devices managed by Microsoft Intune

Both types of discovery use the same type of credentials, although the required permissions are different.

Prerequisites

Microsoft Azure virtual network

  • Azure API credentials, i.e.:

    • Microsoft tenant ID
    • Application (client) ID
    • Client secret
  • Application registration with read access rights on the Azure resources to be discovered
  • To register discovered assets, the application must additionally hold the following Azure roles:

    • Storage Account Contributor
    • Virtual Machine Contributor
    • Managed Application Contributor Role
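The prerequisites above boil down to one app registration (tenant ID, client ID, client secret) used against two different APIs: Azure Resource Manager for the virtual network discovery and Microsoft Graph for the Entra ID discovery. The following script is an added example, not Cyberwatch's code, showing that client-credentials flow with the standard library only. It assumes the conventional AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_SUBSCRIPTION_ID environment variables, the Compute API version 2023-03-01 and the Graph device properties it selects; the token decoder only inspects claims and does not verify signatures.

```python
"""Client-credentials authentication for both Azure discovery kinds (stdlib only)."""
import base64
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
# Same app credentials, different audience: ARM for the virtual network
# discovery, Microsoft Graph for the Entra ID device discovery.
ARM_SCOPE = "https://management.azure.com/.default"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assumed Graph query: the device resource exposes these properties.
DEVICES_URL = ("https://graph.microsoft.com/v1.0/devices"
               "?$select=id,displayName,operatingSystem,isManaged")


def token_request(tenant_id, client_id, client_secret, scope):
    """Build the OAuth2 client-credentials request: token endpoint URL and form body."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def get_token(tenant_id, client_id, client_secret, scope):
    """POST the request and return the bearer access token."""
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_claims(token):
    """Decode the JWT payload for inspection (aud, roles); no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def vm_list_url(subscription_id):
    """ARM endpoint listing every VM in a subscription (assumed Compute API version)."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            "/providers/Microsoft.Compute/virtualMachines?api-version=2023-03-01")


def paged_get(url, token, next_key):
    """GET a collection and follow the server-side paging link until it is exhausted."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get(next_key)  # ARM uses "nextLink", Graph "@odata.nextLink"
    return items


def discover(tenant_id, client_id, client_secret, subscription_id):
    """Run both discovery kinds with one set of credentials; return (vms, devices)."""
    arm_token = get_token(tenant_id, client_id, client_secret, ARM_SCOPE)
    print("ARM token audience:", token_claims(arm_token).get("aud"))
    vms = paged_get(vm_list_url(subscription_id), arm_token, "nextLink")
    graph_token = get_token(tenant_id, client_id, client_secret, GRAPH_SCOPE)
    print("Graph token app roles:", token_claims(graph_token).get("roles"))
    devices = paged_get(DEVICES_URL, graph_token, "@odata.nextLink")
    return vms, devices


if __name__ == "__main__":
    keys = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID")
    env = [os.environ.get(k) for k in keys]
    if all(env):
        vms, devices = discover(*env)
        for vm in vms:
            print("VM     ", vm["location"], vm["id"])
        for d in devices:
            state = "Intune-managed" if d.get("isManaged") else "unmanaged"
            print("Device ", d.get("displayName"), d.get("operatingSystem"), state)
    else:
        print("Set", ", ".join(keys), "to run the discovery.")
```

If the virtual network listing returns an authorization error while the Graph call succeeds (or vice versa), the credentials are fine and the gap is in the role assignments or Graph application permissions, which is exactly the distinction the prerequisites draw; the printed "roles" claim of the Graph token shows which application permissions were actually granted.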

Create a Microsoft Azure virtual network discovery

  1. From Discoveries, click Add. Click Microsoft Azure in the Cloud infrastructure category
  2. Enter the name of the scan
  3. Optionally select the groups to assign to the scan
  4. Choose the source of the scan (the Cyberwatch machine that will run the operation)
  5. Using the Credentials selector, pick the Microsoft Azure account registered in previous steps
  6. Select the discovery mode, which determines which information is used to list the discovered assets
  7. Choose a recurrence. The default value 0 days means the scan will be launched only once
  8. Optional - Select an agentless mode connection credential
  9. Click Confirm

Once created, the discovery starts immediately as a background task. You can check the state of the task at any time from Discoveries.

Register discovered assets

Discovered assets may be registered as agentless connections as follows:

  1. From the Discoveries menu, open the list of discovered assets by clicking the corresponding Display discovered assets link
  2. Select the assets to register
  3. Click on Bulk actions > Scan with agentless connections
  4. Select a connection of type Microsoft Azure API and a set of Microsoft Azure credentials. This connection type must first be enabled in the Administration > Connectors menu by ticking the Microsoft Azure API checkbox

Notes:

  • To use the ‘Microsoft Azure API’ connector, the credential’s application must have the following roles:
    • Managed Application Contributor Role
    • Storage Account Contributor
    • Virtual Machine Contributor
  • The address, region and resource_group_name fields of the agentless connection are pre-populated with the domain name, region and resource group name of the asset as found in the Azure inventory used by the discovery
  • It is also possible to add the asset directly without using a discovery by going to Agentless connections > Add and selecting the type Microsoft Azure API
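The two notes above, the role requirement for the Microsoft Azure API connector and the pre-population of address, region and resource_group_name from the inventory, can be checked before registering anything. The script below is an added example and not Cyberwatch's own code: it parses ARM resource IDs to derive the connection fields from a VM record, and reports which of the three required roles a service principal lacks at the VM's scope, using the field names of `az role assignment list` output. The VM, public IP and assignment records are constructed sample data, and the fallback to the VM name when no DNS label exists is an assumption.

```python
"""Map Azure inventory records to agentless connection fields; check required roles."""
import re

# ARM resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Built-in roles the Microsoft Azure API connector requires on the credential's application.
REQUIRED_ROLES = (
    "Managed Application Contributor Role",
    "Storage Account Contributor",
    "Virtual Machine Contributor",
)

# Constructed sample inventory: one VM, its public IP record, and the principal's assignments.
SUB = "00000000-0000-0000-0000-000000000000"
VM = {
    "id": f"/subscriptions/{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-01",
    "name": "web-01",
    "location": "westeurope",
}
PUBLIC_IP = {"properties": {"dnsSettings": {"fqdn": "web-01-prod.westeurope.cloudapp.azure.com"}}}
ASSIGNMENTS = [
    {"principalId": "sp-1", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": "sp-1", "roleDefinitionName": "storage account contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-prod"},
    {"principalId": "sp-1", "roleDefinitionName": "Managed Application Contributor Role",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-other"},  # wrong resource group
    {"principalId": "sp-2", "roleDefinitionName": "Managed Application Contributor Role",
     "scope": "/"},
]


def parse_resource_id(resource_id):
    """Split an ARM resource ID into its named components."""
    m = RESOURCE_ID.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource id: {resource_id}")
    return m.groupdict()


def connection_fields(vm, public_ip=None):
    """Derive the agentless connection fields from a VM record and its public IP record."""
    parts = parse_resource_id(vm["id"])
    fqdn = None
    if public_ip:
        fqdn = public_ip.get("properties", {}).get("dnsSettings", {}).get("fqdn")
    return {
        "address": fqdn or vm["name"],  # assumption: fall back to the VM name without a DNS label
        "region": vm["location"],
        "resource_group_name": parts["resource_group"],
    }


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to a target when its scope is the target or an ancestor of it."""
    s = assignment_scope.lower().rstrip("/")
    t = target_scope.lower()
    return t == s or t.startswith(s + "/")


def missing_roles(assignments, principal_id, target_scope):
    """Required roles the principal does not hold at a scope covering target_scope."""
    granted = {
        a["roleDefinitionName"].casefold()
        for a in assignments
        if a["principalId"] == principal_id and scope_covers(a["scope"], target_scope)
    }
    return [r for r in REQUIRED_ROLES if r.casefold() not in granted]


if __name__ == "__main__":
    print("connection fields:", connection_fields(VM, PUBLIC_IP))
    lacking = missing_roles(ASSIGNMENTS, "sp-1", VM["id"])
    print("roles missing for sp-1 on", VM["name"], ":", lacking or "none")
```

Role names are compared case-insensitively because `roleDefinitionName` is displayed, not canonical, and an assignment only counts when its scope is the VM's resource ID or one of its ancestors (resource group, subscription, root), so a role granted on a different resource group is correctly reported as missing.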
