Microsoft Azure discoveries

Two types of Microsoft Azure discoveries are supported:

  1. Microsoft Azure virtual network discoveries, which browse resources hosted on Azure such as virtual machines. The discovered assets are listed by address and can be saved later as agentless mode connections.

  2. Microsoft Entra ID (formerly Azure AD) discoveries, which list all the devices registered in the directory, wherever they are hosted. This discovery provides a broad view of available assets. It is also possible to perform external scans on devices managed by Microsoft Intune.

Both types of discovery use the same type of credentials, although the required permissions are different.

Configure your API access

To connect Cyberwatch to the Microsoft Azure API, you need 3 pieces of information:

  1. your tenant ID,
  2. an application’s client ID,
  3. the application’s client secret.

To get an application client ID, you need to access the Microsoft Entra console, service Microsoft Entra ID, and create a new app registration. From its overview, you should be able to get your tenant ID and the applications’s client ID.

Once the app registration is created, you need to give it read access to your infrastructure, from the Subscriptions service, Access control (IAM) menu, Role assignments tab.

Back to the app registration, you may then create a client secret from menu Certificates & secrets.

With these 3 pieces of information, you will be able to create a Microsoft Azure credential in Cyberwatch from menu Stored credentials.

Notes:

To use the connector Microsoft Azure API, the application needs to have the following roles:

  • Managed Application Contributor Role
  • Storage Account Contributor
  • Virtual Machine Contributor

Create a Microsoft Azure virtual network discovery

  1. From Discoveries, click Add. Click Microsoft Azure in the Cloud infrastructure category.
  2. Enter the name of the scan.
  3. Select optional groups that will be affected to the scan.
  4. Choose the source of the scan (the Cyberwatch machine that will run the operation).
  5. Using the Credentials selector, pick the Microsoft Azure account registered in previous steps.
  6. Select the discovery mode in order to choose which information will be used to list the discovered assets.
  7. Choose a recurrence. The default value 0 days means the scan will be launched only once.
  8. Optional - Select an agentless mode connection credential.
  9. Click Confirm.

When created, the discovery is immediately started as a background task. You may check state of the task any time from Discoveries.

Register discovered assets

Discovered assets may be registered as agentless connections as follows:

  1. From menu Discoveries, access to the list of assets discovered by clicking on the corresponding List button on the right of the table.
  2. Select the assets to register.
  3. Click on Bulk actions > Scan with agentless connections.
  4. Select a connection of type Microsoft Azure API and a set of Microsoft Azure credentials. This type of connection must be authorized in the Administration > Connectors menu by selecting the Microsoft Azure API checkbox.

Notes:

  • To use the ‘Microsoft Azure API’ connector, the credential’s application must have the following roles:
    • Managed Application Contributor Role
    • Storage Account Contributor
    • Virtual Machine Contributor
  • The address, region and resource_group_name fields of the agentless connection will be pre-populated with the domain name, region and resource_group_name of the asset in the used Azure inventory.
  • It is also possible to add the asset directly without using a discovery by going to Agentless connections > Add and selecting the type Microsoft Azure API.

Create a Microsoft Entra ID discovery

Microsoft Entra ID discoveries require special permissions to the Microsoft Graph API. You can grant them using the Azure portal, service Microsoft Entra ID, menu App registrations, selecting your application, then in menu API permissions by clicking button Add a permission. The required permissions are:

  • Microsoft Graph > Application permissions > Device.Read.All to list the assets in the directory,
  • Microsoft Graph > Application permissions > DeviceManagementManagedDevices.Read.All to fetch the Intune ID of the devices managed by Microsoft Intune.

After granting the permissions, you need to validate them by granting admin consent, on the same page.

Back to Cyberwatch, section Assets:

  1. From Discoveries, click Add. Click Microsoft Entra ID in the Local infrastructure category.
  2. Enter the name of the scan.
  3. Select optional groups that will be affected to the scan.
  4. Choose the source of the scan (the Cyberwatch machine that will run the operation).
  5. Using the Credentials selector, pick the Microsoft Azure account registered in previous steps.
  6. Choose a recurrence. The default value 0 days means the scan will be launched only once.
  7. Click Confirm.

Assets are listed by display name, which is usually not enough for performing WinRM or SSH scans. However, the discovery detects assets managed by Microsoft Intune and obtains their device ID, which can be used to create Microsoft Intune agentless connections.

Creation of Microsoft Intune agentless connections requires the activation of this connections type in the Administration > Connectors management menu.

Assets can be added to Cyberwatch manually from the list of discovered assets, or by selecting an agentless mode connection credential of type Microsoft Azure in the discovery edit form.

Assets scanned through Microsoft Intune detect the Windows version and the installed applications, providing a quick and easy way to scan a set of assets without having an account on the assets. However, without the ability to run code on the assets, the scanning capabilities are limited.