Configuring Azure Cloud

To configure Cloud Access Management for Azure Cloud, you'll need to register Cloud Access Management and give it the permissions required to read your Azure policies and resources inventory.

Note

You'll need Azure admin privileges to configure the access required by Cloud Access Management to govern Azure Cloud.

Follow these high-level steps:

  1. Register Cloud Access Management as a new application with Azure Cloud.

  2. Grant the permissions required to read your Azure Cloud policies and resources inventory.

  3. Create a client secret to use when registering your source in Cloud Access Management.

Registering Cloud Access Management with Azure Cloud

The first thing you need to do is register Cloud Access Management with Azure Cloud to begin connecting the two services.

  1. Log in to the Azure Cloud portal and select Azure Active Directory.

  2. Select Properties in the left sidebar.

  3. Copy the tenant ID that's displayed and save it somewhere accessible, as you'll need this information to register the cloud source with Cloud Access Management.

  4. Select App registrations in the left sidebar and select New registration to register Cloud Access Management.

  5. Enter an appropriate user-facing name for the new application (e.g., "SailPoint Cloud Access Management"), and keep the default single tenant option checked to ensure that only accounts in the organizational directory can access this application.

  6. Under Redirect URI, select Web from the dropdown menu, and enter https://cam.sailpoint.com in the field provided.

  7. Select Register to register Cloud Access Management with Azure Cloud.

  8. Copy the Application ID that's generated, as you'll need this information to register the cloud source with Cloud Access Management.

Granting Read Permissions to Cloud Access Management

After you've registered Cloud Access Management with Azure Cloud, you must grant it the permissions required to read the security policies configured for the Azure source and the resources inventory. Specifically, you'll need to set up a global admin role to enable read settings for your Microsoft Azure sources.

Setting Up the Global Admin Role

With the global admin role elevated, you can grant this access at the root management group level so that every subscription inherits the custom role from its management group.

Role assignments showing the resource reader role in the Management Group scope.

To set up the global admin role:

  1. Select Properties in Azure Active Directory.
  2. Set the toggle for "Access management for Azure resources" to Yes. This will allow you to manage access to all Azure subscriptions and management groups in the tenant.

Enabling Read Access to Microsoft Azure

You will need to enable the Directory.Read.All setting so that Cloud Access Management can read the Microsoft Azure inventory.

In the Azure Cloud portal:

  1. Select API Permissions in the left sidebar and choose Add a permission.
  2. In the list of APIs, select Microsoft Graph.
  3. Select Application permissions and expand the Directory category.
  4. Select the Directory.Read.All option to allow Cloud Access Management to read directory data on your Microsoft Azure source.
  5. Select Add permissions and Grant admin consent for SailPoint to add the permissions to Cloud Access Management.

Creating Strict Custom Roles

You can create custom roles with a more limited set of permissions.

In the Azure Cloud portal:

  1. Select the Management groups service.
  2. Select the root management group so that the role is inherited by the group's subscriptions.
  3. Next to the group's name, select (details).
  4. In the sidebar, select Access control (IAM).

  5. On the Add a role assignment card, select + Add and choose Add Custom Role.

  6. On the Basics tab, enter a custom role name, such as Resource Reader.

  7. Select the JSON tab.

  8. Select the Edit button. Enter the following JSON role definition, replacing the managementGroups ID with your own.

    {
        "properties": {
            "roleName": "Resource Reader",
            "description": "View strict list of resources, doesn't allow you to make any changes.",
            "assignableScopes": [
                "/providers/Microsoft.Management/managementGroups/aaaaaaa-9999-1234-5678-d1dd0000c000"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                        "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                        "Microsoft.ApiManagement/service/subscriptions/read",
                        "Microsoft.ApiManagement/service/groups/users/read",
                        "Microsoft.ApiManagement/service/users/groups/read",
                        "Microsoft.Authorization/roleAssignments/read",
                        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                        "Microsoft.Web/sites/Read",
                        "Microsoft.Storage/storageAccounts/read",
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                        "Microsoft.Cache/redis/read",
                        "Microsoft.Sql/managedInstances/databases/read",
                        "Microsoft.Sql/servers/read",
                        "Microsoft.Sql/servers/databases/read",
                        "Microsoft.Sql/servers/keys/read",
                        "Microsoft.Sql/managedInstances/administrators/read",
                        "Microsoft.Sql/servers/failoverGroups/read",
                        "Microsoft.Sql/servers/firewallRules/read",
                        "Microsoft.DBforMariaDB/servers/databases/read",
                        "Microsoft.DBforPostgreSQL/servers/databases/read",
                        "Microsoft.DBforMySQL/servers/databases/read",
                        "Microsoft.ClassicNetwork/networkSecurityGroups/read",
                        "Microsoft.Network/networkSecurityGroups/read",
                        "Microsoft.ClassicNetwork/virtualNetworks/read",
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/virtualNetworks/subnets/read",
                        "Microsoft.Network/routeTables/read",
                        "Microsoft.ClassicCompute/virtualMachines/read",
                        "Microsoft.Compute/virtualMachines/read",
                        "Microsoft.DocumentDB/databaseAccounts/read",
                        "Microsoft.Network/loadBalancers/read",
                        "Microsoft.Compute/disks/read",
                        "Microsoft.Sql/servers/databases/auditingSettings/read",
                        "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
                        "Microsoft.KeyVault/vaults/keys/read",
                        "Microsoft.KeyVault/vaults/read",
                        "Microsoft.KeyVault/vaults/secrets/read",
                        "Microsoft.Authorization/policyAssignments/read",
                        "Microsoft.Network/networkWatchers/read",
                        "Microsoft.Security/autoProvisioningSettings/read",
                        "Microsoft.Security/pricings/read",
                        "Microsoft.Insights/LogProfiles/Read",
                        "Microsoft.Insights/ActivityLogAlerts/Read",
                        "Microsoft.Security/securityContacts/read",
                        "Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read",
                        "Microsoft.Insights/eventtypes/values/Read",
                        "Microsoft.Authorization/*/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }

  9. Select Save to update the JSON role definition.

  10. Select Review + create to create the custom role.

  11. In the Select field, search for the application name you created earlier, such as SailPoint Cloud Access Management.

  12. Select Save to assign the custom role to Cloud Access Management.
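Before saving a custom role like the one above, it is worth checking that it really is read-only and scoped to a management group. The following audit script is an added example, not part of this documentation or SailPoint's tooling; it parses a constructed, trimmed copy of the Resource Reader role (management group ID replaced by a placeholder) and flags any control-plane action that is not a /read, any data-plane permission, and any assignable scope that is not a management group.

```python
import json
import re

# Constructed sample: a trimmed copy of the Resource Reader role from the page,
# with the management group ID replaced by a placeholder. Not SailPoint's file.
ROLE_JSON = """
{
  "properties": {
    "roleName": "Resource Reader",
    "description": "View strict list of resources, doesn't allow you to make any changes.",
    "assignableScopes": ["/providers/Microsoft.Management/managementGroups/<MG-ID>"],
    "permissions": [{
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
        "Microsoft.KeyVault/vaults/secrets/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [], "dataActions": [], "notDataActions": []
    }]
  }
}
"""

# A scope is acceptable only if it is a single management group, as the page prescribes.
MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")


def audit_role(role_json: str) -> dict:
    """Return findings for a role definition: actions that are not plain reads,
    data-plane permissions, and assignable scopes outside a management group."""
    props = json.loads(role_json)["properties"]
    findings = {"non_read_actions": [], "data_actions": [], "bad_scopes": []}
    for perm in props["permissions"]:
        for action in perm.get("actions", []):
            # Pure control-plane reads end in /read; write, delete, /action and
            # bare wildcards are flagged so a reviewer can justify each one.
            if not action.lower().endswith("/read"):
                findings["non_read_actions"].append(action)
        # dataActions reach inside resources (blob contents, secret values);
        # an inventory-only role should leave them empty.
        findings["data_actions"].extend(perm.get("dataActions", []))
    for scope in props["assignableScopes"]:
        if not MG_SCOPE.match(scope):
            findings["bad_scopes"].append(scope)
    return findings


def is_least_privilege(findings: dict) -> bool:
    """True when nothing was flagged."""
    return not any(findings.values())
```

Against the page's role, the only item flagged is listAssociatedResources/action, which is a list operation exposed as a POST action rather than a true write; a reviewer should confirm that and reject anything else the audit reports.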

Using Privileged Identity Management

If you are using Privileged Identity Management, or PIM, the permissions above will allow Cloud Access Management to detect access to Azure resources through eligible assignments.

Granting Access to the Management Groups Tree

Once you have the correct permissions, you will need to grant access to the entire management groups tree.

  1. Select Management groups service in the Azure Cloud portal.
  2. Select (details) next to the Tenant Root Group.
  3. In the sidebar, select Access control (IAM).
  4. Select + Add.

  5. On the Add a role assignment page, select the name of the custom role you created earlier.

  6. In the Role field, select the custom role.
  7. In the Select field, search for the application name you created earlier, such as SailPoint Cloud Access Management.
  8. Select Save to assign the custom role to Cloud Access Management.

Creating a Client Secret for Cloud Access Management

Lastly, you'll need to create a client (application) secret for Cloud Access Management.

  1. Remaining in the Azure Cloud portal, select Certificates and secrets in the left sidebar.

  2. Under Client secrets, select + New client secret and add a description and expiration date.

  3. Copy the client secret value that's generated and enter the client secret in the Application Secret field when you register the cloud source with Cloud Access Management.