Skip to content

Configuring Azure Cloud

To display your Azure Cloud resources and the access tied to them, you must first create policies and permissions in your cloud environment to allow Cloud Access Management to report on cloud access data.

Use an Azure account with administrative privileges to:

  1. Register Cloud Access Management as a new application with Azure AD.

  2. Grant permissions allowing Cloud Access Management to read your Azure Cloud policies and resources inventory.

  3. Create a client secret to use when registering your source with Cloud Access Management.

Registering Cloud Access Management with Azure

You must first register Cloud Access Management with Azure.

  1. Sign in to the Azure Cloud portal and select Azure Active Directory.

  2. Copy the tenant ID and save it somewhere accessible, as you'll need this information to register the cloud source with Cloud Access Management.

    Azure directory view with the tenant ID of the directory emphasized.

  3. Select App registrations in the left sidebar and select New registration.

  4. Enter a name for the new application, such as "SailPoint Cloud Access Management".

    Application registration form to enter the name, supported account types, and redirect URI.

  5. Under Supported account types, keep the default of allowing a single tenant to ensure that only accounts in the organizational directory can access this application.

  6. Select Register to register Cloud Access Management with Azure AD.
  7. Copy the Application (client) ID that's generated, as you'll need this information to register the cloud source with Cloud Access Management.

Granting Read Permissions to Cloud Access Management

After you’ve registered Cloud Access Management with Azure Cloud, you must grant it the permissions required to read the security policies configured for the Azure source and the resources inventory.

Setting Up the Global Admin Role

You must create a global admin role that can manage access at the root management group level. All subscriptions will inherit the custom role from their management group.

To set up the global admin role:

  1. Select Properties in Azure Active Directory.
  2. Set the toggle for Access management for Azure resources to Yes.
  3. Select Save.

This will allow you to manage access to all Azure subscriptions and management groups in the tenant.

Enabling Read Access to Microsoft Azure

You will need to enable the Directory.Read.All setting so that Cloud Access Management can read the Microsoft Azure inventory.

  1. Select App registrations in Azure Active Directory.
  2. Select the Cloud Access Management app you registered earlier.
  3. Select API permissions in the left sidebar and choose Add a permission.
  4. Select Microsoft Graph.
  5. Select Application permissions and expand the Directory category.

  6. Select Directory.Read.All to allow Cloud Access Management to read directory data on your Microsoft Azure source.

    7. Expand the Role Management category and select RoleManagement.Read.Directory to allow Cloud Access Management to read all directory role-based access control settings for the source.

  7. Select Add permissions and Grant admin consent to specify what the SailPoint app can request and to confirm the app is approved to make requests.

Creating Strict Custom Roles

Next, you will create custom roles with the minimum permissions required to allow Cloud Access Management to read your Azure Cloud data.

  1. Select Management groups in Azure Active Directory.
  2. Select the root management group to add the role to. The role will inherit the group’s subscriptions.
  3. In the sidebar, select Access control (IAM).
  4. Select Add and choose Add custom role from the dropdown menu.
  5. On the Basics tab, enter a custom role name, such as Resource Reader.

  6. Select the JSON tab.

    Window to enter a JSON to create a strict role.

  7. Select the Edit button. Enter the following JSON schema, replacing the managementGroups ID with your own.

    Display required permissions 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
    {
    "properties": {
        "roleName": "Resource Reader",
        "description": "View strict list of resources, doesn't allow you to make any changes.",
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/aaaaaaa-9999-1234-5678-d1dd0000c000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                    "Microsoft.ApiManagement/service/subscriptions/read",
                    "Microsoft.ApiManagement/service/groups/users/read",
                    "Microsoft.ApiManagement/service/users/groups/read",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Cache/redis/read",
                    "Microsoft.Sql/managedInstances/databases/read",
                    "Microsoft.Sql/servers/administrators/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/keys/read",
                    "Microsoft.Sql/managedInstances/administrators/read",
                    "Microsoft.Sql/servers/failoverGroups/read",
                    "Microsoft.Sql/servers/firewallRules/read",
                    "Microsoft.DBforMariaDB/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.DBforMySQL/servers/databases/read",
                    "Microsoft.ClassicNetwork/networkSecurityGroups/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.ClassicNetwork/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.ClassicCompute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Sql/servers/databases/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
                    "Microsoft.Network/networkWatchers/read",
                    "Microsoft.Security/autoProvisioningSettings/read",
                    "Microsoft.Security/pricings/read",
                    "Microsoft.Insights/LogProfiles/Read",
                    "Microsoft.Insights/ActivityLogAlerts/Read",
                    "Microsoft.Security/securityContacts/read",
                    "Microsoft.Insights/eventtypes/values/Read",
                    "Microsoft.KeyVault/vaults/keys/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Web/sites/Read",
                    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  8. Select Save to update the JSON schema and Review + create to create the custom role.

  9. In the Select field, search for the application you registered.

  10. Select Save to assign the custom role to Cloud Access Management.

You will use this role to grant access to the management groups tree.

Privileged Identity Management

If you have an Azure AD Privileged Identity Management Premium P2 license, Cloud Access Management will display access users have to Azure resources from their PIM eligible assignments.

Granting Access to the Management Groups Tree

Once you have the correct permissions, you must grant access to the entire management groups tree.

  1. Select Management groups in the Azure Cloud portal.

  2. Select the root group name and select Access control (IAM) from the left sidebar.

  3. Select Add and select Add role assignment from the dropdown menu.

  4. In the role section, search for and select the custom role you created earlier. Select Next.

    Role assignment window.

  5. In the Members tab, select the radio button next to User, group, or service principal.

  6. Select Select members. Search for and select the application you registered.

    Role assignment setting to assign access to the selected SailPoint member.

  7. Confirm your selection using the Select button.

  8. Select Review + Assign to assign the role to Cloud Access Management.

Creating a Client Secret for Cloud Access Management

To finish registering your Azure Cloud accounts, you'll need to create a client secret for Cloud Access Management.

  1. Select App registrations in Azure Active Directory and choose the application you named earlier.
  2. Select Certificates & secrets.

  3. Under Client secrets, select + New client secret and add a description and expiration date.

    Best Practice

    Set an expiration date of 6 months.

  4. Select Add.

  5. Save the Value and Secret ID in a safe place. You will enter the client secret in the Application Secret field when you register the cloud source with Cloud Access Management.

Comments