Integrating with Azure
Overview
Azure integration enables you to scan your Azure cloud infrastructure for runtime misconfigurations. Integration with multiple concurrent subscriptions is not supported.
Prerequisites
The following are required before you can proceed with Azure integration—
- A subscription to Azure Security.
- Microsoft Defender.
Steps for integrating with Azure
To integrate Jit with Microsoft Azure—
- Create and configure an Azure app using the instructions in Azure app setup.
- From the Jit platform, select Secrets in the menu bar under Settings.
- Follow the instructions in Secrets to create secrets for your Azure client ID and Azure client secret named
azure_client_idandazure_client_secret, respectively. You must use these exact names. - Select Integrations.
- Locate the Azure tile and select integrate-as-code. You are taken to the
jit-integration.ymlfile. Add the information below to this file. If the option to integrate as-code is not available, you may need to manually addjit-integration.ymlto the repo containing Jit's configuration files.
azure:
<integration_id>:
type: azure_account
name: "<your account name>"
auth:
client_id: "${{ jit_secrets.azure_client_id }}"
client_secret: "${{ jit_secrets.azure_client_secret }}"
tenant_id: <your Azure tenant ID>
subscription_id: <your Azure subscription ID>
| Key | Value/description |
|---|---|
| azure: | Integration type. Key must be azure:. The Azure integration is nested in this mapping. |
| <integration_id>: | This key is the name you choose for your Azure integration. |
| type: | Enter azure_account as shown in the example. |
| name: | Enter the name of your Azure account. |
| client_id: | Enter exactly as shown in the example. To view this information in the Azure console, navigate to App registrations > (the app you created in step 1) > Overview. |
| client_secret: | Enter exactly as shown in the example. |
| tenant_id: | Enter your Azure tenant ID as shown in the example. To view this information in the Azure console, navigate to App registrations > (the app you created in step 1) > Overview. |
| subscription_id: | Enter your Azure subscription ID as shown in the example. To view this information in the Azure console, select your subscription from the Resources list on the home page, and then select Overview. |
Azure app setup
Create an app
- From the Microsoft Azure console, select App registrations.
- Select New registration.
- Enter a Name.
- Select Register.
Add API permissions
- Select API permissions from the Manage menu.
- Select Add a permission.
- Select APIs my organization uses and select Windows Azure Active Directory from the list.
- Select Delegated permissions and use the collapsing menus and check boxes to select the following--
Directory.Read.AllGroup.Read.AllPolicy.Read.AllUser.Read.All
- Select Add permissions.
- Repeat these steps to add the
user_impersonationpermission for the Azure Service Management API and theUser.Readpermission for the Microsoft Graph API.
Create an app role
- Select App roles from the Manage menu.
- Select Create app role.
- Add a Display name, Value, and description. Set Allowed member types to Both. Select the check box to enable this app role.
- Select Create.
Create a client secret
- Select Certificates & secrets from the Manage menu.
- Select New client secret.
- Enter a Description and Expiration.
- Select Add. The secret value displays on the Certificates & secrets page. Please note this value, as this is your only opportunity to view this information and you will need it later in the Azure integration process.
Assign the app role to your subscription
- From the Microsoft Azure console, select your subscription from the Resources list.
- Select Overview and note the subscription ID. You will need it later in the integration process.
- Select Access control (IAM) and select Add.
- Use the search bar to locate the job function role you created previously and select it.
- Select the Members tab and select Select members.
- Select your app.
- Select Review + assign.
Updated 15 days ago