Azure integration

Integrating with Azure

Overview

Azure integration enables you to scan your Azure cloud infrastructure for runtime misconfigurations. Integration with multiple concurrent subscriptions is not supported.

Though it does not require the integration steps below, Jit recommends that you also activate the Scan IaC for Misconfigurations security requirement for complete infrastructure protection.

Prerequisites

The following are required before you can proceed with Azure integration—

  • A subscription to Azure Security.
  • Microsoft Defender.

Steps for integrating with Azure

To integrate Jit with Microsoft Azure—

  1. Create and configure an Azure app using the instructions in Azure app setup.
  2. From the Jit platform, select Secrets in the menu bar under Settings.
  3. Follow the instructions in Secrets to create secrets for your Azure client ID, Azure client secret, and Azure subscription ID, named azure_client_id, azure_client_secret, and azure_subscription_ids, respectively. You must use these exact names.

  4. Select Integrations.
  5. Locate the Azure tile and select integrate-as-code. You are taken to the jit-integration.yml file. Add the information below to this file. If the option to integrate as-code is not available, you may need to manually add jit-integration.yml to the repo containing Jit's configuration files.
azure:
  <integration_id>:
    type: azure_account
    name: "<your account name>"
    auth:
      client_id: "${{ jit_secrets.azure_client_id }}"
      client_secret: "${{ jit_secrets.azure_client_secret }}"
    tenant_id: <your Azure tenant ID>
    subscription_id: "${{ jit_secrets.azure_subscription_ids }}"
Key | Value/description
azure: | Integration type. The key must be azure:. The Azure integration is nested in this mapping.
<integration_id>: | The name you choose for your Azure integration.
type: | Enter azure_account as shown in the example.
name: | Enter the name of your Azure account.
client_id: | Enter exactly as shown in the example. To view this information in the Azure console, navigate to App registrations > (the app you created in step 1) > Overview.
client_secret: | Enter exactly as shown in the example.
tenant_id: | Enter your Azure tenant ID as shown in the example. To view this information in the Azure console, navigate to App registrations > (the app you created in step 1) > Overview.
subscription_id: | Enter your Azure subscription ID as shown in the example. To view this information in the Azure console, select your subscription from the Resources list on the home page, and then select Overview.
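The azure block above can be checked before it is committed. The following Python validator is an added example, not Jit's own tooling: it parses the nested key/value layout of jit-integration.yml with a minimal parser, confirms the exact jit_secrets names the page requires, and flags a credential pasted inline instead of referenced through jit_secrets. The sample config and its tenant ID are constructed placeholders.

```python
from functools import reduce
# Exact secret references the page requires; a literal in their place is a leak.
REQUIRED_REFS = {
    "auth.client_id": "${{ jit_secrets.azure_client_id }}",
    "auth.client_secret": "${{ jit_secrets.azure_client_secret }}",
    "subscription_id": "${{ jit_secrets.azure_subscription_ids }}",
}
def parse_mapping(text):
    """Tiny indent-based 'key: value' parser for jit-integration.yml's nested mappings (not general YAML)."""
    stack = [(-1, {})]  # (indent, mapping being filled); stack[0] holds the root
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:  # a dedent closes the open mappings
            stack.pop()
        if value:
            stack[-1][1][key] = value
        else:
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def check_azure_integration(text):
    """Return problems found; empty means every integration under 'azure:' takes its credentials from jit_secrets."""
    azure = parse_mapping(text).get("azure")
    if not isinstance(azure, dict):
        return ["missing top-level 'azure:' mapping"]
    problems = []
    for iid, cfg in azure.items():
        if cfg.get("type") != "azure_account":
            problems.append(f"{iid}: type must be azure_account")
        for dotted, expected in REQUIRED_REFS.items():
            node = reduce(lambda n, k: n.get(k) if isinstance(n, dict) else None, dotted.split("."), cfg)
            if node != expected:
                leak = isinstance(node, str) and "jit_secrets." not in node
                why = "hard-coded value" if leak else "missing or wrong secret name"
                problems.append(f"{iid}: {dotted} must be {expected} ({why})")
    return problems

GOOD = """azure:
  prod:
    type: azure_account
    name: "prod account"
    auth:
      client_id: "${{ jit_secrets.azure_client_id }}"
      client_secret: "${{ jit_secrets.azure_client_secret }}"
    tenant_id: 00000000-0000-0000-0000-000000000000
    subscription_id: "${{ jit_secrets.azure_subscription_ids }}"
"""  # constructed sample in the page's layout; the tenant ID is a placeholder
```

Problem messages name the offending key but never echo the offending value, so the report itself cannot leak a pasted secret.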

Azure app setup

Create an app

  1. From the Microsoft Azure console, select App registrations.
  2. Select New registration.
  3. Enter a Name.
  4. Select Register.

Add API permissions

  1. Select API permissions from the Manage menu.
  2. Select Add a permission.
  3. Select APIs my organization uses and select Windows Azure Active Directory from the list.
  4. Select Delegated permissions and use the collapsing menus and check boxes to select the following:
    • Directory.Read.All
    • Group.Read.All
    • Policy.Read.All
    • User.Read.All
  5. Select Add permissions.
  6. Repeat these steps to add the user_impersonation permission for the Azure Service Management API and the User.Read permission for the Microsoft Graph API.

Create an app role

  1. Select App roles from the Manage menu.
  2. Select Create app role.
  3. Add a Display name, Value, and description. Set Allowed member types to Both. Select the check box to enable this app role.
  4. Select Create.

Create a client secret

  1. Select Certificates & secrets from the Manage menu.
  2. Select New client secret.
  3. Enter a Description and Expiration.
  4. Select Add. The secret value is displayed on the Certificates & secrets page. Note this value: this is your only opportunity to view it, and you will need it later in the Azure integration process.

Assign the app role to your subscription

  1. From the Microsoft Azure console, select your subscription from the Resources list.
  2. Select Overview and note the subscription ID. You will need it later in the integration process.
  3. Select Access control (IAM) and select Add.
  4. Use the search bar to locate the job function role you created previously and select it.
  5. Select the Members tab and select Select members.
  6. Select your app.
  7. Select Review + assign.