Azure Active Directory Support

Note: You must have a Tenable Vulnerability Management account to use the Azure AD support feature. The Tenable Vulnerability Management account allows you to configure Tenable scans for your Azure AD and collect the result of these scans.
Permission: To access the configuration and data visualization for Azure Active Directory, your user role must have the appropriate permissions. For more information, see Set Permissions for a Role.

In addition to Active Directory, Tenable Identity Exposure supports Azure AD (AAD) to expand the scope of identities in an organization. This capability leverages new Indicators of Exposure that focus on risks specific to AAD.

The support of Azure AD requires the collecting of data from AAD such as users, groups, applications, service principals, roles, permissions, policies, logs, etc. It collects this data using Microsoft Graph API and service principal credentials following Microsoft recommendations.

Prerequisites: You must sign in to Azure AD as a user with permissions to grant tenant-wide administrator consent on Microsoft Graph, which must have the Global Administrator or Privileged Role Administrator role (or any custom role with appropriate permissions), according to Microsoft.

Use the following procedures (adapted from the Microsoft Quickstart: Register an application with the Microsoft identity platform documentation) to configure all required settings in Azure AD.

    1. In the Azure Admin portal, open the App registrations page.

    2. Click + New registration.

    3. Give the application a name (Example: "Tenable Identity Collector"). For the other options, you can leave the default values as they are.

    4. Click Register.

    5. On the Overview page for this newly created app, make a note of the "Application (client) ID" and the "Directory (tenant) ID".

    1. In the Azure Admin portal, open the App registrations page.

    2. Click on the application you created.

    3. In the left-hand menu, click Certificates & secrets.

    4. Click + New client secret.

    5. In the Description box, give a practical name to this secret and an Expiry value compliant with your policies. Remember to renew this secret near its expiry date.

    6. Save the secret value in a secure location because Azure only shows this once, and you must recreate it if you lose it.

    1. In the Azure Admin portal, open the App registrations page.

    2. Click on the application you created.

    3. In the left-hand menu, click API permissions.

    4. Click + Add a permission.

    5. Select Microsoft Graph.

    6. Select Application permissions.

    7. Use the list or the search bar to find and select all the following permissions:

      • AuditLog.Read.All

      • Directory.Read.All

      • IdentityProvider.Read.All

      • Policy.Read.All

      • Reports.Read.All

      • RoleManagement.Read.All

      • UserAuthenticationMethod.Read.All

    8. Click Add permissions.

    9. Click Grant admin consent for <tenant name> and click Yes to confirm.

  1. After you configure all required settings in Azure AD:

    1. Create a new credential in Tenable Vulnerability Management of type "Microsoft Azure".

    2. Select the "Key" authentication method and enter the values that you retrieved in the previous procedure: Tenant ID, Application ID, and Client Secret.

  1. In Tenable Identity Exposure, click on the Systems icon in the left navigation menu.

  2. Click on the Configuration tab.

    The Configuration page opens.

  3. Under Application Services, click on Tenable Cloud.

  4. In Activate Azure AD Support, click the toggle to enabled.

  5. If you have not previously logged in to the Tenable Cloud, click the link to go to the login page:

    1. Click Forgot your password? to request a password reset.

    2. Type the email address associated with your Tenable Identity Exposure license and click Request Password Reset.

      Tenable sends an email to that address with a link to reset your password.

      Note: If your email address is not the same as the one associated with the Tenable Identity Exposure license, contact your Customer Support for assistance.

  6. Log in to Tenable Vulnerability Management.

  7. To generate API keys in Tenable Vulnerability Management, go to Tenable Vulnerability Management > Settings > My Account > API Keys.

  1. Enter your Tenable Vulnerability Management "Admin" user AccessKey and SecretKey to set up a connection between Tenable Identity Exposure and the Tenable Cloud Service.

  2. Click Edit keys to submit the API keys.

    Activate Azure AD Support

    Tenable Identity Exposure shows a message to confirm that it updated the API keys.

Adding a tenant links Tenable Identity Exposure with the Azure AD tenant to perform scans on that tenant.

  1. In the Configuration page, click on the Tenant Management tab.

    The Tenant Management page opens.

  2. Click on Add a tenant.

    The Add a tenant page opens.

  3. In the Name of the tenant box, type a name.

  4. In the Credentials box, click the drop-down list to select a credential.

  5. If your credential does appear in the list, you can either:

  6. Click Refresh to update the drop-down list of credentials.

  7. Select the credential you created.

  8. Click Add.

    A message confirms that Tenable Identity Exposure added the tenant, which now appears in the list on the Tenant Management page.

Note: Tenant scans do not occur in real time and require at least 45 minutes AAD data is visible in the Identity Explorer.

  • Select a tenant on the list and click the toggle to Scan enabled.

    Tenable Identity Exposure requests a scan on the tenant and the results appear in the Indicator of Exposure page.