Microsoft Entra ID Support

In addition to Active Directory, Tenable Identity Exposure supports Microsoft Entra ID (formerly Azure AD or AAD) to expand the scope of identities in an organization. This capability leverages new Indicators of Exposure that focus on risks specific to Microsoft Entra ID.

To integrate Microsoft Entra ID with Tenable Identity Exposure, follow closely this on-boarding process:

  1. Have the Prerequisites

  2. Check the Permissions

  3. Check Network Flows

  4. Configure Microsoft Entra ID settings

  5. Activate Microsoft Entra ID support

  6. Enable tenant scans

Prerequisites

You need a Tenable Cloud account to log in to “cloud.tenable.com” and use the Microsoft Entra ID support feature. This Tenable Cloud account is the same email address used for your Welcome Email. If you do not know your email address for “cloud.tenable.com,” please contact Support. All customers with a valid license (On-Premises or SaaS) can access the Tenable Cloud at “cloud.tenable.com”. This account allows you to configure Tenable scans for your Microsoft Entra ID and collect the scan results.

Note: You do not need a valid Tenable Vulnerability Management license to access Tenable Cloud. A currently valid standaloneTenable Identity Exposure license (On-Premises or SaaS) is sufficient.

Permissions

The support of Microsoft Entra ID requires the collecting of data from Microsoft Entra ID such as users, groups, applications, service principals, roles, permissions, policies, logs, etc. It collects this data using Microsoft Graph API and service principal credentials following Microsoft recommendations.

  • You must sign in to Microsoft Entra ID as a user with permissions to grant tenant-wide administrator consent on Microsoft Graph, which must have the Global Administrator or Privileged Role Administrator role (or any custom role with appropriate permissions), according to Microsoft.

  • To access the configuration and data visualization for Microsoft Entra ID, your Tenable Identity Exposure user role must have the appropriate permissions. For more information, see Set Permissions for a Role.

Network Flows

Allow the following addresses on port 443 outbound from the Security Engine Node server to activate Entra ID support:

  • sensor.cloud.tenable.com

  • cloud.tenable.com

Configure Microsoft Entra ID settings

Use the following procedures (adapted from the Microsoft Quickstart: Register an application with the Microsoft identity platform documentation) to configure all required settings in Microsoft Entra ID.

    1. In the Azure Admin portal, open the App registrations page.

    2. Click + New registration.

    3. Give the application a name (Example: "Tenable Identity Collector"). For the other options, you can leave the default values as they are.

    4. Click Register.

    5. On the Overview page for this newly created app, make a note of the "Application (client) ID" and the "Directory (tenant) ID".

    1. In the Azure Admin portal, open the App registrations page.

    2. Click on the application you created.

    3. In the left-hand menu, click Certificates & secrets.

    4. Click + New client secret.

    5. In the Description box, give a practical name to this secret and an Expiry value compliant with your policies. Remember to renew this secret near its expiry date.

    6. Save the secret value in a secure location because Azure only shows this once, and you must recreate it if you lose it.

    1. In the Azure Admin portal, open the App registrations page.

    2. Click on the application you created.

    3. In the left-hand menu, click API permissions.

    4. Remove the existing User.Read permission:

    5. Click + Add a permission:

    6. Select Microsoft Graph:

    7. Select Application permissions (not "Delegated permissions").

    8. Use the list or the search bar to find and select all the following permissions:

      • AuditLog.Read.All

      • Directory.Read.All

      • IdentityProvider.Read.All

      • Policy.Read.All

      • Reports.Read.All

      • RoleManagement.Read.All

      • UserAuthenticationMethod.Read.All

    9. Click Add permissions.

    10. Click Grant admin consent for <tenant name> and click Yes to confirm:

  1. After you configure all the required settings in Microsoft Entra ID:

    1. In Tenable Vulnerability Management, create a new credential of type "Microsoft Azure".

    2. Select the "Key" authentication method and enter the values that you retrieved in the previous procedure: Tenant ID, Application ID, and Client Secret.

Activate Microsoft Entra ID support

Note: To activate this feature successfully, the Tenable Cloud user who created the access and secret keys must have administrative privileges in the Tenable Cloud container referenced by the Tenable Identity Exposure license. For more information, see Tenable Identity Exposure Licensing.

  1. In Tenable Identity Exposure, click on the Systems icon in the left navigation menu.

  2. Click on the Configuration tab.

    The Configuration page opens.

  3. Under Application Services, click on Tenable Cloud.

  4. In Activate Microsoft Entra ID Support, click the toggle to enabled.

  5. If you have not previously logged in to the Tenable Cloud, click the link to go to the login page:

    1. Click Forgot your password? to request a password reset.

    2. Type the email address associated with your Tenable Identity Exposure license and click Request Password Reset.

      Tenable sends an email to that address with a link to reset your password.

      Note: If your email address is not the same as the one associated with the Tenable Identity Exposure license, contact your Customer Support for assistance.

  6. Log in to Tenable Vulnerability Management.

  7. To generate API keys in Tenable Vulnerability Management, go to Tenable Vulnerability Management > Settings > My Account > API Keys.

  1. Enter your Tenable Vulnerability Management "Admin" user AccessKey and SecretKey to set up a connection between Tenable Identity Exposure and the Tenable Cloud Service.

  2. Click Edit keys to submit the API keys.

    Tenable Identity Exposure shows a message to confirm that it updated the API keys.

Enable tenant scans

Adding a tenant links Tenable Identity Exposure with the Microsoft Entra ID tenant to perform scans on that tenant.

  1. In the Configuration page, click on the Tenant Management tab.

    The Tenant Management page opens.

  2. Click on Add a tenant.

    The Add a tenant page opens.

  3. In the Name of the tenant box, type a name.

  4. In the Credentials box, click the drop-down list to select a credential.

  5. If your credential does not appear in the list, you can either:

  6. Click Refresh to update the drop-down list of credentials.

  7. Select the credential you created.

  8. Click Add.

    A message confirms that Tenable Identity Exposure added the tenant, which now appears in the list on the Tenant Management page.

Note: Tenant scans do not occur in real time and require at least 45 minutes before Microsoft Entra ID data is visible in the Identity Explorer.

  • Select a tenant on the list and click the toggle to Scan enabled.

    Tenable Identity Exposure requests a scan on the tenant and the results appear in the Indicator of Exposure page.

    Note: The mandatory minimum time delay between two scans is 30 minutes.