Microsoft Entra ID Support

In addition to Active Directory, Tenable Identity Exposure supports Microsoft Entra ID (formerly Azure AD or AAD) to expand the scope of identities in an organization. This capability leverages new Indicators of Exposure that focus on risks specific to Microsoft Entra ID.

To integrate Microsoft Entra ID with Tenable Identity Exposure, follow this onboarding process closely:

  1. Have the Prerequisites

  2. Check the Permissions

  3. Check Network Flows

  4. Configure Microsoft Entra ID settings

  5. Activate Microsoft Entra ID support

  6. Enable tenant scans

Prerequisites

You need a Tenable Cloud account to log in to “cloud.tenable.com” and use the Microsoft Entra ID support feature. This Tenable Cloud account uses the same email address as your Welcome Email. If you do not know your email address for “cloud.tenable.com,” please contact Support. All customers with a valid license (On-Premises or SaaS) can access the Tenable Cloud at “cloud.tenable.com”. This account allows you to configure Tenable scans for your Microsoft Entra ID tenant and collect the scan results.

Note: You do not need a valid Tenable Vulnerability Management license to access Tenable Cloud. A currently valid standalone Tenable Identity Exposure license (On-Premises or SaaS) is sufficient.

Permissions

Microsoft Entra ID support requires collecting data from Microsoft Entra ID such as users, groups, applications, service principals, roles, permissions, policies, logs, etc. Tenable Identity Exposure collects this data through the Microsoft Graph API using service principal credentials, following Microsoft recommendations.

  • You must sign in to Microsoft Entra ID as a user with permissions to grant tenant-wide administrator consent on Microsoft Graph. According to Microsoft, this user must have the Global Administrator or Privileged Role Administrator role (or any custom role with the appropriate permissions).

  • To access the configuration and data visualization for Microsoft Entra ID, your Tenable Identity Exposure user role must have the appropriate permissions. For more information, see Set Permissions for a Role.

Network Flows

Allow the following addresses on port 443 outbound from the Security Engine Node server to activate Entra ID support:

  • sensor.cloud.tenable.com

  • cloud.tenable.com
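The following script is an added example and is not part of the Tenable documentation or product. Run it on the Security Engine Node server before activating Entra ID support: it confirms that TCP port 443 is reachable for both required addresses and reports the subject of the TLS certificate each endpoint presents, which helps spot a proxy that intercepts TLS and would break the sensor connection. The function name Test-TenableCloudFlow is an assumption made for this example.

```powershell
# Added example, not Tenable's own tooling. Checks the outbound 443 flows that
# Entra ID support requires from the Security Engine Node.
$RequiredHosts = @('sensor.cloud.tenable.com', 'cloud.tenable.com')

function Test-TenableCloudFlow {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [int]$Port = 443
    )
    foreach ($h in $Hosts) {
        # TCP reachability and DNS resolution (Test-NetConnection is built into Windows Server).
        $tcp = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue

        # Peer certificate subject: an unexpected issuer/subject points at TLS interception.
        $certSubject = $null
        if ($tcp.TcpTestSucceeded) {
            try {
                $client = New-Object System.Net.Sockets.TcpClient($h, $Port)
                # The callback accepts any certificate because this is a diagnostic read of the
                # peer certificate only; no data is exchanged over this connection.
                $ssl = New-Object System.Net.Security.SslStream(
                    $client.GetStream(), $false,
                    ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
                $ssl.AuthenticateAsClient($h)
                $certSubject = $ssl.RemoteCertificate.Subject
                $ssl.Dispose(); $client.Dispose()
            } catch {
                $certSubject = "TLS handshake failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Host        = $h
            Port        = $Port
            ResolvedIP  = $tcp.RemoteAddress
            TcpOpen     = $tcp.TcpTestSucceeded
            CertSubject = $certSubject
        }
    }
}

$report = Test-TenableCloudFlow -Hosts $RequiredHosts
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.TcpOpen }) {
    Write-Warning 'At least one required flow is blocked; review the firewall or proxy rules for the Security Engine Node.'
}
```

A blocked flow shows up as TcpOpen = False; a CertSubject that names your proxy vendor rather than Tenable indicates TLS inspection on the path, which you should exclude for these two addresses.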

Configure Microsoft Entra ID settings

Use the following procedures (adapted from the Microsoft Quickstart: Register an application with the Microsoft identity platform documentation) to configure all required settings in Microsoft Entra ID.

  1. After you configure all the required settings in Microsoft Entra ID:

    1. In Tenable Vulnerability Management, create a new credential of type "Microsoft Azure".

    2. Select the "Key" authentication method and enter the values that you retrieved in the previous procedure: Tenant ID, Application ID, and Client Secret.
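The following script is an added example and is not part of the Tenable documentation or product. It audits the app registration whose Tenant ID, Application ID, and Client Secret you enter into the Tenable Vulnerability Management credential: it lists the client secrets with their expiry dates (so a rotation can be planned before the scan credential stops working) and shows which Microsoft Graph application permissions were actually granted through tenant-wide admin consent, as the Permissions section requires. It assumes the Microsoft.Graph PowerShell module is installed and that you sign in with an account allowed to read application objects; the Application ID value is a placeholder to replace with your own.

```powershell
# Added example, not Tenable's own tooling. Audits the Entra ID app registration used
# for Tenable Identity Exposure's Microsoft Entra ID support.
# Assumes: Microsoft.Graph module installed; signed-in account can read applications.
$AppId      = '<APPLICATION-ID-PLACEHOLDER>'            # Application (client) ID of the registration
$GraphAppId = '00000003-0000-0000-c000-000000000000'    # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Application.Read.All'

$app     = Get-MgApplication      -Filter "appId eq '$AppId'"
$sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

if (-not $app -or -not $sp) {
    throw "No application or service principal found for appId $AppId in this tenant."
}

# 1. Client secrets: expired or soon-to-expire secrets break the scan credential silently.
Write-Host "Client secrets on '$($app.DisplayName)':"
foreach ($secret in $app.PasswordCredentials) {
    $daysLeft = [int]($secret.EndDateTime - (Get-Date)).TotalDays
    [pscustomobject]@{
        Secret   = $secret.DisplayName
        Expires  = $secret.EndDateTime
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt 30) { 'Rotate soon' } else { 'OK' }
    }
} | Format-Table -AutoSize

# 2. Application permissions granted on Microsoft Graph. An app role assignment exists only
#    once tenant-wide admin consent has been given; an empty list means consent is missing.
Write-Host "Microsoft Graph application permissions granted (admin consent):"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

if (-not $assignments) {
    Write-Warning 'No Graph application permissions are consented for this service principal.'
}

foreach ($assignment in $assignments) {
    # Resolve the role GUID to its readable permission name via Graph's own AppRoles list.
    $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{
        Permission  = $role.Value
        Description = $role.DisplayName
        GrantedOn   = $assignment.CreatedDateTime
    }
} | Format-Table -AutoSize
```

Compare the listed permissions against the set Tenable documents for the integration: anything beyond that set is surplus privilege on a credential that leaves the tenant, and a missing entry explains an incomplete scan.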

Activate Microsoft Entra ID support

Enable tenant scans