Configure Azure for a Compliance Audit
The Tenable integration for Microsoft Azure supports two parallel methods for creating and registering the application: Key Authentication and Password Authentication. Choose either of the authentication methods, then complete the setup with the Assign API Permissions steps.
Key Authentication Method
-
Click Microsoft Entra ID > App Registrations.
- Click the New Registrations application.
- Give the application a name.
- Choose the supported account types for your environment.
- Choose Public Client/Native for the redirect URI type.
- (Optional) Add a redirect URI.
- Click Register.
-
Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.
-
Add the Reader role to the application you previously created for scanning.
-
Select Reader from the Role drop-down menu.
-
Assign access to User, Group, or Service Principal.
-
In the Select field, type the name of your created application.
-
Select the application.
-
Click Save.
Password Authentication Method
Create a new user to scan in the Microsoft Entra ID. See the Microsoft Azure documentation for steps to add a new user.
-
Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.
-
Add the Reader role to the user account you created for scanning.
API Permissions
-
Click your registered application in Microsoft Entra ID > App Registrations > Your Application > API Permissions.
-
Select Microsoft Graph.
Note: If adding permissions for Key Authentication, then select Application permissions. If adding permissions for Password Authentication, then select Delegated permissions.
-
In the Configured permissions section, click Add a permission.
-
Add the following permissions:
- Azure Service Management — user_impersonation
- Microsoft Graph — Calendars.Read
- Microsoft Graph — DeviceManagementApps.Read.All
- Microsoft Graph — DeviceManagementConfiguration.Read.All
- Microsoft Graph — Directory.Read.All
- Microsoft Graph — Policy.Read.All
- Microsoft Graph — Reports.Read.All
- Microsoft Graph — User.Read.All
Scanning Microsoft 365 environment:
- Microsoft Graph — SecurityEvents.Read.All
Scanning Microsoft Intune:
- Microsoft Graph — DeviceManagementApps.Read.All
- Microsoft Graph — DeviceManagementManagedDevices.Read.All
- Click Grant admin consent.
- Click Add permissions.
What to do next:
Create an audit scan in either Tenable Vulnerability Management or Tenable Nessus: