Configure Azure for a Compliance Audit

1. Click Microsoft Entra ID > App Registrations.

2. Click the New Registrations application.
3. Give the application a name.
4. Choose the supported account types for your environment.
5. Choose Public Client/Native for the redirect URI type.
6. (Optional) Add a redirect URI.
7. Click Register.

1. Click your registered application in Microsoft Entra ID > App Registrations.

2. Click Certificates and Secrets.

3. Click + New client secret.

   

4. Give the secret a name and click Add.

   Tip Copy the secret somewhere safe for use in authenticating during a scan.

1. Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.

2. Add the Reader role to the application you previously created for scanning.

3. Select Reader from the Role drop-down menu.

4. Assign access to User, Group, or Service Principal.

5. In the Select field, type the name of your created application.

6. Select the application.

7. Click Save.

Create a new user to scan in the Microsoft Entra ID.  See the Microsoft Azure documentation for steps to add a new user.

1. Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.

2. Add the Reader role to the user account you created for scanning.

1. Click on Microsoft Entra ID > App registrations.

   

2. Click New Registrations application.

3. Give the application a name.
4. Choose the supported account types for your environment.
5. Click Register.

6. Click Authentication.

7. Choose Yes for Default Client Type/Treat application as a public client.

1. Click Microsoft Entra ID > App Registrations.

2. Click the New Registrations application.
3. Give the application a name.
4. Choose the supported account types for your environment.
5. Choose Public Client/Native for the redirect URI type.
6. (Optional) Add a redirect URI.
7. Click Register.

Execute the following PowerShell commands, replacing the appropriate values:

1. $certname = "{certificateName}" ## Replace {certificateName}

2. $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation

   "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

   -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

3. Export-Certificate -Cert $cert -FilePath

   "C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location

1. Click your registered application in Microsoft Entra ID > App Registrations.

2. Click Certificates and Secrets.
3. Click Certificates.
4. Click Upload certificate.
5. Select the certificate file you exported.

6. Give the certificate a description and click Add.

1. Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.

2. Add the Reader role to the application you previously created for scanning.

3. Select Reader from the Role drop-down menu.

4. Assign access to User, Group, or Service Principal.

5. In the Select field, type the name of your created application..

6. Select the application.

7. Click Save.

1. Click your registered application in Microsoft Entra ID > App Registrations > Your Application > API Permissions.

   

2. Select Microsoft Graph.

   Note: If adding permissions for Key Authentication, then select Application permissions. If adding permissions for Password Authentication, then select Delegated permissions.

3. In the Configured permissions section, click Add a permission.

4. Add the following permissions:

   • Azure Service Management — user_impersonation
   • Microsoft Graph — Calendars.Read
   • Microsoft Graph — DeviceManagementApps.Read.All
   • Microsoft Graph — DeviceManagementConfiguration.Read.All
   • Microsoft Graph — Directory.Read.All
   • Microsoft Graph — Policy.Read.All
   • Microsoft Graph — Reports.Read.All
   • Microsoft Graph — User.Read.All

   Scanning Microsoft 365 environment:

   • Microsoft Graph — SecurityEvents.Read.All

   Scanning Microsoft Intune:

   • Microsoft Graph — DeviceManagementApps.Read.All
   • Microsoft Graph — DeviceManagementManagedDevices.Read.All

   

5. Click Grant admin consent.
6. Click Add permissions.