Configure Azure for a Compliance Audit

The Tenable integration for Microsoft Azure supports two parallel methods for creating and registering the application: Key Authentication and Password Authentication. Choose either of the authentication methods, then complete the setup with the Assign API Permissions steps.

Key Authentication Method

  1. Click Azure Active Directory > App Registrations.

  2. Click the New Registrations application.
  3. Give the application a name.
  4. Choose the supported account types for your environment.
  5. Choose Public Client/Native for the redirect URI type.
  6. (Optional) Add a redirect URI.
  7. Click Register.

  1. Click your registered application in Azure Active Directory > App Registrations.

  2. Click Certificates and Secrets.

  3. Click + New client secret.

  4. Give the secret a name and click Add.

    Tip Copy the secret somewhere safe for use in authenticating during a scan.

  1. Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.

  2. Add the Reader role to the application you previously created for scanning.

  3. Select Reader from the Role drop-down menu.

  4. Assign access to User, Group, or Service Principal.

  5. In the Select field, type the name of your created application.

  6. Select the application.

  7. Click Save.

Password Authentication Method

Create a new user to scan in the Azure Active Directory.  See the Microsoft Azure documentation for steps to add a new user.

  1. Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.

  2. Add the Reader role to the user account you created for scanning.

  1. Click on Azure Active Directory > App registrations.

  2. Click New Registrations application.

  3. Give the application a name.
  4. Choose the supported account types for your environment.
  5. Click Register.

  6. Click Authentication.

  7. Choose Yes for Default Client Type/Treat application as a public client.

API Permissions

  1. Click your registered application in Azure Active Directory > App Registrations > Your Application > API Permissions.

  2. Select Microsoft Graph.

    Note: If adding permissions for Key Authentication, then select Application permissions. If adding permissions for Password Authentication, then select Delegated permissions.

  3. In the Configured permissions section, click Add a permission.

  4. Add the following permissions:

    • Microsoft Graph — Directory.Read.All
    • Microsoft Graph — User.Read.All
    • Microsoft Graph — Policy.Read.All
    • Microsoft Graph — Reports.Read.All
    • Microsoft Graph — DeviceManagementApps.Read.All
    • Microsoft Graph — Calendars.Read
    • Microsoft Graph — DeviceManagementConfiguration.Read.All
    • Azure Service Management — user_impersonation

    Scanning Microsoft 365 environment:

    • Microsoft Graph — SecurityEvents.Read.All

    Scanning Microsoft Intune:

    • Microsoft Graph — DeviceManagementApps.Read.All
    • Microsoft Graph — DeviceManagementManagedDevices.Read.All

  5. Click Grant admin consent.
  6. Click Add permissions.

What to do next:

Create an audit scan in either Tenable Vulnerability Management or Tenable Nessus: