Audit the Microsoft Azure Cloud Environment

With Tenable.io, you can audit the Microsoft Azure Cloud environment to detect misconfigurations in the cloud environment and account settings. Complete the following steps to configure Microsoft Azure for successful Audit Cloud Infrastructure assessments with Tenable.io.

Before you Begin:

  • No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.
  • To perform an audit of the Microsoft Azure cloud environment, Tenable.io needs a Microsoft Azure Client ID (now known as the Application ID).

To audit the Microsoft Azure Cloud environment:

Note: An Azure Active Directory App Registration is required to complete these steps. Active Directory Federation Services (ADFS), SSO, and custom domains are not supported.

  1. Log in to the Microsoft Azure portal.
  2. In the left-hand menu, click Azure Active Directory.

    The Azure Active Directory page appears.

  3. Click App Registrations.

    The App Registrations page appears.

  4. To add a new application, click New Application Registration.

    The Create section appears.

  5. In the Create section, enter a descriptive Name for the application.

  6. In the Application Type drop-down, select Native.

  7. In the Redirect URI box, enter a URI.

    Note: The Redirect URI is required, but has no effect for this configuration; therefore, it does not have to be a real URI (for example, https://example.com).

  8. Click the Create button.

    Microsoft Azure displays a success message at the top of the page stating that the new application has been created.

    The new application page appears.

  9. Click the link to the newly created application to display the details.
  10. Click Properties.

    The application properties appear.

  11. Copy the Application ID.

    Note: This information is used to complete the audit configuration with Tenable.io.

  12. Click the name of your newly added project > Settings > Required Permissions.

  13. In the Required Permissions section, click + Add.

  14. In the Add API access section, click Select an API.

    The Select an API options appear.

  15. Select Windows Azure Service Management API.

  16. Click Select.

  17. Select Access Azure Service Management as organization users (preview) to enable the permission.
  18. Click Select.

  19. Click Done.

    The Required Permissions section appears.

  20. Click the Grant Permissions button.

    A confirmation request appears.

  21. Click Yes.
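
A check on the outcome of steps 12 to 21, as an added example that is not part of Tenable's documentation: it reads an app registration manifest and reports any requested permission other than the delegated Azure Service Management access selected above. It assumes the manifest is available as JSON with a `requiredResourceAccess` list; the two GUIDs are the commonly published Azure identifiers for that API and permission and should be confirmed in your tenant, and the sample manifests are constructed.

```python
import json

# Assumptions (not from the original page): commonly published Azure identifiers
# for the API and delegated permission chosen in steps 15-17. Confirm in your tenant.
ARM_API_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"      # Windows Azure Service Management API
USER_IMPERSONATION = "41094075-9dad-400e-a0bd-54e686782033"  # delegated scope user_impersonation


def review_manifest(manifest_json):
    """Return a list of findings; an empty list means only the expected permission is requested."""
    manifest = json.loads(manifest_json)
    findings = []
    expected_seen = False
    for resource in manifest.get("requiredResourceAccess") or []:
        api = (resource.get("resourceAppId") or "").lower()
        for access in resource.get("resourceAccess") or []:
            perm = (access.get("id") or "").lower()
            kind = access.get("type")
            if api == ARM_API_APP_ID and perm == USER_IMPERSONATION and kind == "Scope":
                expected_seen = True
            elif kind == "Role":
                # App-only permissions work without a signed-in user; the steps never add one.
                findings.append(f"application permission {perm} on API {api}: not in the documented steps")
            else:
                findings.append(f"delegated permission {perm} on API {api}: not in the documented steps, review")
    if not expected_seen:
        findings.append("missing delegated Azure Service Management permission (steps 15-17)")
    return findings


# Constructed sample manifests (placeholder IDs, not real tenant data).
_EXPECTED = {"resourceAppId": ARM_API_APP_ID,
             "resourceAccess": [{"id": USER_IMPERSONATION, "type": "Scope"}]}
_EXTRA = {"resourceAppId": "11111111-1111-1111-1111-111111111111",
          "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}]}
GOOD = json.dumps({"appId": "00000000-0000-0000-0000-000000000001",
                   "requiredResourceAccess": [_EXPECTED]})
OVERSCOPED = json.dumps({"appId": "00000000-0000-0000-0000-000000000002",
                         "requiredResourceAccess": [_EXPECTED, _EXTRA]})
EMPTY = json.dumps({"appId": "00000000-0000-0000-0000-000000000003",
                    "requiredResourceAccess": []})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("OVERSCOPED", OVERSCOPED), ("EMPTY", EMPTY)):
        print(name, review_manifest(doc) or "ok")
```
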

In the Tenable.io Interface

  1. Log in to Tenable.io.
  2. Click New Scan.

    The My Scans page appears.

  3. Select the Audit Cloud Infrastructure template.

    The Audit Cloud Infrastructure page appears.

  4. In the Name box, type a descriptive name for the scan.
  5. Click Credentials.

  6. Click Microsoft Azure.

    Note: See the Required User Privileges section in the Nessus User Guide for the required Microsoft Azure privileges.

  7. In the appropriate boxes, enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs.

    Note: Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.

  8. Click Compliance.

  9. Click Microsoft Azure.

    The Microsoft Azure options appear.

    Tenable offers three pre-configured compliance checks and provides the ability to upload a custom Azure audit file.

    • Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.
    • Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.
    • Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

  10. Click each compliance check you want to add to the scan.
  11. If you choose to add a custom audit file, click Add File and select the file to upload.

  12. Do one of the following:

    • Click Save.
    • Click the drop-down arrow next to Save and select Launch to initiate the scan.

Note: For additional information on configuring Tenable.io scans, please refer to the Tenable.io User Guide.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.