Skip to main content

Create an Azure App for Integration

The following procedure describes the common manual steps to create an Azure app for use in either an Azure compliance integration or Azure Activity Log integration. For instructions on creating the entire integration, see the topics in Azure Terraform or Azure Portal.

To manually create an integration between Lacework and Azure using the Azure Portal and the Lacework Console, you must have access to the following:

  • An Azure AD account that has a Global Administrator directory role for your tenant (or equivalent administrator rights to create app registrations).
  • Your account must have the Owner permissions role in all Azure subscriptions that you want to monitor.
  • A Lacework account with administrator privileges (see Azure Compliance Integration on the Lacework Console)

This integration procedure describes how to:

  • Create a new app registration ("Lacework SA Audit").
  • Grant it Azure AD permissions ("Directory Reader" role in Azure AD) to read information from your directory (this is optional, see Grant the Azure App the Directory Reader Role)
  • Grant it Azure permissions to read resource configurations from your subscriptions.

About Azure AD Permissions

If granted permissions to the directory (via the "Directory Reader" role) Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed for LQL datasources and compliance policies. Disabling this permission may be required if your organization has specific regulatory or privacy requirements that avoid collecting this information by third parties. If disabled, the LQL datasources and related IAM compliance policies will not be assessed.

For existing integrations, at any time, you can remove the "Directory Reader" role from the Azure AD service principal used for Lacework.

Create an Azure App Registration

  1. Log in to the Azure Portal.
    In the left panel, select Azure Active Directory.
    azure_ad_select.png

  2. Select App registrations.
    azure_app_registration.png

  3. Click + New registration.

  4. In the Register an application panel, enter the following values:

    1. Name - Enter Lacework SA Audit.
    2. Supported account types - Leave the default Accounts in this organizational directory only (my_dir) option.
    3. Redirect URL - Leave the URL blank.

  5. Click Register.

Grant the Azure App the Directory Reader Role

This section is optional. See the previous section for more information.

The Azure app you created in the previous section must be given basic permissions to read users information from your directory. To grant the necessary permissions:

  1. Navigate to Azure Active Directory.

  2. Click Roles and administrators.

  3. Click Directory Reader (click the name, do not select it). AD_roles.png

  4. Click Add assignments.

  5. Go to the Add assignments menu, then search for your app registration name, such as Lacework SA Audit, then click Add.
    AD_add_assignments.png

If you are using Privileged Identity Management, the flow is slightly different after step 4:

  1. Navigate to Azure Active Directory.
  2. Click Roles and administrators.
  3. Click Directory Reader (click the name, do not select it).
  4. Click Add assignments.
    PIM_AD_role.png
  5. Under Select member(s), click No member selected, then search for your app registration name, such as Lacework SA Audit, then click Select
    PIM_AD_membership.png
  6. Confirm Membership by clicking Next >
  7. Confirm Setting with assignment type Active, Select the Permanently assigned checkbox, and enter a justification. Azure will notify other Azure AD admins about this assignment via email.
    PIM_AD__setting.png

Assign Permissions to Subscriptions

You must give the Azure app Reader permissions to access subscriptions that you want to monitor for proper configuration and compliance.

For future CIS compliance checks, extra permissions may be needed. For instance Key Vault Reader permissions, which only allow reading Key Vault metadata, list the vaults, key permissions, and secret permissions, but do not allow access to the key or secret contents. For more information, see the detailed RBAC description of each role in Azure built-in roles documentation page

Assign Permissions to a Single Subscription

  1. In the main search field, enter subscription and select Subscriptions from the drop-down.
    azure_subscriptions.png

  2. Browse and click your subscription.

  3. Click Access control (IAM).
    mceclip2.png

  4. In the Add a role assignment tile, click Add.
    azure_add_role.png

  5. In the Role field, enter Reader.

  6. Leave the Assign access to field set to Azure AD user, group, or service principal.

  7. In the Select field, enter the app name such as Lacework SA.

  8. In the Selected members field, click Lacework SA Audit.
    azure_sa_audit.png

Assign Permissions to All Subscriptions

Repeat the previous steps for all the subscriptions in your tenant. Lacework will automatically detect all visible subscriptions with a single configuration integration.

Optionally, you can assign permissions to a Management Group. Lacework will discover every subscription where the Reader permission has been inherited. This allows organizations with dozens of subscriptions to avoid the manual process of assigning permissions. For more information, visit Azure documentation.