Onboard an Azure Organization

After InsightCloudSec is successfully installed, you're ready to start harvesting data from your Accounts, which requires configuring Microsoft Azure to "talk" with InsightCloudSec securely. As your inventory grows and your cloud accounts are fully visible, you can then begin to leverage the rest of InsightCloudSec, including Insights, Bots, Layered Context, and more.

This page and the functionality detailed here refer to the provider-specific Accounts and Organizations capability available under Cloud > Cloud Accounts (individual accounts are listed on the Listing page; Organizations are listed on the Organizations page). This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under System Administration > Organizations. If you are looking to onboard a single Azure Subscription instead, see Onboard an Azure Account.

Opening the Cloud Account Onboarding Interface

Before you can begin the onboarding process, you'll need to navigate to the Cloud Account Onboarding interface, which provides a different experience depending on the type of user you are:

  • First-time User
    Description: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
    Experience:
      • Platform Users: Onboarding wizard launched from Platform Home by clicking the InsightCloudSec tile.
      • InsightCloudSec Only Users: The onboarding wizard appears automatically after logging in using your unique InsightCloudSec URL.
  • Returning User
    Description: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new account.
    Experience: Launched from within InsightCloudSec. Not a wizard.
  • Admin User
    Description: You can log in to the cloud provider and have the appropriate access to grant InsightCloudSec access to your account(s).
    Experience: As an admin, you will need to complete some specific tasks within your Cloud Service Provider's (CSP) console to generate details needed for onboarding that either you or a non-admin user can input to InsightCloudSec.
  • Non-Admin User
    Description: You can interact with InsightCloudSec and would like to onboard an account(s) but do not have the appropriate CSP access to grant InsightCloudSec access to your account(s).
    Experience: You will need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information you need to complete onboarding.

Onboarding an Azure Organization

A couple of methods for onboarding your Azure Organizations (tenants in Azure's parlance) are available, depending on whether you're a non-admin or admin user.

Resuming cloud onboarding to InsightCloudSec

If you close the interface before completing Account onboarding, you can resume onboarding from the page you were on last.

Non-Admin User Instructions

Ask an admin for required information

As a non-admin user, you need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information needed to complete onboarding.

First-time Users
  1. Log in to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
    • Open a browser window to your unique InsightCloudSec URL and log in. The onboarding wizard will appear automatically.
  2. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
  3. On the Cloud Service Providers screen, select Microsoft Azure.
  4. Select No - Help me identify the details needed, then click Next.
  5. Click the Copy button in the Microsoft Azure Admin Instructions text box and share them with the admin.
Returning Users
  1. Log in to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click the InsightCloudSec tile.
    • Open a browser window to your unique InsightCloudSec URL and log in.
  2. Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
  3. Click the + Add Cloud button in the top right corner.
  4. Click the Microsoft Azure button.
  5. Click Don't have admin access? in the bottom right corner of the window.
  6. Click the Copy button in the Microsoft Azure Admin Instructions text box and share them with the admin.

Connect the Account

When your admin has completed their steps and provided the information to you, you can now connect the Account.

First-time Users
  1. Return to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
    • Open a browser window to your unique InsightCloudSec URL and log in. The onboarding wizard will appear automatically.
  2. The wizard should automatically return you to the Microsoft Azure Admin Instructions page.
  3. Enter the following information (provided by your admin):
    1. Select the Azure partition (Commercial, Government, China) in which the Account is located.
    2. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
    3. Copy/paste the Application (Client) ID and Directory (Tenant) ID.
    4. Select the authentication type.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    5. Copy/paste the Subscription ID.
  4. Click Connect Account.
Returning Users
  1. Log in to InsightCloudSec using one of the methods below:
    • In the Insight Platform, click the InsightCloudSec tile.
    • Open a browser window to your unique InsightCloudSec URL and log in.
  2. Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
  3. Click the + Add Cloud button in the top right-hand corner.
  4. Click the Microsoft Azure button.
  5. Click Don't have admin access? in the bottom right-hand corner of the window.
  6. Enter the following information (provided by your admin):
    1. Select the Azure partition (Commercial, Government, China) in which the Account is located.
    2. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
    3. Copy/paste the Application (Client) ID and Directory (Tenant) ID.
    4. Select the authentication type.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    5. Copy/paste the Subscription ID.
  7. Click Connect Account.

Admin User Instructions

As an admin, you must prepare your Account(s) for the connection with InsightCloudSec by creating a new application registration & creating and assigning custom roles within Azure. For more information on the custom roles that InsightCloudSec provides, review Azure Overview & Support.

Providing details to a non-admin user?

If you are providing details to a non-admin user to onboard the Account, ensure that the credentials you share with the non-admin user will include the appropriate access and enable them to connect your Azure tenant with InsightCloudSec successfully. We recommend using a secure file sharing system to provide credentials to your non-admin user.

Azure Admin Onboarding Prerequisites

Prepare Azure for Onboarding

To onboard an Organization for Azure you need to complete one of the following sets of instructions:

Manual Onboarding using the Azure console
Step 1: Create a new Azure Active Directory Application Registration

The primary Azure subscription inside the tenant that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the Azure console open side-by-side in your preferred browser's windows/tabs.

  1. Log in to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Manual Steps, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Manual Steps.
  2. In a separate browser tab or window, log in as an Admin to the Azure Console for the subscription you want to harvest.

In the Azure Console:

  1. Add a New Application Registration.
    • Click Azure Active Directory from the left navigation menu.
    • Click App registrations under the Azure Active Directory's Manage menu.
    • Click New registration.
  2. Describe the New App Registration.
    • Enter a Name to denote that this app is used for InsightCloudSec, e.g., InsightCloudSec Azure Application.
    • Select the supported account type. We recommend using the Single Tenant option.
    • Optionally, enter a Redirect URI using the specified URL format. This may be required later for authentication.
    • Click Register to create the app registration.
  3. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application (Client) ID and the Directory (Tenant) ID. Copy both of these IDs to a safe location; you will need to use these values later.
  4. From the new application's Overview page, click Certificates & secrets from the Manage menu on the left side.
  5. Create and save a certificate or secret for this Application.
    • To use a Certificate:
      • Generate a certificate (public key) locally and save it to a secure location.
      • From the Certificates & secrets page in Azure, click the Certificates tab.
      • Click Upload certificate.
      • Click Select a file and navigate to the certificate on your computer.
      • Click Open.
      • Optionally, provide a description.
      • Click Add. Your certificate's thumbprint will be displayed.
      • Copy the certificate value and thumbprint to a secure location; you will need to use this later.
    • To use a Client secret:
      • From the Certificates & secrets page in Azure, click the Client secrets tab.
      • Click New client secret.
      • Give your client secret a description.
      • Set an expiration period for your secret.
      • Click Add. Your new client secret's values will be displayed.
      • Copy the generated client secret key value to a safe location; you will need to use this value later. This is the only opportunity you have to copy this secret key value. If you leave this page without copying the secret key value, you will not be able to access the value and you'll need to delete the key and create another one.
  6. Set up permissions for this App Registration.
    • From the application's Overview page, click API permissions from the Manage menu on the left side.
    • Click Add a permission.
    • Click Microsoft Graph.
  7. Select Application Permissions.
    • Search for Directory.Read.All under the Directory section.
      • The Directory.Read.All permission contains the Application.Read.All permission, which is required to harvest the Azure Application Credentials resource. Review the Resource Matrix for more information and contact the support team through the Customer Support Portal for any questions or assistance.
    • Check the box next to the permission and click Add permissions.
    • Search for AuditLog.Read.All under the "AuditLog" section.
    • Check the box next to the permission and click Add permissions.
  8. Click Grant admin consent for Default Directory, then confirm the selection.

In the InsightCloudSec Cloud Onboarding interface:

  1. For 1. Authentication:
    1. Select the Azure partition (Commercial, Government, China) in which the subscription is located.
    2. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
    3. Select the authentication type you configured within the Azure console.
      • If you chose API/Secret, copy/paste the Secret Key Value.
      • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
    4. Click Next.
Step 2: Create custom role(s)

To ensure that the new InsightCloudSec-associated Application Registration you created in the previous section is securely and appropriately accessing your Azure account data (and providing resource visibility), you'll need to create the appropriate IAM role; InsightCloudSec offers a few. Since you're attempting to onboard an Organization, you'll also need to create a custom Organization-based role within the tenant.

Using a standard role?

If you are planning on using a standard Azure role (i.e., not one of the InsightCloudSec-provided custom roles), skip to Adding the Organization Reader Role.

Adding a Custom Role for Resource Visibility

In the Azure Console:

  1. Navigate to Subscriptions and select the subscription you want to onboard. This is the primary Subscription and as such, will be harvested first. If you'd prefer a different Subscription first, select that one instead.
  2. On the Overview page, copy the Subscription ID. You will need this ID for connecting the subscription.
  3. Navigate to the Tenant you are onboarding from the Management Groups page.
  4. From the menu panel on the left, select Access control (IAM).
  5. From the Access control (IAM) page, click Add > Add custom role.
  6. Provide the Basics.
    1. Provide a custom role name.
    2. Optionally, provide a description for the role.
    3. Select Start from scratch.
  7. Update the generated JSON file for the correct permissions.
    1. Click the JSON tab.
    2. Click Edit.
    3. Download one of the roles discussed on the Azure Overview & Support page. The roles are also available inside the Cloud Onboarding interface in InsightCloudSec.
    4. Return to the Azure Console and replace the JSON object with the one you just copied.
    5. Update the placeholder Subscription ID for the ID associated with the subscription you're onboarding to InsightCloudSec.
    6. Click Save.
  8. Click Review + create.
    • The JSON will be validated. If successful, verify everything looks correct.
    • Click Create.

Adding the Organization Reader Role

This role will allow InsightCloudSec to access basic information about the relevant tenant. You'll need to create the Organization Reader Role within the tenant account.

In the Azure Console:

  1. From the Tenant's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add custom role.
  3. Provide the Basics.
    1. Provide a custom role name.
    2. Optionally, provide a description for the role.
    3. Select Start from scratch.
  4. Update the generated JSON file for the correct permissions.
    1. Click the JSON tab.
    2. Click Edit.
    3. Open the Azure Organization Reader Role section in a new tab.
    4. Point your mouse cursor to the code area and click the Copy icon. This will store the JSON permissions object in your clipboard.
    5. Return to the Azure Portal tab and replace the default permissions object with the one you just copied. The pasted code does not need to match the indentation level of the existing JSON.
  5. Click Review + create.
    1. The JSON will be validated. If successful, verify everything looks correct.
    2. Click Create.

In the InsightCloudSec Cloud Onboarding interface:

  1. For 2. Roles:
    1. Select Tenant/Root Management Group.
    2. Copy/paste the Primary Subscription ID.
    3. Click Next.
Step 3: Assign the role(s)

Standard and custom roles alike must be assigned to a subscription within the tenant so it can be harvested properly and securely. You'll need to add the IAM role (e.g., Reader, Reader Plus, etc.) assignment; since you're onboarding an Organization, you'll also need to assign the Organization Reader Role to the tenant account.

Assigning the IAM Role

In the Azure Console:

  1. From the desired subscription's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add role assignment.
  3. Select the role you wish to assign, then click Next.
  4. Add the Application Registration as a member.
    1. Leave the Assign access to field as the default value (User, group, or service principal).
    2. Next to Members, click + Select members.
    3. In the Select panel, begin typing the name of the application you created earlier. Select that application once it appears, then click Select.
    4. Click Review + assign to add the role.

Assigning the Organization Reader Role

In the Azure Console:

  1. From the desired tenant's menu panel on the left, select Access control (IAM).
  2. From the Access control (IAM) panel, click Add > Add role assignment.
  3. Search for the Azure Organization Reader Role, then click Next.
  4. Add the new InsightCloudSec Application Registration as a member.
    1. Leave the Assign access to field as the default value (User, group, or service principal).
    2. Next to Members, click + Select members.
    3. In the Select panel, begin typing the name of the application you created earlier. Select that application once it appears, then click Select.
    4. Click Review + assign to add the role.
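The admin steps of Manual Onboarding (Steps 1 to 3) as an added Python script that drives the Azure CLI; this is not Rapid7's onboard.py and not code from this page. It assumes Azure CLI 2.37 or later, an `az login` session held by a tenant admin who can assign roles at the tenant root management group, and role JSON files in `az role definition create` format that use the hypothetical placeholders `<SUBSCRIPTION_ID>` and `<TENANT_ID>` (the constructed `EXAMPLE_ROLE_TEMPLATE` below stands in for a downloaded role and is not one of the InsightCloudSec roles).

```python
"""Azure CLI automation of the manual onboarding steps (added example, not
Rapid7's onboard.py). Call onboard() after `az login` as a tenant admin."""
import json
import re
import subprocess

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app id
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Hypothetical placeholder tokens; a downloaded role JSON defines its own.
SUB_PLACEHOLDER, TENANT_PLACEHOLDER = "<SUBSCRIPTION_ID>", "<TENANT_ID>"

# Constructed stand-in for a downloaded role definition in `az role definition
# create` format; it is not one of the InsightCloudSec-provided roles.
EXAMPLE_ROLE_TEMPLATE = json.dumps({
    "Name": "ICS Harvest Role (example)",
    "IsCustom": True,
    "Actions": ["*/read"],
    "NotActions": [],
    "DataActions": [],
    "AssignableScopes": [f"/subscriptions/{SUB_PLACEHOLDER}"],
})


def az(*args):
    """Run one az command and return its parsed JSON output (None if it prints nothing)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def is_guid(value: str) -> bool:
    """Application (Client), Directory (Tenant) and Subscription IDs are all GUIDs."""
    return bool(GUID_RE.match(value))


def management_group_scope(tenant_id: str) -> str:
    """The tenant root management group's ID is the Directory (Tenant) ID."""
    return f"/providers/Microsoft.Management/managementGroups/{tenant_id}"


def render_role_definition(template: str, subscription_id: str, tenant_id: str) -> dict:
    """Substitute the placeholder IDs and reject definitions that would not work:
    leftover placeholders, or DataActions in a tenant-scoped role (the Key Vault
    limitation described on this page)."""
    for name, value in (("subscription", subscription_id), ("tenant", tenant_id)):
        if not is_guid(value):
            raise ValueError(f"{name} id {value!r} is not a GUID")
    rendered = template.replace(SUB_PLACEHOLDER, subscription_id).replace(TENANT_PLACEHOLDER, tenant_id)
    role = json.loads(rendered)
    scopes = role.get("AssignableScopes", [])
    if not scopes or any("<" in s for s in scopes):
        raise ValueError(f"unresolved placeholder in AssignableScopes: {scopes}")
    if role.get("DataActions") and any("managementGroups" in s for s in scopes):
        raise ValueError("DataActions are not honoured in tenant-scoped roles; "
                         "use a per-subscription custom role instead")
    return role


def graph_app_role_ids(names):
    """Resolve Graph application permissions by name instead of hard-coding GUIDs."""
    graph_sp = az("ad", "sp", "show", "--id", GRAPH_APP_ID)
    found = {r["value"]: r["id"] for r in graph_sp["appRoles"] if r["value"] in names}
    if missing := set(names) - set(found):
        raise RuntimeError(f"Graph permissions not found: {sorted(missing)}")
    return found


def onboard(app_name, subscription_id, harvest_role_json, org_reader_json):
    tenant_id = az("account", "show")["tenantId"]
    app = az("ad", "app", "create", "--display-name", app_name,
             "--sign-in-audience", "AzureADMyOrg")  # Single tenant, as the page recommends
    sp = az("ad", "sp", "create", "--id", app["appId"])
    # Step 1: Directory.Read.All and AuditLog.Read.All as application permissions, then admin consent.
    for role_id in graph_app_role_ids(["Directory.Read.All", "AuditLog.Read.All"]).values():
        az("ad", "app", "permission", "add", "--id", app["appId"],
           "--api", GRAPH_APP_ID, "--api-permissions", f"{role_id}=Role")
    az("ad", "app", "permission", "admin-consent", "--id", app["appId"])
    # Client secret with an explicit one-year expiry; Azure returns the value exactly once.
    secret = az("ad", "app", "credential", "reset", "--id", app["appId"], "--years", "1")["password"]
    # Steps 2 and 3: create the harvesting role and the Organization Reader role, then assign
    # them to the service principal at the subscription and at the tenant root management group
    # (the latter needs elevated access on the root management group).
    harvest = render_role_definition(harvest_role_json, subscription_id, tenant_id)
    org_reader = render_role_definition(org_reader_json, subscription_id, tenant_id)
    for role, scope in ((harvest, f"/subscriptions/{subscription_id}"),
                        (org_reader, management_group_scope(tenant_id))):
        az("role", "definition", "create", "--role-definition", json.dumps(role))
        az("role", "assignment", "create", "--assignee-object-id", sp["id"],
           "--assignee-principal-type", "ServicePrincipal",
           "--role", role["Name"], "--scope", scope)
    # Exactly the values the Connect the Account form asks for; store them securely.
    return {"tenantId": tenant_id, "subscriptionId": subscription_id,
            "appId": app["appId"], "secretKeyValue": secret}
```

Pass the two role JSON files' contents to `onboard()` and hand its return value to the non-admin user through a secure channel, since the secret key value cannot be retrieved from Azure again.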

Manual Onboarding instructions complete!

After completing these steps, you have completed the manual onboarding instructions for Azure. Jump to the Connect the Account in InsightCloudSec instructions.


Automated Onboarding using Azure Cloud Shell

The primary Azure subscription inside the tenant that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing. All of this can be completed in an automated fashion using the InsightCloudSec Azure Onboarding script in the Azure Cloud Shell.

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the Azure console open side-by-side in your preferred browser's windows/tabs.

  1. Log in to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Microsoft Azure Script, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Script.
  2. In a separate browser tab or window, log in as an Admin to the Azure Console for the primary subscription you want to harvest.

In the InsightCloudSec Cloud Onboarding interface:

  1. Select the Azure partition (Commercial, Government, China) in which the tenant is located.
  2. Select Tenant/Root Management Group.
  3. Select the desired authentication type.
  4. Click Generate & Download Script.

In the Azure Console:

  1. Log in to the Azure Portal using the subscription/tenant you would like to connect to InsightCloudSec.
  2. In the top bar, click the Cloud Shell icon to open the Cloud Shell. If this is your first time using the Cloud Shell, you'll be prompted to select the type of shell and storage within a subscription to persist files between sessions. Review the Azure Documentation for more information.
  3. Click the Upload/Download Files icon, then click Upload and select the onboarding script from its downloaded location. The file will be uploaded to /home/<username> by default.
  4. Run the script (python onboard.py) and follow the prompts to create everything needed to onboard the Account. If you uploaded the onboarding script to somewhere other than the default, you'll need to include the directory location with the command.
    • Provide an Application Registration name (or press Enter to use the default).
    • Provide the subscription ID for the Account you wish to onboard (or press Enter to use the current Subscription).
    • Provide a number corresponding to the role you wish to use for harvesting (or press Enter to use the default). Review Azure Overview & Support for more information.
    • The configuration is complete. The necessary values are displayed.
  5. Copy the necessary configuration information (Tenant ID, Subscription ID, Application Registration name, Application Registration ID, Application Registration password a.k.a. Secret Key Value) to a secure location.

In the InsightCloudSec Cloud Onboarding interface:

  1. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
  2. Copy/paste the relevant authentication value(s).
    • If you chose API/Secret, copy/paste the Secret Key Value.
    • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
  3. Copy/paste the Primary Subscription ID.

Azure Cloud Shell Onboarding instructions complete!

After completing these steps, you have completed the automated onboarding instructions for Azure Cloud Shell. Jump to the Connect the Account in InsightCloudSec instructions.


Automated Onboarding using Azure CLI

The primary Azure subscription inside the tenant that contains data you want to harvest for InsightCloudSec will need an Application Registration associated with it. By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing. All of this can be completed in an automated fashion using the InsightCloudSec Azure Onboarding script in the Azure CLI.

Prerequisites

These instructions and prerequisites have only been tested on a Unix-based system.

  1. Log in to your InsightCloudSec instance and open the Cloud Onboarding interface.
    • First-time Users:
      1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
      2. On the Cloud Service Providers screen, select Microsoft Azure.
      3. Select Yes - I have permissions to create roles, then click Next.
      4. For your connection journey, click Microsoft Azure Script, then click Next.
    • Returning Users:
      1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
      2. Click the + Add Cloud button in the top right corner.
      3. Click the Microsoft Azure button.
      4. For your connection journey, click Script.
  2. In a separate browser tab or window, log in as an Admin to the Azure Console for the primary subscription you want to harvest.

In the InsightCloudSec Cloud Onboarding interface:

  1. Select the Azure partition (Commercial, Government, China) in which the subscription is located.
  2. Select Tenant/Root Management Group.
  3. Select the desired authentication type.
  4. Click Generate & Download Script.

In a local terminal window:

  1. Log in to the Azure CLI: az login
  2. Run the script (python onboard.py) and follow the prompts to create everything needed to onboard the Account. If you're not currently in the location of the onboarding script, you'll need to include the directory location with the command.
    • Provide an Application Registration name (or press Enter to use the default).
    • Provide the subscription ID for the Account you wish to onboard (or press Enter to use the current Subscription).
    • Provide a number corresponding to the role you wish to use for harvesting (or press Enter to use the default). Review Azure Overview & Support for more information.
    • The configuration is complete. The necessary values are displayed.
  3. Copy the necessary configuration information (Tenant ID, Subscription ID, Application Registration name, Application Registration ID, Application Registration password a.k.a. Secret Key Value) to a secure location.

In the InsightCloudSec Cloud Onboarding interface:

  1. Copy/paste the Application (Client) ID and the Directory (Tenant) ID values.
  2. Copy/paste the relevant authentication value(s).
    • If you chose API/Secret, copy/paste the Secret Key Value.
    • If you chose Client Certificate, copy/paste the PEM Certificate and Certificate Thumbprint.
  3. Copy/paste the Primary Subscription ID.

Azure CLI Onboarding instructions complete!

After completing these steps, you have completed the automated onboarding instructions for Azure CLI. Jump to the Connect the Account in InsightCloudSec instructions.

Connect the Account in InsightCloudSec

The Azure onboarding process is nearly complete; all that remains is to set up an account nickname in InsightCloudSec and verify the account connection.

In the InsightCloudSec Cloud Onboarding interface:

  1. Provide the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
  2. Click Connect Account.

Success! You onboarded an Account

Congratulations on successfully onboarding an Azure Account! InsightCloudSec will now detect the following:

  • If there are any missing permissions that could cause impaired visibility into your Account
  • Assuming you completed the Organization-related portion of the onboarding, if the Account is an Azure tenant Account, you can enable Account Discovery. If Account Discovery is enabled, Rapid7 can onboard and collect information on related Azure Tenants and Subscriptions via the onboarded Tenant. Click Enable Auto Discovery at the bottom of the window to start this process.
  • For information about modifying an existing onboarded account, check out the Cloud Account Setup & Management page.

Organization Post-Onboarding Information

Now that you have onboarded an Azure tenant Account as an Organization within InsightCloudSec, you should have at least your tenant Account with full visibility. Review the following sections for more information on augmenting your Organization onboarding experience or managing the organization within InsightCloudSec.

Enabling Account Discovery

Once a tenant Account is onboarded to InsightCloudSec, we can automatically detect any child Accounts and prompt you to enable Account Discovery. If you clicked the Enable Auto Discovery button within the onboarding wizard, you'll be taken to the Edit Organization Config window for the new organization.

  1. From the Edit Organization Config window, select Auto-Sync Subscriptions.
  2. Click UPDATE.

Once enabled, Accounts are discovered via the API dynamically and configured with defaults you provide (auto-badge, subscriptions to skip, import scope, etc.).

Modifying an Azure Organization in InsightCloudSec

After onboarding an Azure Organization, you can edit configuration information at any time.

  1. From InsightCloudSec, navigate to Cloud > Cloud Accounts.
  2. On the Organizations tab, click the Edit icon (pencil) next to the Organization you want to edit.
  3. Adjust the Organization Nickname or Credentials values as necessary.
  4. Adjust the scope/badging options as necessary:
    • Subscriptions to Skip: Enter details for subscriptions (IDs or Names) to be skipped (e.g., you have a group of development subscriptions you are not interested in tracking).
    • Auto-Sync Subscriptions: Select this box to add all subscriptions associated with the tenant. If not checked, each subscription must be added manually.
    • Auto-remove disabled subscriptions: Select this box to automatically remove suspended Azure subscriptions from InsightCloudSec. As soon as this checkbox is enabled, a background process will begin running and remove the subscriptions automatically as they are found.
    • Auto-Badge Subscriptions: Select this box to allow InsightCloudSec to automatically badge your incoming Accounts based on Azure subscription tags.
    • Limit import scope: Select this box and provide Management Group ID(s) to only include the given group(s) and anything underneath them.
  5. Click UPDATE.

Auto-badging

As an enhancement to support for provider-based Organizations, InsightCloudSec includes auto-badging capabilities. The purpose of auto-badging is to create a 1:1 map of Azure account-level tags to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.

After the tags and labels are harvested into InsightCloudSec as badges, you cannot delete them in InsightCloudSec; they must be deleted in Azure, and the change will propagate to InsightCloudSec.

Auto-badging takes place in two stages.

  • Stage 1: Retrieves tags and labels from each account and project and compares them with the ResourceTags associated with the cloud account in the InsightCloudSec database. If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project.
    This means that Cloud Account tags should not be locally modified, since any local changes will be overwritten the next time the process runs. Additionally, any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
  • Stage 2: Retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:
    • Existing Badges with a Key prefix of system. are skipped.
    • If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
    • If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
    • If a Badge no longer has a tag with a corresponding Key, it will be deleted.
    • All Badges that have a corresponding tag will have their autogenerated column set to 'true' even if they were previously set to 'false'.
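The Stage 2 badge reconciliation rules above, implemented as an added Python example; the rules come from this page, but the `Badge` and `Plan` data model and the sample account data are constructed here and are not InsightCloudSec's own code or schema.

```python
"""Stage 2 of auto-badging (tag -> badge reconciliation) as an added example.
The Badge/Plan model is constructed; it is not the InsightCloudSec schema."""
from dataclasses import dataclass, field

SYSTEM_PREFIX = "system."  # badges with this key prefix are never touched


@dataclass
class Badge:
    key: str
    value: str
    autogenerated: bool = False


@dataclass
class Plan:
    """What one sync run would change for a single cloud account."""
    create: list = field(default_factory=list)             # (key, value)
    update: list = field(default_factory=list)             # (key, old, new)
    delete: list = field(default_factory=list)             # key
    mark_autogenerated: list = field(default_factory=list)  # key


def reconcile_badges(tags: dict, badges: list) -> tuple:
    """Compare one cloud's ResourceTags with its current badges and apply the
    page's rules. Returns (resulting badge list, plan of changes); badges are
    updated in place."""
    plan = Plan()
    result = []
    existing_keys = {b.key for b in badges}
    for badge in badges:
        if badge.key.startswith(SYSTEM_PREFIX):  # system.* badges are skipped as-is
            result.append(badge)
            continue
        if badge.key not in tags:                 # tag removed in Azure -> badge deleted
            plan.delete.append(badge.key)
            continue
        if badge.value != tags[badge.key]:        # tag value changed -> badge updated
            plan.update.append((badge.key, badge.value, tags[badge.key]))
            badge.value = tags[badge.key]
        if not badge.autogenerated:               # every tag-backed badge ends up autogenerated
            plan.mark_autogenerated.append(badge.key)
            badge.autogenerated = True
        result.append(badge)
    for key, value in tags.items():
        if key not in existing_keys:              # no badge for this tag yet -> created
            plan.create.append((key, value))
            result.append(Badge(key, value, autogenerated=True))
    return result, plan


def sample_run():
    """Constructed scenario: one cloud account's current tags and badges."""
    tags = {"env": "prod", "owner": "payments", "costcenter": "CC-42"}
    badges = [
        Badge("env", "staging", autogenerated=True),             # value changed in Azure
        Badge("owner", "payments"),                               # matches, not yet flagged
        Badge("legacy", "decommissioned", autogenerated=True),   # tag removed in Azure
        Badge("system.cloud_type", "azure"),                      # system badge, untouched
    ]
    return reconcile_badges(tags, badges)
```

The `Plan` is what an operator would want to review before a sync runs, since badge deletions and value changes cannot be undone from InsightCloudSec and must be corrected in Azure.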

Microsoft Key Vault Harvesting

As mentioned above, if you used a recommended role during setup, you cannot harvest Microsoft Key Vault key rotation policies because of a limitation with Azure Tenant-scoped roles and dataActions permissions. Unfortunately, the only workaround currently is to add a custom role with the permission to each subscription within the Tenant. The InsightCloudSec documentation discusses this in the manual onboarding instructions.