Azure Overview & Support

After InsightCloudSec is successfully installed, you're ready to enable visibility into your target Azure tenant(s) and/or subscription(s). Review the sections below to determine the best starting point for your environment.

Supported Regions and Services

Listed below are the supported services (and their components) and regions for Microsoft Azure public cloud.

If you're interested in the Azure GovCloud support for InsightCloudSec, review the Government Cloud Support Reference for details instead.

Regions

Regions

text
1
australiacentral
2
australiacentral2
3
australiaeast
4
australiasoutheast
5
brazilsouth
6
canadacentral
7
canadaeast
8
centralindia
9
centralus
10
eastasia
11
eastus
12
eastus2
13
francecentral
14
japaneast
15
japanwest
16
koreacentral
17
koreasouth
18
northcentralus
19
northeurope
20
southafricanorth
21
southcentralus
22
southeastasia
23
southindia
24
uaenorth
25
uksouth
26
ukwest
27
westcentralus
28
westeurope
29
westindia
30
westus
31
westus2
Services

Services

text
1
Activity log (Alerts)
2
API Management services
3
App Configurations
4
App Registration
5
App Services
6
App Service plans
7
Application credentials
8
Application gateways
9
Applied AI services (Cognitive search)
10
Automation Account
11
Azure Active Directory (Federated Group, Federated User, Group, Service Principal, User)
12
Azure Blob Storage
13
Azure Cache for Redis
14
Azure Cosmos DB
15
Azure Database for PostgreSQL/MySQL/MariaDB
16
Azure Databricks
17
Azure Files
18
Azure role assignments
19
Azure Synapse Analytics
20
Bastion Host
21
Batch (Accounts, Pools)
22
Bot services
23
CDN profile
24
Container instances
25
Container registries (Container Image)
26
Compute/Network Usage Limit
27
Data factories
28
Data Lake Storage Gen1
29
Dedicated SQL pools
30
DDoS protection plans
31
Diagnostic settings
32
Disks
33
DNS zones
34
Event Grid (Subscriptions, Topics, System topics)
35
Event Hubs
36
ExpressRoute circuits
37
Firewall (Rule, Rule Collection)
38
Front Doors
39
Function App
40
HDInsight clusters
41
IP Groups
42
Key vaults (Key, Secret)
43
Kubernetes services
44
Load balancers
45
Log Analytics workspaces
46
Logic apps
47
Management groups
48
Microsoft Defender for Cloud (Security posture recommendations)
49
NAT gateways
50
Network interfaces
51
Network security groups (Flow Logs, Security Rules)
52
Peerings
53
Policy (Definitions)
54
Private Link services
55
Public IP addresses
56
Region
57
Resource groups
58
Role Definition
59
Route tables (Route)
60
Service Bus (Queue)
61
Service Fabric clusters
62
Shared Image Gallery (Image Definition, Image Version)
63
SQL Servers
64
SSL Certificate
65
Storage accounts
66
Storage Sync Services
67
Subscriptions
68
Template specs
69
Traffic Manager
70
Virtual machine (Dedicated Host, Image)
71
Virtual machine scale sets
72
Virtual network (Private Endpoint, Service Endpoint, Service Endpoint Policy Subnet)
73
Virtual network gateway

Azure Roles

An IAM role must be associated with the Azure tenant or subscription that will be harvested by InsightCloudSec to ensure secure and appropriate access of this information. There are two paths for selecting the IAM role:

  • Standard role managed by Azure: this requires less maintenance long term because Microsoft will automatically update these roles for new services.
    • InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.
  • Custom role that by InsightCloudSec: this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports.

    • InsightCloudSec offers a few custom roles for Azure accounts (subscriptions) and organizations (tenants) that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization, Commercial vs. GovCloud). For most scenarios within InsightCloudSec, using the standard Azure-created roles is appropriate.

      RoleDescription
      Custom ReaderGrants InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it.
      Reader PlusGrants InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps.
      Power UserGrants InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them.
      Organization ReaderGrants InsightCloudSec access to Azure management group information.

There are some caveats, however, with some individual Azure permissions relevant to InsightCloudSec:

  • The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Commercial and GovCloud Reader and Reader Plus roles as it needs to be explicit if not using one of the Azure built-in Owner, Contributor, or AcrPull roles.
  • Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. As such, the relevant roles below do not include a dataActions permission for Microsoft Key Vault, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). This simplifies copying the role during setup as well as role maintenance.

Commercial Harvesting

The roles provided for Azure Commercial Harvesting include the following:

Azure Custom Reader User Role

If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Azure Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Reader Plus User Role

The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:

  • "Microsoft.Web/sites/config/list/Action",
  • "Microsoft.Web/sites/slots/config/list/Action"

For the permissions above, the config/list/Action permission provides visibility to determine if Web Apps are configured to require authentication and for Serverless Functions to determine if the function is enabled/disabled. The caveat is that those permissions also provide access to any environment variables configured for WebApps, which may contain sensitive information.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Power User Role

If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Additional Harvesting Policies

Azure Organization Reader Role

If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them. This role must be attached to the Tenant Root Group in order for InsightCloudSec to be able to read all of the management groups and subscriptions in the tenant.

The role included in the code block below has two tabs: one for just the permissions associated with the role and one for the full JSON with abbreviated permissions. The permissions version can be simply copied into an in-progress custom role. The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role assignment process. Review Azure's documentation for more information.

json
1
"permissions": [
2
    {
3
        "actions": [
4
            "Microsoft.Management/managementGroups/descendants/read",
5
            "Microsoft.Management/managementGroups/read",
6
            "Microsoft.Management/managementGroups/settings/read",
7
            "Microsoft.Resources/subscriptions/read"
8
        ],
9
        "notActions": [],
10
        "dataActions": [],
11
        "notDataActions": []
12
    }
13
]
json
1
{
2
    "properties": {
3
        "roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
4
        "description": "Provides access to read the structure for a given Management Group.",
5
        "assignableScopes": [
6
            "/providers/Microsoft.Management/managementGroups/<my-management-group>"
7
        ],
8
        "permissions": [
9
            {
10
                "actions": [
11
                  	"..."
12
                ],
13
                "notActions": [],
14
                "dataActions": [],
15
                "notDataActions": []
16
            }
17
        ]
18
    }
19
}

Azure in InsightCloudSec: Frequently Asked Questions (FAQ)

The following frequently asked questions and answers should help you understand Microsoft Azure in InsightCloudSec.

What does InsightCloudSec support from Azure?

As one of the leading public cloud service providers, InsightCloudSec provides broad support for Microsoft Azure. Review the full list of Azure-specific supported regions and services below page. InsightCloudSec also supports individual Microsoft Azure China and Microsoft Azure GovCloud accounts (not organizations) in varying capacities; see China Cloud Overview & Support and/or GovCloud Overview & Support for more information.

How do I start seeing my Azure environments in InsightCloudSec?

InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Review Azure - Onboarding for details.

New Microsoft Azure Onboarding

As of InsightCloudSec version 23.4.11, a new Azure onboarding experience is available. This experience replaces the old setup experience and you will not be able to access it.

What do I do after my environment(s) is being harvested?

After at least one Azure account is harvested by InsightCloudSec, you're free to configure additional Azure features as necessary to enhance, optimize, or further secure your experience. Review Azure Additional Configuration for more information. You may also want to review the Azure Least Privileged Access (LPA) feature.

How can I optimize harvesting?

Harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.

In addition, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain Azure events occur. Review our Azure Event-Driven Harvesting documentation for more information.

How do organizations handle Azure subscriptions that have the same name?

Right now, the names will be overwritten with the name of the subscription coming from Azure in InsightCloudSec.

Will migrating to organizations impact anything from the user experience side?

The InsightCloudSec user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

Not at this time.

How long is data retained for an account when it's onboarded via organization?

The account in the InsightCloudSec "Clouds" page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

How do I manage an existing account after it's been onboarded?

For general information about managing existing Azure accounts, check out the Clouds section and subsections on Cloud Account Setup & Management. For general information about managing existing Azure organizations, review Modifying an Azure Organization in InsightCloudSec Information about viewing the details of a single cloud account is available on the Cloud Account Detail Page. Cloud accounts can be deleted through their individual page.