Azure Overview & Support

After InsightCloudSec is successfully installed, you're ready to enable visibility into your target Azure tenant(s) and/or subscription(s).

Frequently Asked Questions (FAQ)

The following frequently asked questions and answers should help you understand Microsoft Azure in InsightCloudSec.

What does InsightCloudSec support from Azure?

As one of the leading public cloud service providers, InsightCloudSec provides broad support for Microsoft Azure. Review the full list of Azure-specific supported regions and services for details. InsightCloudSec also supports individual Microsoft Azure China and Microsoft Azure GovCloud accounts (not organizations) in varying capacities; see China Cloud Overview & Support and/or GovCloud Overview & Support for more information.

How do I start seeing my Azure environments in InsightCloudSec?

InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Review Azure - Onboarding for details.

New Microsoft Azure Onboarding

As of InsightCloudSec version 23.4.11, a new Azure onboarding experience is available. This experience replaces the old setup experience and you will not be able to access it.

What do I do after my environments is being harvested?

After at least one Azure account is harvested by InsightCloudSec, you're free to configure additional Azure features as necessary to enhance, optimize, or further secure your experience. Review Azure Additional Configuration for more information. You may also want to review the Azure Least Privileged Access (LPA) feature.

How can I optimize harvesting?

Harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.

In addition, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain Azure events occur. Review our Azure Event-Driven Harvesting documentation for more information.

How do organizations handle Azure subscriptions that have the same name?

Right now, the names will be overwritten with the name of the subscription coming from Azure in InsightCloudSec.

Will migrating to organizations impact anything from the user experience side?

The InsightCloudSec user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

Not at this time.

How long is data retained for an account when it's onboarded?

The account in the InsightCloudSec "Clouds" page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

How do I manage an existing account after it's been onboarded?

For general information about managing existing Azure accounts, check out the Clouds section and subsections on Cloud Account Setup & Management. For general information about managing existing Azure organizations, review Modifying an Azure Organization in InsightCloudSec Information about viewing the details of a single cloud account is available on the Cloud Account Detail Page. Cloud accounts can be deleted through their individual page.

Manage Azure Cloud Accounts

After initial configuration of the account in Azure, you can add the account to InsightCloudSec. In InsightCloudSec, you onboard a cloud account or organization using the onboarding wizard. Review Onboard an Azure Cloud Account or Onboard an Azure Organization for details.

Once an account is successfully being harvested by InsightCloudSec, it can be modified or deleted as necessary.

Azure Commercial Support Reference

Supported Services

Supported Services

Included in this section are all of the Azure services (and their components) supported by InsightCloudSec. If you have questions related to Azure or specific services and their support, contact us through the Customer Support Portal. If you're interested in the Azure China or GovCloud support for InsightCloudSec, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.

Azure Data Lake Storage Gen1 Retired

As of February 29, 2024, Azure has retired the Data Lake Storage Gen1 service. The Data Lake Storage resource type has been disabled until InsightCloudSec is able to officially support Azure Data Lake Storage Gen2. Contact support for any questions or issues.

text
1
Activity log (Alerts)
2
API Management services
3
App Configurations
4
App Registration
5
App Services
6
App Service plans
7
Application credentials
8
Application gateways
9
Applied AI services (Cognitive search)
10
Automation Account
11
Azure Blob Storage
12
Azure Cache for Redis
13
Azure Cosmos DB
14
Azure Database for PostgreSQL/MySQL/MariaDB
15
Azure Databricks (workspace)
16
Azure Files
17
Azure role assignments
18
Azure Synapse Analytics
19
Bastion Host
20
Batch (Accounts, Pools)
21
Bot services
22
CDN profile
23
Conditional Access (Policies, Named Locations)
24
Container instances
25
Container registries (Container Image)
26
Compute/Network Usage Limit
27
Data factories
28
Dedicated SQL pools
29
DDoS protection plans
30
Diagnostic settings
31
Disks
32
DNS zones
33
Event Grid (Subscriptions, Topics, System topics)
34
Event Hubs
35
ExpressRoute circuits
36
Firewall (Rule, Rule Collection)
37
Front Doors
38
Function App
39
HDInsight clusters
40
IP Groups
41
Key vaults (Key, Secret)
42
Kubernetes services
43
Load balancers
44
Log Analytics workspaces
45
Logic apps
46
Management groups
47
Microsoft Defender for Cloud (Security posture recommendations)
48
Microsoft Entra ID (Federated Group, Federated User, Group, Service Principal, User)
49
NAT gateways
50
Network interfaces
51
Network security groups (Flow Logs, Security Rules)
52
Peerings
53
Policy (Definitions)
54
Private Link services
55
Public IP addresses
56
Region
57
Resource groups
58
Role Definition
59
Route tables (Route)
60
Service Bus (Queue)
61
Service Fabric clusters
62
Shared Image Gallery (Image Definition, Image Version)
63
SQL Servers
64
SSL Certificate
65
Storage accounts
66
Storage queues
67
Storage Sync Services
68
Subscriptions
69
Template specs
70
Traffic Manager
71
Virtual machine (Dedicated Host, Image)
72
Virtual machine scale sets
73
Virtual network (Private Endpoint, Service Endpoint, Service Endpoint Policy Subnet)
74
Virtual network gateway
75
Web Application Firewall policies (WAF)
Supported Regions

Supported Regions

The Azure Commercial services supported by InsightCloudSec includes:

text
1
australiacentral
2
australiacentral2
3
australiaeast
4
australiasoutheast
5
brazilsouth
6
canadacentral
7
canadaeast
8
centralindia
9
centralus
10
eastasia
11
eastus
12
eastus2
13
francecentral
14
japaneast
15
japanwest
16
koreacentral
17
koreasouth
18
northcentralus
19
northeurope
20
southafricanorth
21
southcentralus
22
southeastasia
23
southindia
24
uaenorth
25
uksouth
26
ukwest
27
westcentralus
28
westeurope
29
westindia
30
westus
31
westus2

Azure Roles

An IAM role must be associated with the Azure tenant or subscription that will be harvested by InsightCloudSec to ensure secure and appropriate access of this information. There are two paths for selecting the IAM role:

  • Standard role managed by Azure: this requires less maintenance long term because Microsoft will automatically update these roles for new services.
    • InsightCloudSec recommends using the Azure Reader role for read-only permissions to all resources. For users interested in a power-user-level harvesting (especially if you plan on using Bots often), InsightCloudSec recommends using the Azure Contributor role for the ability to create and manage all types of Azure resources except the ability to grant access to other roles.
  • Custom role that by InsightCloudSec: this offers more customization and a 1:1 match to the Azure resources that InsightCloudSec supports.
    • InsightCloudSec offers a few custom roles for Azure accounts (subscriptions) and organizations (tenants) that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization, Commercial vs. GovCloud). For most scenarios within InsightCloudSec, using the standard Azure-created roles is appropriate.

      RoleDescription
      Custom ReaderGrants InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it.
      Reader PlusGrants InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps.
      Power UserGrants InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them.
      Organization ReaderGrants InsightCloudSec access to Azure management group information.

There are some caveats, however, with some individual Azure permissions relevant to InsightCloudSec:

  • The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Commercial and GovCloud Reader and Reader Plus roles as it needs to be explicit if not using one of the Azure built-in Owner, Contributor, or AcrPull roles.
  • Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. As such, the relevant roles included on this page do not include a dataActions permission for Microsoft Key Vault, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). This simplifies copying the role during setup as well as role maintenance.

Commercial Harvesting

The roles provided for Azure Commercial Harvesting include the following:

Azure Custom Reader User Role

If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Azure Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Reader Plus User Role

The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:

  • "Microsoft.Web/sites/config/list/Action",
  • "Microsoft.Web/sites/slots/config/list/Action"

For the permissions above, the config/list/Action permission provides visibility to determine if Web Apps are configured to require authentication and for Serverless Functions to determine if the function is enabled/disabled. The caveat is that those permissions also provide access to any environment variables configured for WebApps, which may contain sensitive information.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Power User Role

If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Additional Harvesting Policies

Azure Organization Reader Role

If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them. This role must be attached to the Tenant Root Group in order for InsightCloudSec to be able to read all of the management groups and subscriptions in the tenant.

The role included in the following code block has two tabs: one for just the permissions associated with the role and one for the full JSON with abbreviated permissions. The permissions version can be simply copied into an in-progress custom role. The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role assignment process. Review Azure's documentation for more information.

json
1
"permissions": [
2
{
3
"actions": [
4
"Microsoft.Management/managementGroups/descendants/read",
5
"Microsoft.Management/managementGroups/read",
6
"Microsoft.Management/managementGroups/settings/read",
7
"Microsoft.Resources/subscriptions/read"
8
],
9
"notActions": [],
10
"dataActions": [],
11
"notDataActions": []
12
}
13
]
json
1
{
2
"properties": {
3
"roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
4
"description": "Provides access to read the structure for a given Management Group.",
5
"assignableScopes": [
6
"/providers/Microsoft.Management/managementGroups/<my-management-group>"
7
],
8
"permissions": [
9
{
10
"actions": [
11
"..."
12
],
13
"notActions": [],
14
"dataActions": [],
15
"notDataActions": []
16
}
17
]
18
}
19
}