Azure Overview & Support
After InsightCloudSec is successfully installed, you're ready to enable visibility into your target Azure tenant(s) and/or subscription(s). Review the sections below to determine the best starting point for your environment.
Supported Regions and Services
Listed below are the supported services (and their components) and regions for Microsoft Azure public cloud.
If you're interested in the Azure GovCloud support for InsightCloudSec, review the Government Cloud Support Reference for details instead.
Regions
- australiacentral
- australiacentral2
- australiaeast
- australiasoutheast
- brazilsouth
- canadacentral
- canadaeast
- centralindia
- centralus
- eastasia
- eastus
- eastus2
- francecentral
- japaneast
- japanwest
- koreacentral
- koreasouth
- northcentralus
- northeurope
- southafricanorth
- southcentralus
- southeastasia
- southindia
- uaenorth
- uksouth
- ukwest
- westcentralus
- westeurope
- westindia
- westus
- westus2
Services
- Activity log (Alerts)
- API Management services
- App Configurations
- App Registration
- App Services
- App Service plans
- Application credentials
- Application gateways
- Applied AI services (Cognitive search)
- Automation Account
- Azure Active Directory (Federated Group, Federated User, Group, Service Principal, User)
- Azure Blob Storage
- Azure Cache for Redis
- Azure Cosmos DB
- Azure Database for PostgreSQL/MySQL/MariaDB
- Azure Databricks
- Azure Files
- Azure role assignments
- Azure Synapse Analytics
- Bastion Host
- Batch (Accounts, Pools)
- Bot services
- CDN profile
- Container instances
- Container registries (Container Image)
- Compute/Network Usage Limit
- Data factories
- Data Lake Storage Gen1
- Dedicated SQL pools
- DDoS protection plans
- Diagnostic settings
- Disks
- DNS zones
- Event Grid (Subscriptions, Topics, System topics)
- Event Hubs
- ExpressRoute circuits
- Firewall (Rule, Rule Collection)
- Front Doors
- Function App
- HDInsight clusters
- IP Groups
- Key vaults (Key, Secret)
- Kubernetes services
- Load balancers
- Log Analytics workspaces
- Logic apps
- Management groups
- Microsoft Defender for Cloud (Security posture recommendations)
- NAT gateways
- Network interfaces
- Network security groups (Flow Logs, Security Rules)
- Peerings
- Policy (Definitions)
- Private Link services
- Public IP addresses
- Region
- Resource groups
- Role Definition
- Route tables (Route)
- Service Bus (Queue)
- Service Fabric clusters
- Shared Image Gallery (Image Definition, Image Version)
- SQL Servers
- SSL Certificate
- Storage accounts
- Storage Sync Services
- Subscriptions
- Template specs
- Traffic Manager
- Virtual machine (Dedicated Host, Image)
- Virtual machine scale sets
- Virtual network (Private Endpoint, Service Endpoint, Service Endpoint Policy Subnet)
- Virtual network gateway
Azure Roles
An Azure role must be assigned to the tenant or subscription that InsightCloudSec will harvest so that access to that data is controlled and appropriately scoped. There are two paths for selecting the role:
- Standard (built-in) role managed by Azure: this requires less maintenance over time because Microsoft updates these roles automatically as new services are released.
- For read-only access to all resources, InsightCloudSec recommends the built-in Azure Reader role. For power-user-level harvesting (especially if you plan to use Bots often), InsightCloudSec recommends the built-in Azure Contributor role, which can create and manage all types of Azure resources but cannot grant access to other roles.
- Custom role provided by InsightCloudSec: this offers more control and a 1:1 match to the Azure resources that InsightCloudSec supports, at the cost of updating the role yourself as support for new services is added.
InsightCloudSec offers a few custom roles for Azure accounts (subscriptions) and organizations (tenants) that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization, Commercial vs. GovCloud). For most scenarios within InsightCloudSec, using the standard Azure-created roles is appropriate.
- Custom Reader: grants InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it.
- Reader Plus: grants InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps.
- Power User: grants InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them.
- Organization Reader: grants InsightCloudSec access to Azure management group information.
There are some caveats, however, with individual Azure permissions relevant to InsightCloudSec:
- The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Commercial and GovCloud Reader and Reader Plus roles because it must be granted explicitly unless one of the Azure built-in Owner, Contributor, or AcrPull roles is used.
- Due to a limitation in Azure, roles with a Management Group (Azure Organization) assignable scope cannot contain dataActions permissions. As such, the relevant roles below do not include the Key Vault dataActions permission "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). Leaving it out also simplifies copying the role during setup and maintaining it afterwards.
Commercial Harvesting
The roles provided for Azure Commercial Harvesting include the following:
Azure Custom Reader User Role
If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Azure Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Reader Plus User Role
The Reader Plus role resembles the built-in Azure Reader role: it grants read-only permissions to all resources through a wildcard rather than only to the resources that InsightCloudSec supports, as the Custom Reader role does. Because of the wildcard, the role needs less maintenance as new services are supported. In addition, the following permissions are explicitly granted:
```json
"Microsoft.Web/sites/config/list/Action",
"Microsoft.Web/sites/slots/config/list/Action"
```
The config/list/Action permissions above let InsightCloudSec determine whether Web Apps are configured to require authentication and whether Serverless Functions are enabled or disabled. The caveat is that the same permissions also return any environment variables (app settings) configured for those Web Apps, which may contain sensitive information such as secrets and connection strings, so grant them only if that exposure is acceptable in your environment.
The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Azure Power User Role
If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.
The role JSON can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.
Additional Harvesting Policies
Azure Organization Reader Role
If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them. This role must be attached to the Tenant Root Group in order for InsightCloudSec to be able to read all of the management groups and subscriptions in the tenant.
The role is shown in two code blocks below: the first contains just the permissions associated with the role, and the second contains the full JSON with the permissions abbreviated. The permissions version can be copied directly into an in-progress custom role. The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role creation process. Review Azure's documentation on custom roles for more information.
```json
"permissions": [
  {
    "actions": [
      "Microsoft.Management/managementGroups/descendants/read",
      "Microsoft.Management/managementGroups/read",
      "Microsoft.Management/managementGroups/settings/read",
      "Microsoft.Resources/subscriptions/read"
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": []
  }
]
```
```json
{
  "properties": {
    "roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
    "description": "Provides access to read the structure for a given Management Group.",
    "assignableScopes": [
      "/providers/Microsoft.Management/managementGroups/<my-management-group>"
    ],
    "permissions": [
      {
        "actions": [
          "..."
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Azure in InsightCloudSec: Frequently Asked Questions (FAQ)
The following frequently asked questions and answers should help you understand Microsoft Azure in InsightCloudSec.
What does InsightCloudSec support from Azure?
Microsoft Azure is one of the leading public cloud service providers, and InsightCloudSec provides broad support for it. Review the full list of Azure-specific supported regions and services above on this page. InsightCloudSec also supports individual Microsoft Azure China and Microsoft Azure GovCloud accounts (not organizations) in varying capacities; see China Cloud Overview & Support and/or GovCloud Overview & Support for more information.
How do I start seeing my Azure environments in InsightCloudSec?
InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Review Azure - Onboarding for details.
New Microsoft Azure Onboarding
As of InsightCloudSec version 23.4.11, a new Azure onboarding experience is available. It replaces the old setup experience, which is no longer accessible.
What do I do after my environment(s) is being harvested?
After at least one Azure account is harvested by InsightCloudSec, you're free to configure additional Azure features as necessary to enhance, optimize, or further secure your experience. Review Azure Additional Configuration for more information. You may also want to review the Azure Least Privileged Access (LPA) feature.
How can I optimize harvesting?
Harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.
In addition, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain Azure events occur. Review our Azure Event-Driven Harvesting documentation for more information.
How do organizations handle Azure subscriptions that have the same name?
Currently, InsightCloudSec overwrites the account name with the subscription name returned by Azure.
Will migrating to organizations impact anything from the user experience side?
The InsightCloudSec user experience should be the same.
Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?
Not at this time.
How long is data retained for an account onboarded via an organization once it is removed?
The account is deleted from the InsightCloudSec "Clouds" page immediately. Any resources attached to that cloud may take up to a day to be removed from the database.
How do I manage an existing account after it's been onboarded?
For general information about managing existing Azure accounts, check out the Clouds section and its subsections on Cloud Account Setup & Management. For general information about managing existing Azure organizations, review Modifying an Azure Organization in InsightCloudSec. Information about viewing the details of a single cloud account is available on the Cloud Account Detail Page. Cloud accounts can be deleted through their individual page.