Manual Onboarding (Azure Console)
This page is for administrative users who want to manually onboard an Azure account using the Azure console. If you are a non-admin user, return to the Azure - Onboarding Overview for details.
- If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.
- If you have connected to InsightCloudSec previously but are setting up Azure for the first time, you will need to navigate to Cloud > Cloud Accounts and select the Add Cloud option to open the cloud onboarding.
Onboard manually
Step 1: Create a new Microsoft Entra ID Application Registration
- Log in to the Azure Portal using the account you want to connect with InsightCloudSec.
- Go to Microsoft Entra ID > App Registrations and click New registration.
- Provide the required information for the registration and click Register. We recommend using the Single Tenant option.
- Copy the Application ID and the Tenant ID. You will need those IDs for connecting your cloud account.
Step 2: Configure Authentication and Permissions
Configure the API Key and Secret or Client Certificate, plus the Microsoft Graph API permissions granted to the App Registration.
- From the new application registration’s overview page, click Certificates & secrets.
- Generate and upload a certificate or create a new client secret. You will need these credentials for connecting your cloud account.
  - If using a certificate, copy the PEM certificate and Certificate Thumbprint.
  - If using an API Key and Secret, copy the Secret Key value.
- In the side menu, click API permissions, then click Add a permission → Microsoft Graph.
- Click Application Permissions, then search for and add the following permissions:
  - Directory.Read.All
  - AuditLog.Read.All
- Click Grant admin consent for Default Directory, and then confirm the selection.
Step 3: Create custom roles
Create a custom role in Microsoft Azure using the JSON from our public S3 buckets.
- Navigate to Subscriptions and select the subscription you want to onboard.
- On the Overview page, copy the Subscription ID. You will need this ID for connecting the account.
- On the Access control (IAM) page, click Add > Add custom role.
- Provide the required information for the role and select Start from scratch.
- On the JSON tab, click Edit.
- Using one of the roles listed above, copy and paste the JSON into the field, ensuring you update the placeholder Subscription ID with the ID you copied earlier.
- Click Save.
- Click Review + create, then click Create.
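A check you can run on the role JSON before pasting it into the JSON tab in Step 3, shown as an added example that is not part of the original page or of Rapid7's tooling. It assumes the portal's `properties` layout for custom roles; the function names, the sample role, and the placeholder text in it are constructed for illustration.

```python
import json
import re
import uuid

SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)(/.*)?$", re.IGNORECASE)

def is_guid(value):
    """True only for a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def check_role_json(role_json, subscription_id):
    """Return (problems, review): blocking issues and actions worth a second look."""
    doc = json.loads(role_json)
    props = doc.get("properties", doc)  # the portal's JSON tab nests fields here
    problems, review = [], []
    scopes = props.get("assignableScopes") or []
    if not scopes:
        problems.append("assignableScopes is empty")
    for scope in scopes:
        match = SCOPE_RE.match(str(scope))
        if not match or not is_guid(match.group(1)):
            problems.append(f"placeholder or malformed scope: {scope}")
        elif match.group(1).lower() != subscription_id.lower():
            problems.append(f"scope points at another subscription: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []) + perm.get("dataActions", []):
            if action == "*":
                problems.append("wildcard '*' grants every operation")
            elif not action.lower().endswith("/read"):
                review.append(action)  # not a plain read: confirm it is intended
    return problems, review

# Constructed sample, not the vendor's role JSON; the placeholder text is made up.
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "example-reader",
    "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
    "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}})

if __name__ == "__main__":
    print(check_role_json(SAMPLE_ROLE, SUBSCRIPTION_ID))
    fixed = SAMPLE_ROLE.replace("<SUBSCRIPTION_ID>", SUBSCRIPTION_ID)
    print(check_role_json(fixed, SUBSCRIPTION_ID))
```

An empty `problems` list means every assignable scope names the subscription you copied; entries in `review` are actions beyond plain reads that you should recognise before creating the role.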
Step 4: Assign the role
- On the Access control (IAM) page, click Add > Add role assignment.
- Search for and select the custom role you just created, and then click Next.
- Click + Select members, then search for and select the new App registration.
- Click Save.
If you are providing details to a non-admin user to onboard the account, ensure that the credentials you share include the appropriate access so that they can connect your Azure subscription with InsightCloudSec successfully.
We recommend using a secure file sharing system to provide credentials to your non-admin user.
Success! You've onboarded an Azure cloud account
Congratulations on successfully onboarding an Azure account! InsightCloudSec will now detect the following:
- If there are any missing permissions, which could cause impaired visibility into your account.
- If the account is an Azure Tenant Account; if it is a Tenant, you can enable Account Discovery. If Account Discovery is enabled, Rapid7 can onboard and collect information on related Azure Tenants and Subscriptions via the onboarded Tenant. Click Enable Auto Discovery at the bottom of the window to start.