Create a Microsoft Azure Connection for Cloud Configuration Assessment (CCA)

CCA End-of-Life Notice

As of February 15, 2024, Rapid7 will start the End-of-Life (EOL) process for Cloud Configuration Assessment. On February 15, 2025 support will officially end and the feature will be permanently removed from InsightVM for all customers.

While we will continue to support this feature in the interim with security patches, we will not be updating or enhancing CCA further. See our Cloud Risk Complete offering if you’re still interested in the capabilities of CCA.

You can configure a Microsoft Azure connection that allows the Insight Platform to collect data from your Azure resources for Cloud Configuration Assessment (CCA).

Fields subject to change

Third party UI elements may be subject to change. Updates to the doc will be made accordingly.

Azure connection requirements

In order for the Insight Platform to connect to your Azure resources, you must have the following:

  • An Azure account with appropriate permissions to create/modify Active Directory Applications and roles

Note

You must create a new cloud infrastructure connection for each individual Azure subscription you want to assess.

Configure Azure

Log in to the Azure portal.

Add a new application registration
  1. Select Azure Active Directory > App registrations > New registration.
  2. Enter the required information:
    • We recommend using a Name that denotes that this app is used for InsightVM.
    • Select the supported account type. The default value (single tenant) is sufficient.
    • The Redirect URI settings are optional and are not used for CCA.
  3. Click Register.
  4. On the following page, copy the Application (client) ID and the Directory (tenant) ID values for later.
Create a secret key for your application
  1. On the overview page for the application you created, select Certificates & secrets and click New client secret.
  2. Enter a description and set an expiration date for your secret.
  3. Click Add.

Copy the secret key

Copy and store the client secret value before leaving this page in the Azure portal. This is the only time you can view this information.

Set up your API permissions
  1. On the overview page for your application, select API permissions > Add a permission.
  2. Click Microsoft Graph.
  3. Select Application permissions as the required permissions for your application.
  4. In the Directory section, select Directory.Read.All.
  5. Click Add Permissions.
  6. On the API permissions page, click the Grant admin consent button and then click Yes.
Associate your application with a subscription and assign roles
  1. From the Azure portal menu, select All services > Subscriptions.
  2. Select the subscription you want to associate with your application. Copy the Subscription ID for later.
  3. Select Access control (IAM), and click Add > Add custom role.
  4. Enter a name for the custom role and click Next.
    • We recommend using a name that indicates the purpose of this role, such as CCA Reader Plus. You need to search for this role later in the setup process, so make note of the name that you choose.
  5. Click Add permissions.
  6. Search for the following permissions and add each one:
    • Microsoft.Web/sites/config/list/Action
    • Microsoft.Web/sites/slots/config/list/Action
    • Microsoft.Storage/storageAccounts/listkeys/action
  7. Click Review + create > Create.
  8. On the Access control (IAM) page, click Add > Add role assignment.
  9. In the Role field, search for your custom role, select it, and click Next.
  10. With User, group, or service principal checked, click Select Members.
  11. In the Select field, add your application and click Select.
  12. Click Next and then Review + Assign.
  13. Repeat the Add role assignment process (steps 8 - 12) to assign the Reader role to your application.

Configure InsightVM

Create an Azure connection
  1. On the Cloud Configuration page, click Add/Manage Connections.
  2. In the Cloud Infrastructure section, click Add.
  3. Enter an Account Nickname.
  4. This is the name for the connection you are creating in InsightVM. We recommend creating a nickname to help you easily identify the Azure account/subscription that is being assessed.
  5. Enter the following information from Azure:
    • API Key – The value that you copied when creating the Client secret key.
    • Directory (tenant) ID – The Azure AD tenant ID for your app registration.
    • Application (client) ID – The Azure AD application ID for your app registration.
    • Subscription ID – The ID of your Azure subscription that your application is associated with.
  6. Click Save.