Discovering Microsoft Azure instances
The Microsoft Azure discovery connection provides visibility on your virtual assets as they are created, used, and destroyed within the Azure infrastructure. Properly configured Azure discovery connections perform the following tasks:
- Discover new assets that are created in Azure.
- Remove destroyed assets from your Security Console.
- Synchronize Azure tags with your Security Console asset tags.
Preparing your environment
Before a connection can be created, Azure must be configured to communicate with the Security Console. Complete the steps detailed on the Azure Documentation pages. After completing these steps, you should have the following pieces of information:
- Tenant ID
- Application ID
- Application Secret Key
Record the values for each of these fields. You will be required to provide them during the Azure discovery connection creation setup.
Assigning Reader rights for the Security Console
The Security Console must have permission to access your Azure-based assets. In Azure, this permission should be configured at the “Subscriptions” scope.
- In your Azure portal, in the Search bar, enter:
- Click your subscription to open it.
- Click Access Control (IAM). Existing users and roles are shown.
- Click Add.
- In the Add permissions window, complete the fields as follows:
- Set Role to Reader.
- Set Assign access to to Azure AD user, group, or application.
- Set Select to the Application ID that you created earlier.
Search for the application ID.
You must search for the Application ID in order for it to appear on this screen.
- Click Save.
The Nexpose console will need outbound access to .azure.com and .microsoftonline.com on port 443. The discovery connection is created from the console itself and not from the scan engine.
Creating a connection
When the previous steps have been completed, you’ll be ready to create a connection. See our connection creation guide at Creating and managing Dynamic Discovery connections and browse to Adding a Microsoft Azure Connection.