Microsoft Azure Cloud

Microsoft Azure is a cloud hosting platform that offers cloud computing and infrastructure services.

Secureframe scans various Azure resources and configurations to ensure compliance and automatically gather evidence.

Connecting the Integration

To integrate Azure with Secureframe, navigate to Integrations and search for “Azure” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.

Secureframe now integrates at both the Organization and Subscription levels. To connect a Subscription, an Organization must also be connected.

Connecting at different levels of the hierarchy (Organization & Account)

Azure allows users to manage connections at various levels in the hierarchy, e.g. management groups and subscriptions. Secureframe allows you to integrate at the Organization level as well as with the subscription (child) connection in order to:

  • Make it easier to pull in and set up multiple account connections under an organization at once, allowing you to save time
  • Provide a cleaner experience in organizing and managing the different levels of the hierarchy enabled in your Azure account
  • Make it easier to identify accounts by automatically discovering accounts associated with your organization
  • Make it easier to exclude the accounts that you do not want to sync with Secureframe

Manage connections/sync

You can now easily manage your subscription (child) connections directly from the Integrations page.

  • To sync all accounts under a connection, click the sync button
  • In order to sync or manage only specific accounts under a connection, click the # of connections
    • You can now view and manage the settings, rename the connection, reconnect and archive a subscription (child) account directly from this screen
  • You can also view and change included regions and accounts if you click into the Azure integration settings (cogwheel icon).

Migrating existing connections in Secureframe to Parent/Child connections

If you already have multiple Azure accounts set up as separate connections in Secureframe and you want to take advantage of managing your connections through the parent/child connection, follow these steps.

  1. Archive any individual existing subscription connections you have that you are expecting to be pulled in by the organization connection. Note: if you have any subscription connections that you’re not expecting to be brought in by the organization connection, you do not need to archive those subscription accounts in Secureframe.
    1. Click the kebab menu on individual subscription accounts
    2. Click archive
  2. Once your connections have been archived, click on available connections, search for “Azure” and click “add connection” or “connect” under Azure.
  3. Follow the steps outlined in the connection form under “Tenant root group”.
  4. In step 7 of the connection form, you will be able to view a list of member subscriptions/child connections and select those you wish to integrate with Secureframe. These can be changed later via the integration settings.
  5. Click start connection. When completed you will now be able to see the number of child connections under an organization account (and their details) directly in the main integrations page.
  6. When you click on the number of child (subscription) connections, you will be able to see details of the subscription connections and be able to:
    1. Filter through child connections
    2. Sync individual child connections or sync all subscription accounts under the organization
    3. Rename the connection (organization or subscription connection)
    4. Exclude any individual subscription connections you don’t want integrated with Secureframe

Permissions, Fields Pulled, Controls and Automated Tests

  1. Click the provided link or navigate to the “Integration” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Steps to resolve Key Vault Reader permission errors can be found here.

Remediating Errors

What is the Test Permission Error?

There are some permissions that the Azure integration purposefully does not request initially, for a variety of reasons. These include the permissions necessary for certain tests related to Key Vault keys and secrets.

How can I resolve this error?

You will need to provide us with an additional role called Key Vault Reader.

You can read more about the specific permissions in Key Vault Reader here.

Please note that according to the Azure documentation, this role "[c]annot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model."

How to provide Key Vault Reader permissions:

  1. Click "Access Control (IAM)"
  2. Click "Add".
  3. Click "Add role assignment".
  4. Search for Key Vault Reader.
  5. Click "view" on the "Key Vault Reader" row.
  6. Click "Select Role".
  7. Click "Next".
  8. Click "Select members".
  9. Select Secureframe.
  10. Click "Select".
  11. Click "Next".
  12. Click "Review + assign".

Alternatively, you may create a custom role with the following permissions and assign it to the Secureframe member:

- actions: "Microsoft.KeyVault/vaults/*/read"

- dataActions: "Microsoft.KeyVault/vaults/*/read", "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
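
To review what the custom role above grants before assigning it, the following added example (not Secureframe's or Microsoft's code) builds the role definition from the two permission lists on this page and checks it against a short list of data actions that read or use secret material. The role name, the all-zero subscription ID and the contents of SENSITIVE are assumptions for illustration, and `*` is modelled as matching any characters.

```python
import json
from fnmatch import fnmatchcase

# Custom role carrying exactly the actions/dataActions listed on this page.
# Name, Description and AssignableScopes are placeholders (assumptions).
ROLE = {
    "Name": "Secureframe Key Vault Metadata Reader",
    "IsCustom": True,
    "Description": "Read Key Vault metadata for compliance tests.",
    "Actions": ["Microsoft.KeyVault/vaults/*/read"],
    "NotActions": [],
    "DataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed review list: data-plane operations that expose or use secret
# values or key material. Extend it to match your own review policy.
SENSITIVE = [
    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
    "Microsoft.KeyVault/vaults/secrets/setSecret/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
    "Microsoft.KeyVault/vaults/keys/sign/action",
]

def _matches(patterns, op):
    # Case-insensitive comparison; "*" matches any run of characters.
    return any(fnmatchcase(op.lower(), p.lower()) for p in patterns)

def granted(role, op):
    """True if DataActions allow op and NotDataActions do not remove it."""
    return (_matches(role["DataActions"], op)
            and not _matches(role["NotDataActions"], op))

def sensitive_grants(role):
    """Return every operation in SENSITIVE that the role would allow."""
    return [op for op in SENSITIVE if granted(role, op)]

if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))
    print("sensitive data actions granted:", sensitive_grants(ROLE))
```

The printed JSON uses the role-definition layout accepted by `az role definition create --role-definition`; an empty result from `sensitive_grants` means none of the listed operations is covered by the role's patterns.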

Frequently Asked Questions (FAQ)

How safe is it to grant these permissions?

  • Support cannot say what is right for your environment and your level of risk tolerance. Please review the required permissions along with the benefits of these tests and have a conversation with your security staff.

Is it possible to include an Azure subscription that was previously excluded from the tenant Azure integration?

  • Yes. If you already have multiple Azure accounts set up as separate connections in Secureframe and you want to take advantage of managing your connections through the parent/child connection, follow these steps here
