
Onboarding a Microsoft Azure Account

You can onboard your Microsoft Azure cloud account onto ZCSPM. Once onboarded, ZCSPM will be able to provide you with your account's security posture. ZCSPM will run your Azure cloud account deployment against all the security policies we offer. To view the security policies, see Azure Security Policies. To onboard an Azure account with ZCSPM:

    • You need to be a ZCSPM License Admin to onboard an Azure cloud account onto ZCSPM.
    • You need to be an Azure Global AD Administrator and a Subscription Owner to register the ZCSPM app and grant access permissions to ZCSPM.
  • You can create a new Azure app registration either manually or by running an automation script on the Cloud Shell. To register a new Azure app manually:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Select App registrations, then click New Registration.
      4. Enter the Name and select the Accounts in this organizational directory only button.
      5. Click Register.
      6. Copy the Application ID to the clipboard and store it. You need to submit this information in ZCSPM.
      7. In the left-pane menu, click Certificates & secrets, then click New client secret.
      8. Enter a Description and select an expiry time, then click Add.
      9. Copy the Client secret Value to the clipboard and store it. You need to submit this information in ZCSPM.

      You will not be able to copy the Client secret later and will have to create a new one.

      Next, grant the new application read access to the subscription:

      1. Log in to the Azure Portal as a Subscription Owner.
      2. Go to Subscriptions, then click the subscription where you want to assign the Reader role.
      3. Click Access Control (IAM), then click Add role assignments.
      4. From the Role drop-down menu, select Reader.
      5. From the Assign access to drop-down menu, select User, group, or service principal.
      6. From the Select drop-down menu, select the newly registered Azure application.
      7. Click Save.

      Finally, collect the tenant details that ZCSPM asks for:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Copy the Tenant ID and the Primary Domain to the clipboard and store them. You need to submit this information in ZCSPM.

    Alternatively, you can register a new Azure app by running a script on the Cloud Shell. The script will register a new Azure application and grant the application the subscription reader role.

      1. Ensure you have PowerShell version 5 or higher. Verify your PowerShell version using the following command:

         $PSVersionTable.PSVersion

      2. Ensure there are no restrictions on PowerShell that would prevent the onboarding script from running. Remove the restriction for the current session only (the Process scope does not change the machine-wide policy) using the following command:

         Set-ExecutionPolicy `
         -Scope Process `
         -ExecutionPolicy Bypass

      3. Download the PowerShell script files from ZCSPM GitHub.
      4. Install the Azure AD module by using the following command:

         Install-Module `
         -Name AzureAD `
         -MinimumVersion 2.0.0.131

      5. Open PowerShell as an administrator.
      6. Navigate to the directory where the script was downloaded.
      7. Run the following command to create a new Azure app registration:

         .\Create-ServicePrincipal-AzureOnboarding.ps1 `
         -azureActiveDirectoryId <active_directory_id> `
         -servicePrincipalName <data_collector_name> `
         -expirationPeriod 1year

      8. Enter the Global AD Administrator credentials.
      9. Copy the following information and store it:
        • Tenant Id
        • Domain Name
        • Application Id
        • Password Key

      In case you do not want to provide Microsoft Graph permissions, use the following command instead (note the line-continuation backtick before the -disableADPolicies switch):

         .\Create-ServicePrincipal-AzureOnboarding.ps1 `
         -azureActiveDirectoryId <active_directory_id> `
         -servicePrincipalName <data_collector_name> `
         -expirationPeriod 1year `
         -disableADPolicies
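Whichever of the two registration methods you used, it is worth confirming before moving on to ZCSPM that the resulting service principal holds the Reader role on the subscription and nothing broader, and that the client secret is not about to expire (ZCSPM stops collecting once the secret lapses). The following PowerShell script is an added example and is not part of the ZCSPM documentation or of its GitHub scripts. It assumes the Az modules are installed (Az.Accounts and Az.Resources 5.0 or later, whose credential objects expose an EndDateTime property), and the tenant ID, subscription ID and Application ID are placeholders that you fill in with the values collected above.

```powershell
# Added verification example (not from the ZCSPM docs or its scripts).
# Assumes Az.Accounts and Az.Resources 5.x+ (Microsoft Graph based) are installed.
param(
    [Parameter(Mandatory)] [string] $TenantId,        # placeholder: Azure AD tenant (directory) ID
    [Parameter(Mandatory)] [string] $SubscriptionId,  # placeholder: subscription being onboarded
    [Parameter(Mandatory)] [string] $ApplicationId,   # placeholder: Application (client) ID of the registration
    [int] $WarnDaysBeforeExpiry = 30                  # how early to warn about secret expiry
)

Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# 1. The app registration and its service principal must both exist in this tenant.
$app = Get-AzADApplication -ApplicationId $ApplicationId
if (-not $app) { throw "No app registration found for application ID $ApplicationId" }
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) { throw "App '$($app.DisplayName)' has no service principal in tenant $TenantId" }

# 2. Role assignments on the subscription: ZCSPM needs Reader; anything broader is excess privilege.
$scope = "/subscriptions/$SubscriptionId"
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope
$roles = @($assignments | Select-Object -ExpandProperty RoleDefinitionName -Unique)
if ($roles -notcontains 'Reader') {
    Write-Warning "'$($app.DisplayName)' lacks the Reader role on $scope; ZCSPM cannot read this subscription."
} else {
    Write-Output "Reader role confirmed for '$($app.DisplayName)' on $scope."
}
$extra = $roles | Where-Object { $_ -ne 'Reader' }
if ($extra) {
    Write-Warning "'$($app.DisplayName)' also holds: $($extra -join ', '). Remove roles ZCSPM does not need."
}

# 3. Client secret expiry: warn ahead of time so the secret can be rotated and updated in ZCSPM.
$now = Get-Date
foreach ($cred in Get-AzADAppCredential -ApplicationId $ApplicationId) {
    $daysLeft = [int]($cred.EndDateTime - $now).TotalDays
    if ($daysLeft -lt 0) {
        Write-Warning "Secret $($cred.KeyId) expired on $($cred.EndDateTime); create a new one and update ZCSPM."
    } elseif ($daysLeft -le $WarnDaysBeforeExpiry) {
        Write-Warning "Secret $($cred.KeyId) expires in $daysLeft days ($($cred.EndDateTime))."
    } else {
        Write-Output "Secret $($cred.KeyId) is valid for $daysLeft more days."
    }
}
```

Run it as a Subscription Owner (or any identity able to read role assignments and app credentials). Because Get-AzRoleAssignment with -Scope also returns assignments inherited from management groups, an unexpected extra role reported here may have been granted above the subscription rather than in the steps on this page.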
    1. Log in to ZCSPM as a License Admin.
    2. Click Activate License.
    3. Select Azure, then click Continue.
    4. Select New Azure AD Tenant.
    5. Enter the following information:
      • Cloud Account Name
      • Domain Name
      • Azure Directory Id
      • Azure Application Id
      • Azure Application Secret
    6. Click Get Subscription.

In addition to onboarding your Azure account onto ZCSPM, you can apply optional configurations and deploy certain agents on your Azure cloud account to collect additional metadata; see the related articles below.

If you'd like to offboard your Azure account, see Offboarding a Microsoft Azure Account.

Related Articles
    • Onboarding a Microsoft Azure Account
    • Granting Admin Consent for Microsoft Graph API Permissions
    • Granting Access to Additional Roles in Microsoft Azure
    • Granting Access to Key Vaults in Microsoft Azure
    • Advanced Security Configurations for Microsoft Azure
    • Enabling Microsoft Defender Audit Policies
    • Configuring OS Baselines for Microsoft Azure
    • Configuring the ZCSPM Agent for the Azure Kubernetes Service
    • Verifying the Cloud Account Health Status for Azure
    • Offboarding a Microsoft Azure Account