ZCSPM
Advanced Security Configurations for Microsoft Azure
You can create an Azure Automation account to collect the additional metadata required by the advanced security configuration security policies offered by ZCSPM.
- See the advanced security configuration security policies.
All of the following policies are in the Azure - Identity and Access category:
- Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’
- Ensure that ‘Users can add gallery apps to their Access Panel’ is set to ‘No’
- Ensure that ‘Restrict access to Azure AD administration portal’ is set to ‘Yes’
- Ensure that ‘Users can register applications’ is set to ‘No’
- Ensure that ‘Guest user permissions are limited’ is set to ‘Yes’
- Ensure that ‘Members can invite’ is set to ‘No’
- Ensure that ‘Guests can invite’ is set to ‘No’
- Ensure that ‘Self-service group management enabled’ is set to ‘No’
- Ensure that ‘Users can create security groups’ is set to ‘No’
- Ensure that ‘Users who can manage security groups’ is set to ‘None’
- Ensure that ‘Users can create Office 365 groups’ is set to ‘No’
- Ensure that ‘Users who can manage Office 365 groups’ is set to ‘None’
- Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’
- Ensure that ‘Number of methods required to reset’ is set to ‘2’
- Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to ‘0’
- Ensure that ‘Notify users on password resets?’ is set to ‘Yes’
- Ensure that ‘Notify all admins when other admins reset their password?’ is set to ‘Yes’
The Azure Automation account hosts a PowerShell runbook that reads Azure Active Directory configuration using the credentials of a Global Reader account. Because Global Reader is a read-only role, the runbook can only collect configuration metadata; it cannot change any setting.
ZCSPM never stores, and has no access to, the Global Reader credentials. The PowerShell script that you deploy in your own Azure subscription uses the Global Reader permission to collect the configuration metadata and sends it to ZCSPM.
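The following is an added example, not the ZCSPM data collector's own code, showing what "collecting configuration metadata" looks like in practice: it reads the tenant settings behind five of the policies listed above through read-only Microsoft Graph calls, which is all a Global Reader account can do. It assumes the Microsoft Graph PowerShell SDK is installed; the function name, the mapping of each policy title to its Graph property, and the compliance conditions are this example's own.

```powershell
# Added example, not ZCSPM's collector code. Reads the Azure AD authorization
# policy with a read-only delegated scope and evaluates several of the
# "Azure - Identity and Access" policies listed on this page.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed.
Import-Module Microsoft.Graph.Identity.SignIns

function Test-ZcspmIdentityBaseline {
    [CmdletBinding()]
    param()

    # Policy.Read.All is read-only; the signing-in account needs no write permission.
    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

    $policy = Get-MgPolicyAuthorizationPolicy
    $perms  = $policy.DefaultUserRolePermissions

    # Well-known directory role template IDs that the "Guest user access" tenant
    # setting maps to; either one counts as "Guest user permissions are limited".
    $limitedGuestRoles = @(
        '10dae51f-b6af-4016-8d66-8c2a99b929b3',  # Guest User (limited access)
        '2af84b1e-32c8-42b7-82bc-daa82404023b'   # Restricted Guest User
    )

    # Users can consent to apps on their own behalf only while a
    # ManagePermissionGrantsForSelf.* policy is assigned to the default user role.
    $selfConsent = @($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole |
        Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

    # One row per policy: the title used on this page, the raw setting, and whether it complies.
    @(
        [pscustomobject]@{
            Policy    = "'Users can consent to apps accessing company data on their behalf' is set to 'No'"
            Setting   = "permissionGrantPolicyIdsAssignedToDefaultUserRole = $($selfConsent -join ', ')"
            Compliant = ($selfConsent.Count -eq 0)
        }
        [pscustomobject]@{
            Policy    = "'Users can register applications' is set to 'No'"
            Setting   = "defaultUserRolePermissions.allowedToCreateApps = $($perms.AllowedToCreateApps)"
            Compliant = ($perms.AllowedToCreateApps -eq $false)
        }
        [pscustomobject]@{
            Policy    = "'Users can create security groups' is set to 'No'"
            Setting   = "defaultUserRolePermissions.allowedToCreateSecurityGroups = $($perms.AllowedToCreateSecurityGroups)"
            Compliant = ($perms.AllowedToCreateSecurityGroups -eq $false)
        }
        [pscustomobject]@{
            Policy    = "'Guest user permissions are limited' is set to 'Yes'"
            Setting   = "guestUserRoleId = $($policy.GuestUserRoleId)"
            Compliant = ($limitedGuestRoles -contains $policy.GuestUserRoleId)
        }
        [pscustomobject]@{
            # 'everyone' lets guests invite; 'adminsGuestInvitersAndAllMembers' lets members invite.
            Policy    = "'Members can invite' and 'Guests can invite' are set to 'No'"
            Setting   = "allowInvitesFrom = $($policy.AllowInvitesFrom)"
            Compliant = ($policy.AllowInvitesFrom -in @('none', 'adminsAndGuestInviters'))
        }
    )

    Disconnect-MgGraph | Out-Null
}

# Usage: one row per policy; rows with Compliant = False are the findings ZCSPM would raise.
Test-ZcspmIdentityBaseline | Format-Table -AutoSize -Wrap
```

Sign in with the Global Reader account you intend to hand to the data collector: if this read-only script works, the account has everything the collector needs, and if anything in it asks for more than a read scope, that is a sign the account has been over-privileged.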
To enable advanced security configurations:
- 1. Collect Necessary Information from ZCSPM and Microsoft Azure
- ZCSPM License ID
To find your ZCSPM license ID:
- Log in to the ZCSPM Admin Portal as a License Admin.
- Go to Configurations > Features and Quotas.
- Copy the License ID.
- ZCSPM API Key
To generate the ZCSPM API Key:
- Sign up at the ZCSPM API portal.
- From the top navigation bar, go to PRODUCTS > Unlimited.
- Under Customer-Api, click Subscribe.
- Zscaler will then activate your subscription and send you an email confirmation.
- After you receive the email confirmation, click on your Username on the top right corner.
- Select your profile and click Show next to the Primary key.
- Azure Active Directory ID
- Log in to the Azure Portal
- In the left-pane menu, click Azure Active Directory.
- Click Properties.
- Copy the Directory ID.
- Azure Subscription ID
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click your subscription.
- Copy the Subscription ID.
- ZCSPM Data Collector Application ID and Secret
To get the ZCSPM API application credentials:
- Log in to the Azure Portal
- In the left-pane menu, click Azure Active Directory.
- Select App registrations, then select the application you created in Onboarding an Azure Account.
- Copy the Application (client) ID.
- In the left-pane menu, click Certificates & secrets, then click New client secret.
- Enter a Description and select an expiry time, then click Add.
- Copy the Client secret to the clipboard and store it securely; Azure shows the secret value only once. You need to submit this information at ZCSPM.
- ZCSPM Environment and IAM Data Collector Information
You need your ZCSPM environment and the following IAM Data Collector information:
- ZCSPM Azure IAM Data Collector Artifacts Storage Name
- ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
- ZCSPM Azure IAM Data Collector Version
To collect the above-mentioned information:
- Go to Configurations > Cloud Accounts.
- Choose your Azure cloud account.
- Click Configure Account, then click Onboarding Health Status.
- Click Download Artifact. This will download a JSON file which contains your ZCSPM environment information.
You will also need to submit the credentials of your Azure Active Directory Global Reader account.
Make sure that the account you intend to use does not have MFA enabled. If you are using Conditional Access, exclude the Global Reader account from the relevant policies. Because this account is exempt from MFA and Conditional Access, treat it as a dedicated, non-interactive service account: use it for nothing else, assign it only the Global Reader role (which is read-only), give it a long random password, and monitor its sign-ins.
- 2. Provision the Azure IAM Data Collector
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click the subscription in which you want to set up the data collector.
- Click on the Cloud Shell icon.
- Choose PowerShell, then select your storage.
- Download the ZCSPM data collector provisioning script using the following command:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Provision-AzureIAM-DataCollector.ps1 -O Provision-AzureIAM-DataCollector.ps1
- Install and verify the Az automation module by using the following commands:
Get-Module -Name Az.Automation -ListAvailable
Install-Module -Name Az.Automation -RequiredVersion 1.4.2
Get-Module -Name Az.Automation -ListAvailable
Import-Module -Name Az.Automation -RequiredVersion 1.4.2
- Run the provisioning script by using the following command:
./Provision-AzureIAM-DataCollector.ps1 `
    -ZCSPMLicenseId <zcsp-license-id> `
    -ZCSPMEnvironment <zcspm-environment> `
    -ZCSPMApplicationId <zcspm-application-id> `
    -ArtifactsName <artifacts-name> `
    -DataCollectorVersion <data-collector-version> `
    -AzureActiveDirectoryId <azure-active-directory-id> `
    -AzureGlobalReaderEmailId <azure-global-reader-email-id> `
    -AzureSubscriptionId <azure-subscription-id> `
    -DataCollectorName <data-collector-name>
- You will then be prompted to enter the following information:
- ZCSPM API key
- ZCSPM Data Collector
- ZCSPM Azure Application Secret
- ZCSPM Azure IAM Data Collector Artifacts Name
- ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
- Azure Active Directory Reader password
The IAM data collector agent needs to be installed only once at the tenant level for it to access all subscriptions.
- 3. Apply a Delete Lock on the Data Collector
Apply a delete lock on the data collector in your Azure subscription to prevent anyone from accidentally deleting the data collector:
- Go to the Azure IAM Data Collector's resource group.
- Click Locks, then click Add.
- Enter the Lock Name.
- From the Lock Type drop-down menu, select Delete.
- Enter Notes, then click OK.
- 4. Modify the Data Collection Schedule
You need to change the data collection schedule to match the ZCSPM's daily metadata collection time:
- Go to the Azure IAM Data Collector's resource group.
- Select the Automation account, then click Schedules.
- Change the schedule Time to one hour before the daily ZCSPM data collection time.
- Click Save.
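Steps 3 and 4 can also be done from the same Cloud Shell PowerShell session used in step 2. The script below is an added example, not ZCSPM's provisioning script; the resource group, Automation account and schedule names, and the ZCSPM collection time, are placeholders you must replace with the values from your own deployment. It locks the whole resource group, and, because Az.Automation cannot change the start time of an existing schedule, it replaces the schedule and re-links every runbook that used the old one.

```powershell
# Added example, not ZCSPM's own script. Applies the delete lock (step 3) and
# moves the collection schedule to one hour before ZCSPM's daily run (step 4).
# All four values below are assumptions; read the real ones from your deployment.
$ResourceGroupName      = 'rg-zcspm-iam-collector'   # assumed: the data collector's resource group
$AutomationAccountName  = 'zcspm-iam-collector'      # assumed: the Automation account name
$ScheduleName           = 'ZCSPM-Daily-Collection'   # assumed: the schedule the provisioning script created
$ZcspmCollectionTimeUtc = '03:00'                    # assumed: ZCSPM's daily metadata collection time (UTC)

# --- Step 3: a CanNotDelete lock on the resource group protects the Automation
#     account and its runbooks, variables and credential assets as one unit.
New-AzResourceLock -LockName 'zcspm-iam-collector-nodelete' `
    -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroupName `
    -LockNotes 'ZCSPM Azure IAM data collector; remove this lock before decommissioning' `
    -Force | Out-Null

# --- Step 4: first run today at (collection time - 1h) UTC, or tomorrow if that
#     moment is already within the 5-minute lead time Automation requires.
$runAt = [datetime]::UtcNow.Date.Add([timespan]::Parse($ZcspmCollectionTimeUtc)).AddHours(-1)
if ($runAt -lt [datetime]::UtcNow.AddMinutes(5)) { $runAt = $runAt.AddDays(1) }

# Remember which runbooks the old schedule triggers before it is removed.
$linked = Get-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -ScheduleName $ScheduleName

$new = New-AzAutomationSchedule -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName `
    -Name "${ScheduleName}-utc$($runAt.ToString('HHmm'))" `
    -StartTime $runAt -DayInterval 1 -TimeZone 'UTC'

foreach ($link in $linked) {
    # If the old link passed runbook parameters, add -Parameters here with the same values.
    Register-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName `
        -RunbookName $link.RunbookName -ScheduleName $new.Name | Out-Null
}

Remove-AzAutomationSchedule -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name $ScheduleName -Force

# Verify: one enabled daily schedule whose NextRun is one hour before ZCSPM collects.
Get-AzAutomationSchedule -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName |
    Select-Object Name, IsEnabled, Frequency, TimeZone, NextRun
```

After the final Get-AzAutomationSchedule, confirm that exactly one schedule is listed and that the lock appears under Locks on the resource group; if the old schedule had runbook parameters bound to it, re-supply them when registering, otherwise the runbook will start without them.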
You can upgrade the advanced security configuration data collector.
- Upgrade the data collector.
- Log in to the Azure Portal as a Subscription Owner.
- Go to Subscriptions, then click the subscription where you have set up the data collector.
- Click on the Cloud Shell icon.
- Choose PowerShell, then select your storage.
- Download the ZCSPM data collector update script using the following command:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Upgrade-AzureIAM-DataCollector.ps1 -O Upgrade-AzureIAM-DataCollector.ps1
- Run the script by using the following command:
./Upgrade-AzureIAM-DataCollector.ps1 `
    -ArtifactsName <artifacts-name> `
    -DataCollectorVersion <data-collector-version> `
    -AzureSubscriptionId <azure-subscription-id> `
    -DataCollectorName <data-collector-name> `
    -ZCSPMApplicationId <zcspm-application-id>
If the ZCSPM API Key has expired, you can generate a new one at ZCSPM and update the data collector.
- 1. Regenerate ZCSPM API Key.
- Sign in to the ZCSPM API portal.
- Click your username on the top-right corner, then click Profile.
- Click Regenerate next to the primary key.
- Click Show to view and copy the new primary key.
- 2. Update the Azure data collector.
- Go to the Azure IAM Data Collector's resource group.
- Select the Automation account, then click Variables in the left-pane menu.
- Click ZCSPMAPIKey, then click Edit value.
- Paste the regenerated API Key in the Value text-box.
- Click Save.
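The same update can be made from Cloud Shell PowerShell without the key ever appearing on the command line or in shell history. The script below is an added example and not ZCSPM's own tooling; the resource group and Automation account names are assumptions, while the variable name ZCSPMAPIKey is the one this page refers to. It keeps the variable's existing encryption setting and warns if the key is stored as a plain (unencrypted) variable, which anyone with read access to the Automation account could view.

```powershell
# Added example, not ZCSPM's own tooling: rotate the ZCSPMAPIKey Automation
# variable from PowerShell. Resource group and account names are assumptions.
$ResourceGroupName     = 'rg-zcspm-iam-collector'   # assumed
$AutomationAccountName = 'zcspm-iam-collector'      # assumed
$VariableName          = 'ZCSPMAPIKey'              # the variable the data collector reads (from this page)

function Update-ZcspmApiKeyVariable {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$AutomationAccountName,
        [Parameter(Mandatory)] [string]$VariableName
    )

    $current = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $VariableName
    if (-not $current) {
        throw "Variable '$VariableName' not found; check the resource group and Automation account names."
    }

    # An unencrypted Automation variable is readable in the portal and via
    # Get-AzAutomationVariable by anyone with read access to the account.
    if (-not $current.Encrypted) {
        Write-Warning "'$VariableName' is not an encrypted variable; its value is readable by anyone with read access."
    }

    # Prompt without echo so the regenerated key never lands in the command line or history.
    $secure = Read-Host -Prompt 'Paste the regenerated ZCSPM API key' -AsSecureString
    $plain  = ConvertFrom-SecureString -SecureString $secure -AsPlainText   # PowerShell 7 (Cloud Shell)
    if ([string]::IsNullOrWhiteSpace($plain)) { throw 'Empty key; nothing was changed.' }

    # The Encrypted flag of an existing variable cannot change, so pass the current value through.
    Set-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName `
        -Name $VariableName -Encrypted $current.Encrypted -Value $plain | Out-Null

    # Confirm the write by its timestamp rather than by printing the value.
    $updated = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $VariableName
    [pscustomobject]@{
        Name         = $updated.Name
        Encrypted    = $updated.Encrypted
        LastModified = $updated.LastModifiedTime
    }
}

Update-ZcspmApiKeyVariable -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -VariableName $VariableName
```

The returned LastModified timestamp should match the time of the change; if the warning fires, the key is stored in the clear and you should also review who holds read access to the Automation account.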