ZCSPM

Advanced Security Configurations for Microsoft Azure

You can create an Azure automation account to collect the additional metadata required by the advanced security configuration policies offered by ZCSPM. The policies covered are listed below.

Policy Title | Category
Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Users can add gallery apps to their Access Panel’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Restrict access to Azure AD administration portal’ is set to ‘Yes’ | Azure - Identity and Access
Ensure that ‘Users can register applications’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Guest user permissions are limited’ is set to ‘Yes’ | Azure - Identity and Access
Ensure that ‘Members can invite’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Guests can invite’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Self-service group management enabled’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Users can create security groups’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Users who can manage security groups’ is set to ‘None’ | Azure - Identity and Access
Ensure that ‘Users can create Office 365 groups’ is set to ‘No’ | Azure - Identity and Access
Ensure that ‘Users who can manage Office 365 groups’ is set to ‘None’ | Azure - Identity and Access
Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’ | Azure - Identity and Access
Ensure that ‘Number of methods required to reset’ is set to ‘2’ | Azure - Identity and Access
Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ is not set to ‘0’ | Azure - Identity and Access
Ensure that ‘Notify users on password resets?’ is set to ‘Yes’ | Azure - Identity and Access
Ensure that ‘Notify all admins when other admins reset their password?’ is set to ‘Yes’ | Azure - Identity and Access

The Azure automation account creates an Azure Active Directory control plane. This control plane can only collect configuration metadata, which it does by running PowerShell with the Global AD Reader credentials.

ZCSPM does not store, and has no access to, the Global AD Reader credentials. The PowerShell script you deploy in your Azure account uses the Global AD Reader permission to collect the configuration metadata and send it to ZCSPM.

To enable advanced security configurations:

    • To find your ZCSPM license ID:

      1. Log in to the ZCSPM Admin Portal as a License Admin.
      2. Go to Configurations > Features and Quotas.
      3. Copy the License ID.
    • To generate the ZCSPM API Key:

      1. Sign up at the ZCSPM API portal.
      2. From the top navigation bar, go to PRODUCTS > Unlimited.
      3. Under Customer-Api, click Subscribe.
      4. Zscaler will then activate your subscription and send you an email confirmation.
      5. After you receive the email confirmation, click your Username in the top right corner.
      6. Select your profile and click Show next to the Primary key.
    • To find your Azure Active Directory ID:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Click Properties.
      4. Copy the Directory ID.
    • To find your Azure Subscription ID:

      1. Log in to the Azure Portal as a Subscription Owner.
      2. Go to Subscriptions, then click your subscription.
      3. Copy the Subscription ID.
    • To get the ZCSPM API application credentials:

      1. Log in to the Azure Portal.
      2. In the left-pane menu, click Azure Active Directory.
      3. Select App registrations, then select the application you created in Onboarding an Azure Account.
      4. Copy the Application (client) ID.
      5. In the left-pane menu, click Certificates & secrets, then click New client secret.
      6. Enter a Description and select an expiry time, then click Add.
      7. Copy the Client secret to the clipboard and store it securely. You need to submit this information at ZCSPM.
    • You need your ZCSPM environment and the following IAM Data Collector information:

      • ZCSPM Azure IAM Data Collector Artifacts Storage Name
      • ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
      • ZCSPM Azure IAM Data Collector Version

      To collect the above information:

      1. Go to Configurations > Cloud Accounts.
      2. Choose your Azure cloud account.
      3. Click Configure Account, then click Onboarding Health Status.
      4. Click Download Artifact. This downloads a JSON file that contains your ZCSPM environment information.

    You will also need to submit your Azure Active Directory Global Reader credentials.

    Make sure that the credentials you intend to use do not have MFA enabled. If you are using conditional access, exclude the Global AD Reader account.
    • To deploy the ZCSPM Azure IAM data collector:

      1. Log in to the Azure Portal as a Subscription Owner.
      2. Go to Subscriptions, then click the subscription where you have set up the data collector.
      3. Click the Cloud Shell icon.
      4. Choose PowerShell, then select your storage.
      5. Download the ZCSPM data collector provisioning script using the following command:
         wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Provision-AzureIAM-DataCollector.ps1 -O Provision-AzureIAM-DataCollector.ps1
      6. Install and verify the Az.Automation module by using the following commands:
         Get-Module -Name Az.Automation -ListAvailable
         Install-Module -Name Az.Automation -RequiredVersion 1.4.2
         Get-Module -Name Az.Automation -ListAvailable
         Import-Module -Name Az.Automation -RequiredVersion 1.4.2
      7. Run the provisioning script by using the following command (replace each <placeholder> with your value; the trailing backtick continues the command on the next line):
         ./Provision-AzureIAM-DataCollector.ps1 `
             -ZCSPMLicenseId <zcspm-license-id> `
             -ZCSPMEnvironment <zcspm-environment> `
             -ZCSPMApplicationId <zcspm-application-id> `
             -ArtifactsName <artifacts-name> `
             -DataCollectorVersion <data-collector-version> `
             -AzureActiveDirectoryId <azure-active-directory-id> `
             -AzureGlobalReaderEmailId <azure-global-reader-email-id> `
             -AzureSubscriptionId <azure-subscription-id> `
             -DataCollectorName <data-collector-name>
      8. You will then be prompted to enter the following information:
         • ZCSPM API key
         • ZCSPM Data Collector
         • ZCSPM Azure Application Secret
         • ZCSPM Azure IAM Data Collector Artifacts Name
         • ZCSPM Azure IAM Data Collector Artifacts Storage Access Key
         • Azure Active Directory Reader password
         Once you enter the information, a runbook is created in the automation account.

    The IAM data collector agent needs to be installed only once at the tenant level for it to access all subscriptions.
  • Apply a delete lock on the data collector in your Azure subscription to prevent anyone from accidentally deleting the data collector:

    1. Go to the Azure IAM Data Collector's resource group.
    2. Click Locks, then click Add.
    3. Enter the Lock Name.
    4. From the Lock Type drop-down menu, select Delete.
    5. Enter Notes, then click OK.
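The same delete lock can be applied from Cloud Shell instead of the portal. This is an added example, not a script from the ZCSPM documentation; it assumes you are already signed in to the subscription that holds the data collector, and the resource group name is a placeholder you replace with your own.

```powershell
# Added example (not ZCSPM's own script): apply a CanNotDelete lock to the resource group
# that holds the ZCSPM Azure IAM data collector, then verify the lock is in place.
# Assumes Connect-AzAccount has already been run against the correct subscription.
param(
    [string]$ResourceGroupName = '<data-collector-resource-group>',   # placeholder
    [string]$LockName          = 'zcspm-iam-collector-delete-lock'
)

# Fail early if the resource group does not exist in the selected subscription.
$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction Stop

# Make re-runs idempotent: only create the lock if no CanNotDelete lock exists at RG scope.
$existing = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.level -eq 'CanNotDelete' }

if (-not $existing) {
    New-AzResourceLock -LockName $LockName `
        -LockLevel CanNotDelete `
        -ResourceGroupName $rg.ResourceGroupName `
        -LockNotes 'Protects the ZCSPM Azure IAM data collector from accidental deletion' `
        -Force | Out-Null
}

# Verify: show every lock now applied at the resource-group scope with its level and notes.
Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope |
    Select-Object Name,
        @{ Name = 'Level'; Expression = { $_.Properties.level } },
        @{ Name = 'Notes'; Expression = { $_.Properties.notes } }
```

A CanNotDelete lock at resource-group scope also protects the automation account, runbook and schedule inside it, which is what the portal steps above achieve.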
  • Change the data collection schedule to match ZCSPM's daily metadata collection time:

    1. Go to the Azure IAM Data Collector's resource group.
    2. Select the Automation account, then click Schedules.
    3. Change the schedule Time to one hour before the daily ZCSPM data collection time.
    4. Click Save.

To upgrade the advanced security configuration data collector:

    1. Log in to the Azure Portal as a Subscription Owner.
    2. Go to Subscriptions, then click the subscription where you have set up the data collector.
    3. Click the Cloud Shell icon.
    4. Choose PowerShell, then select your storage.
    5. Download the ZCSPM data collector update script using the following command:
       wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/Upgrade-AzureIAM-DataCollector.ps1 -O Upgrade-AzureIAM-DataCollector.ps1
    6. Run the script by using the following command (replace each <placeholder> with your value; the trailing backtick continues the command on the next line):
       ./Upgrade-AzureIAM-DataCollector.ps1 `
           -ArtifactsName <artifacts-name> `
           -DataCollectorVersion <data-collector-version> `
           -AzureSubscriptionId <azure-subscription-id> `
           -DataCollectorName <data-collector-name> `
           -ZCSPMApplicationId <zcspm-application-id>

If the ZCSPM API Key has expired, you can generate a new one at ZCSPM and update the data collector.
