
Set Up Authentication Details

Create Application and get Application ID, Directory ID

Create an application in Azure Active Directory, then note its Application (client) ID and Directory (tenant) ID.

(1) - Log on to the Microsoft Azure console. Go to Azure Active Directory in the left navigation pane, then App Registrations.

(2) - Click New registration and provide these details:

a. Name: A name for the application (e.g. My_Azure_Connector).

b. Supported account types: Select Accounts in any organizational directory.

(3) - Click Register. The newly created application is displayed with its properties. Copy the Application (client) ID and Directory (tenant) ID and paste them into the connector details.

Generate Authentication Key

Provide permission to the new application to access the Azure Service Management API and create a secret key.

Provide Permission

(1) - Select the application that you created and go to Settings > Required permissions.

(2) - Click Add > Select an API > Azure Service Management API and click Select.

(3) - Select the required Delegated Permissions, click Select and then click Done.

(4) - Click Add a permission.

(5) - Under Request API permissions, select Microsoft Graph from Microsoft APIs.

(6) - Select Application permissions, expand User, select the User.Read.All permission and click Add permissions.

A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success. 

Create a secret key

(1) - Select the application that you created and go to Certificates and Secrets > New client secret.

(2) - Add a description and expiry duration for the key (recommended: Never) and click Add.

(3) - The value of the key appears in the Value field.

Copy the key value now; you will not be able to retrieve it later. Paste the key value as the Authentication Key into the connector details. The key value together with the application ID is what the connector uses to log on as the application, so store the key value where your application can retrieve it.
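To show how the three values collected so far (Directory ID, Application ID and the key value) are used together to log on as the application, here is an added example that is not part of the Qualys page: a POSIX shell script that performs the OAuth2 client-credentials request against the Microsoft identity platform token endpoint and then lists the subscriptions the application can see. The environment variable names AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are assumptions; the secret is read from the environment so it never appears in the script.

```shell
# Added example (not from the Qualys page). Assumed environment variables:
#   AZURE_TENANT_ID     Directory (tenant) ID
#   AZURE_CLIENT_ID     Application (client) ID
#   AZURE_CLIENT_SECRET the key value (Authentication Key)

# Tenant, application and subscription IDs are all GUIDs; reject anything
# else before it is sent anywhere.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# v2.0 token endpoint for a tenant; $1 = Directory (tenant) ID.
token_endpoint() {
    printf 'https://login.microsoftonline.com/%s/oauth2/v2.0/token' "$1"
}

# Scope for the Azure Service Management (Resource Manager) API permission
# granted earlier.
arm_scope() {
    printf 'https://management.azure.com/.default'
}

# Log on as the application with the client-credentials grant and print the
# bearer token. $1 = tenant ID, $2 = application ID, $3 = client secret.
# curl URL-encodes each field, so a secret containing '~', '.' or '-' is safe.
acquire_token() {
    is_guid "$1" && is_guid "$2" || { echo "tenant or application ID is not a GUID" >&2; return 1; }
    curl -sS --fail "$(token_endpoint "$1")" \
        --data-urlencode "grant_type=client_credentials" \
        --data-urlencode "client_id=$2" \
        --data-urlencode "client_secret=$3" \
        --data-urlencode "scope=$(arm_scope)" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# List the subscriptions visible to the application. The subscription you
# grant Reader on later should appear here; an empty list means the role
# assignment is missing or has not propagated yet.
list_subscriptions() {
    curl -sS --fail -H "Authorization: Bearer $1" \
        'https://management.azure.com/subscriptions?api-version=2020-01-01'
}

# Only contact Azure when credentials are supplied; otherwise the script is inert.
if [ -n "${AZURE_TENANT_ID:-}" ] && [ -n "${AZURE_CLIENT_ID:-}" ] && [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
    token=$(acquire_token "$AZURE_TENANT_ID" "$AZURE_CLIENT_ID" "$AZURE_CLIENT_SECRET") || exit 1
    [ -n "$token" ] || { echo "no access_token in response" >&2; exit 1; }
    list_subscriptions "$token"
fi
```

Run it with the three variables exported; a JSON array that contains your subscription confirms both that the key value is valid and, once the Reader role from the next section is assigned, that the application can actually read the subscription.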

Acquire Subscription ID

Grant the application permission to access subscriptions by assigning it a role. The role you assign defines what the application may do within the subscription.

(1) - On the Azure portal, navigate to Subscriptions.

(2) - Select the subscription you want the application to access and note its subscription ID. To grant the application permission, choose Access Control (IAM).

(3) - Assign two roles to the application: the built-in Reader role and a custom role.

Assign Reader Role

a - To grant permission to the application you created, choose Access Control (IAM).

b - Go to Add > Add a role assignment and pick the Reader role. A Reader can view everything but cannot make any changes to the resources of a subscription.

c - Select Azure AD user, group, or service principal in the Assign access to dropdown.

d - Type the application name in the Select drop-down and select the application you created.

e - Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

Assign Custom Role

Before you assign the custom role, create it (QRole) as described under Create Custom Role below.

a - Go to Add > Add a role assignment and pick the custom role you created (QRole). The custom role can view but cannot make any changes to the resources of a subscription.

b - Select Azure AD user, group, or service principal in the Assign access to dropdown.

c - Type the application name in the Select drop-down and select the application you created.

d - Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

(4) - Copy the subscription ID you noted and paste it into the connector details in the Qualys Azure Connector screen and then click Create Connector.

Create Custom Role

Run the following commands in the Azure CLI shell. Create a JSON file with the content below, replacing the placeholder in AssignableScopes with your subscription ID.

{
  "Name": "QRole",
  "IsCustom": true,
  "Description": "Role for Qualys Connector",
  "Actions": [
    "Microsoft.Web/sites/config/list/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  ]
}

Run command:

az role definition create --role-definition <Role-Definition-Json_file>
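As an added example that is not part of the Qualys page, the following POSIX shell script writes the QRole definition above with a real subscription ID substituted (refusing the XXXX placeholder or any other non-GUID), then uses the az CLI to create the role and assign both Reader and QRole to the application at subscription scope, which is the CLI equivalent of the portal steps in Acquire Subscription ID. The environment variable names AZURE_SUBSCRIPTION_ID and AZURE_APP_ID are assumptions, and the az commands run only when both are set and az is installed.

```shell
# Added example (not from the Qualys page). Assumed environment variables:
#   AZURE_SUBSCRIPTION_ID  subscription ID noted in the portal
#   AZURE_APP_ID           Application (client) ID of the registered app

is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Write the QRole definition to file $2 with $1 as the subscription ID.
# Limiting AssignableScopes to one subscription keeps the role from being
# assigned anywhere else.
write_role_definition() {
    is_guid "$1" || { echo "subscription ID '$1' is not a GUID" >&2; return 1; }
    cat > "$2" <<EOF
{
  "Name": "QRole",
  "IsCustom": true,
  "Description": "Role for Qualys Connector",
  "Actions": [
    "Microsoft.Web/sites/config/list/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$1"
  ]
}
EOF
}

# Print the scope written into a definition file, to check it before use.
assignable_scope_in() {
    sed -n 's/^ *"\(\/subscriptions\/[^"]*\)".*/\1/p' "$1"
}

if [ -n "${AZURE_SUBSCRIPTION_ID:-}" ] && [ -n "${AZURE_APP_ID:-}" ] && command -v az >/dev/null 2>&1; then
    write_role_definition "$AZURE_SUBSCRIPTION_ID" qrole.json || exit 1
    # '@file' tells az to read the role definition JSON from the file.
    az role definition create --role-definition @qrole.json
    # Assign the built-in Reader role and QRole to the application's service
    # principal (looked up by its Application ID) at subscription scope.
    for role in Reader QRole; do
        az role assignment create --assignee "$AZURE_APP_ID" --role "$role" \
            --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID"
    done
fi
```

Creating the role and the assignments requires an identity that holds Owner or User Access Administrator on the subscription; the application itself only ends up with the two read-only roles.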

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal