Create application in Azure Active Directory and you can then note the application ID and directory ID.
(1) - Log on to the Microsoft Azure console. Go to Azure Active Directory in the left navigation pane, then App Registrations. Show me
(2) - Click New registration and provide these details: Show me
a. Name: A name for the application (e.g. My_Azure_Connector).
b. Supported account types: Select Accounts in any organizational directory.
(3) - Click Register. The newly created application is displayed with its properties. Copy the Application (client) ID and Directory (tenant) ID and paste it into the connector details. Show me
Provide permission to the new application to access the Azure Service Management API and create a secret key.
(1) - Select the application that you created and go to Settings > Required permissions.
(2) - Click Add > Select an API > Azure Service Management API and click Select. Show me
(3) - Select required Delegated Permissions, click Select and then click Done. Show me
(4) - Click Add a permission.
(5) - Select Microsoft Graph in Microsoft APIs for Request API permissions. Show me
(6) - Select Application permissions and expand User permissions and select User.Read.All permission and click Add permissions.
A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success.
(1) - Select the application that you created and go to Certificates and Secrets > New client secret.
(2) - Add a description and expiry duration for the key (recommended: Never) and click Add.
(3) - The value of the key appears in the Value field. Show me
Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value as Authentication Key into the connector details. You need to provide the key value with the application ID to log on as the application. Store the key value where your application can retrieve it.
Grant permission for the application to access subscriptions. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.
(1) - On the Azure portal, navigate to Subscriptions. Show me
(2) - Select the subscription for which you want to grant permission to the application and note the subscription ID. To grant permission to the application you created, choose Access Control (IAM).
(3) - Assign two roles (Reader role and a custom role to the application).
a - To grant permission to the application you created, choose Access Control (IAM).
b - Go to Add > Add a role assignment. Pick the role as Reader. A Reader can view everything but cannot make any changes to the resources of a subscription.
c - Select Azure AD user, group, or service principal in Assign Access to dropdown.
d - Type the application name in Select drop-down and select the application you created. Show me
e - Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.
Before you assign the custom role, create the custom role (QRole). Learn more
a - Go to Add > Add a role assignment. Pick the custom role you created (QRole). The custom role can view but cannot make any changes to the resources of a subscription.
b - Select Azure AD user, group, or service principal in Assign Access to dropdown.
c - Type the application name in Select drop-down and select the application you created.
d - Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.
(4) - Copy the subscription ID you noted and paste it into the connector details in the Qualys Azure Connector screen and then click Create Connector.
You can create a custom role either through Azure Portal UI or through Azure CLI Shell commands.
1. Log on to the Microsoft Azure console.
2. In the search bar, search for Subscriptions and click Subscriptions under the Services category.
3. On the Subscriptions page, choose your subscription.
4. Click Access control (IAM), in navigation pane.
5. Scroll to Create a custom role card and click Add.
6. Provide a name for the Custom role, select Start from scratch option for Baseline permissions and click Next
7. On the Permissions tab, click Add permissions and add the permissions listed below:
Microsoft.Web/sites/config/list/action
8. Click Review + Create.
The custom role is created.
Perform the Azure CLI Shell commands. Create a JSON file with following content: Edit the content and add Subscription ID.
{
"Name": "QRole",
"IsCustom": true,
"Description": "Role for Qualys Connector",
"Actions":
[
"Microsoft.Web/sites/config/list/action"
],
"NotActions": [ ],
"AssignableScopes":
[
"/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
]
}
az role definition create --role-definition <Role-Definition-Json_file>
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
