Microsoft Azure

Professional Community Platform

runZero integrates with Microsoft Azure to deliver greater visibility into your cloud assets. This integration imports data through each applicable API to enrich your asset inventory:

• Virtual Machines API
• Virtual Machine Scale Sets API
• Load Balancers API
• AzureSQL API
• Web Apps API

Syncing with Azure allows you to view information about your asset’s OS profile, storage profile, and more. This integration imports assets that are in a running state.

Getting started

The following Azure resource types are supported:

• Virtual Machines
• Virtual Machine Scale Sets
• Azure SQL
• Azure Cosmos DB
• Load Balancers
• Function Apps

To set up the Azure integration, you’ll need to:

1. Configure Azure to allow API access through runZero.
2. Add an Azure credential to runZero.
3. Choose whether to configure the integration as a scan probe or connector task.
4. Activate the Azure integration to sync your data with runZero.

Requirements

Before you can set up the Azure integration, make sure you have access to the Microsoft Azure portal.

Step 1: Configure Azure to allow API access through runZero

1. Log into the Microsoft Azure portal.
2. Go to Azure Active Directory > App registrations and click on New registration.
   • Provide a name.
   • Select the supported account types.
   • Optionally add a redirect URI.
3. Click Register to register the application.
4. Once the application is created, you should see the Overview dashboard. Save the following information:
   • Application (client) ID
   • Directory (tenant) ID
5. Give the client access to the subscriptions you want to sync. From the subscription details page, go to Access Control (IAM) and select Add > Add role assignment. Enter the following:
   • Role: Reader
   • Assign access to: User, group, or service principal
   • Under Select, search for the name of the application you created. Click on your application to add it to the Selected members list below.
6. Click Save to save the role assignment.
7. Navigate to Azure Active Directory > App registrations and select the application you created.
8. Go to Certificates & secrets and click on New client secret.
   • Enter a description.
   • Select the expiration.
9. Click Add to create the client secret. Save the following information:
   • Client secret value

Step 2: Add the Azure credential to runZero

The credential used for the Azure integration can be either a client secret or a username & password.

Step 2a: Add an Azure Client Secret credential to runZero

This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).

1. Go to the Credentials page in runZero and click Add Credential.
2. Provide a name for the credential, like Azure Client Secret.
3. Choose Azure Client Secret from the list of credential types.
4. Provide the following information:
   • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
   • Azure client secret - To generate a client secret, go to Azure Active Directory > App registrations, select your application, go to Certificates & secrets and click on New client secret.
   • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
   • Select the Access all subscriptions in this directory (tenant) option to sync all resources in your directory. Otherwise, specify the Azure subscription ID - The unique ID for the subscription that you want to sync. This can be found in the Azure portal if you go to Subscriptions and select the subscription.
5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 2b: Add an Azure Username & Password credential to runZero

This type of credential can be used to sync all resources across directories. Alternatively, you can add one Azure Client Secret credential for each Azure directory you want to sync.

1. Go to the Credentials page in runZero and click Add Credential.
2. Provide a name for the credential, like Azure User/Pass.
3. Choose Azure Username & Password from the list of credential types.
4. Provide the following information:
   • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
   • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
   • Azure username - The username for your Azure cloud account. This cannot be a federated user account.
   • Azure password - The password for your Azure cloud account.
5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 3: Choose how to configure the Azure integration

The Azure integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

Step 4: Set up and activate the Azure integration to sync data

After you add your Azure credential, you’ll need to set up a connector task or scan probe to sync your data.

Step 4a: Configure the Azure integration as a connector task

A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Azure-only assets are created.

1. Activate a connection to Azure. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
2. Choose the credential you added earlier. If you don’t see the credential listed, make sure the credential has access to the organization you are currently in.
3. Enter a name for the task, like Azure sync.
4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
5. Under Task configuration, choose the site you want to add your assets to. All newly discovered assets will be stored in this site.
6. Under Service options, select the services you would like to sync data from. You must choose at least one.
7. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to Yes. By default, the integration will include assets that have not been scanned by runZero.
8. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4b: Configure the Azure integration as a scan probe

1. Create a new scan task or select a future or recurring scan task from your Tasks page.
2. Add or update the scan parameters based on any additional requirements.
3. On the Probes and SNMP tab, choose which additional probes to include, set the Azure toggle to Yes, and change any of the default options if needed.
4. On the Credentials tab, set the Azure toggle for the credential you wish to use to Yes.
5. Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.

Step 5: View Azure assets

After a successful sync, you can go to your inventory to view your Azure assets. These assets will have an Azure icon listed in the Source column.

To filter Azure assets, consider running the following queries:

• View all Azure assets:

   source:azure
  

• View all Azure VMs

  has:"@azure.vm.vmID"
  

• View all Azure virtual machine scale set VMs

  has:"@azure.vmss.vmID"
  

• View all Azure load balancers

  has:"@azure.lb.id"
  

• View all AzureSQL instances

  has:"@azure.azsql.id"
  

• View all Azure Cosmos DB instances

  has:"@azure.cosmos.id""
  

• View all Azure Function Apps

  @azure.functionapp.kind:"functionapp"
  

Click into each asset to see its individual attributes. runZero will show you the attributes returned by the Azure APIs.

Troubleshooting

If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

Why is the Microsoft Azure integration unable to connect?

1. Are you getting any data from the Microsoft Azure integration?
   • Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
   • In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the intergration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the Microsoft Azure integration is unable to connect be sure to check the task log for errors. Some common errors include:
   • 500 - server error, unable to connect to the endpoint
   • 404 - hitting an unknown endpoint on the server
   • 403 - not authorized, likely a credential issue