Trend Micro Cloud One™

Add an Azure account

Location

Dashboard > Select Add an account

Let’s get started!

By adding your Azure Active Directories and Subscriptions to Conformity, your organization will be able to create holistic multi-cloud views of your security and governance posture.

User Access

  1. Set up an Azure App registration
  2. Add your first Azure Active Directory
  3. Remove Active Directories
  4. Update Active Directory Settings

Set up an Azure App registration

An Azure App registration gives Conformity’s rule engine the read-only permissions it needs to run rule checks against the subscription resources you want to add to your Conformity organization.

To set up this App registration, you will need to open your Azure console and complete the following steps.

  1. Create an App registration
  2. Configure Certificates and secrets
  3. Add API Permissions
  4. Assign Reader access to the App registration for a Subscription

Create an App registration

  1. Select Active Directory
  2. Select App registrations
  3. Click New registration (app ID)

  4. Give the App registration a name e.g. Conformity Azure Access
  5. Supported account types: “Accounts in this organization only” (single tenant)
  6. Redirect URL: not required

  7. Click Register

Configure Certificates and secrets

  1. Select Certificates & secrets
  2. Select Client secrets
  3. Add a description
  4. Choose any expiry period
  5. Select Add

    Note: Save your new secret according to your organisation’s security protocol. The secret will be needed later when adding your subscriptions to Conformity.

When you configure Certificates and secrets, you also create your application key.

If you no longer have access to this key, you can create it again by following the same steps above.

Add API Permissions

You will need to configure API permissions so that Conformity Bot can access Active Directory resources when it runs Active Directory rules.

  1. From App Registrations, click on the app that you registered with Conformity during onboarding.
  2. Select API permissions and click on + Add a permission.

  3. Under Supported legacy APIs, select Azure Active Directory Graph.

  4. Select Delegated permissions.
    1. Set Delegated permissions to:
      1. User.Read
      2. User.Read.All
      3. Directory.Read.All

  5. Repeat Steps 2 and 3, and then:
  6. Select Application permissions
    1. Set Application permissions to:
      1. Directory.Read.All
  7. Repeat Step 2
  8. Under Supported Legacy APIs, select Microsoft Graph.
    1. Set Delegated permissions to:
      1. User.Read
      2. User.Read.All
    2. Set Application permissions to:
      1. Directory.Read.All
      2. User.Read.All
  9. From the API Permissions page, click on Grant admin consent for the default app.

Once complete, your configured API permissions should look like this:

Assign access to the App registration for a Subscription

Only Subscriptions you add to your Active Directory within Conformity can be scanned by Conformity’s rule engine. For each Subscription you would like to add, follow these instructions.

  1. Go to Subscriptions.
    Note: you can use Search to find a subscription
  2. Copy the id of the Subscription you would like to add to your Conformity organization.

  3. This

Note: You will need to repeat steps 2 and 3 for each Subscription you want to add to Conformity.
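
As an added example (not part of the Conformity documentation), the following Python sketch audits an App registration against what this procedure specifies: single-tenant audience, the listed API permissions, client secret expiry and the Reader role. The record layout (`permissions`, `secrets`, `roles`), the 30-day warning window and the sample values are assumptions for illustration, with permission names already resolved from your own export.

```python
from datetime import datetime, timedelta, timezone

# Permissions listed in the steps above, keyed by (API, permission type).
EXPECTED = {
    ("Azure Active Directory Graph", "Delegated"): {"User.Read", "User.Read.All", "Directory.Read.All"},
    ("Azure Active Directory Graph", "Application"): {"Directory.Read.All"},
    ("Microsoft Graph", "Delegated"): {"User.Read", "User.Read.All"},
    ("Microsoft Graph", "Application"): {"Directory.Read.All", "User.Read.All"},
}

def audit_app_registration(app, now, warn_days=30):
    """Return findings where the record drifts from the setup described above."""
    findings = []
    if app["signInAudience"] != "AzureADMyOrg":  # single-tenant audience
        findings.append(f"audience not single tenant: {app['signInAudience']}")
    granted = app["permissions"]
    for api, kind in sorted(set(EXPECTED) | set(granted)):
        want = EXPECTED.get((api, kind), set())
        have = set(granted.get((api, kind), ()))
        for name in sorted(want - have):
            findings.append(f"missing: {api} {kind} {name}")
        for name in sorted(have - want):
            label = "write-capable extra" if "Write" in name else "extra"
            findings.append(f"{label}: {api} {kind} {name}")
    for secret in app["secrets"]:
        end = datetime.fromisoformat(secret["endDateTime"])
        if end <= now:
            findings.append(f"secret expired: {secret['displayName']}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret expires soon: {secret['displayName']}")
    for r in app["roles"]:
        if r["role"] != "Reader":  # the procedure assigns Reader only
            findings.append(f"role not Reader: {r['role']} on {r['scope']}")
    return findings

# Constructed sample record (hypothetical layout, not a real Azure export).
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "permissions": {**EXPECTED, ("Microsoft Graph", "Application"):
                    {"Directory.Read.All", "Directory.ReadWrite.All"}},
    "secrets": [{"displayName": "conformity-key",
                 "endDateTime": "2030-01-10T00:00:00+00:00"}],
    "roles": [{"scope": "/subscriptions/<subscription-id>", "role": "Contributor"}],
}
SAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_APP, SAMPLE_NOW):
        print(finding)
```

Run on a schedule, a check like this catches permission drift and an expiring application key before Conformity Bot runs start failing.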

Add your first Azure Active Directory

To add your first Active Directory (and Subscriptions), you will first need to Create an App registration for each Active Directory you want to add to your Conformity organization.

Once your Azure App registration is set up, you are ready to add your Active Directory.

  1. Sign in to Conformity
  2. From Conformity’s Main Dashboard, click on Add an account.
  3. Click on Azure Subscription, then click Next.
  4. Populate Active Directory Name and Active Directory Tenant ID, then click Next
    • Active Directory Name: will be the reference name of your Active Directory in Conformity. This name will display in the Conformity accounts menu and does not need to match any names used in your Azure console.
    • Active Directory Tenant ID: identifies your Active Directory for Conformity.

    To get Active Directory Tenant ID from Azure:

    1. Select Azure Active Directory
    2. Select Properties
    3. Copy the Tenant ID to the clipboard

  5. To allow Conformity access to your Azure Subscriptions, use the Azure App registration you set up previously. This allows the Conformity rule engine to run Rule checks against Subscriptions within your Azure Active Directory.

    You will need to supply both the Application ID and the Application Key that were generated for your Azure App registration.

    • A separate Azure App registration is required for each Active Directory you want to add to your Conformity organisation.
    • Your application key is created when you Configure Certificates and secrets during the setup of your Azure App registration.
    • If you do not have this key, you can create it again by following the same steps in Configure Certificates and secrets.

    To get App registration ID from Azure:

    1. Select Azure Active Directory
    2. Select App registrations
    3. Select the application i.e. Conformity Azure Access or whatever you named this application.

    4. Copy the Application ID
  • After clicking Next, you will have the option to select subscriptions you want to add to your Conformity organization.

    You will only see subscriptions that you have provided Conformity access to in your Azure App registration setup.
    If you can’t see your subscription you will need to enable access settings for this Subscription in Azure following the instructions:
    Assign access to the App registration for a Subscription

  • Click Next, and wait a moment as Conformity Bot checks your subscription resources for rule failures.

  • Success! Once the Conformity Bot has finished running, you will be returned to the Main Dashboard where you will see your added Azure Active Directory.

    Note: the accounts navigation will be organized to group together Cloud Providers of the same type.

Remove Active Directories

Click Delete… on an existing Active Directory. Note: Active Directories can only be deleted once all their Subscriptions have been removed.

Update Active Directory Settings

Location

Main Dashboard > Select {Active Directory} > Settings > Edit Access Settings

  1. Click on Edit access settings…
  2. Make the required updates and click on Update settings.

Active Directory Settings

Once you have added an Active Directory successfully to Conformity, you can configure Rules after your first Conformity Bot run.

Note: You will need to grant Conformity permission to list Key Vault Attributes and Secrets in your Azure account to be able to run certain rules successfully in the Conformity platform. For details, see Add Access Policy for Key Vault Attributes.