How to onboard your Azure accounts in CloudHealth Secure State

CloudHealth Secure State uses a read-only cloud account role to scan the Azure configurations to create an interconnected cloud security model of your environment. The service also uses an activity log event stream from Azure to trigger near real-time notifications of configuration violations. 

For Azure resources, the events are generated by monitoring activity logs that trigger a webhook. A provided shell script simplifies setting up the stream of activity log events into the service.

Before you start

Before you set up an Azure cloud account, make sure you have the following requirements in place:

  • Know the Azure subscription ID for any cloud accounts you want to add.
  • Confirm your access to the subscription in the Azure console.
  • Have permissions to register a new Azure Active Directory (Azure AD) app and create a new secret.
  • Have permissions to enable a new activity log subscription for your account.

Configure your Azure Portal

You can register an Azure AD application before you start adding any cloud accounts to CloudHealth Secure State. This makes it easier to retrieve some required information later on in the onboarding process.

  1. Sign into the Azure portal and navigate to Azure Active Directory > App registrations > New registration.

    [Screenshot: Azure App Registration 1]

  2. Complete the requested fields and click Register.

    [Screenshot: Azure App Registration 2]

  3. Navigate to Azure Active Directory > App Registrations, select the application you just registered (named Secure State in the screenshots), then select Certificates & secrets.

  4. Click + New client secret, add a description and expiration time, then copy the Value in a safe location for later use (it becomes unavailable after you leave this page).

    [Screenshot: Azure Client Secrets]

    Note: Ensure you copy the Value and not the Secret ID. The latter doesn't work if you try to enter it when onboarding a cloud account for Azure.

Keep the Azure Portal tab open so you can return to it when prompted.

Add a single cloud account

Open a new tab to the CloudHealth Secure State dashboard, and follow these steps.

  1. To connect a new Azure cloud account, navigate to Settings > Cloud accounts.

  2. Click the Add New button and select Azure.

  3. Enter the following information on the first page and click Next when finished:

    • Account name - Pick a name for your account in the service. You can enter any name as long as it's not already used by another cloud account.
    • Account type - Select Commercial or Government as necessary.
    • Account ID - This should be your Azure subscription ID.
    • Project - If there is an existing project you want to add the cloud account to, select it here. Otherwise, you can leave it as the default value.
    • Environment - Select the appropriate environment for this account, if your organization makes use of them. A blank entry defaults to "None".
    • Account owner - Enter the name and email of the person or team responsible for the account. This field is optional, but it's good to have this information available when determining who is responsible for resolving a violation.
    • Secure State Tag - Add any tags you want to associate with this account. You can select from any tags assigned to previously added cloud accounts, or enter a new one.
  4. The next page prompts you to enter an Application ID and a Shared secret key. Enter the secret value you copied when you created the Azure AD application.

  5. To retrieve the Application ID, navigate to Azure Active Directory > App Registrations in your Azure Portal, then select the application you created.

    [Screenshot: Azure application ID]

  6. Click Next.

  7. The next page requires your Tenant ID, which you can find at the Azure Active Directory > Overview page in your Azure Portal. The Subscription ID should be pre-populated from when you entered it on the first page.

    [Screenshot: Azure AD Tenant ID]

  8. From your Azure console, navigate to the Subscriptions page, select your subscription, then select Access control (IAM).

  9. Select Add, then Add role assignment.

  10. Search for and select the Reader role, then select Next.

  11. Click Select members, search for the application you created, then click Select.

  12. Click Review + assign, confirm your assignment, then click Review + assign again.

  13. Verify the role is assigned by going to Access control (IAM) > Role assignments and searching for your application.

If you encounter any issues when trying to onboard a single Azure subscription, refer to the troubleshooting section of this document.

Add multiple cloud accounts

CloudHealth Secure State supports bulk onboarding for situations where you need to onboard a large number of Azure subscriptions. You can use this feature to onboard up to 100 subscriptions in the same management group with one action. If you need to onboard more than 100 subscriptions, you do so with the continuous onboarding feature after completing the directions in this section. Subscriptions may be onboarded from the root management group or sub-management group, as long as they are associated with the same Azure AD tenant.

If you have already onboarded some subscriptions from the same management group individually, you can use the same application ID and client secret for bulk onboarding. This allows you to manage the same set of credentials for all of your Azure cloud accounts.

Note: To effectively perform every step in this procedure, you must have permissions in Azure Portal to add role assignments in the management group you're onboarding subscriptions from.

  1. Navigate to Settings > Cloud accounts.

  2. Click the Add New button and select Azure bulk cloud account.

  3. Enter the following information on the first page and click Next when finished.

    • Tenant ID: You can retrieve this from the Azure Active Directory > Overview page in your Azure Portal. Refer to the single account onboarding section for a screenshot, if needed.
    • Project - If there is an existing project you want to add the cloud accounts to, select it here. Otherwise, you can leave it as the default value. If you're planning to add the cloud accounts across different projects, you can leave this as the default option and update each cloud account during validation.
    • Environment - Select the appropriate environments for your cloud account, if your organization makes use of them. A blank entry defaults to "None". If your cloud accounts need to be in different environments, you can leave this as the default option and update each cloud account during validation.
    • Account owner - Enter the name and email of the person or team responsible for the cloud account. This field is optional, but it's good to have this information available when determining who is responsible for resolving a violation. If there are different owners for your cloud accounts, you can leave these fields blank and update them during validation.
    • Secure State Tag - Add any tags you want to associate with this account. You can select from any tags assigned to previously added cloud accounts, or enter a new one.

    Note: The information you enter on this page is associated with all the subscriptions you choose to onboard. You can change the project, environment, and owner details later in the process if you prefer.

  4. The next page prompts you to enter an Application ID and a Shared secret key. Enter the secret value you copied when you created the Azure AD application.

  5. To retrieve the Application ID, navigate to Azure Active Directory > App Registrations in your Azure Portal, then select the application you created.

    [Screenshot: Azure application ID]

  6. From your Azure Portal, navigate to the Management groups page, select your management group, then select Access control (IAM).

  7. Select the Role assignments tab, then Add > Add role assignment.

  8. Search for and select the Reader role, then select Next.

  9. Click Select members, search for the application you created, then click Select.

  10. Click Review + assign, confirm your assignment, then click Review + assign again.

  11. Verify the role is assigned by going to Access control (IAM) > Role assignments and searching for your application.

  12. Click Next.

  13. On the next page, you should see a list of all the cloud accounts associated with the Tenant ID you entered previously. Select all the accounts you would like to onboard, then click Next.

  14. Validate the cloud accounts you want to onboard on the next page. Update the name, project, environment, and owner details for each cloud account as necessary, then click Next.

Once you've completed an initial bulk onboarding action, additional subscriptions in your Azure management group are detected through continuous onboarding and can be easily added to the service.

If you encounter any issues when trying to onboard Azure subscriptions, refer to the troubleshooting section of this document.

Continuous onboarding

After onboarding your first batch of Azure subscriptions, you can use CloudHealth Secure State's continuous onboarding feature to easily onboard any additional subscriptions under the same management group.

  1. Navigate to Settings > Cloud accounts.

  2. Locate one of the Azure cloud accounts you created and click the link in the Account Name field.

  3. Click the Manage link in the Application ID field.

This should take you to the Manage Azure Credential page, which populates two lists. The first list contains Azure subscriptions that have already been onboarded, while the second list has subscriptions that are detected but not yet onboarded. You can select up to 100 subscriptions from the second list and click Add Account to begin onboarding them.

Manage cloud account credentials

After you've created your cloud accounts you can manage the credentials you associated them with in the CloudHealth Secure State browser client by going to the Manage Azure Credential page and clicking on the Change button.

The browser client then prompts you to update the application ID and client secret for any cloud accounts managed through the listed Azure Tenant ID. From here you can refresh a client secret if it's expired or switch credentials to a different Azure AD application.

Note: If you're changing the application ID, the available subscriptions on the page may change based on the read privileges granted to the new application.

Turn on event stream

CloudHealth Secure State uses event streams through Azure Activity logs to provide real-time updates about security findings for your monitored cloud accounts. Configuring an event stream for your cloud account is necessary to get information about misconfigurations and other vulnerabilities immediately; without it, your information is only as accurate as your most recent system scan.

Setup with Azure shell script

The event stream is set up through a shell script you can download from the CloudHealth Secure State application and then run in the Azure Cloud Shell environment.

Open Azure Cloud Shell, then run this command:

curl https://api.securestate.vmware.com/download/onboarding/azure/bulk/vss_azure_bulk_event_stream_setup.sh --output vss_azure_bulk_event_stream_setup.sh && /bin/bash vss_azure_bulk_event_stream_setup.sh <SubscriptionID_1>, <SubscriptionID_2>, <SubscriptionID_3>

You can add as many subscription IDs as necessary, as long as they are separated by commas. On successful execution of this command, the Azure subscription is configured to send activity log events to CloudHealth Secure State.

Note: As part of using the Azure Cloud Shell, you're required to attach a storage account. Once you're done running the setup script, you may delete the associated storage account to avoid incurring future costs.

Remove event stream

To remove the event stream for an Azure subscription, perform these steps:

  1. Navigate to Settings > Cloud accounts.
  2. Select your Azure cloud account.
  3. On the cloud account details page, select Turn-Off under event stream and follow the instructions.

Troubleshooting

Review this section for any errors you may encounter when trying to onboard your cloud accounts.

Invalid credential errors

Many types of errors you receive when trying to connect an Azure cloud account can be traced to a misconfiguration during the Azure App registration process. If you're getting an error during this step, perform the following actions from your Azure Portal:

  1. Open Azure Cloud Shell.
  2. Enter az logout
  3. Enter az login --service-principal -u <app_client_id> -p <app_secret> --tenant <tenant_id>
  4. Enter az network nsg list -o table

If these steps fail, the problem is likely a configuration error in your Azure app. For example, this error is common if you've copied the Secret ID instead of the Value when creating a client secret for the application:

AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<Application ID>'.

Ensure that your application client ID, tenant ID, and client secret all match the values in Azure and repeat the Azure App registration process if necessary. If all the previous steps pass, but the service is still saying your credentials are invalid, create a support ticket.
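The following script is an added example, not part of the CloudHealth Secure State documentation or its onboarding script. It runs the troubleshooting sequence above non-interactively, checks that the Reader role assignment from the single-account procedure is actually present on the subscription, and classifies the AADSTS error text from a failed login so the cause (such as pasting the Secret ID instead of the Value) is obvious. It assumes the Azure CLI is available, as in Azure Cloud Shell; the four placeholder arguments are yours to fill in.

```shell
#!/usr/bin/env bash
# Added example: verify the Azure AD application used for CloudHealth Secure State
# onboarding. Assumes the Azure CLI (az) is installed, e.g. in Azure Cloud Shell.

# Map the text of a failed "az login" to a short diagnosis.
# AADSTS7000215 is the code quoted in the troubleshooting section; the other
# codes are standard Azure AD authentication errors (assumed, not from the doc).
diagnose_login_error() {
  case "$1" in
    *AADSTS7000215*) echo "secret-id-pasted-instead-of-secret-value" ;;
    *AADSTS7000222*) echo "client-secret-expired" ;;
    *AADSTS700016*)  echo "application-id-not-found-in-tenant" ;;
    *AADSTS90002*)   echo "tenant-id-not-found" ;;
    *)               echo "unrecognised-error" ;;
  esac
}

# Build the scope string the Reader role must be assigned on.
subscription_scope() {
  echo "/subscriptions/$1"
}

# Usage: verify_onboarding_credentials <app_client_id> <app_secret_value> <tenant_id> <subscription_id>
# Returns 0 when login succeeds, Reader is assigned on the subscription, and a
# read call (the same "az network nsg list" check as the doc) works.
verify_onboarding_credentials() {
  app_id=$1; secret=$2; tenant=$3; sub=$4
  az logout >/dev/null 2>&1 || true
  # Capture stderr only; stdout (the account JSON) is discarded.
  if ! err=$(az login --service-principal -u "$app_id" -p "$secret" --tenant "$tenant" 2>&1 >/dev/null); then
    echo "login failed: $(diagnose_login_error "$err")" >&2
    return 1
  fi
  # The service needs Reader on the subscription; fail if no such assignment exists.
  count=$(az role assignment list --assignee "$app_id" --role Reader \
            --scope "$(subscription_scope "$sub")" --query 'length(@)' -o tsv)
  if [ "${count:-0}" -lt 1 ]; then
    echo "Reader role is not assigned to $app_id on $(subscription_scope "$sub")" >&2
    return 1
  fi
  az network nsg list --subscription "$sub" -o table >/dev/null || return 1
  echo "credentials and Reader role verified for subscription $sub"
}
```

Run it as `verify_onboarding_credentials <app_client_id> <app_secret_value> <tenant_id> <subscription_id>` after sourcing the file; a non-zero exit with the diagnosis line tells you which value to fix before re-entering credentials in the service.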
