How to onboard your Azure subscriptions in VMware Aria Automation for Secure Clouds

VMware Aria Automation for Secure Clouds uses a read-only cloud account role to scan the Azure configurations to create an interconnected cloud security model of your environment. The service also uses an activity log event stream from Azure to trigger near real-time notifications of configuration violations.

For Azure resources, the events are generated by monitoring activity logs that trigger a webhook. A provided shell script simplifies setup of stream of activity log events into the service.

Before you start

Note
References to the Azure AD service have been updated to Microsoft Entra ID throughout this page to reflect the upcoming rebrand recently announced by Microsoft.

Before you set up an Azure cloud account, make sure you have the following requirements in place:

Know the Azure subscription ID for any cloud accounts you want to add.
Confirm your access to the subscription in the Azure console.
Have permissions to register a new Microsoft Entra ID (Entra ID) app and create a new secret.
Have permissions to enable a new activity log subscription for your account.

Configure your Azure Portal

You can register an Entra ID application before you start adding any cloud accounts to VMware Aria Automation for Secure Clouds. This makes it easier to retrieve some required information later on in the onboarding process.

Sign into the Azure portal and navigate to Microsoft Entra ID > App registrations > New registration.
Complete the requested fields and click register.
Navigate to Microsoft Entra ID > App Registrations > Your application > Certificates & Secrets.
Click + New client secret, add a description and expiration time, then copy the Value in a safe location for later use (it becomes unavailable after you leave this page).

Note: Ensure you copy the Value and not the Secret ID. The latter doesn't work if you try to enter it when onboarding a cloud account for Azure.

Keep the Azure Portal tab open so you can return to it when prompted.

Add a single cloud account

Use this process when you want to onboard an individual Azure subscription into VMware Aria Automation for Secure Clouds. To begin the onboarding process:

To connect a new Azure cloud account, navigate to Settings > Cloud accounts.
Click the Add Account button.
Make the following selections:
- Provider - Azure.
- Onboarding Method - Single subscription.
- Account Type - Select Commercial or Government as necessary.
Click Add.

Step one - General information

For this step, you must enter information needed to identify your cloud account:

Account name - Pick a name for your account in the service. You can enter any name as long as it's not already used by another cloud account.
Account ID - This should your Azure subscription ID.
Project - If there is an existing project you want to add the cloud account to, select it here. Otherwise, you can leave it as the default value).
Environment - Select the appropriate environment for this account, if your organization makes use of them. A blank entry defaults to "None".
Account owner - Enter the name and email of the person or team responsible for the account. This field is optional, but it's good to have this information available when determining who is responsible for resolving a violation.
Account Tag - Add any tags you want to associate with this account. You can select from any tags assigned to previously added cloud accounts, or enter a new one.

When finished, click Next.

Step two - Application creation and role assignment

The next step prompts you to enter credentials for your Azure subscription and assign a role to your Entra ID application. For the Client secret, enter the value you copied when you created the Entra ID application.

To retrieve the Application ID and Tenant ID, navigate to Microsoft Entra ID > App Registrations in your Azure Portal, then select the application you created.

Azure application ID

Before proceeding, you must also assign a role to your Entra ID application.

Navigate to the Subscriptions page in your Azure portal, click your subscription, then select Access control (IAM).
Click Add, then Add role assignment.
Search for and click on the Reader role, then click Next.
Click Select members, search for the application you created, then click Select.
Click Review + assign, confirm your assignment, then click Review + assign again.
Verify the role is assigned by going to Access control (IAM) > Role assignments and searching for your application.
In the VMware Aria Automation for Secure Clouds browser client, click the checkbox to confirm you created and assigned a role.
Click Next.

Step three - Inbound integrations

Next, you can decide which inbound integrations to enable on this cloud account.

For Azure, the available integration is Microsoft Defender for Cloud, which imports additional security findings from the Azure service into VMware Aria Automation for Secure Clouds

Note: Microsoft Defender for Cloud must be active on your Azure subscription for the integration to work. Choosing to enable the integration in this step does not activate the service in Azure, which must be done separately from the Azure portal.

After you make your selection, click Next.

Step four - Event stream

The final section details how to activate event monitoring for your account to receive real-time updates for security violations. Follow the onscreen instructions or refer to the event stream setup section in this document.

If you encounter any issues when trying to onboard a single Azure subscription, refer to the troubleshooting section of this document.

Note
Onboarding multiple subscriptions at once from a common set of credentials is recommended over individual onboarding. If you have a large number of individual cloud accounts, follow the migration instructions to associate them with the same management group.

Add multiple cloud accounts

Use this process when you want to onboard a group of Azure subscriptions into VMware Aria Automation for Secure Clouds at once. Be aware of the following:

You must have permissions in your Azure Portal to add role assignments in the management groups you're onboarding subscriptions from.
You can onboard up to 100 subscriptions in the same management as a single action.
After initial onboarding, you can use the continuous onboarding feature to onboard more Azure subscriptions.
Azure subscriptions may be onboarded from the root management group or sub-management group, as long as they are associated with the same Entra ID tenant.

Note
It's a best practice to handle all onboarding from the root management group so that you can discover and all subscriptions in different sub-management groups.

If you have already onboarded some subscriptions from the same management group individually, you can use the same application ID and client secret for bulk onboarding. This allows you to manage the same set of credentials for all of your Azure cloud accounts.

When you're ready to begin, do the following:

Navigate to Settings > Cloud accounts.
Click the Add Account button.
Make the following selections:
- Provider - Azure.
- Onboarding Method - Management group.
Click Add.

Step one - General information

For this step, you must enter information needed to identify your subscriptions when they are onboarded as cloud accounts:

Project - If there is an existing project you want to add the cloud accounts to, select it here. Otherwise, you can leave it as the default value). If you're planning to add the cloud accounts across different projects, you can leave this as the default option and update each cloud account during validation.
Environment - Select the appropriate environments for your cloud account, if your organization makes use of them. A blank entry defaults to "None". If your cloud accounts need to be in different environments, you can leave this as the default option and update each cloud account during validation.
Account owner - Enter the name and email of the person or team responsible for the cloud account. This field is optional, but it's good to have this information available when determining who is responsible for resolving a violation. If there are different owners for your cloud accounts, you can leave these fields blank and update them during validation.
Account Tag - Add any tags you want to associate with this account. You can select from any tags assigned to previously added cloud accounts, or enter a new one.

Note: The information you enter on this page is associated with all the subscriptions you choose to onboard. You can change the project, environment, later in the process if you prefer.

When finished, click Next.

Step two - Application creation and role assignment

To retrieve the Application ID and Tenant ID, navigate to Microsoft Entra ID > App Registrations in your Azure Portal, then select the application you created.

Azure application ID

Before proceeding, you must also assign a role to your Entra ID application.

Navigate to the Subscriptions page in your Azure portal, click your subscription, then select Access control (IAM).
Click Add, then Add role assignment.
Search for and click on the Reader role, then click Next.
Click Select members, search for the application you created, then click Select.
Click Review + assign, confirm your assignment, then click Review + assign again.
Verify the role is assigned by going to Access control (IAM) > Role assignments and searching for your application.
In the VMware Aria Automation for Secure Clouds browser client, click the checkbox to confirm you created and assigned a role.
Click Next.

Step three - Subscriptions selection

In this step you should see a list of all the subscriptions associated with the Tenant ID you entered. Select all the subscriptions you would like to onboard as cloud accounts, then click Next.

Step four - Subscriptions configuration

Here you can review and validate the cloud accounts you selected in the previous step. Update the name, project, environment, and owner details for each cloud account as necessary, then click Next.

Step five - Inbound integrations

Next, you can decide which inbound integrations to enable on your cloud accounts.

For Azure, the available integration is Microsoft Defender for Cloud, which imports additional security findings from the Azure service into VMware Aria Automation for Secure Clouds.

After you make your selection, click Next.

Step six - Event stream

The final section details how to activate event monitoring for your account to receive real-time updates for security violations. Follow the on-screen instructions or refer to the event stream setup section in this document.

If you encounter any issues when trying to onboard Azure subscriptions, refer to the troubleshooting section of this document.

Continuous onboarding

After onboarding your first batch of Azure subscriptions, you can use VMware Aria Automation for Secure Clouds's continuous onboarding feature to easily onboard any additional subscriptions under the same management group.

Navigate to Settings > Cloud accounts.
Locate one of the Azure cloud accounts you created and click the link in the Account Name field.
Click the Manage link in the Application ID field.

This should take you the Manage Azure Credential page, which populates two lists. The first list contains Azure subscriptions that have already been onboarded, while the second list has subscriptions that are detected but not yet onboarded. You can select up to 100 subscriptions from the second list and click Add Account to begin onboarding them.

Add a Microsoft Entra ID cloud account

Note
Adding a Microsoft Entra ID cloud account is currently in private beta. Reach out to your customer success team if you're interested in trying this feature!

Use the Microsoft Entra ID onboarding process if you need more granular management of Azure IAM access that aligns with the IAM control group in the most recent version of the CIS Azure Foundations Benchmark.

To connect a new Microsoft Entra ID cloud account, navigate to Settings > Cloud accounts.
Click the Add Account button.
Select Entra ID, then click Add.

Step one - General information

For this step, you must enter information needed to identify your cloud account:

Account name - Pick a name for your account in the service. You can enter any name as long as it's not already used by another cloud account.
Project - If there is an existing project you want to add the cloud account to, select it here. Otherwise, you can leave it as the default value.
Environment - Select the appropriate environment for this account, if your organization makes use of them. A blank entry defaults to "None".
Account owner - Enter the name and email of the person or team responsible for the account. This field is optional, but it's good to have this information available when determining who is responsible for resolving a violation.
Account Tag - Add any tags you want to associate with this account. You can select from any tags assigned to previously added cloud accounts, or enter a new one.

When finished, click Next.

Step two - Application creation and role assignment

To retrieve the Application ID and Tenant ID, navigate to Microsoft Entra ID > App Registrations in your Azure Portal, then select the application you created.

Azure application ID

Enter these values where prompted, then select Next.

Step three - Grant required permissions

In the next step, you must add several required permissions to your Entra ID application. Follow the on-screen instructions to do this.

Before you select Finish, ensure you assign the correct role to your Entra ID application so that it has read access to your management group.

Open Azure Portal.
Enter and select Management Groups in the search bar.
Select a parent management group below the root management group.
Select Access control (IAM), then select Add role assignment.
Select the Reader role, then select Next.
Click Select members, then enter the name of application used for onboarding in the right-side menu.
Select the application, then click Review + assign.
Select role assignments and verify your application role is present.
Repeat these steps for any other parent management you want to include.

Once this is done, select Finish to complete the onboarding process.

Manage cloud account credentials

After you've created your cloud accounts you can manage the credentials you associated them with in the VMware Aria Automation for Secure Clouds browser client by going to the Manage Azure Credential page and clicking on the Change button.

The browser client then prompts you to update the application ID and client secret for any cloud accounts managed through the listed Azure Tenant ID. From here you can refresh a client secret if it's expired or switch credentials to a different Entra ID application.

Note: If you're changing the application ID, the available subscriptions on the page may change based on the read privileges granted to the new application.

Migrate single cloud accounts to an Azure management group

It's a best practice to ensure all Azure subscriptions in the same management group have the same set of credentials (application ID and client secret) to make it easier to manage all your subscriptions at once.

Update credentials with a bulk update API request

If you have a large number of subscriptions that were onboarded as individual cloud accounts but you recently started using bulk onboarding, you can follow these instructions to associate all your accounts with the same management group:

Retrieve the application ID used to onboard subscriptions from your management group. Azure cloud accounts use the same value for the credentialId and applicationId fields, so you can easily swap credentials in one call provided you have both application IDs.

Submit a bulk-update API request that removes the old credential from your cloud accounts and replaces it with the new credential. Use this example as a template:

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/bulk-update \
-H 'Authorization: Bearer {access_token}' \
-d '{
        "provider": "Azure",
        "relationshipUpdates":[
        {
            "action": "delete",
            "cloudAccountId": "{Cloud Account ID 1}",
            "credentialId": "{Old Application ID}"
        },
        {
            "action": "post",
            "cloudAccountId": "{Cloud Account ID 1}",
            "credentialId": "{New Application ID}"
        },
        {
            "action": "delete",
            "cloudAccountId": "{Cloud Account ID 2}",
            "credentialId": "{Old Application ID}"
        },
        {
            "action": "post",
            "cloudAccountId": "{Cloud Account ID 1}",
            "credentialId": "{New Application ID}"
        },
    ]
}'

If you need more information about using the bulk-update API, and making API calls in general, read the API Getting Started and API Onboarding guides.

Update credentials in VMware Aria Automation for Secure Clouds

If you're having trouble getting the bulk-update API call to work, you can also update your cloud account credentials individually:

Retrieve the application ID and the client secret used to onboard subscriptions from your management group.
Log in to VMware Aria Automation for Secure Clouds.
Navigate to Settings > Cloud Accounts.
Select the cloud account you want to associate with a management group.
From the account details page, select Manage.
Select the Change button.
Enter the new application ID and client secret where prompted.
Select Save.

The cloud account is now associated with the credentials you used for bulk onboarding.

Turn on event stream

VMware Aria Automation for Secure Clouds uses event streams through Azure Activity logs to provide real-time updates about security findings for your monitored cloud accounts. Configuring an event stream for your cloud account is necessary to get information about misconfigurations and other vulnerabilities immediately, otherwise your information is only as accurate as your most recent system scan.

Setup with Azure shell script

The event stream is set up through a shell script you can download from the VMware Aria Automation for Secure Clouds application and then run in Azure Cloud Shell or a local shell environment.

Create an API token with VMware Cloud Services Platform (CSP) to provide API access for the script. If you haven't created an API token before, refer to the API authorization process and follow steps one through three.
Once you have an API token, enter this command in your shell environment:
```
EXPORT CSP_REFRESH_TOKEN={api_token}
```

Run the following script:

curl https://api.securestate.vmware.com/download/onboarding/azure/bulk/vss_azure_bulk_event_stream_setup.sh --output vss_azure_bulk_event_stream_setup.sh && /bin/bash vss_azure_bulk_event_stream_setup.sh <SubscriptionID_1>, <SubscriptionID_2>, <SubscriptionID_3>

You can add add as many subscription IDs as necessary, as long as they are separated by commas. On successful execution of this command, the Azure subscription is configured to send activity log events to VMware Aria Automation for Secure Clouds.

Note: If using the Azure Cloud Shell, you must attach a storage account. Once you're done running the setup script, you may delete the associated storage account to avoid incurring future costs.

Remove event stream

To remove the event stream for an Azure subscription, perform these steps in Azure Cloud Shell or a local shell environment:

Create an API token with VMware Cloud Services Platform (CSP) to provide API access for the script. If you haven't created an API token before, refer to the API authorization process and follow steps one through three.
Once you have an API token, enter this command in your shell environment:
```
EXPORT CSP_REFRESH_TOKEN={api_token}
```

Run the the following script:

curl https://api.securestate.vmware.com/download/onboarding/azure/bulk/vss_azure_bulk_event_stream_deactivate.sh --output vss_azure_bulk_event_stream_deactivate.sh && /bin/bash vss_azure_bulk_event_stream_deactivate.sh  <SubscriptionID_1>, <SubscriptionID_2>, <SubscriptionID_3>

You can add add as many subscription IDs as necessary, as long as they are separated by commas. On successful execution of this command, the Azure subscription stops sending any activity log events to VMware Aria Automation for Secure Clouds.

These instructions can be reviewed in the VMware Aria Automation for Secure Clouds browser client by navigating to Settings > Cloud accounts, selecting an Azure cloud account, and clicking Disconnect under Event stream on the account details page.

Troubleshooting

Review this section for any errors you may encounter when trying to onboard your cloud accounts.

Invalid credential errors

Many types of errors you receive when trying to connect an Azure cloud account can be traced to a misconfiguration during the Azure App registration process. If you're getting an error during this step, perform the following actions from your Azure Portal:

Open Azure Cloud Shell.
Enter az logout
Enter az login --service-principal -u <app_client_id> -p <app_secret> --tenant <tenant_id>
Enter az network nsg list -o table

If these steps fail, the problem is likely a configuration error in your Azure app. For example, this error is very common to see if you've copied the Secret ID instead of the Value when creating a client secret for the application:

AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<Application ID>'.

Ensure that your application client ID, tenant ID, and client secret all match the values in Azure and repeat the Azure App registration process if necessary. If all the previous steps pass, but the service is still saying your credentials are invalid, create a support ticket.