Azure Onboarding - Manual Deployment

This guide is for customers who want to manually onboard Azure subscriptions, management groups, or tenants to Panoptica, without using a script. The onboarding process is composed of two processes performed in the Azure portal: app creation (Steps 1 and 2 below); and role creation/assignment (Step 3 below). Along the way, you will feed details about your Azure deployment into the Panoptica console, which is completed in Step 4 below.

📘

Privileges and Permissions

Sufficient privileges to your Azure environment are required in order to complete the deployment.

You must have permission to create a Microsoft Entra ID (formerly Azure AD) application registration, to create a custom role, and to add role assignments on the subscriptions or management groups you are onboarding.

Onboarding also requires read access to your directory (the Microsoft Graph Directory.Read.All application permission added in Step 2), which requires admin consent from a Global Administrator in your tenant.

Step 1: Create a Microsoft Entra ID Application

  1. Log in to your tenant's portal.
  2. Go to Microsoft Entra ID (formerly Azure Active Directory) via search, or from the menu to the left.
  3. Click App registrations, then New registration.
  4. Choose a name for the application, and click Register at the bottom.
    Once the application is created, take note of the identifiers that are displayed. You will need those values to connect your application to the Panoptica console.

  5. Open a new tab and log into Panoptica. Browse to the Microsoft Azure page, which you'll find on the Accounts tab in the Settings pane.

    Enter the identifiers you received in the relevant fields:

    • Directory (tenant) ID
    • Application (client) ID
  6. Now switch back to the Azure portal, and choose how Panoptica should authenticate to your Azure environment. We highly recommend Federated credentials for stability: there is no shared secret to store or rotate. Panoptica also supports Client secrets, but these expire and must be renewed, and an expired secret interrupts the security scans.
    While viewing your application, click Certificates & Secrets in the left-side navigation menu.

  7. Go to the Federated credentials tab, and click Add credential.

  8. On the Add a credential screen, select Other issuer, and fill in the form as follows:

    1. Issuer: https://accounts.google.com/
    2. Subject identifier: 104631297208827230230
    3. Name: pick a descriptive one
    4. Audience: leave the default value, api://AzureADTokenExchange

    The issuer and subject identify Panoptica's own workload identity, whose tokens Microsoft Entra ID will accept in exchange for an access token to your tenant; enter them exactly as shown. Then click Add.

  9. If you prefer working with client secrets, go to the Client secrets tab under Certificates & Secrets to create one, and copy the value into the Application Secret field on the Panoptica console. The secret value is shown only once, immediately after creation.
    Otherwise, leave the default Federated Identity selected.

Step 2: Grant Azure AD Permissions

  1. Back on the Panoptica application page in your Azure tenant, click API permissions.

  2. Click Add a permission and a new side panel will open to the right.
    Click the Microsoft Graph option.

  3. Click Application permissions to see a list of the permissions that can be added.
    Expand > Directory, and select the Directory.Read.All permission below.
    Then click Add permissions.

  4. Important! An administrator in your tenant must grant admin consent before the permission takes effect. Ask an administrator to open the API permissions page of your application and click Grant admin consent for {tenant name}. Until admin consent is granted, the permission is listed on the application but is not effective.

Step 3: Assign a Role for Subscriptions

If you want to enable the CVE scanning feature, switch over to the Panoptica console and select the Enable CVE & Malware scan option. Then follow the steps below to create a custom role.

If you do not want CVE scanning, skip this section and continue to Assigning a Role below; the built-in Reader role is all that is needed.

Creating the custom role (CVE enabled only):

  1. Go to Subscriptions, either from the menu or the search bar. Click on any subscription.

  2. Click Access control (IAM). Click Add and choose Add custom role.

  3. From the Basics tab, choose Start from JSON as the Baseline permissions option, and upload the panoptica-CVE-scanning.json policy below as a JSON file:

{
    "properties": {
        "roleName": "panoptica-CVE-scanning",
        "description": "Used by Panoptica to scan CVEs",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/write",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Network/virtualNetworks/subnets/write",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Compute/virtualMachineScaleSets/write",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Compute/galleries/write",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                    "Microsoft.Compute/galleries/images/write",
                    "Microsoft.Compute/images/write",
                    "Microsoft.Compute/galleries/images/versions/write",
                    "Microsoft.Compute/images/delete",
                    "Microsoft.Compute/galleries/images/versions/delete",
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/disks/*",
                    "Microsoft.Compute/disks/beginGetAccess/action",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Compute/snapshots/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

This will fill in the name, description, and permissions of the role; you can still change the name and description here. Review the permissions before creating the role: this is a write-capable role, not a read-only one. In particular, Microsoft.Authorization/roleAssignments/write lets the principal create role assignments (of any role) at every scope where this role is assigned, and Microsoft.Storage/storageAccounts/listKeys/action returns storage account keys. Assign the role only at the scopes you actually want scanned.

  4. Click the Assignable scopes tab and click Add assignable scopes. From the side panel, choose all subscriptions or management groups that you want to onboard, and click Select.

    • Using a management group (and specifically the Root management group) is recommended so that the role can be assigned to new subscriptions created in the future.
    • Note that you will not be able to onboard a subscription that is not in the assignable scope of this role.
  5. Click the Review + create tab, and click Create.
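Before uploading the role, it is worth checking what it actually grants. The Python script below is an added example, not Panoptica's code. It takes the role definition above (embedded here as sample input, with its empty assignableScopes, its two repeated entries and its entries already covered by a wildcard), removes the redundant entries, reports the actions that go beyond read access (which actions count as privileged is this example's own judgement, not something the page states), and fills assignableScopes with a management group so the result can be uploaded at this step. The management group name mg-example is a placeholder.

```python
import json
import re
from typing import Dict, List, Tuple

# Sample input: the page's panoptica-CVE-scanning role as given, with its
# empty assignableScopes, two repeated entries and two wildcard-covered entries.
ROLE_JSON = """{
  "properties": {
    "roleName": "panoptica-CVE-scanning",
    "description": "Used by Panoptica to scan CVEs",
    "assignableScopes": [],
    "permissions": [{
      "actions": [
        "*/read", "Microsoft.Resources/subscriptions/resourcegroups/write",
        "Microsoft.Network/virtualNetworks/write", "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/networkInterfaces/write", "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Compute/virtualMachineScaleSets/write", "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Compute/galleries/write", "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Compute/galleries/images/write", "Microsoft.Compute/images/write",
        "Microsoft.Compute/galleries/images/versions/write", "Microsoft.Compute/images/delete",
        "Microsoft.Compute/galleries/images/versions/delete", "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/disks/*", "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*",
        "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Compute/snapshots/delete"
      ],
      "notActions": [], "dataActions": [], "notDataActions": []
    }]
  }
}"""

# Actions this lint reports as privileged. The choice is the example's own
# judgement; the page does not classify its actions.
PRIVILEGED = {
    "Microsoft.Authorization/roleAssignments/write":
        "creates role assignments at the assigned scope, so it can grant any role there",
    "Microsoft.Storage/storageAccounts/listKeys/action":
        "returns storage account keys, i.e. full data-plane access to those accounts",
}

def load_role(text: str) -> Dict:
    return json.loads(text)

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive; '*' matches any run of
    characters including '/', so 'Microsoft.Compute/disks/*' covers
    'Microsoft.Compute/disks/beginGetAccess/action'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def normalize_actions(actions: List[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped): drop exact duplicates first, then entries that a
    different wildcard entry in the same list already covers."""
    unique: List[str] = []
    dropped: List[str] = []
    for action in actions:
        if any(action.lower() == u.lower() for u in unique):
            dropped.append(action)
        else:
            unique.append(action)
    kept: List[str] = []
    for action in unique:
        covered = any(other != action and "*" in other and action_matches(other, action)
                      for other in unique)
        (dropped if covered else kept).append(action)
    return kept, dropped

def lint_role(role: Dict) -> Dict:
    """Normalize the action list and report what a reviewer should see before creating the role."""
    props = role["properties"]
    findings: List[str] = []
    if not props.get("assignableScopes"):
        findings.append("assignableScopes is empty: add a subscription or management group")
    kept, dropped = normalize_actions(props["permissions"][0]["actions"])
    for action in kept:
        for privileged, why in PRIVILEGED.items():
            if action_matches(action, privileged):
                findings.append(f"{action}: {why}")
    normalized = json.loads(json.dumps(role))  # deep copy; leave the input untouched
    normalized["properties"]["permissions"][0]["actions"] = kept
    return {"findings": findings, "dropped": dropped, "role": normalized}

def with_assignable_scope(role: Dict, management_group: str) -> Dict:
    """Set assignableScopes to one management group, the page's recommended choice."""
    scoped = json.loads(json.dumps(role))
    scoped["properties"]["assignableScopes"] = [
        f"/providers/Microsoft.Management/managementGroups/{management_group}"]
    return scoped

if __name__ == "__main__":
    report = lint_role(load_role(ROLE_JSON))
    for line in report["findings"] + [f"dropped: {a}" for a in report["dropped"]]:
        print(line)
    print(json.dumps(with_assignable_scope(report["role"], "mg-example"), indent=2))
```

On the page's role the script drops four entries (the two repeats, plus beginGetAccess/action and virtualMachines/delete, which disks/* and virtualMachines/* already cover) and reports three findings: the empty assignableScopes, roleAssignments/write and listKeys/action. The printed JSON is the file to upload with Start from JSON, or to pass to az role definition create if you script the role instead.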

Assigning a Role

  1. Choose the scope that you want to onboard to Panoptica.

    • If you want to onboard a specific subscription, go to Subscriptions and click the subscription that you want to onboard.
    • If you want to onboard multiple subscriptions, go to Management groups and click the Management group that you want to onboard.
  2. Click Access control (IAM). Click Add and choose the Add role assignment option.

  3. Search for the relevant role.

    • If you do not want CVE scanning, select the Reader role and click Next.
    • If you want CVE scanning and created the custom role (see previous step), the application needs two role assignments. The portal creates one assignment per pass, so complete steps 1-5 once for each role:
      1. Select the custom role (panoptica-CVE-scanning) and click Next.
      2. Repeat the steps, this time selecting the Reader role, and click Next.
  4. Click the Members tab. Make sure the Assign access to option is User, group, or service principal, and click + Select members. From the side panel, look for the Panoptica application you created in Step 1 and click on it, and then click Next.

  5. Click the Review + assign tab, and click Review + assign.

📘

Reminder:

If you enabled CVE scanning in the Panoptica console, make sure you repeat steps 1-5 to assign both a Reader role and a Custom role.
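To confirm that the assignments landed where you expect, and in particular that subscriptions under a management group inherit an assignment made at the management group, the Python check below is an added example, not Panoptica's code. It runs on a constructed list of assignments in the shape of az role assignment list output (only the principalId, roleDefinitionName and scope fields are used) and a constructed management-group tree; every ID and name in it is made up.

```python
from typing import Dict, List, Set

# Constructed sample: the shape of `az role assignment list --all` output, cut
# down to the three fields this check uses. Every ID and name here is made up.
PANOPTICA_SP = "11111111-2222-3333-4444-555555555555"
MG_PROD = "/providers/Microsoft.Management/managementGroups/mg-prod"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root"
SUB_A = "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"
SUB_B = "/subscriptions/aaaaaaaa-0000-0000-0000-000000000002"

ASSIGNMENTS: List[Dict[str, str]] = [
    {"principalId": PANOPTICA_SP, "roleDefinitionName": "Reader", "scope": MG_PROD},
    {"principalId": PANOPTICA_SP, "roleDefinitionName": "panoptica-CVE-scanning", "scope": SUB_A},
    {"principalId": "99999999-8888-7777-6666-555555555555", "roleDefinitionName": "Owner", "scope": SUB_B},
]

# Constructed management-group tree, child scope -> parent scope. A role assigned
# at a management group is inherited by every subscription beneath it.
PARENT: Dict[str, str] = {SUB_A: MG_PROD, SUB_B: MG_PROD, MG_PROD: MG_ROOT}

def required_roles(cve_scanning: bool) -> Set[str]:
    """Reader always; the custom role as well when CVE & Malware scan is enabled."""
    return {"Reader", "panoptica-CVE-scanning"} if cve_scanning else {"Reader"}

def ancestry(scope: str, parents: Dict[str, str]) -> List[str]:
    """The scope itself followed by each ancestor up to the root."""
    chain = [scope]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain

def effective_roles(assignments: List[Dict[str, str]], principal_id: str,
                    scope: str, parents: Dict[str, str]) -> Set[str]:
    """Roles the principal holds at `scope`, directly or by inheritance."""
    chain = {s.lower() for s in ancestry(scope, parents)}
    return {a["roleDefinitionName"] for a in assignments
            if a["principalId"] == principal_id and a["scope"].lower() in chain}

def missing_roles(assignments: List[Dict[str, str]], principal_id: str, scope: str,
                  parents: Dict[str, str], cve_scanning: bool) -> Set[str]:
    """Required roles the principal does not hold at `scope`."""
    return required_roles(cve_scanning) - effective_roles(assignments, principal_id, scope, parents)

def onboardable_subscriptions(assignments: List[Dict[str, str]], principal_id: str,
                              parents: Dict[str, str], cve_scanning: bool) -> List[str]:
    """Subscriptions in the tree where nothing is missing: the ones that will be onboarded."""
    subs = sorted(s for s in parents if s.startswith("/subscriptions/"))
    return [s for s in subs if not missing_roles(assignments, principal_id, s, parents, cve_scanning)]

if __name__ == "__main__":
    for sub in (SUB_A, SUB_B):
        gap = missing_roles(ASSIGNMENTS, PANOPTICA_SP, sub, PARENT, cve_scanning=True)
        print(sub, "missing:", sorted(gap) or "nothing")
```

In the sample, Reader is assigned once at mg-prod and is inherited by both subscriptions, while the custom role was assigned only on the first subscription; with CVE scanning enabled the second subscription is therefore reported as missing panoptica-CVE-scanning, which is exactly the case the reminder above is about.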

Step 4: Finish onboarding

That's it! You're done with the Azure configuration. Now you just have to complete the onboarding in Panoptica.

Visit the Panoptica console, and confirm that you have pasted the correct values into all of the relevant fields on the Microsoft Azure page.

If you chose to enable CVE scanning, make sure you have selected the Enable CVE & Malware scan option.

Now click Check Credentials to make sure everything is in order.

If it is, click Start Scan. The new account will appear in the list of accounts after a few moments, and all of the subscriptions that the application has permissions for will be onboarded and scanned.

📘

Resources

In every region where you have Virtual Machines (VMs), Panoptica creates a resource group, a virtual network (VNet), a subnet, a network interface (NIC), and a virtual machine scale set to run the scans. This is what the write and delete permissions in the custom role are for.