Skip to main content

Azure

This connector exports Azure resources, role definitions and assignments.

This page is about Azure .

Package: Cloud/Azure

Prerequisites

Implementing this connector requires at least the Security Reader role, because Identity Manager does not access the Azure API on behalf of a user but with its own identity.

Export

For a given Azure tenant with resources, this connector exports Azure resources, role definitions and role assignments to CSV files.

Configuration

This process is configured through a Connection in the UI and/or the XML configuration, and in the appsettings.agent.json > Connections section:


    appsettings.agent.json

{ ... "Connections": { ... "<ConnectionIdentifier>": { ... } } }

The identifier of the connection and thus the name of the subsection must:

  • be unique.

  • not begin with a digit.

  • not contain <, >, :, ", /, \, |, ?, * and _.

The following example


    appsettings.agent.json
{
...
"Connections": {
...
"AzureExport": {
"ApplicationId": "contosoAzure897",
"ApplicationKey": "25d408a1925d4c081925b\\d40819",
"SubscriptionId": "Contoso",
"TenantId": "25d40819-f23f-4837-9d50-a9a52da50b8c",
"AzurePath": "https://management.azure.com/.default",
"AzurePathApi": "https://management.azure.com",
"ResponseUri": "https://agent.usercubecontoso.com"
}
}
}

Setting attributes

NameDetails
ApplicationId requiredType String Description GUID that uniquely identifies the application registration in the Azure tenant. Note: value obtained at registration: App registrations > Owned applications > Identity Manager > Overview > Application (client) ID
ApplicationKey requiredType String Description Secret associated with the ApplicationId. Note: value obtained at registration: App registrations > Owned applications > Identity Manager > Certificate & secrets > Client secrets > Client Secret
TenantId requiredType String Description GUID that uniquely identifies the Azure tenant. Note: value obtained at registration: App registrations > Owned applications > Identity Manager > Overview > Application (tenant) ID
ResponseUri default value: http://localhostType String Description URI used by Azure to contact back the application with the tokens. This response Uri needs to be registered in the app registration.
------
SubscriptionId requiredType String Description GUID that uniquely identifies the subscription associated to the ApplicationId. See how to find it.
AzurePath default value: https://management.azure.com/.defaultType String Description Scope requested to access a protected API. For this flow (client credentials), the scope should be of the form {ResourceIdUri/.default}. See Microsoft's documentation.
AzurePathApi default value: https://management.azure.comType String Description Azure Uri API.

Output details

This connector is meant to generate to the Application Settings folder the following CSV files:

<identifier>_RoleDefinition.csv with the following columns:

  • id: role definition's Azure id;
  • name: role definition's id;
  • roleName: role definition's name;
  • type: role definition's type, for example it can describe if it is a built-in role or a customized one;
  • description: role definition's description.

<identifier>_Resource.csv with the following columns:

  • id: resource's Azure id;
  • name: resource's name;
  • type: resource's type;
  • location: resource's geographical location;
  • managedBy: GUID or Azure id of the resource's manager;
  • principalId: resource's identity PrincipalId;
  • ResourceIdentitytype: resource's identity type.

<identifier>_RoleAssignment.csv with the following columns:

  • id: role assignment's Azure id;
  • name: role assignment's id;
  • roleDefinitionId: role definition's Azure id;
  • principalId: Microsoft Entra ID (formerly Microsoft Azure AD)'s object GUID;
  • scope: resource's Azure id.

Fulfill

There are no fulfill capabilities for this connector.

Authentication

Password reset

This connector does not reset passwords.

Credential protection

Data protection can be ensured through: