Azure AD Plugin for User Risk Exchange
This document explains how to configure Azure AD with User Risk Exchange in the Netskope Cloud Exchange platform. This integration lets you view the risk values that multiple connected systems assign to individual users and groups.
To complete this configuration, you need:
A Netskope tenant (or multiple, for example, production and development/test instances).
A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
An Azure AD account.
An Azure AD Premium P2 subscription.
Obtain your Azure AD credentials: Client (Application) ID, Client Secret ID, Tenant ID, Microsoft Azure AD URL, and Microsoft Graph Token URL.
Configure the Azure AD plugin.
Configure User Risk Exchange Business Rules and Actions for the Azure AD plugin.
Validate the Azure AD plugin.
Go to https://portal.azure.com/ and log in.
Click on the top left hand side menu button to open the menu bar.
Click Azure Active Directory, and in your basic information you will find your Tenant ID. Copy this to use when you configure your plugin.
On the left hand side of Azure Active Directory, click App registrations.
Click on your application name or New Registration. For a new registration, enter a name and click Register.
On the application page, you will find Application (client) ID. Copy this to use when you configure your plugin. This is for the Client (Application) ID setting.
Click Certificates and Secrets.
Click on + New Client Secret and create your key. Make sure you copy the Value (NOT the Secret ID); it is used for the Client Secret ID setting in the plugin. The value is shown only when the Client Secret is first created.
Next, perform the following steps to add the API permissions the plugin needs:
Click + Add a permission.
Click Microsoft Graph.
Click Application Permissions.
Search for and select the following permissions:
GroupMember.ReadWrite.All
Group.Create
User.Read.All
IdentityRiskyUser.Read.All
Click Grant admin consent in the left pane.
Use https://graph.microsoft.com as the Microsoft Azure AD URL, and use https://login.microsoftonline.com as the Microsoft Graph Token URL.
Collect the Tenant ID, Client (Application) ID, Client Secret ID, Microsoft Azure AD URL, and Microsoft Graph Token URL needed to configure the plugin.
In Cloud Exchange, go to Settings > Plugins.
Find the Microsoft Azure AD plugin box (searching for Microsoft Azure AD is quicker) and click on it.
Enter a Configuration Name and the Sync Interval.
Enter the Client (Application) ID, Client Secret ID, Tenant ID, Microsoft Azure AD URL, and Microsoft Graph Token URL obtained earlier.
Select a range of scores.
Click Save.
Go to User Risk Exchange and click Business Rules.
Click Create New Rule.
Select the options in the filter that you want to use. From the dropdowns, select a field, an operator, and a value. For example: Aggregate Score Grouping – Any in – medium.
You can see what your users' scores are by going to Users in the User Risk Exchange left panel.
Go to User Risk Exchange and click Actions.
Click Add Action Configuration.
Click the Business Rule dropdown and choose the appropriate Business rule.
Select the Configuration dropdown and choose your Azure plugin.
From the Actions dropdown, choose Add to Group, Remove from Group, or No Action.
Add to Group: When triggered, users are added to the selected group.
Remove from Group: When triggered, users are removed from the selected group.
No Action: No action is performed on users.
Click on the Generate Alert switch to enable it. This ensures that new alerts are added in the Ticket Orchestrator module whenever this action is taken.
Click Save.
To verify the plugin is working correctly, go to User Risk Exchange > Users and confirm that Azure AD risky users are listed.
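A useful pre-flight check before (or while) validating the plugin is to confirm that the app registration from the credential steps above actually received admin consent for the four application permissions. The following added example (not Netskope's or Microsoft's code) requests an app-only token from the Microsoft Graph Token URL using the client credentials grant and inspects the token's roles claim, which is where granted application permissions appear; the tenant ID, client ID and client secret are placeholders.

```python
"""Pre-flight check for the Azure AD app registration used by the plugin.

Added example (standard library only). Obtains an app-only token via the
OAuth2 client credentials grant and checks the 'roles' claim for every Graph
application permission the plugin needs. A missing role means admin consent
was not granted for that permission. <TENANT_ID>, <CLIENT_ID> and
<CLIENT_SECRET> are placeholders for the values collected earlier.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com"   # Microsoft Graph Token URL
GRAPH_URL = "https://graph.microsoft.com"          # Microsoft Azure AD URL
REQUIRED_ROLES = {"GroupMember.ReadWrite.All", "Group.Create",
                  "User.Read.All", "IdentityRiskyUser.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the v2.0 client credentials grant."""
    url = f"{TOKEN_URL}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # the secret VALUE, not the Secret ID
        "scope": f"{GRAPH_URL}/.default",
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode the JWT payload for inspection only (signature is not verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims):
    """Required application permissions absent from the token's roles claim."""
    return sorted(REQUIRED_ROLES - set(claims.get("roles", [])))


def fetch_token(tenant_id, client_id, client_secret):
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    gaps = missing_roles(jwt_claims(fetch_token("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>")))
    print("all required permissions consented" if not gaps else f"missing admin consent for: {gaps}")
```

If any permission is reported missing, return to the App registration's API permissions page and click Grant admin consent again; a token issued before consent stays stale until it expires.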
