Step 1/3: Configure a Microsoft Entra ID Application for CSA

To configure Azure for Continuous Security Assessment (CSA), you must log in to the Azure portal as a subscription owner or global administrator and configure the following tasks:

  1. Create a Microsoft Entra ID Application
  2. Get the Application ID and Directory ID
  3. Get the Authentication Key
  4. Assign a Role to the Microsoft Entra ID Application
  5. List AD Users
  6. Assess Key Vault

Create a Microsoft Entra ID Application

To create a Microsoft Entra ID application, follow the steps below:

  1. Log in to portal.azure.com.
  2. Navigate to All services > Identity > Microsoft Entra ID.
  3. Click App registrations.
  4. Click + New registration and enter the following details:
    1. Name: Enter the name of the application.
    2. Supported account types: Keep the default selection to Accounts in this organizational directory only.
    3. Redirect URL (optional): Leave this blank.
  5. Click Register.

For additional information, refer to the Microsoft Azure documentation located here.

Get the Application ID and Directory ID

After registering the Microsoft Entra ID application, the page redirects you to the Microsoft Entra ID application Overview page. Note down the Application (client) ID and Directory (tenant) ID.

Note

These values will be required when you set up the Azure application instance in the Netskope UI.

Get the Authentication Key

To get the authentication key, follow the steps below:

  1. On the left navigation bar of the Microsoft Entra ID application page, click Certificates & secrets.
  2. Under Client secrets, click + New client secret and enter the following details:
    1. Description: Provide a description of the key.
    2. Expires: Set a duration for the key.
  3. Click Add.
  4. After you save the configuration changes, under Client secrets, the Value column contains the authentication key. Copy it.

    Important

    Ensure that you copy the authentication key under the Value column, as it is not accessible once you leave this page. The authentication key will be required when you set up the Azure application instance in the Netskope UI.

For additional information, refer to the Microsoft Azure documentation located here.

Assign a Role to the Microsoft Entra ID Application

To assign a role, follow the steps below:

  1. Log in to portal.azure.com.
  2. Navigate to All services > General > Subscriptions.
  3. On the Subscriptions page, click the appropriate subscription from the list.
  4. If you want to set up multiple subscriptions, group them under a Management Group and assign a role at the Management Group. When you add a new subscription to the management group, Netskope will automatically detect the subscription and perform scans as per your configuration.
  5. Click Access control (IAM).
  6. Click + Add > Add role assignment.

    Assign the roles and permissions specified in Step 2/3: Assign custom role permissions for Azure CSA.

For additional information, refer to the Microsoft Azure documentation located here.

List AD Users

Note

This procedure applies to continuous security assessment only.

For Netskope to list the AD users, you should grant the Directory.Read.All permission. To do so, follow the instructions below:

  1. Navigate to All services > Identity > Microsoft Entra ID.
  2. Click App registrations.
  3. Locate the Microsoft Entra ID application you created earlier and click it.
  4. On the left navigation bar of the Microsoft Entra ID application page, click API permissions.
  5. Under API permissions, click + Add a permission.
  6. Under Request API permissions, keep the Microsoft APIs tab selected. Select Microsoft Graph.
  7. Under Microsoft Graph, select Application permissions and under Directory, select Directory.Read.All permission. Click Add permissions.
  8. On the API permissions page, click Grant admin consent for <directory-name> and then click Yes.

Assess Key Vault

Note

This procedure applies to continuous security assessment only.

As part of continuous security assessment, if you need Netskope to assess Key Vault, follow the instructions below:

Configure an Access Policy on Key Vault

  1. Navigate to All services > Security > Key vaults.
  2. For each key vault, do the following:
    1. Click on a key vault, navigate to Access policies, and click + Add new.
    2. Under Add access policy, enter the following:
      1. Select principal: Select the Microsoft Entra ID application you created earlier.
      2. Key permissions: Select Key Management Operations > List.
      3. Secret permissions: Select Secret Management Operations > List.
      4. Certificate permissions: Select Certificate Management Permissions > List.
    3. Click OK.
    4. On the Access policies page, click Save.
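As an added example (not Netskope's or Microsoft's code), the following Python audit checks two settings from this page: that the client secret created under Get the Authentication Key has not expired or is about to, and that each Key Vault access policy grants the CSA application exactly the List permissions listed above and nothing more. It assumes JSON in the shape returned by `az ad app credential list` and `az keyvault show`; the sample values and the application's object ID are constructed placeholders.

```python
from datetime import datetime, timezone

# Only List on keys, secrets and certificates, as the access policy steps require.
REQUIRED = {"keys": {"list"}, "secrets": {"list"}, "certificates": {"list"}}

# Constructed sample in the (assumed) shape of `az keyvault show -n <vault>`.
SAMPLE_VAULT = {
    "name": "kv-example",
    "properties": {"accessPolicies": [
        {"objectId": "11111111-1111-1111-1111-111111111111",  # placeholder app object ID
         "permissions": {"keys": ["list"], "secrets": ["list", "get"], "certificates": []}},
    ]},
}
# Constructed sample in the (assumed) shape of `az ad app credential list --id <app-id>`.
SAMPLE_CREDS = [{"displayName": "csa-key", "endDateTime": "2024-07-01T00:00:00Z"}]

def audit_access_policy(vault, app_object_id):
    """Return findings for one vault: no policy for the app, a missing List right
    (the assessment cannot enumerate that object type), or any right beyond List
    (more than the assessment needs)."""
    findings = []
    policies = [p for p in vault["properties"]["accessPolicies"]
                if p["objectId"].lower() == app_object_id.lower()]
    if not policies:
        return [f"{vault['name']}: no access policy for the CSA application"]
    for category, needed in REQUIRED.items():
        granted = {x.lower() for x in policies[0]["permissions"].get(category) or []}
        for perm in sorted(needed - granted):
            findings.append(f"{vault['name']}: {category} missing '{perm}'")
        for perm in sorted(granted - needed):
            findings.append(f"{vault['name']}: {category} grants '{perm}' beyond List")
    return findings

def audit_secret_expiry(creds, now, warn_days=30):
    """Return findings for expired or soon-expiring client secrets; the Netskope
    instance can no longer authenticate once the key it was given expires."""
    findings = []
    for c in creds:
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        days = (end - now).days
        if days < 0:
            findings.append(f"secret '{c['displayName']}' expired {-days} days ago")
        elif days <= warn_days:
            findings.append(f"secret '{c['displayName']}' expires in {days} days")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed so the sample output is stable
    print(audit_access_policy(SAMPLE_VAULT, "11111111-1111-1111-1111-111111111111")
          + audit_secret_expiry(SAMPLE_CREDS, now))
```

Run it against real output by replacing the two samples with the JSON from the `az` commands named in the comments, using the application's object ID (not the Application (client) ID) for the access policy check.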