Quick Setup - Azure Subscription Continuous Scanning
The Mondoo Azure integration lets you continuously scan Azure resources, such as compute instances and databases, in one or more Azure subscriptions.
You can also scan an Azure management group. For instructions, read Continuously Scan an Azure Management Group.
Prerequisites
Before you integrate Microsoft Azure with Mondoo, be sure you have:
-
A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration.
-
An Azure account with an active subscription and permission to manage applications in Microsoft Entra ID (formerly Active Directory). Any of these Entra built-in roles include the required permissions:
In the Azure portal you can see what roles your user account has: Go to Microsoft Entra ID > Users > (your user account) > Assigned roles.
-
Command-line access to Azure using either:
-
The Azure CLI in either the Linux shell or the macOS shell
Install the Azure CLI.
Log into the Azure CLI from PowerShell or a Linux/macOS CLI by entering:
az loginAzure opens your web browser and prompts you to log in. After you do so, you can return to the CLI.
Register and grant permissions to an Azure app
Like any service that integrates with Azure, Mondoo must have Microsoft Entra ID app registration in your Azure tenant. To learn more about creating a new app registration and service principal, read App registration, app objects, and service principals in the Azure documentation.
Registering Mondoo with Entra establishes a trust relationship between Mondoo and the Microsoft identity platform. The trust is unidirectional: Mondoo trusts the Microsoft identity platform, and not the other way around. The Entra app registration creates a service principal to represent Mondoo in any tenants and subscriptions.
The app registration you create gives Mondoo read-only access to Azure resources, web apps, key vault, and Graph API.
These instructions describe how to use Microsoft's "automatic" method of registering an Azure app. If you want to use your own certificates for authentication, if you use the key vault access policy permission model, or if your Azure environment is unusually large, follow the instructions in Manually Set up an Azure Integration instead.
To configure your Azure resources, you must:
Step A. Retrieve the subscription ID
Step B. Create the app registration and certificate and grant READ access
Step C. Grant web app and key vault READ permissions to the registered app
Step D. Grant permissions to access Microsoft Graph (API permissions)
Step A: Retrieve your subscription ID and tenant ID
You can give your app READ access to one or several subscriptions.
-
In the Azure CLI, find the ID(s) of the subscription(s) you want to monitor by entering:
az account subscription listOR
az account list
The Azure CLI provides information about all your subscriptions across all tenants. Each entry has an id value.
-
Copy the
idvalue for each of the subscriptions you want to integrate with Mondoo. Paste the value(s) somewhere handy to use later. -
Copy the
tenantIdvalue and paste it somewhere handy to use later.
Step B: Create the app, service principal, and certificate and grant READ access
A single command in the Azure CLI performs these tasks:
-
Creates the application registration and service principal in Microsoft Entra ID
-
Grants READ access (using RBAC) to the new application at the defined level
-
Creates a certificate and assigns it to the newly created app
In the Azure CLI, enter:
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID --create-cert
For YOUR-SUBSCRIPTION-ID, substitute the subscriptionId value you copied in the instruction above. For example, this command creates a service principal and an application named mondoo-security that provides access to a subscription with the ID e4e2600a-2d3d-2600-aa70-b9d8c8ec2600:
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
To scan multiple subscriptions, in the Azure CLI, provide multiple subscription IDs:
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /subscriptions/YOUR-SUBSCRIPTION-ID-1 /subscriptions/YOUR-SUBSCRIPTION-ID-2 /subscriptions/YOUR-SUBSCRIPTION-ID-3 --create-cert
When successful, the Azure CLI returns results like these:
"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
"displayName": "Mondoo",
"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
"password": null,
"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
Copy your results and paste them somewhere handy; you'll need them in later steps.
Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it in later steps.
In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments. If you see the mondoo-security application, you've succeeded.
Step C: Grant web app and key vault READ permissions to the registered app
The key vault permissions below are from Microsoft's "Key Vault Reader" role. The Microsoft documentation describes this role:
Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.
Follow these steps, substituting the subscription ID(s) you copied in Step A for YOUR-SUBSCRIPTION-ID:
-
Copy this content and paste it into a new file named
mondoo-role.json:{
"Name": "mondoo-role",
"IsCustom": true,
"description": "Custom role for Mondoo integration",
"assignableScopes": ["/subscriptions/YOUR-SUBSCRIPTION-ID"],
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/config/read",
"Microsoft.Web/sites/config/web/appsettings/read",
"Microsoft.Web/sites/config/web/connectionstrings/read",
"Microsoft.Web/sites/config/appsettings/read",
"Microsoft.web/sites/config/snapshots/read",
"Microsoft.Web/sites/config/list/action",
"Microsoft.Web/sites/read",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}To integrate with more than one subscription, list them:
"assignableScopes": [
"/subscriptions/YOUR-SUBSCRIPTION-ID-1"
"/subscriptions/YOUR-SUBSCRIPTION-ID-2"
"/subscriptions/YOUR-SUBSCRIPTION-ID-3"
] -
Create a custom role in the specified subscription:
az role definition create --role-definition mondoo-role.json -
Make sure you successfully created the role:
az role definition list --output json --query '[].{roleName:roleName, description:description}' --name "mondoo-role" -
Assign the created custom role to the app you registered:
az role assignment create --role mondoo-role --assignee <APP-ID> --scope /subscriptions/YOUR-SUBSCRIPTION-ID
Step D: Grant permissions to access Microsoft Graph (API permissions)
- Copy this content and paste it into a new file on your local system named
app-manifest.json:
[
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
"type": "Role"
},
{
"id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0",
"type": "Role"
},
{
"id": "5e0edab9-c148-49d0-b423-ac253e121825",
"type": "Role"
},
{
"id": "bf394140-e372-4bf9-a898-299cfc7564e5",
"type": "Role"
},
{
"id": "6e472fd1-ad78-48da-a0f0-97ab2c6b769e",
"type": "Role"
},
{
"id": "dc5007c0-2d7d-4c42-879c-2dab87571379",
"type": "Role"
},
{
"id": "b0afded3-3588-46d8-8b3d-9842eff778da",
"type": "Role"
},
{
"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
"type": "Role"
},
{
"id": "197ee4e9-b993-4066-898f-d6aecc55125b",
"type": "Role"
},
{
"id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30",
"type": "Role"
},
{
"id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48",
"type": "Role"
},
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd",
"type": "Role"
},
{
"id": "37730810-e9ba-4e46-b07e-8ca78d182097",
"type": "Role"
},
{
"id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4",
"type": "Role"
}
]
}
]
-
Execute these commands to grant the permissions in the JSON file and give administrator consent. For YOUR-APP-ID, substitute the
appIdvalue from the results you copied in Step B:az ad app update --id YOUR-APP-ID --required-resource-accesses @app-manifest.json
az ad app permission admin-consent --id YOUR-APP-ID
Add a new Azure integration in the Mondoo Console
After you've created, granted permissions to, and tested a new app registration, you can create a Mondoo Azure integration. You need some values from the app registration you created in the instructions above.
-
Access the Integrations > Add > Azure page in one of two ways:
-
New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select Azure.
-
INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under Cloud Security, select Azure.
-
-
In the Choose an integration name box, enter a name for the integration. Make it a name that lets you easily recognize the Azure tenant.
-
In the Enter Application (client) ID box, enter the value from the
appIdvalue you copied in Step B. -
In the Enter the Directory (tenant) ID box, enter the
tenantIdvalue you copied in Step A. -
Specify the subscriptions for Mondoo to continuously scan. You copied at least one subscription ID in step A.
-
To continuously scan all subscriptions in the tenant, leave the Scan all subscriptions connected to the Directory (tenant) ID toggle enabled.
-
To choose the subscriptions to scan, disable the Scan all subscriptions connected to the Directory (tenant) ID toggle, select Allowlist, and enter the subscription ID to scan.
-
To scan all subscriptions except those you specify, disable the Scan all subscriptions connected to the Directory (tenant) ID toggle, select Denylist, and enter the names of the subscriptions you don't want Mondoo to scan.
-
-
To automatically discover all Linux and Windows VMs in your subscription and scan them using Azure Run Command, select Scan Azure VMs using Run Command.
-
Provide the certificate (a PEM (privacy-enhanced mail) file) for Mondoo to securely authenticate with the app (service principal) you created. You created this certificate in Step B.
The certificate file must have the
.pemextension and must contain both the private key and the certificate in this order:-----BEGIN PRIVATE KEY-----
key goes here
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certificate goes here
-----END CERTIFICATE-----Upload the certificate to Mondoo: In the Drag and drop your .pem file here box, select the cloud icon and choose the file to upload.
-
To automatically scan all VMs in your subscription, enable Scan Azure VMs using RunCommand.
-
Select the START SCANNING button.
-
On the Recommended Policies page, enable the policies on which you want to base assessments of your Azure environment. To learn more, read Manage Policies.
-
Select FINALIZE SETUP.
Mondoo begins scanning your Azure resources. When it completes, you can see results on the INVENTORY page. To learn more, read Monitor Your Infrastructure Security.
If your integration is unsuccessful, read Troubleshoot an Azure Configuration.