
    Attack Surface Analyzer for Azure Cloud

    With the Attack Surface Analyzer, you can spot threats within your Azure cloud and enhance cloud security.

    Listed below are the services tracked by the Attack Surface Analyzer for Azure:

    • Azure Compute
    • Azure Networking
    • Azure Storage
    • Azure Web
    • Azure Monitor
    • Azure Integration
    • Azure Database
    • Azure Security
    • Azure Container
    • Azure Recovery Service

    Prerequisites

    For the Attack Surface Analyzer to function seamlessly, the ADAudit Plus server should have a working internet connection. Additionally, outbound HTTPS (TCP port 443) must be allowed from the ADAudit Plus server so that it can communicate with the Azure platform.

    There are two scenarios when configuring your Azure cloud for attack surface analysis:

    1. Syncing an existing Entra ID tenant configured in ADAudit Plus
    2. Configuring a new Azure cloud for attack surface analysis

    Sync an existing Entra ID (formerly Azure AD) tenant

    If you want to enable attack surface analysis for an Entra ID tenant that is already configured for auditing in ADAudit Plus, you need to assign additional permissions to the application that was registered for it.

    Retrieve the registered application's name and client ID from ADAudit Plus

    1. Log in to the ADAudit Plus web console.
    2. Navigate to the Cloud Directory tab > Auditing > Configuration > Cloud Directory.
    3. Click the Modify option for the cloud directory that you want to configure for attack surface analysis.
    4. From the Cloud Directory pop-up, copy the Client ID.

    Retrieve the client secret and subscription ID from the Azure portal

    1. Log in to the Azure portal.
    2. Paste the client ID in the search box to find the registered application associated with it, and note down the application's name.
    3. Select the application and go to Manage > Certificates & secrets > New client secret.
    4. In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and then click Add.
    5. Copy the Value, as this will be needed when configuring the Azure cloud in ADAudit Plus. The value is shown only once, immediately after the secret is created.
    6. In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID, as this will be required when configuring the Azure cloud in the Attack Surface Analyzer.

    Assign required permissions

    1. Log in to the Azure portal.
    2. Navigate to Subscriptions and select the subscription you want to configure in ADAudit Plus.
    3. From the left menu, go to Access control (IAM) > + Add > Add role assignment.
    4. In the Role tab, search for and select the Reader role and click Next.
    5. In the Members tab, click + Select Members, search for the name of the application that you copied in step six of the previous section, click Select, and then click Review + Assign.
    6. Repeat steps three to five for the Storage Account Contributor role.
    7. If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and, based on the permission model you have selected, follow the steps below:
      • If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps three to five.
      • If you have selected Vault Access Policy, click Go to access policies, and then click Create. Under Key permissions, Secret permissions, and Certificate permissions, select the check box next to List and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.

    Note: If you have multiple subscriptions, repeat the steps for each of them.

    Add the existing Entra ID (formerly Azure AD) tenant in the Attack Surface Analyzer

    You can add your Entra ID tenant for attack surface analysis either automatically or manually.

    Automatic configuration

    Once the required permissions are assigned, your Entra ID tenant will be enabled for attack surface analysis automatically by a sync process that runs every day at 12 a.m.

    Manual configuration

    If you want to configure the Entra ID tenant manually for attack surface analysis, proceed with the steps under Add the existing Entra ID tenant or the new Azure cloud in the Attack Surface Analyzer.

    Configure a new Azure cloud in ADAudit Plus

    Before configuring your Azure cloud for attack surface analysis, you need to create an application in the Azure portal and assign the appropriate role.

    Create an application in the Azure portal

    1. Log in to the Azure portal and navigate to Microsoft Entra ID.
    2. Go to Manage > App registrations > + New registration to open the Register an application window.
    3. Enter a suitable Name for the application (for example, ADAudit Plus Application), retain the default values for the other options, and click Register.
    4. On the application's Overview page, copy the Application (client) ID, as this will be needed when configuring the Azure cloud in ADAudit Plus.
    5. Go to Manage > Certificates & secrets > New client secret.
    6. In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and then click Add.
    7. Copy the Value, as this will be needed when configuring the Azure cloud in ADAudit Plus. The value is shown only once, immediately after the secret is created.
    8. In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID, as this will be required when configuring the Azure cloud in ADAudit Plus.
    9. From the left menu, go to Access control (IAM) > + Add > Add role assignment.
    10. In the Role tab, search for and select the Reader role and click Next.
    11. In the Members tab, click + Select Members, search for the name of the application that you created in step three of the previous section, click Select, and then click Review + Assign.
    12. Repeat steps nine to 11 for the Storage Account Contributor role.
    13. If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and, based on the permission model you have selected, follow the steps below:
      • If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps nine to 11.
      • If you have selected Vault Access Policy, click Go to access policies, and then click Create. Under Key permissions, Secret permissions, and Certificate permissions, select the check box next to List and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.

    Note: If you have multiple subscriptions, repeat the steps for each of them.
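    Both role-assignment procedures above (for an existing tenant and for a newly registered application) grant the same minimal set: Reader and Storage Account Contributor at subscription scope, plus Key Vault Contributor on individual vaults, and a client secret that expires after 730 days. The script below is an added example, not part of ADAudit Plus or this documentation: it audits an application's effective permissions against that expected set and warns about client secrets that are about to expire. The records are constructed sample data whose field names mirror the JSON returned by `az role assignment list --all --assignee <appId> -o json` and `az ad app credential list --id <appId> -o json`; the subscription ID, vault name, and key IDs are placeholders.

```python
"""Audit the Azure permissions of the ADAudit Plus app registration.

Added example, not ManageEngine code. The input mirrors the JSON shape of
`az role assignment list` and `az ad app credential list`; every value
below is constructed sample data, not output from a real tenant.
"""
import re
from datetime import datetime, timedelta, timezone

# Scope shapes: a bare subscription, or a Key Vault resource inside one.
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
KEY_VAULT_RE = re.compile(r"/providers/Microsoft\.KeyVault/vaults/[^/]+/?$", re.IGNORECASE)

# Roles the page asks for, and the scope each belongs at.
EXPECTED_SUBSCRIPTION_ROLES = {"Reader", "Storage Account Contributor"}
ALLOWED_KEY_VAULT_ROLES = {"Key Vault Contributor"}

# Constructed placeholder identifiers (not a real subscription or vault).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
KV = SUB + "/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"

# Constructed sample in the shape of `az role assignment list --all --assignee <appId>`.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ADAudit Plus Application", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ADAudit Plus Application", "roleDefinitionName": "Storage Account Contributor", "scope": SUB},
    {"principalName": "ADAudit Plus Application", "roleDefinitionName": "Key Vault Contributor", "scope": KV},
    # Out of policy on purpose: Contributor over the whole subscription is far broader than needed.
    {"principalName": "ADAudit Plus Application", "roleDefinitionName": "Contributor", "scope": SUB},
]

# Constructed sample in the shape of `az ad app credential list --id <appId>`.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
SAMPLE_CREDENTIALS = [
    {"keyId": "cred-long", "displayName": "ADAudit Plus secret", "endDateTime": "2027-05-30T00:00:00+00:00"},
    {"keyId": "cred-short", "displayName": "old secret", "endDateTime": "2025-06-08T00:00:00+00:00"},
]


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string as subscription, keyvault, or other."""
    if SUBSCRIPTION_RE.match(scope):
        return "subscription"
    if KEY_VAULT_RE.search(scope):
        return "keyvault"
    return "other"


def audit_assignments(assignments):
    """Compare actual role assignments with the roles the procedure grants.

    Returns {"missing": expected subscription roles that were not found,
             "unexpected": [(role, scope), ...] for anything outside that set}.
    A vault-scoped Key Vault Contributor is accepted; the same role at
    subscription scope, or any other role, is reported for review.
    """
    found = set()
    unexpected = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        kind = scope_kind(scope)
        if kind == "subscription" and role in EXPECTED_SUBSCRIPTION_ROLES:
            found.add(role)
        elif kind == "keyvault" and role in ALLOWED_KEY_VAULT_ROLES:
            continue
        else:
            unexpected.append((role, scope))
    return {"missing": EXPECTED_SUBSCRIPTION_ROLES - found, "unexpected": unexpected}


def expiring_secrets(credentials, now=NOW, warn_days=30):
    """Return keyIds of client secrets that have expired or expire within warn_days."""
    deadline = now + timedelta(days=warn_days)
    out = []
    for c in credentials:
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        if end <= deadline:
            out.append(c["keyId"])
    return out


if __name__ == "__main__":
    report = audit_assignments(SAMPLE_ASSIGNMENTS)
    print("missing roles:", sorted(report["missing"]) or "none")
    for role, scope in report["unexpected"]:
        print(f"review: {role} at {scope}")
    for key_id in expiring_secrets(SAMPLE_CREDENTIALS):
        print(f"rotate soon: client secret {key_id}")
```

    To run it against a real tenant, replace the two sample lists with the parsed output of the two `az` commands named in the lead-in; the classification logic does not change. The check treats any role outside the documented set as something to review rather than something to delete automatically, since a broader assignment may have been granted for another integration.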

    Add the existing Entra ID tenant or the new Azure cloud in the Attack Surface Analyzer

    1. Log in to the ADAudit Plus web console.
    2. Navigate to the Cloud Directory tab > Attack Surface Analyzer > Configuration > Cloud Directory.
    3. Click +Add Cloud Directory in the top-right.
    4. Select Azure Cloud from the Add Cloud Directory pop-up.
    5. Enter the Display Name, Tenant Name, Client ID, Client Secret, Subscription ID, and Cloud Type.
    6. Select the Audit Log check box if you want to fetch the audit logs and monitor all the operations performed in the Azure cloud, and then click Next.
    7. Review your settings and click Finish.
