Professional Enterprise
runZero integrates with Azure AD to allow you to sync and enrich your asset inventory, as well as gain visibility into Azure AD users and groups. Adding your Azure AD data to runZero makes it easier to find assets that are not part of your domain.
Getting started
To set up the Azure AD integration, you’ll need to:
- Configure Azure AD to allow API access through runZero.
- Add the Azure AD credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the Azure AD integration to sync your data with runZero.
Requirements
Before you can set up the Azure AD integration:
- Verify that you have runZero Professional or Enterprise.
- runZero Professional and Enterprise users will be able to view and query Azure AD assets.
- runZero Enterprise users will also be able to view and query Azure AD users and groups.
- Make sure you have access to the Microsoft Azure portal.
Step 1: Register an Azure application for Azure AD API access
runZero can authenticate to the Azure AD API using either a username and password or a client secret. Register an application to configure Azure AD API access.
- Log into the Microsoft Azure portal.
- Go to Azure Active Directory > App registrations and click on New registration.
- Provide a name.
- Select the supported account types.
- Optionally add a redirect URI.
- Click Register to register the application.
- Once the application is created, you should see the Overview dashboard. Note the following information:
- Application (client) ID
- Directory (tenant) ID
- From the application’s details page, go to
Authentication. Set Allow public client flows to Yes and then save the configuration.
- Go to
API permissions > Add a permission.
- Select
Microsoft Graph from the list of Microsoft APIs.
- Select the correct permissions type for your needs:
- Username & password: select
Delegated permissions
- Client secret: select
Application permissions
- Search for and select the following required permissions:
Device.Read.AllGroup.Read.AllUser.Read.All
- Click Add permissions to save the permissions to the application.
- If using a client secret, also perform the following steps:
- Navigate to Azure Active Directory > App registrations and select the application you created.
- Go to Certificates & secrets and click on New client secret.
- Enter a description.
- Select the expiration.
- Click Add to create the client secret and save the client secret value.
Add the Azure AD credential to runZero
Step 2a: Add an Azure Username & Password credential to runZero
- Go to the Credentials page in runZero and click Add Credential.
- Provide a name for the credential, like
Azure User/Pass.
- Choose Azure Username & Password from the list of credential types.
- Provide the following information:
- Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
- Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
- Azure username - The username for your Azure cloud account. This cannot be a federated user account.
- Azure password - The password for your Azure cloud account.
- If you want other organizations to be able to use this credential, select the
Make this a global credential option. Otherwise, you can configure access on a per organization basis.
- Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.
Step 2b: Add an Azure Client Secret credential to runZero
This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).
- Go to the Credentials page in runZero and click Add Credential.
- Provide a name for the credential, like
Azure Client Secret.
- Choose Azure Client Secret from the list of credential types.
- Provide the following information:
- Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
- Azure client secret - To generate a client secret, go to Azure Active Directory > App registrations, select your application, go to Certificates & secrets and click on New client secret.
- Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
- Select the Access all subscriptions in this directory (tenant) option to sync all resources in your directory. Otherwise, specify the Azure subscription ID - The unique ID for the subscription that you want to sync. This can be found in the Azure portal if you go to Subscriptions and select the subscription.
- If you want other organizations to be able to use this credential, select the
Make this a global credential option. Otherwise, you can configure access on a per organization basis.
- Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.
The Azure AD integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.
Step 4: Set up and activate the Azure AD integration to sync data
After you add your Azure AD credential, you’ll need to set up a connector task or scan probe to sync your data.
A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Azure AD-only assets are created.
- Activate a connection to Azure AD. You can access all available third-party connections from your inventory or tasks page.
- Choose the credential you added earlier. If you don’t see the credential listed, make sure it has access to the organization you are currently in.
- Enter a name for the task, like
Azure AD sync.
- Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
- Under Task configuration, choose the site you want to add your assets to.
- If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to
Yes. By default, the integration will include assets that have not been scanned by runZero.
- Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.
- Create a new scan task or select a future or recurring scan task from your Tasks page.
- Add or update the scan parameters based on any additional requirements.
- On the Probes and SNMP tab, choose which additional probes to include, set the Azure AD toggle to
Yes, and change any of the default options if needed.
- On the Credentials tab, set the Azure AD toggle for the credential you wish to use to
Yes.
- Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.
Step 5: View Azure AD assets
After a successful sync, you can go to your inventory to view your Azure AD assets. These assets will have an Active Directory icon listed in the Source column.
To filter by Azure AD assets, consider running the following queries:
Click into each asset to see its individual attributes. runZero will show you the attributes returned by Azure AD.
Enterprise
For Enterprise users, the Azure AD integration provides details about users and groups in addition to enriching asset inventory data. Go to Inventory > Users or Inventory > Groups to view the data provided by Azure AD.