Azure Active Directory

Professional Enterprise

runZero integrates with Azure AD to allow you to sync and enrich your asset inventory, as well as gain visibility into Azure AD users and groups. Adding your Azure AD data to runZero makes it easier to find assets that are not part of your domain.

How runZero maps Azure AD hosts to assets:

  • For Azure AD hosts that can be matched to an existing runZero asset, asset-level attributes such as operating system, hardware platform, hostname, and MAC address will be updated, and Azure AD-specific attributes will be added.
  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with Azure AD data when the hostname or MAC address overlaps. Azure AD devices can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.

Getting started

To set up the Azure AD integration, you’ll need to:

  1. Configure Azure to allow API access through runZero.
  2. Add the Azure AD credential in runZero.
  3. Activate the Azure AD connection to sync your data with runZero.

Requirements

Before you can set up the Azure integration:

  • Verify that you have runZero Professional or Enterprise.
    • runZero Professional and Enterprise users will be able to view and query LDAP assets.
    • runZero Enterprise users will also be able to view and query LDAP users and groups.
  • Make sure you have access to the Microsoft Azure portal.

Step 1: Register an Azure application for Azure AD API access

runZero can authenticate to the Azure AD API using either a username and password or a client secret. Register an application to configure Azure AD API access.

  1. Log into the Microsoft Azure portal.
  2. Go to Azure Active Directory > App registrations and click on New registration.
    • Provide a name.
    • Select the supported account types.
    • Optionally add a redirect URI.
  3. Click Register to register the application.
  4. Once the application is created, you should see the Overview dashboard. Note the following information:
    • Application (client) ID
    • Directory (tenant) ID
  5. From the application’s details page, go to API permissions > Add a permission.
  6. Select Microsoft Graph from the list of Microsoft APIs.
  7. Select the correct permissions type for your needs:
  • Username & password: select Delegated permissions
  • Client secret: select Application permissions
  1. Search for and select the following required permissions:
  • DeviceManagementManagedDevices.Read.All
  • Group.Read.All
  • User.Read.All
  1. Click Add permissions to save the permissions to the application.
  2. If using a client secret, also perform the following steps:
  • Navigate to Azure Active Directory > App registrations and select the application you created.
  • Go to Certificates & secrets and click on New client secret.
    • Enter a description.
    • Select the expiration.
  • Click Add to create the client secret and save the client secret value.

Add the Azure AD credential to runZero

Step 2a: Add an Azure Username & Password credential to runZero

  1. Go to the Credentials page in runZero and click Add Credential.
  2. Provide a name for the credential, like Azure User/Pass.
  3. Choose Azure Username & Password from the list of credential types.
  4. Provide the following information:
    • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure username - The username for your Azure cloud account. This cannot be a federated user account.
    • Azure password - The password for your Azure cloud account.
  5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 2b: Add an Azure Client Secret credential to runZero

This type of credential can be used to sync all resources in a single directory (across multiple subscriptions).

  1. Go to the Credentials page in runZero and click Add Credential.
  2. Provide a name for the credential, like Azure Client Secret.
  3. Choose Azure Client Secret from the list of credential types.
  4. Provide the following information:
    • Azure application (client) ID - The unique ID for the registered application. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Azure client secret - To generate a client secret, go to Azure Active Directory > App registrations, select your application, go to Certificates & secrets and click on New client secret.
    • Azure directory (tenant) ID - The unique ID for the tenant. This can be found in the Azure portal if you go to Azure Active Directory > App registrations and select the application.
    • Select the Access all subscriptions in this directory (tenant) option to sync all resources in your directory. Otherwise, specify the Azure subscription ID - The unique ID for the subscription that you want to sync. This can be found in the Azure portal if you go to Subscriptions and select the subscription.
  5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
  6. Save the credential. You’re now ready to set up and activate the connection to bring in data from Azure.

Step 3: Set up and activate the Azure AD connection to sync data

After you add your Azure AD credential, you’ll need to set up a connection to sync your data from Azure AD. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Azure AD-only assets are created.

  1. Activate a connection to Azure AD. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credential you added earlier. If you don’t see the credential listed, make sure it has access to the organization you are currently in.
  3. Enter a name for the task, like Azure AD sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4: View Azure AD assets

After a successful sync, you can go to your inventory to view your Azure AD assets. These assets will have an Active Directory icon listed in the Source column.

To filter by Azure AD assets, consider running the following queries:

Click into each asset to see its individual attributes. runZero will show you the attributes returned by Azure AD.

Enterprise

For Enterprise users, the Azure AD integration provides details about users and groups in addition to enriching asset inventory data. Go to Inventory > Users or Inventory > Groups to view the data provided by Azure AD.