Microsoft Azure Integration

Created by Mohammed Aadhil, Modified on Tue, 9 Sep at 1:30 PM by Mohammed Aadhil

Description:

The Microsoft Azure integration allows Truzta to continuously monitor your Azure environment for compliance and security best practices. With this integration, Truzta tracks user roles, IAM assignments, and cloud resource configurations to ensure that privileged access is properly managed and that critical services remain securely configured.


By connecting Azure, Truzta validates your cloud environment against compliance frameworks and benchmarks—keeping you audit-ready with automated scans and evidence collection.


Scopes and Permissions Required

To successfully integrate Azure with Truzta and automate compliance checks, the following permissions are required to retrieve and monitor critical cloud and directory data:

  • User Details in the Organization Directory
    Grants access to retrieve user profiles (names, emails, and roles) to track user access across Azure resources.

  • Organizational Structure and Groups
    Provides visibility into group memberships and organizational hierarchy to ensure users have appropriate access aligned to their roles.

  • Audit Logs
    Allows access to activity logs, including account changes, directory configurations, and login attempts, to monitor user activity and detect unauthorized access.

These permissions ensure Truzta has the visibility needed to perform compliance checks while maintaining a least-privilege approach.


Integrating Azure

Microsoft Azure is a widely used cloud service provider. Truzta allows you to integrate one or more Azure subscriptions for automated daily scans of misconfigurations.


Once the integration is complete, Truzta will automatically scan your Azure account(s) and display results in your Dashboard, giving you actionable insights into compliance gaps and security risks.

Step 1: Create a Service Principal

  1. Go to the Azure Home Page and sign in to the Microsoft Azure Portal (if prompted).

  2. Open Azure Active Directory using one of the following methods:

    • Enter Azure Active Directory in the search bar and select it.

    • Select Azure Active Directory from the Azure Services menu (if available).

  3. In the left-hand navigation panel, select App registrations.

  4. Click + New registration from the top menu to create a new application.



Step 2: Register an Application

  1. The Register an Application page will open.

  2. Enter a descriptive Name for the application (e.g., Truzta-Azure-Integration).

  3. Under Supported account types, select Accounts in this organizational directory only (default).

  4. Leave the Redirect URI field blank (this is not required for Truzta integration).

  5. Click Register to create the application.

  6. Once the registration is complete, copy the following values for later use:

    • Application (client) ID

    • Directory (tenant) ID



Step 3: Add Microsoft Graph API Permissions

  1. In the left-hand navigation menu of your registered application, select API permissions.

  2. Click + Add a permission.

  3. Choose Microsoft Graph.

  4. Select Application permissions.

  5. In the Select permissions search field, type AuditLog.Read.All.

    • Expand the result and check AuditLog.Read.All.

  6. Search for Directory.Read.All.

    • Check Directory.Read.All.

  7. Click Add permissions to apply the changes.

  8. Click Grant admin consent for [Default Directory].

  9. When prompted, click Yes to confirm.



Step 4: Create a Client Secret for the Registered Application

  1. In the left-hand navigation menu of your registered application, select Certificates & secrets.

  2. Click + New client secret.

  3. Enter a brief Description (e.g., Truzta Integration Secret).

  4. From the Expires drop-down menu, choose a duration (recommended: 12 months or longer, depending on your organization’s policy).

  5. Click Add to generate the client secret.

  6. In the Value column (third column), copy the Client Secret Value and store it securely.

    • ⚠️ Important: This value will only be visible once. Be sure to save it for later use in Truzta.



Step 5: Grant Access to the Azure Service Principal

  1. Go to the Azure Home Page and sign in if prompted.

  2. In the search bar, type Subscriptions and select it.

  3. Choose the subscription where you want to assign the application.

  4. In the subscription navigation pane, select Access Control (IAM).

  5. Click + Add role assignment.

  6. From the Role drop-down menu, select Security Reader, then click Next.

  7. Leave the Assign access to field at its default value.

  8. Click Select members, then search for your App registration by the Name you entered in Step 2 (e.g., Truzta Evidence Collection).

  9. Select the application, then click Review + assign to complete the role assignment.

  10. Click Save to complete the assignment.

  11. Repeat the same process to assign the Log Analytics Reader role to the application.


Step 6: Go to Truzta Integrations

  1. Open Truzta. From the top bar, click Integrations and select Azure in the Cloud Service Provider section.

  2. Click the Integrations button located in the upper-right corner of the dashboard.

  3. In the Provider dropdown, select Microsoft Azure.

  4. Enter the following credentials collected during setup:

    • Subscription ID

    • Tenant ID

    • Client ID

    • Client Secret

  5. Click Integrate to establish the connection.

The integration is now complete. The initial scan may take 20–30 minutes to finish. Once it has completed, the compliance and security results will be available in your Truzta Dashboard.
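The permission set described under Scopes and Permissions Required and assigned in Steps 3 through 5 is small and read-only; the added example below (my code, not Truzta's or Microsoft's) checks that the finished service principal holds exactly that set, flags anything broader, and warns when the client secret from Step 4 is close to expiry. The input shapes (az CLI role assignment output, API permission names, Graph passwordCredentials entries) and the sample data are constructed assumptions.

```python
# Added example (not Truzta's or Microsoft's code): verify the service principal
# holds exactly the least-privilege set from Steps 3 and 5 and that its client
# secret from Step 4 is not about to lapse. Inputs are constructed samples shaped
# like `az role assignment list` output, the API permissions blade, and Graph
# passwordCredentials entries.
from datetime import datetime, timedelta, timezone

REQUIRED_SUB_ROLES = {"Security Reader", "Log Analytics Reader"}    # Step 5
REQUIRED_GRAPH_PERMS = {"AuditLog.Read.All", "Directory.Read.All"}  # Step 3
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}  # write paths

def check_subscription_roles(assignments):
    """assignments: dicts with 'roleDefinitionName', as az CLI prints them."""
    held = {a["roleDefinitionName"] for a in assignments}
    return {"missing": sorted(REQUIRED_SUB_ROLES - held),
            "excess": sorted(held - REQUIRED_SUB_ROLES),
            "broad": sorted(held & BROAD_ROLES)}

def check_graph_permissions(granted):
    """granted: application permission names as shown on the API permissions blade."""
    held = set(granted)
    return {"missing": sorted(REQUIRED_GRAPH_PERMS - held),
            "excess": sorted(held - REQUIRED_GRAPH_PERMS)}

def secrets_expiring(credentials, now, within_days=30):
    """Names of secrets whose ISO-8601 'endDateTime' falls within within_days of now
    (an expired secret silently stops the daily scans)."""
    limit = now + timedelta(days=within_days)
    return [c["displayName"] for c in credentials
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) <= limit]

def audit(assignments, granted, credentials, now):
    """True only when nothing is missing, nothing broader is held, no secret is near expiry."""
    r, p = check_subscription_roles(assignments), check_graph_permissions(granted)
    return not (r["missing"] or r["excess"] or p["missing"] or p["excess"]
                or secrets_expiring(credentials, now))

# Constructed sample data: the two roles from Step 5 plus one over-broad role.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Security Reader"},
    {"roleDefinitionName": "Log Analytics Reader"},
    {"roleDefinitionName": "Contributor"},  # not asked for by this article
]
SAMPLE_PERMS = ["AuditLog.Read.All", "Directory.Read.All"]
SAMPLE_SECRETS = [
    {"displayName": "Truzta Integration Secret", "endDateTime": "2026-09-09T13:30:00Z"},
    {"displayName": "old-rotation-secret", "endDateTime": "2025-09-30T00:00:00Z"},
]
NOW = datetime(2025, 9, 9, tzinfo=timezone.utc)
```

Running audit() on the sample data returns False because of the Contributor assignment and the secret expiring in 21 days; dropping both makes it pass.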