Azure Cloud Connector

Azure Cloud Connector


What evidence does this connector collect?


ControlMap scans your Azure environment on a daily or a weekly basis for CIS best practices such as MFA being used, backups being enabled on RDS instances, and databases being encrypted. 

For the complete list of evidence collected click on the 'Show' list of rules on the Azure integration screen in ControlMap.


What compliance checks does this connector collect?

  1. 'Storage accounts - Secure transfer required must be enabled'
  2. 'Storage Accounts - data must be encrypted with Customer Managed Keys'
  3. 'Storage Accounts that include activity logs should be encrypted with Customer Managed Keys'
  4. 'Storage Accounts - Infrastructure Encryption is enabled'
  5. 'Virtual machines use managed disks'
  6. 'Virtual machines managed disks are encrypted with CMK'
  7. 'Virtual machines OS disks are managed'
  8. 'Virtual machines OS disks are encrypted using CMK'
  9. 'Public access from to all ports (*, ANY) is denied'
  10. 'Ports Allowed as * or 0-65535 are restricted'
  11. 'RDP Port 3389 is restricted to public access'
  12. 'SSH Port 22 is restricted to public access'
  13. 'MS SQL port 1433 is restricted to public access'
  14. 'MYSQL port 3306 is restricted to public access'
  15. 'Postgress port 5432 is restricted to public access'
  16. 'Oracle port 1521 is restricted to public access'
  17. 'Security groups delete is being monitored'
  18. 'Security groups changes are being monitored'
  19. 'SQL database encryption enabled'
  20. 'SQL database threat detection enabled'
  21. 'SQL database threat detection email admin enabled'
  22. 'Collect users, admins and group info from Microsoft Active Directory'
  23. 'Collect evidence of security best practices from MS DevOps'


How does ControlMap connect to your Azure environment?


ControlMap connects to your Azure environment using an App ID and a Client Secret created by you in your subscription and in your tenant. Here are the steps to set up the integration.



1. Finding Subscription Id 

A subscription is a logical grouping of Azure services that are linked to an Azure account. A single Azure account can contain multiple subscriptions. Please refer to How to find your Azure Subscription Id  


2. Finding Tenant Id 

A tenant is an organization that owns and manages a specific instance of Microsoft cloud services. Tenant Id is the unique identifier of the Azure Active Directory instance. Please refer to How to find your Azure Tenant Id  


3. Obtaining an App Id and Client Secret 

To obtain an application ID (client ID) and client secret, you’ll create a 

Step 1. Azure Active Directory (AD) application and service principal, 

Step 2. Assign an RBAC role 

Step 3. Generate a secret. 


Step 1 - Create application Id In the Azure Portal,

Navigate to Azure Active Directory > App registrations, then select the “New registration” button. Enter the details on the page as in the screenshot below and register the app. 

Record the App Id for ControlMap settings. 



Step 2 - Assign Role To assign your service principal a role at the subscription level, 

Navigate to All services > Subscriptions > Subscription ID and select your subscription. Then, select the Access Control (IAM) link and click the “Add” button, then “Add role assignment”:

Select the Reader role. Leave the “Assign access to” field with User, group or service principal selected. In the “Select” field, search for the name of your AD application then select the “Save” button.




Add role assignment



Step 3 - Create Client Secret 

Go to Azure Active Directory > App registrations and select the application you just registered, then select the Certificates & secrets link. Click the “New client secret” button and enter a description for your client secret and set an expiration date, then select “Add.” Copy the VALUE client secret key value to provide in ControlMap settings. 




Step 4 - Add API Permissions 

Go to Azure Active Directory > App registrations and select the application you just registered and then select API Permissions. 

Enable the following permissions for the API in the application 

Type Application

  1. Reports.Read.All
  2. User.Read.All

Type Delegated

  1. User.Read

Note: Ensure that Admin Consent is granted by Clicking on the GRANT ADMIN CONSENT link