USM Anywhere™

Create an Application and Obtain Azure Credentials

Role Availability Read-Only Analyst Manager

To enable USM Anywhere to monitor your Microsoft Azure subscription, you must create an application that grants permission to USM Anywhere to fetch data using the Azure software development kit (SDK) and Azure Representational State Transfer (REST) API. USM Anywhere requires the following credentials:

Required Azure Credentials
Azure Credential USM Anywhere Field Name
azure_tenant_id Azure Tenant ID
azure_subscription_id Azure Subscription ID
azure_application_id Azure Application ID
azure_application_key Azure Application Key

If you're a Microsoft Windows operating system (OS) user, you can create the application in one of two ways:

If you're not a Microsoft Windows OS user, you must create the application manually from your Azure subscription.

Important: You must have global administrator privileges to create an application and obtain credentials.

The subscription identifier (ID) is required when you complete the Azure Credentials step of the sensor setup in USM Anywhere.

To get the Azure subscription ID

  1. Log in to the Azure console (https://portal.azure.com).

  2. From the Azure Dashboard, select your subscription.

  3. From the Subscription page, copy your subscription ID and save it somewhere that you can access later.

To allow USM Anywhere to access Azure resources, you must set up an Azure Active Directory (AD)Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. application and complete the Azure standard procedure for adding a new application registration, and then either upload a certificate or create a client secret for Azure AD:

  1. Go to Azure Active Directory > App registrations > New registration.
  2. Enter a name for the application and select the desired account type.
  3. Enter the redirect Uniform Resource Identifier (URI) if required.
  4. Click Register.

Once you have completed the registration, you need to either upload a certificate or create a client secret by following the process listed in the Microsoft documentation. After saving the client secret, the value displayed in the Azure portal is the Azure Application Key.

As you add and configure the new application, you may need the application ID, directory ID, and object ID. This information is required when you complete the Azure Credentials step of the sensor setup in USM Anywhere.

To locate the IDs, go to Azure Active Directory > App registrations and select the new application you created.

To let your application collect users, you need to grant Microsoft Graph API permissions.

To grant API permissions

  1. Log in to the Azure portal (https://portal.azure.com).

  2. Go to API Permissions and click Add a permission.

    Azure Portal

  3. Go back to Required Permissions and click Add so that permissions for pulling Azure Active Directory Users through the app are added.

  4. Select Microsoft Graph.

  5. Select User.Read.All.

    Azure Portal

  6. These permissions require admin approval, so make sure the tenant administrator click Grant Admin consent for.

    Azure Portal

If you want to use USM Anywhere to monitor all of your Azure resources, you should associate it with your Azure subscription as a whole.

To associate the application with the entire subscription

  1. Log in to the Azure portal (https://portal.azure.com).
  2. Go to More Services > Subscriptions, locate the subscription, and select it.

  3. Select Access control (IAM) in the navigation list.

    This reveals a new blade that displays the roles and permissions that exist for the subscription.

    Select the Access control (IAM) for the subscription

  4. At the top of the blade, click Add.

  5. Select the Reader role (recommended).

    This role allows assigned users to fetch new Azure logs.

    Warning: IAM Contributor role is a requirement if you choose to use Microsoft Internet Information Services (IIS), Azure SQL Server, and Windows logs.

  6. Select the service principle you created previously to assign the role to the subscription.

  7. Click Save and OK.

Related Video Content

To view other related training videos, click here.