Best Practices: Enabling user monitoring in Azure

Azure Identity and Access Management (IAM) is Microsoft Azure's identity governance system, enabling organizations to define who can access cloud resources and what permissions each user or service has. Based on roles and security policies, Azure IAM makes it easy to enforce the principle of least privilege, ensuring that each identity has only the access it needs. It also supports multi-factor authentication (MFA), group management, and integration with corporate directories, strengthening security and compliance.

The Cloud8 Platform has automation rules that require extra permissions (in addition to the Azure Access Credential permissions required for integration) to be able to monitor the Azure environment. Below you will see how to configure these permissions.

Extra permissions for Azure IAM rules

1. First, access your account in the Azure Portal.

2. If you have access to multiple tenants, use the Directory + Subscriptions filter in the top menu to select the tenant that contains your client application registration.

3. Select Azure Active Directory > App registrations and select the client application. Click the app that has the credentials integrated with “Best Practices”.

4. Select API Permissions > Add a Permission

5. Then select Microsoft Graph > App Permissions.

All permissions exposed by Microsoft Graph are shown under Select permissions.

6. Under Select permissions, expand User and select the User.Read.All permission, then expand Group and select Group.Read.All.

7. After selecting, add the permissions.

NOTE: The “Add permissions” button is not enabled because the permissions already exist for the sample App.

8. Finally, admin consent will be required for the permissions to take effect. After giving consent, the permissions that required admin consent will show as having been consented.

NOTE: The “give administrator consent” button is disabled if you are not an administrator or if no permissions have been configured for the application.
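Once admin consent has been granted, the application permissions appear in the `roles` claim of an app-only Microsoft Graph access token issued to the app. The following is an added example, not Cloud8 or Microsoft code, that decodes a token payload for inspection and reports which of the two permissions from step 6 are missing and which other roles are present; the helper names are hypothetical and the sample tokens are constructed.

```python
import base64
import json

# The two Microsoft Graph application permissions this guide grants (step 6).
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str) -> dict:
    """Compare the token's app roles with the permissions the guide requires."""
    # An app-only token with nothing consented carries no "roles" claim at all.
    roles = set(decode_claims(token).get("roles", []))
    return {
        "missing": sorted(REQUIRED_ROLES - roles),  # not added, or not yet consented
        "extra": sorted(roles - REQUIRED_ROLES),    # review against least privilege
        "ok": REQUIRED_ROLES <= roles,
    }


def make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token for the demo (assumption, not real output)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed samples: one permission still missing, then both present.
    partial = make_sample_token(["User.Read.All"])
    complete = make_sample_token(["User.Read.All", "Group.Read.All"])
    print("partial: ", audit_roles(partial))
    print("complete:", audit_roles(complete))
```

Entries under "extra" are not necessarily wrong, since the integration credential may need other Graph roles, but each one should be justified.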