Azure Subscription

Azure Active Directory is now Microsoft Entra ID. You can learn more about this change from Microsoft.

Integrating your Entra ID account requires API credentials. Azure API credentials have four elements and all are needed to connect to Security Manager.

  • Subscription ID is a unique identifier of the Entra ID subscription you would like to use for API usage.

  • Tenant ID is a unique identifier of your Entra ID Instance.

  • Application (client) ID is a unique identifier of your registered application.

  • Client Secret Value is a key created that serves as proof you own the application ID.

To add Microsoft Entra ID device (Azure Subscription), complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.

  1. Log on to Microsoft Azure portal.
  2. Copy the following to notepad:
    • The Subscription ID. More services > search for subs > click Subscriptions.
    • The Tenant ID. Microsoft Entra ID > Properties > Tenant ID.
  3. Register an application.
    1. Microsoft Entra ID > App registrations and click New registration.
    2. Enter a Name for the application.
    3. For Supported account types, select Accounts in this organizational directory only.
    4. Leave Redirect URL (optional) blank.
    5. Click Register.
    6. Copy the Application (client) ID to notepad.
  4. Create a client secret.
    1. From the Manage menu, click Certificates & secrets.
    2. Click New client secret.
    3. Enter a Description for the client secret key.
    4. Select an Expires option from the list that meets your business standards.
    5. Click Add.
    6. Copy the data in the Value field to notepad.

Save the Value before you leave the Certificates & Secrets page. Once you leave the page, you will not be able to view the Value again. The Secret ID is not used.

  1. Grant access from Azure to Security Manager.
    1. Open the subscription.
    2. Click Access control (IAM).
    3. Click Add.
    4. For the Role field, select Reader or if you will be using rule hit count retrievals, select Reader and Data Access.
    5. Leave the Assign access to field as is.
    6. In the Select field, find the name of your application (used in step 3).
    7. Click Save.
  2. Set a Proxy Server (optional).

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create, and then click Microsoft > Azure Subscription.
  1. Complete the General Properties section.
  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.

    A Management IP Address is not needed, however assigning an arbitrary, but unique IP is suggested. For example, 0.0.0.0 with an incremental increase for each similar vendor management station used (0.0.0.0, 0.0.0.1, 0.0.0.2, etc.). Without a Management IP address assigned, retrieval logs will not be generated.

  1. In the Data Collector box, type the IP address of the data collector that will collect data from this device.
  2. In the Central Syslog Server box, type the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

  1. In the Syslog Match Name box, type the syslog match name (optional).
  2. By default, the Automatically Retrieve Configuration check box is selected.
  3. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.

  4. Collection Configuration is enabled on the management station or by duplicating and then editing the default configuration.

  1. Device Settings section.

    Credentials

  1. Enter the Subscription ID.

  2. Enter an alternate Subscription ID to be used for hit count retrievals if the NSGs in this subscription log to a storage account with a different Subscription ID.

  3. Enter the Tenant ID in the Directory ID field.

  4. Enter the Application (client) ID in the Application ID field.

  5. Enter the Client Secret Value in the Key field, and then enter it again.

    Proxy

  1. Enter your Proxy Server.
  2. Enter the Proxy Port.
  1. Monitoring section.

You must first configure hit counters in the Azure portal.

Select the Enable Log Monitoring check box to begin monitoring.

  • By default, Track Usage Via is set to Hit Counters.

  • By default, the Count Retrieval Interval is set to 10 minutes.

  1. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

  • Set the Scheduled Retrieval Time to fit your requirements.

  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

  1. Advanced section.
    • The NTP server will be used to check for clock offset if Azure rejects the device credentials. Leaving this setting blank disables this check.
    • Use the Retrieval Timeout in Seconds field to set a maximum time to wait for a response during retrieval.
    • Select the Use Azure China Endpoint checkbox to enable retrievals for Azure China users. Azure China differs from Azure global.
  1. Enforcement section.

Select one of the available enforcement options:

  •  Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected all changes must be manually pushed for this device.

  •  Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, it will be listed. If no assignment, changes must be manually pushed for this device.

  1. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle to enable (disabled = Accept).
  • Click Add.
  1. Click Save.