Discovering Microsoft Azure


Microsoft Azure is a cloud service provided by Microsoft. Microsoft Azure provides virtualized computing platforms. It is organized into various regulatory domains worldwide, helping organizations to store and manage data in compliance with local laws specific to each country.


Discovered services and regulatory domains

You can access and configure all your services in the Azure Public cloud by using the Microsoft Azure portal.

For the list of Microsoft Azure services that can be discovered with the latest Technology Knowledge Update, select the service name from the documentation tree. You can discover cloud services running in supported regions. For more details, see Microsoft-Azure-Supported-Cloud-Regions.

The following regulatory domains can be discovered with the latest Technology Knowledge Update:

  • Azure China 21Vianet
  • Azure Government
  • Azure Public
  • Azure Stack


Creating a credential

Before you start discovering Microsoft Azure services, make sure that you have an application ID and authentication key (credential) for the BMC Discovery application. These are the prerequisites that let BMC Discovery access the cloud. You create the access key by using the Microsoft Azure portal.

Creating a credential is a two-stage process. In the Microsoft Azure Portal, you obtain a Directory ID, Application ID, and Authentication Key. Then, in BMC Discovery, you use this information to add the cloud discovery credential. Both stages are mandatory for setting up Microsoft Azure discovery.

(Optional) For Microsoft Azure Stack discovery credentials, you will also need to include the Azure Stack Management URI and the Azure Stack Domain (those are two parts of the Azure Resource Manager endpoint). 

To find the Directory ID, Application ID, and Authentication Key in the Microsoft Azure Portal

  1. Log in to Microsoft Azure Portal and find the Directory ID for your Microsoft Azure account by selecting Microsoft Entra ID > Properties. The Directory ID is a GUID, also known as the Tenant ID.
  2. Register your BMC Discovery appliance in the Microsoft Entra ID > Manage > App registrations section. You must provide a name, for example, BMC Discovery, supported account types, and other mandatory fields:

(Screenshot: Register an application.png)

  3. After registering the application, obtain the following information for the application:

  • Application (client) ID: Shown in the Essentials of the application in Microsoft Entra ID > Manage > App registrations. The Application (client) ID is a GUID. Make sure that you select the Application ID and not the Object ID. Copy and note the Application ID.
  • Application Key: To create the Application Key, in Microsoft Entra ID > Manage > App registrations, click Certificates & secrets > New client secret.

Important

If you lose the Application Key, you cannot retrieve it from the Microsoft Azure Portal. You must create a new Application Key and use it in the BMC Discovery cloud credential. Hence, make sure to keep a note of the Application Key until you have successfully tested the cloud credential.

For more details, see the official Microsoft Azure documentation.

(Optional) To get the Azure Resource Manager endpoint for Azure Stack Hub integrated systems, contact your service provider.

To assign the required permissions for the BMC Discovery application registration in the Microsoft Azure portal

BMC Discovery will not be able to discover resources in the target subscriptions without permission granted to your application.  The built-in Reader role is sufficient to discover everything except size and encryption (D@RE) values for VHDs used by VMs. To discover size and encryption (D@RE) values for VHDs used by VMs, you need the Microsoft.Storage/storageAccounts/listKeys/action permission.

To grant the application permissions (roles) to your subscriptions:

  1. Go to More services > Subscriptions, select a Subscription, and open Access Control (IAM) on it.
  2. Click +Add and select Add role assignments.
  3. Find and select the Reader role from the list and click Next.
  4. From the Select Members list, select the Application name that you want to add.
  5. Click Next and follow the instructions in the UI to add the Role Assignment.
  6. For each additional Subscription that you want to be discovered, go to More services > Subscriptions, select the subscription, and repeat steps 1 through 5.

Important

If you configured Microsoft Azure management groups, you might not need to add an individual service account to each subscription. For more details, see Microsoft Azure Management Groups.

Discovering Microsoft Azure Stack

If you need to discover Microsoft Azure Stack, the process is very similar to regular Microsoft Azure discovery. The only difference is the URL to which the discovery appliance sends API requests. For Microsoft Azure Stack, all requests are sent to the Azure Resource Manager endpoint of the Azure Stack Hub system.

To create the Azure Cloud credential

  1. Follow the usual steps described in this topic.
  2. Make sure that the Directory ID, Application ID, and the Application Key for a given Azure Stack account have been added.
  3. In the Azure Stack Management URI field, input the subdomain part of the Azure Resource Manager endpoint (for example, management and adminmanagement).
  4. In the Azure Stack User Domain field, enter your Azure Stack account name provided by Microsoft.
  5. Click Apply.

(Screenshot: Microsoft Azure Stack.png)

Discovering Microsoft Azure storage

If you need to discover Microsoft Azure storage, you must first grant a role that includes the Microsoft.Storage/storageAccounts/listKeys/action permission; without it, Azure Storage discovery is incomplete. You do not need this permission if you are only using managed disks. You can use the JSON template file together with the Microsoft Azure command line tools to create a Discovery role that grants exactly these permissions. For information about custom roles, see Azure custom roles.

The JSON template file is available for download from this page (you must log in or register to view it).

BMC Discovery (on-premises) customers can also download the JSON template from the Manage > Discovery Tools page.

To create a Discovery role for Microsoft Azure storage

  1. Download the JSON template file.
  2. Edit the template file to set the subscription scope. In the SUBSCRIPTION ID HERE field, add your subscription ID.
  3. Rename the template file to azure_discovery_role.json.
  4. Run the following command, depending on your Azure CLI version:

    az role definition create --role-definition <PATH>azure_discovery_role.json

    or

    az role create --config <PATH>azure_discovery_role.json

  5. Make sure that the role is created and appears in the Azure Portal roles list.
  6. Assign the newly created custom Discovery role to the application registration that you used for BMC Discovery.
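The procedure above edits a downloaded template by hand. The following Python script is an added example, not BMC's template or Microsoft's code: it renders a role definition in the standard Azure custom-role JSON layout accepted by `az role definition create --role-definition <file>`, replaces the SUBSCRIPTION ID HERE placeholder with one or more subscription IDs, and checks before you create the role that it grants nothing beyond read access plus the storage listKeys action. The role name, description and action list are assumptions chosen to match what this topic describes (Reader-equivalent access plus Microsoft.Storage/storageAccounts/listKeys/action); the include_listkeys switch drops that action for environments that use only managed disks, where the topic says it is unnecessary.

```python
"""Render and sanity-check an Azure custom role definition for BMC Discovery.

Added example (not BMC's own template). The JSON layout is the standard Azure
custom-role format used by `az role definition create --role-definition <file>`;
the role name, description and action list below are assumptions.
"""
import json
import re
import sys

PLACEHOLDER = "SUBSCRIPTION ID HERE"
LISTKEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed template mirroring the shape of the downloadable file: read-only
# access (what the built-in Reader role grants) plus the single extra action
# needed to read VHD size and encryption values from storage accounts.
TEMPLATE = {
    "Name": "BMC Discovery Role",  # assumed name
    "IsCustom": True,
    "Description": "Read access plus storage account listKeys for VHD discovery",
    "Actions": ["*/read", LISTKEYS],
    "NotActions": [],
    "AssignableScopes": [f"/subscriptions/{PLACEHOLDER}"],
}


def render_role(subscription_ids, include_listkeys=True):
    """Return the role definition scoped to the given subscription IDs.

    include_listkeys=False omits the listKeys action for managed-disk-only
    environments, where this permission is not needed.
    """
    for sub in subscription_ids:
        if not GUID_RE.match(sub):
            raise ValueError(f"subscription ID is not a GUID: {sub!r}")
    role = json.loads(json.dumps(TEMPLATE))  # deep copy of the template
    role["AssignableScopes"] = [f"/subscriptions/{s}" for s in subscription_ids]
    if not include_listkeys:
        role["Actions"] = [a for a in role["Actions"] if a != LISTKEYS]
    return role


def validate_role(role):
    """Return a list of problems; an empty list means the role is ready to create."""
    problems = []
    if PLACEHOLDER in json.dumps(role):
        problems.append("subscription placeholder was not replaced")
    if not role.get("IsCustom"):
        problems.append("IsCustom must be true")
    actions = set(role.get("Actions", []))
    if "*/read" not in actions:
        problems.append("role lacks read access (*/read)")
    # Anything beyond read + listKeys is more than discovery needs.
    extra = actions - {"*/read", LISTKEYS}
    if extra:
        problems.append(f"actions exceed least privilege: {sorted(extra)}")
    if not role.get("AssignableScopes"):
        problems.append("no AssignableScopes")
    return problems


def write_role(path, role):
    """Write the definition to disk for `az role definition create`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(role, fh, indent=2)


if __name__ == "__main__":
    # Usage: python make_discovery_role.py <subscription-id> [<subscription-id> ...]
    subs = sys.argv[1:] or ["00000000-0000-0000-0000-000000000000"]  # placeholder ID
    role = render_role(subs)
    problems = validate_role(role)
    if problems:
        sys.exit("\n".join(problems))
    write_role("azure_discovery_role.json", role)
    print("wrote azure_discovery_role.json; next run: "
          "az role definition create --role-definition azure_discovery_role.json")
```

The validation step is the part worth keeping even if you edit the template by hand: a leftover placeholder makes the create command fail, while an action list wider than read plus listKeys silently hands the discovery identity more than it needs.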

To create the Azure cloud credential in BMC Discovery

Create the Azure cloud credential in the same way as any other credential. The Azure cloud credential uses the Directory ID, Application ID, and Application Key as the equivalent of a username and password combination.

  1. On the BMC Discovery Device Credentials page, click Add.
    The Add Credential page is displayed.
  2. Click Add more and add the cloud provider type Microsoft Azure.
  3. Add the credential information:
    • Label.
    • Description.
  4. Specify the additional fields with the information that you copied from the Microsoft Azure Portal:
    1. Directory ID.
    2. Application ID.
    3. Application Key.
    4. CyberArk: If the CyberArk integration is enabled, do not enter a key ID and secret. Instead, enter a CyberArk search string in this field to extract a CyberArk credential. An example search string is:
      Object=Cloud Service-Azure-keys-fc2636b7-426d-42df-a13f-f45b903bd40a
      For more information about the integration, see Integrating with CyberArk Enterprise Password Vault.

      Important

      The Directory ID and Application ID are GUIDs with 32 hex digits grouped 8-4-4-4-12. Take care not to transpose any digits: a transposed GUID produces a credential that never works, and the problem is difficult to diagnose.

  5. (Optional) To use a proxy to access the Microsoft Azure cloud, specify the following fields:
    • Hostname.
    • Port.
    • Username (only for authenticating proxies).
    • Password (only for authenticating proxies).

If your proxy uses self-signed certificates, you can disable the TLS Certificate Check option.

Warning

If you disable the certificate check, your credentials could be intercepted by a man-in-the-middle attack.

  6. Click Apply.


To test the credential

After you have created the credential, you must test it to make sure that it works:

  1. Go to Manage > Credentials.
  2. On the Credentials tab, clear all the options except for Cloud > Microsoft Azure.
  3. For the Microsoft Azure cloud credential you added, click Actions and then click Test.
  4. Select Microsoft Azure from the list.
  5. Select the regulatory domain to test.
  6. Click Test. The following screenshot shows a successful test.

    (Screenshot: Azure cred Test.jpg)

If the credential test is unsuccessful, make sure that you copied the Directory ID and Application ID correctly.

Important

The BMC Discovery appliance must be able to access Microsoft Azure by using HTTPS (port 443).
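The credential test above is done from the BMC Discovery UI. The following Python script is an added example, not BMC's or Microsoft's code, that lets you check the same three values independently from any host with HTTPS (port 443) access: it validates the Directory ID and Application ID as 8-4-4-4-12 GUIDs, obtains a token with the OAuth2 client-credentials grant, and lists the subscriptions the application can see. The login and Resource Manager hostnames for the Azure Public, Azure Government and Azure China 21Vianet domains are the public Microsoft endpoints; the Azure Stack variant assumes that the Resource Manager host is formed as "<Azure Stack Management URI>.<Azure Stack domain>" and that the tenant still signs in through Microsoft Entra ID, which is an assumption rather than something this topic states. The proxy URL in the comments is constructed.

```python
"""Independent check of an Azure cloud credential (Directory ID, Application ID,
Application Key), mirroring what a credential test has to do.

Added example, not BMC's or Microsoft's code. Endpoint hostnames for the public
regulatory domains are the published Microsoft ones; the Azure Stack host layout
"<management-uri>.<stack-domain>" and Entra sign-in for Stack are assumptions.
"""
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# (login host, Azure Resource Manager host) per discoverable regulatory domain.
DOMAINS = {
    "Azure Public": ("login.microsoftonline.com", "management.azure.com"),
    "Azure Government": ("login.microsoftonline.us", "management.usgovcloudapi.net"),
    "Azure China 21Vianet": ("login.chinacloudapi.cn", "management.chinacloudapi.cn"),
}


def check_guid(name, value):
    """Reject a malformed or transposed-looking ID early (8-4-4-4-12 hex groups)."""
    if not GUID_RE.match(value):
        raise ValueError(f"{name} is not a GUID in 8-4-4-4-12 form: {value!r}")
    return value.lower()


def endpoints(domain, stack_uri=None, stack_domain=None):
    """Return (login_host, arm_host) for a regulatory domain or an Azure Stack Hub."""
    if stack_uri and stack_domain:
        # Azure Stack: API requests go to the Hub's Resource Manager endpoint,
        # e.g. management.<stack-domain>; sign-in via Entra ID is assumed here.
        return DOMAINS["Azure Public"][0], f"{stack_uri}.{stack_domain}"
    if domain not in DOMAINS:
        raise ValueError(f"unknown regulatory domain: {domain!r}")
    return DOMAINS[domain]


def token_request(login_host, tenant_id, app_id, app_key, arm_host):
    """Build the client-credentials token request: (URL, form-encoded body)."""
    url = f"https://{login_host}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_key,
        "scope": f"https://{arm_host}/.default",
    }).encode()
    return url, body


def probe_credential(tenant_id, app_id, app_key, domain="Azure Public",
                     stack_uri=None, stack_domain=None, proxy=None):
    """Return the subscription IDs visible to the application, or raise.

    TLS verification stays enabled even through a proxy: switching it off is
    exactly what would let a proxy operator read the Application Key in transit.
    """
    tenant_id = check_guid("Directory ID", tenant_id)
    app_id = check_guid("Application ID", app_id)
    login_host, arm_host = endpoints(domain, stack_uri, stack_domain)
    handlers = [urllib.request.HTTPSHandler(context=ssl.create_default_context())]
    if proxy:  # constructed example value: "http://proxy.example.internal:3128"
        handlers.append(urllib.request.ProxyHandler({"https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    url, body = token_request(login_host, tenant_id, app_id, app_key, arm_host)
    try:
        with opener.open(urllib.request.Request(url, data=body), timeout=30) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        # Entra returns an AADSTS code in the JSON body, e.g. AADSTS7000222 for
        # an expired client secret; surface it instead of a bare HTTP 401.
        raise RuntimeError(f"token request failed: {exc.read().decode()}") from exc

    req = urllib.request.Request(
        f"https://{arm_host}/subscriptions?api-version=2020-01-01",
        headers={"Authorization": f"Bearer {token}"})
    with opener.open(req, timeout=30) as resp:
        subs = json.load(resp)["value"]
    # An empty list means the secret works but no role is assigned to the
    # application on any subscription (the "subscriptionId: No values" symptom).
    return [s["subscriptionId"] for s in subs]
```

Call `probe_credential("<Directory ID>", "<Application ID>", "<Application Key>")` from a host that can reach the cloud on port 443. A token error tells you the Directory ID, Application ID or key is wrong or expired; a token that works but returns no subscriptions tells you the role assignment step was skipped.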

To run a cloud scan

To perform cloud discovery:

  1. Go to Manage > Discovery.
  2. Click Add New Run.
    The Add a New Run box is displayed:
    (Screenshot: Add a new run.jpg)
  3. Enter a Label for the cloud discovery run.
  4. To add a scheduled cloud run, select Scheduled and fill in the scheduling information.

  5. Select Cloud.
  6. Select the cloud provider type Microsoft Azure.
  7. Select the appropriate cloud credential. If none are available, you must add one.
  8. Select the regulatory domain to scan.
  9. Enable or disable the automatic discovery of Microsoft Azure Kubernetes clusters in the Automatically scan Kubernetes clusters option. For more information, see Microsoft-Azure-Kubernetes.
  10. Click OK.

Scanning the hosts that run the VMs in the cloud

Perform a normal scan on the hosts that run the VMs discovered in the cloud scan. To find hosts that are associated with discovered virtual machines, you must use the Unscanned Cloud Hosts report on the Cloud Overview dashboard. For more details about host scanning in the cloud, see Introduction to cloud discovery.

To scan the hosts, make sure that the Discovery appliance or proxy has network access to hosts that run in the cloud; for example, by using a VPN.

Important

Public IP addresses do not respond to ICMP pings. We recommend that you disable Ping before scanning. Otherwise, all scans will be dropped, reporting no response. For more details about the Ping option, see Performing a discovery run.

Examining results

After you run the scan, you can examine the results. The following screenshot shows a discovered VM running in Microsoft Azure.

(Screenshot: AzureScanResult.png)


Database discovery

Microsoft Azure supports Microsoft SQL Server. The Microsoft Azure API reports the database. If you only need to discover the database, databases are reported as part of regular cloud discovery, and no further configuration is required.

If you need deeper database discovery (for example, to report the tables or run queries for application-specific data), make sure that appropriate database credentials are created. For more information, see Adding credentials.

To discover database servers and database firewalls

Each database server has a firewall, and you can add a rule stating which IP addresses are permitted access.

  1. From the database server, configure the firewall to enable BMC Discovery to access it.
  2. Add the following information:

    1. Rule name; for example, Discovery Access.
    2. Start IP; for example, 77.168.1.100.
    3. End IP; for example, 77.168.1.100.

    You can now access the database server from BMC Discovery.

In addition to the firewall on the server, configured earlier, you can also configure rules on a firewall on the database. The server firewall and the database firewall must permit BMC Discovery access.

Discovering a database

To discover a Database, an appropriate Database credential must be created. For more information, see Database credentials.

Viewing Microsoft Azure discovery patterns

To view the Microsoft Azure discovery patterns, go to Manage > Knowledge. Then, in the Pattern modules list, click Cloud > Microsoft Azure.

Azure tags discovery

For detailed information about tags, see Discovering Cloud Tags.


Troubleshooting

The following table shows the most frequent issues when creating the Microsoft Azure cloud credential:

Problem: Failed to get a dynamic parameter
subsribtionid: No values
Solution: No role is assigned to the application in the Microsoft Azure portal. Open More services (or the homepage) > Subscriptions, then select Access Control (IAM) > Role Assignments > Add Role Assignment. Select the Reader role and your application.

Problem: Failed to get a dynamic parameter
subscriptionId: 'some request name': Authentication failure: AADSTS7000222: The provided client secret keys are expired
Solution: An issue with key encryption. Generate a new key. Your key must include alphanumeric characters, including / and + symbols.

Problem: Invalid client secret provided (the application in the Microsoft Azure portal is created, but the Application Key in the BMC Discovery credential is not set, or the key has expired).
Solution: Check the security key or add a new one.

Problem: The application with the identifier is not found (the ID is correct, but the Application ID is wrong or does not exist).
Solution: Enter the correct Application ID or register a new one.

Problem: The tenant ID is not found.
Solution: If the tenant ID is incorrect, go to Azure Active Directory > Properties and verify the Directory ID.
