Premium
Azure AD
This plugin is in preview.
The CloudQuery Azure AD source plugin extracts Azure information regarding object/user/tenant relationships (i.e. Azure AD or Microsoft Entra ID) and loads it into any supported CloudQuery destination.
Publisher: year-of-the-nimbus
Latest version: v1.0.3
Type: Source
Platforms:
Date Published:
Price: Free while in preview
Set up process #
brew install cloudquery/tap/cloudquery
1. Download CLI and login
2. Create source and destination configs
Overview #
Azure AD Source Plugin
The CloudQuery Azure AD source plugin extracts Azure information regarding object/user/tenant relationships (i.e. Azure AD or Microsoft Entra ID) and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).
Authentication #
Authentication with Environment Variables #
You will need to create a service principal for the plugin to use:
Creating a service principal
First, install the Azure CLI (`az`). Then, log in with the Azure CLI:
```bash
az login
```
Then, create the service principal the plugin will use to access your cloud deployment. WARNING: The output of `az ad sp create-for-rbac` contains credentials that you must protect. Make sure to handle it with appropriate care.
This example uses bash; the commands for CMD and PowerShell are similar.
```bash
export SUBSCRIPTION_ID=<YOUR_SUBSCRIPTION_ID>
az account set --subscription $SUBSCRIPTION_ID
az provider register --namespace 'Microsoft.Security'
# Create a service-principal for the plugin
az ad sp create-for-rbac --name cloudquery-sp --scopes /subscriptions/$SUBSCRIPTION_ID --role Reader
```
(You can, of course, choose any name you'd like for your service principal; `cloudquery-sp` is just an example. If the service principal doesn't exist, the command creates a new one; otherwise it updates the existing one.)
The output of `az ad sp create-for-rbac` should look like this:
```json
{
  "appId": "YOUR AZURE_CLIENT_ID",
  "displayName": "cloudquery-sp",
  "password": "YOUR AZURE_CLIENT_SECRET",
  "tenant": "YOUR AZURE_TENANT_ID"
}
```
Exporting environment variables
Next, you need to export the environment variables that the plugin will use to sync your cloud configuration. Copy them from the output of `az ad sp create-for-rbac` (or take the opportunity to show off your jq-foo).
The example shows how to export environment variables for Linux; exporting for CMD and PowerShell is similar.
- AZURE_TENANT_ID is `tenant` in the JSON.
- AZURE_CLIENT_ID is `appId` in the JSON.
- AZURE_CLIENT_SECRET is `password` in the JSON.
```bash
export AZURE_TENANT_ID=<YOUR AZURE_TENANT_ID>
export AZURE_CLIENT_ID=<YOUR AZURE_CLIENT_ID>
export AZURE_CLIENT_SECRET=<YOUR AZURE_CLIENT_SECRET>
```
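The mapping above is easy to get wrong by hand, and pasting the secret into an `export` line leaves it in shell history. The script below is an added example (not part of the CloudQuery plugin or its docs): it reads the `az ad sp create-for-rbac` JSON from stdin, maps `tenant`/`appId`/`password` to the three variables the plugin reads, rejects leftover placeholders by checking that `tenant` and `appId` are GUIDs, and writes the exports to a file only the owner can read. The file name `cloudquery.env` is an assumption.

```python
"""Convert `az ad sp create-for-rbac` output into the plugin's env vars (example, not plugin code)."""
import json
import os
import re
import shlex
import sys

# az output key -> environment variable the plugin expects (mapping taken from this page)
KEY_MAP = {"tenant": "AZURE_TENANT_ID", "appId": "AZURE_CLIENT_ID", "password": "AZURE_CLIENT_SECRET"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def sp_output_to_env(sp_json: str) -> dict:
    """Parse the JSON az prints and return {ENV_NAME: value}; raise on missing keys or placeholders."""
    data = json.loads(sp_json)
    missing = [k for k in KEY_MAP if not data.get(k)]
    if missing:
        raise ValueError(f"az output is missing keys: {missing}")
    # tenant and appId are GUIDs in real output; "YOUR AZURE_TENANT_ID"-style placeholders are not
    for key in ("tenant", "appId"):
        if not GUID_RE.match(data[key]):
            raise ValueError(f"{key} is not a GUID (placeholder left in?): {data[key]!r}")
    return {env: data[key] for key, env in KEY_MAP.items()}


def write_env_file(env: dict, path: str) -> str:
    """Write `export NAME=value` lines to path, created with mode 0600 so only the owner can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for name, value in env.items():
            f.write(f"export {name}={shlex.quote(value)}\n")  # quote: the secret may contain shell metachars
    os.chmod(path, 0o600)  # tighten an existing file that may have been created with looser permissions
    return path


if __name__ == "__main__":
    # Usage: az ad sp create-for-rbac ... | python3 sp_to_env.py cloudquery.env && source cloudquery.env
    target = sys.argv[1] if len(sys.argv) > 1 else "cloudquery.env"  # assumed default file name
    out = write_env_file(sp_output_to_env(sys.stdin.read()), target)
    print(f"wrote {out}; run: source {out}")  # the secret itself is never printed
```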
Granting AD Permissions #
We need to ensure that our service principal can read at a global level and has permission to access the Microsoft Graph API.
Granting Global Read Access
- First, go to Microsoft Entra ID (formerly Azure AD) within the Portal Extension.
- Then go to the "Roles and Administrators" tab and add your service principal to the "Global Reader" role.
- It may not show up at first; entering the display name explicitly should resolve this.
Granting API Permissions
- This part can be tedious, depending on how many tables you're using. It can be done through either the portal extension or the az CLI, but unless you already have automation in place, the portal extension is the faster method.
- Go into the service principal's application through the portal extension. You can either search for the name directly or search for the application ID. The search results should bring up both the application and the service principal; you want the application.
- Press "Add a permission".
- Select "Application permissions".
If you plan on using every table, you'll want the full list; if you plan on using only one or two, the permission names accurately describe what they allow:
AccessReview.Read.All
Application.Read.All
AppRoleAssignment.ReadWrite.All
AttackSimulation.Read.All
AuditLog.Read.All
Device.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
Directory.Read.All
Domain.Read.All
Group.Read.All
GroupMember.Read.All
IdentityProvider.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyServicePrincipal.Read.All
IdentityRiskyUser.Read.All
IdentityUserFlow.Read.All
LicenseAssignment.ReadWrite.All
Member.Read.Hidden
MultiTenantOrganization.Read.All
NetworkAccess.Read.All
NetworkAccessPolicy.Read.All
Organization.Read.All
People.Read.All
Policy.Read.All
Policy.Read.IdentityProtection
PrivilegedAccess.Read.AzureAD
PrivilegedAccess.Read.AzureADGroup
PrivilegedAccess.Read.AzureResources
RoleManagement.Read.All
User.Read.All
- Once all permissions are added, press "Grant admin consent for default directory"
At this point, you should be ready to sync!
Configuration #
CloudQuery Azure AD Source Plugin Configuration Reference
Example #
This example connects the Azure AD of your service principal's tenant to a single destination. The (top-level) source spec section is described in the Source Spec Reference.
```yaml
kind: source
spec:
  # Source spec section
  name: "azure-ad"
  path: "year-of-the-nimbus/azure-ad"
  registry: "cloudquery"
  version: "v1.0.2"
  destinations: ["postgresql"]
  tables: ["azure_ad_users"]
  spec:
    # Optional parameters
    # concurrency: 50000
```
Azure AD Spec #
This is the (nested) spec used by the Azure AD source plugin.
- `concurrency` (int) (default: 50000): The best-effort maximum number of Go routines to use. Lower this number to reduce memory usage.