3. Azure Integration#

In order for TrustView to gain access to Microsoft Azure, some requirements are needed.

3.1. Create app registration#

Create an app registration that should be used for TrustView, to access Azure APIs:

Select App registration New registration

How to register an Azure application

  • Select a name and select Accounts in this organizational directory only (Single tenant)

  • Leave Redirect URI as blank, because it is not used

After creating the app, store the values of:

Application (client) ID - (client id) and Directory (tenant) ID  - (tenant id)

You then need to create a client secret. This can be done by Choosing Add a certificate or secret and then choose New client secret

Store the secret value.

The last thing needed is the subscriptions id which can be seen by choosing Subscriptions under Azure services.

Store the subscription id.

We now have client id, client secret, tenant id and the subscription id available and saved.

In TrustView, choose Azure integration and type in the values and select a name and click Add to finish the setup.

Azure integration setup

The Azure integration is now configured in TrustView, however, the client need some permissions in order to be allowed to list apps and key vaults:

  • Under the client overview page in Azure, go to App registrations then select API permissions and click Add a permission

  • Select Microsoft Graph application permissions Application.Read.All

Azure permissions

  • Select the next permission under Azure KeyVault user_impersonation

Azure Key Vault

  • select Grant admin consent

Azure - grant admin consent

The client should now be able to list all apps located under the Azure subscription. The App also need some permissions so that key vaults can be listed. The operation below should be performed for all the key vaults that the app needs to access:

In Azure portal, select the key vault, click on Access control (IAM) and select Role assignments.

Azure access control

In the job function roles type:

Select Key Vault Contributor and click next.

Azure role assignments

Click Members and search after the App registration created above, then click select and next. Lastly, click Review + assign. The app registration should now be added with the role Key Vault Contributor.

The last thing needed is to add some access policies. Click Access policies and click Create and then select the permissions as listed below:

Azure setup permissions

Click next, then search after the App registration, and then select and click Next and then finally Create. Your App registration should now be able in TrustView, to list all keys, secrets and certificates created under that specific key vault.

In the permissions above, also select (Key Management Operations) Create, (Cryptographic Operations) Sign and (Certificate Management Operations) Create and Backup. These permissions are needed if you want to create an automation task in TrustView, to create and upload certificates to Azure. For listing only, they can be left out. But for listing the List permission is required for all Management Operations.

Repeat the above steps for all key vaults that TrustView should be able to read.