3. Azure Integration#
For TrustView to gain access to Microsoft Azure, a few prerequisites must be in place.
3.1. Create app registration#
Create an app registration that TrustView uses to access the Azure APIs:

- Before creating an app registration, go to the Azure portal where you create your Azure Key Vaults and make sure an expiration date is set on the secret associated with every key vault that you want to see and get an overview of in TrustView.

Important: Enable the checkbox "Set expiration date" and then choose an expiration date for the secret. Doing this when creating a new secret for a key vault lets you see not only the key vault in TrustView but also its contents. If you do not set an expiration date, the contents of that key vault will not be visible.

- Select "App registrations" > "New registration".
- Enter a name and select "Accounts in this organizational directory only (Single tenant)".
- Leave "Redirect URI" blank, because it is not used.
- After creating the app, store the values of "Application (client) ID" (client id) and "Directory (tenant) ID" (tenant id).
- You then need to create a client secret. Choose "Add a certificate or secret" and then "New client secret". Store the secret value.
- The last thing needed is the subscription id, which can be found by choosing "Subscriptions" under "Azure services". Store the subscription id.

We now have the client id, client secret, tenant id and subscription id available and saved. In TrustView, choose "Azure integration", type in the values, select a name and click "Add" to finish the setup.
The Azure integration is now configured in TrustView; however, the client needs some permissions in order to be allowed to list apps and key vaults:

- In Azure, on the client's overview page, go to "App registrations", select "API permissions" and click "Add a permission".
- Select "Microsoft Graph" > application permissions > "Application.Read.All".
- Select the next permission under "Azure KeyVault": "user_impersonation".
- Select "Grant admin consent".
The client should now be able to list all apps located under the Azure subscription. The app also needs some permissions so that key vaults can be listed. Perform the steps below for every key vault that the app needs to access:

- In the Azure portal, select the key vault, click "Access control (IAM)" and select "Role assignments".
- In the job function roles, type and select "Key Vault Contributor", then click next.
- Click "Members", search for the app registration created above, click select and then next. Lastly, click "Review + assign". The app registration should now be added with the role "Key Vault Contributor".
- The last thing needed is to add some access policies. Click "Access policies", click "Create" and then select the "List" permission under each of the Management Operations (keys, secrets and certificates).
- Click next, search for the app registration, select it, click "Next" and finally "Create". Your app registration should now be able to list, in TrustView, all keys, secrets and certificates created under that specific key vault.

In the permissions above, also select "Create" (Key Management Operations), "Sign" (Cryptographic Operations) and "Create" and "Backup" (Certificate Management Operations). These permissions are needed if you want to create an automation task in TrustView that creates and uploads certificates to Azure. For listing only, they can be left out, but the "List" permission is required under all Management Operations.

Repeat the above steps for all key vaults that TrustView should be able to read.
3.2. Quick overview of permissions and access rights#
Here is a quick overview of what is needed. For a more detailed explanation, see the guide above.
API Permissions
- Microsoft Graph application permissions Application.Read.All 
- Azure KeyVault user_impersonation 
- Grant admin consent 
Access control (IAM)
- Key Vault Contributor 
Access rights
- Key Management Operations Create 
- Cryptographic Operations Sign 
- Certificate Management Operations Create and Backup 
- All Management Operations List
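To verify that the access policy granted to the TrustView app registration on a key vault actually contains the permissions required by the steps in 3.1 and summarized above, here is an added Python check (example code, not part of TrustView or the Azure SDK). It assumes the vault is supplied in the JSON shape returned by `az keyvault show` (properties.accessPolicies[].objectId and .permissions) and that the object id of the app registration's service principal is known; the sample vault is constructed.

```python
"""Offline check of a Key Vault access policy against the permissions this guide needs."""

# Permissions named in the guide. "List" is required under every Management
# Operations category for listing; the automation task additionally needs these.
LIST_REQUIRED = {"keys": {"list"}, "secrets": {"list"}, "certificates": {"list"}}
AUTOMATION_REQUIRED = {"keys": {"create", "sign"}, "certificates": {"create", "backup"}}

# Constructed sample in the shape `az keyvault show` returns (assumption, not real data).
SAMPLE_VAULT = {
    "name": "kv-trustview-sample",
    "properties": {
        "accessPolicies": [
            {
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {
                    "keys": ["Get", "List", "Create"],
                    "secrets": ["List"],
                    "certificates": ["List", "Create"],
                },
            }
        ]
    },
}


def find_policy(vault, object_id):
    """Return the access-policy entry for the given principal object id, or None."""
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            return policy
    return None


def missing_permissions(vault, object_id, automation=False):
    """Map each permission category to the sorted required permissions the
    principal's policy lacks; an empty dict means the policy is sufficient.
    With no policy for the principal, every required permission is reported."""
    required = {cat: set(perms) for cat, perms in LIST_REQUIRED.items()}
    if automation:
        for cat, perms in AUTOMATION_REQUIRED.items():
            required[cat] = required.get(cat, set()) | perms
    granted = (find_policy(vault, object_id) or {}).get("permissions", {})
    missing = {}
    for cat, perms in required.items():
        have = {p.lower() for p in granted.get(cat, [])}  # portal values are capitalized
        gap = sorted(perms - have)
        if gap:
            missing[cat] = gap
    return missing


if __name__ == "__main__":
    app_oid = "11111111-1111-1111-1111-111111111111"
    print("listing only:", missing_permissions(SAMPLE_VAULT, app_oid))
    print("with automation:", missing_permissions(SAMPLE_VAULT, app_oid, automation=True))
```

Run it against the real output of `az keyvault show` once per vault to see which permissions still have to be added before an automation task will work.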