Microsoft Azure integration

Integrate Identity Security Posture Management (ISPM) with Microsoft Azure by assigning a reader role to the ISPM app. The integration allows ISPM to analyze the access to Microsoft Entra ID cloud resources.

Before you begin

Complete the steps in Microsoft Entra ID integration. This is required to integrate ISPM with Microsoft Azure.

Select the assignment scope

You can assign a role to a subscription, management group, or tenant root group. Each assignment scope gives Identity Security Posture Management the same level of access to your Microsoft Entra ID resources.

Assign the role to a subscription

  1. In the Microsoft Entra ID admin center, go to the Subscriptions panel.
  2. Select the subscription that you want to associate with the Identity Security Posture Management app.
  3. Click Access Control (IAM).
  4. In the Add dropdown menu, select Add role assignment.
  5. Select the Reader role, and then click Next.
  6. On the Members tab, assign access to User, group, or service principal, and then click Select members.
  7. Search for and select the registration app that you created in the Microsoft Entra ID integration task.
  8. Click Review + assign.

Assign the role to a management group

  1. In the Microsoft Entra ID admin center, go to the Management Groups panel.
  2. Select the management group that you want to assign ISPM to.
  3. Click Access Control (IAM).
  4. In the Add dropdown menu, select Add role assignment.
  5. Select the Reader role, and then click Next.
  6. On the Members tab, assign access to User, group, or service principal, and then click Select members.
  7. Search for and select the registration app that you created in the Microsoft Entra ID integration task.
  8. Click Review + assign.

Assign a role to the tenant root group

This method requires you to temporarily elevate your admin role to a user access admin. To avoid this, ISPM recommends that you assign a role to a subscription, or create a management group and then assign the role to it.

  1. In the Microsoft Entra ID admin center, go to the Microsoft Entra ID panel.
  2. Select ManageProperties.
  3. Toggle on Access management for Microsoft Entra ID resources.
  4. Click Save.
  5. Refresh the browser for the changes to take effect.
  6. In the Microsoft Entra ID admin center, go to the Management Group panel.
  7. Click Tenant Root Group.
  8. Click Access Control (IAM).
  9. In the Add dropdown menu, select Add role assignment.
  10. Select the Reader role, and then click Next.
  11. On the Members tab, assign access to User, group, or service principal, and then click Select members.
  12. Search for and select the registration app that you created in the Microsoft Entra ID integration task.
  13. Click Review + assign.
  14. Go to Microsoft Entra IDManageProperties and toggle off Access management for Microsoft Entra ID resources.

Enable the integration in ISPM

  1. In the Identity Security Posture Management console, go to SettingsSources gallery.

  2. Select Azure Cloud, and then click Connect.

  3. Select the Related AAD and choose a Source name.

  4. Click Add Azure connection.