Create an Azure app for Workload Security

In your operating environment, it may not be desirable to allow the Workload Security to access Azure resources with an account that has both the Global Administrator role for the Azure Active Directory and the Subscription Owner role for the Azure subscription. As an alternative, you can create an Azure app for Workload Security that provides read-only access to Azure resources.

If you have multiple Azure subscriptions, you can create a single Workload Security Azure app for all of them, as long as the subscriptions all connect to the same Active Directory. Details are provided within the set of instructions below.

To create an Azure app, you will need to:

  1. Assign the correct roles.
  2. Create the Azure app.
  3. Record the Azure app ID, Active Directory ID, and password.
  4. Record the Subscription ID(s).
  5. Assign the Azure app a role and connector.

Assign the correct roles

To create an Azure app, your account must have the User Administrator role for the Azure Active Directory and the User Access Administrator role for the Azure subscription. Assign these roles to your Azure account before proceeding.

Create the Azure app

  1. In the Azure Active Directory blade, click App registrations.
  2. Click New registration.
  3. Enter a Name (for example, Workload Security Azure Connector).
  4. For the Supported account types, select Accounts in this organizational directory only.
  5. Click Register.

    The Azure app appears in the App registrations list with the Name you chose in Step 3 (above).

Record the Azure app ID, Active Directory ID, and password

  1. In the App registrations list, click the Azure app.

    The Azure app will display with the Name you chose for it in Step 3 of the Create the Azure app procedure.

  2. Record the Application (client) ID.
  3. Record the Active Directory ID
  4. Click Certificates & secrets.
  5. Click New client secret.
  6. Enter a Description for the client secret.
  7. Select an appropriate Duration. The client secret expires after this time.
  8. Click Add.

    The client secret Value appears.

  9. Record the client secret Value. This will be used as the Application Password when registering the Azure app with Workload Security.

    The client secret Value only appears once, so record it now. If you do not, you must regenerate it to obtain a new Value.

    If the client secret Value expires, you must regenerate it and update it in the associated Azure accounts.

Record the Subscription ID(s)

  1. On the left, go to All Services and click Subscriptions.

    A list of subscriptions appears.

  2. Record the Subscription ID of each subscription you want to associate with the Azure app. You will need the ID(s) later, when adding the Azure account(s) to Workload Security.

Assign the Azure app a role and connector

  1. Under All Services > Subscriptions, click a subscription that you want to associate with the Azure app.
  2. You can associate another subscription with the Azure app later if you want to.

  3. Click Access Control (IAM).
  4. In the main pane, click Add and then select Add Role Assignment from the drop-down menu.
  5. Under Role, enter Reader and then click the Reader role that appears.
  6. Under Assign access to, select Azure AD user, user group, or service principal.
  7. Under Select, enter the Azure app Name (for example, Workload Security Azure Connector).

    The Azure app appears with the Name you chose for it in Step 3 of the Create the Azure app procedure.

  8. Click Save.
  9. If you want to associate the Azure app to another subscription, repeat this procedure (Assign the Azure app a role and connector) for that subscription.

You can now configure Workload Security to add Azure virtual machines by following the instructions in Add a Microsoft Azure account to Workload Security.