How to configure Attack Surface Analyzer for Azure in ADAudit Plus

In this article:

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective

This article explains how to configure the Attack Surface Analyzer in ADAudit Plus for monitoring and auditing Azure cloud infrastructure. By integrating ADAudit Plus with Azure, administrators can visualize and analyze the potential attack surface of their cloud environment, identify security gaps, and take preventive action.

Understanding the attack surface of your cloud environment helps:

  • Identify over-privileged accounts.

  • Detect unused assets.

  • Minimize exposure to threats.

  • Ensure security compliance across cloud environments.

Prerequisites

  • ADAudit Plus build 8000 or above is required to configure Attack Surface Analyzer for Azure.

  • Internet connectivity for ADAudit Plus is essential to establish a connection with Azure.

  • For Azure, a user with the Global Administrator or Privileged Role Administrator role (required only during configuration).

Steps to follow

Attack Surface Analyzer for Azure cloud

With the Attack Surface Analyzer, you can spot threats within your Azure cloud and enhance cloud security.

Listed below are the services tracked by the Attack Surface Analyzer for Azure:

  • Azure Compute

  • Azure Networking

  • Azure Storage

  • Azure Web

  • Azure Monitor

  • Azure Integration

  • Azure Database

  • Azure Security

  • Azure Container

  • Azure Recovery Service

There are two scenarios when configuring your Azure cloud for attack surface analysis:

  • Syncing an existing Entra ID tenant configured in ADAudit Plus

  • Configuring a new Azure cloud for attack surface analysis

Step 1: Sync an existing Microsoft Entra ID (formerly Azure AD) tenant

If you want to add a Microsoft Entra ID tenant that is already configured for auditing in ADAudit Plus to attack surface analysis, you need to assign additional permissions to the registered application.

Retrieve the registered application's name and client ID from ADAudit Plus

  • Log in to the ADAudit Plus web console.

  • Navigate to the Cloud Directory tab > Auditing > Configuration > Cloud Directory.

  • Click the Modify option for the cloud directory that you want to configure for Attack Surface Analysis.

  • From the Cloud Directory pop-up, copy the Client ID.

 

Retrieve the client secret and subscription ID from the Azure portal

  • Log in to the Azure portal.

  • In the search toolbar, paste the Client ID to find the associated registered application, and note down the application's name.

  • Select the application and go to Manage > Certificates & secrets > New client secret.

  • In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and click Add.

  • Copy the Value. This will be needed when configuring the Azure cloud in ADAudit Plus.

  • In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID. This will be needed when configuring the Azure cloud in Attack Surface Analyzer.

Step 2: Assign required permissions

  1. Log in to the Azure portal.

  2. Navigate to Subscriptions and select the subscription you want to configure in ADAudit Plus.

  3. From the left menu, navigate to Access control (IAM) > + Add > Add role assignment.

  4. In the Role tab, search for and select the Reader role and click Next.

  5. In the Members tab, click + Select Members, search for the name of the application that you noted in the previous section, click Select > Review + Assign.

  6. Repeat steps 3 to 5 for the Storage Account Contributor role.

  7. If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and, based on the permission model you have selected, follow the steps below:

    1. If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps 3 to 5.

    2. If you have selected Vault Access Policy, click Go to access policies > Create. Under Key permissions, Secret permissions, and Certificate permissions, select the List check box and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.

Note: If you have multiple subscriptions, repeat the steps for each of them.

Step 3: Add the existing Microsoft Entra ID (formerly Azure AD) tenant in Attack Surface Analyzer

You can add your Microsoft Entra ID tenant for attack surface analysis either automatically or manually.

Automatic configuration

Once the required permissions are assigned, your Microsoft Entra ID tenant is enabled for attack surface analysis automatically by a sync process that runs daily at 12 a.m.

Manual configuration

If you want to configure the Microsoft Entra ID tenant manually for attack surface analysis, proceed with the steps under Step 5: Add the existing Microsoft Entra ID tenant or the new Azure cloud in Attack Surface Analyzer.

Step 4: Configure a new Azure cloud in ADAudit Plus

Before configuring your Azure cloud for attack surface analysis, you need to create an application in the Azure portal and assign the appropriate roles.

Create an application in the Azure portal

  1. Log in to the Azure portal and navigate to Microsoft Entra ID.

  2. Go to Manage > App registrations > + New registration to open the Register an application window.

  3. Enter a suitable Name for the application (for example, ADAudit Plus Application), retain the default values for other options, and click Register.

  4. On the application's Overview page, copy the Application (client) ID. This will be needed when configuring the Azure cloud in ADAudit Plus.

  5. Go to Manage > Certificates & secrets > New client secret.

  6. In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and click Add.

  7. Copy the Value. This will be needed when configuring the Azure cloud in ADAudit Plus.

  8. In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID. This will be needed when configuring the Azure cloud in ADAudit Plus.

  9. From the left menu, go to Access control (IAM) > + Add > Add role assignment.

  10. In the Role tab, search for and select the Reader role, and click Next.

  11. In the Members tab, click + Select Members, search for the name of the application that you created in step 3, click Select > Review + Assign.

  12. Repeat steps 9 to 11 for the Storage Account Contributor role.

  13. If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and, based on the permission model you have selected, follow the steps below:

    1. If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps 9 to 11.

    2. If you have selected Vault Access Policy, click Go to access policies, and then click Create. Under Key permissions, Secret permissions, and Certificate permissions, select the List check box and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.

Note: If you have multiple subscriptions, repeat the steps for each of them.
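The role assignments from Step 2 and Step 4 are easy to get slightly wrong across several subscriptions, so here is an added PowerShell check (written for this article, not ADAudit Plus or Microsoft tooling) that confirms the registered application holds exactly the documented roles, that each Key Vault grants what the article asks for under either permission model, and that the client secret is not close to expiry. It assumes the Az module and an existing Connect-AzAccount session; $AppId, $SubscriptionId and $VaultNames are placeholders you supply.

```powershell
# Added check (not ADAudit Plus tooling): verifies the registered application
# holds the roles the article requires and nothing broader. Assumes the Az
# module and an existing Connect-AzAccount session; all inputs are placeholders.
param(
    [Parameter(Mandatory)] [string]$AppId,           # Application (client) ID
    [Parameter(Mandatory)] [string]$SubscriptionId,  # Subscription ID from the portal
    [string[]]$VaultNames = @()                      # Key Vaults ADAudit Plus should check
)
Set-AzContext -Subscription $SubscriptionId | Out-Null
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for application $AppId" }

# Subscription-scope roles the article assigns in Step 2 / Step 4.
$required = @('Reader', 'Storage Account Contributor')
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id |
            Select-Object -ExpandProperty RoleDefinitionName -Unique
foreach ($role in $required) {
    if ($assigned -contains $role) { Write-Output "OK      $role" }
    else { Write-Warning "MISSING $role - add it under Access control (IAM)" }
}
# Least privilege: anything beyond the documented roles is flagged for review.
$allowed = $required + 'Key Vault Contributor'
foreach ($extra in ($assigned | Where-Object { $_ -notin $allowed })) {
    Write-Warning "EXTRA   $extra - not needed by Attack Surface Analyzer"
}

# Key Vault checks follow the two permission models the article describes.
foreach ($name in $VaultNames) {
    $kv = Get-AzKeyVault -VaultName $name
    if ($kv.EnableRbacAuthorization) {
        $hit = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $kv.ResourceId |
               Where-Object RoleDefinitionName -eq 'Key Vault Contributor'
        if ($hit) { Write-Output "OK      $name (RBAC: Key Vault Contributor)" }
        else { Write-Warning "MISSING $name - Key Vault Contributor not assigned" }
    } else {
        $policy = $kv.AccessPolicies | Where-Object ObjectId -eq $sp.Id
        $hasList = $policy -and ($policy.PermissionsToKeys -contains 'list') -and
                   ($policy.PermissionsToSecrets -contains 'list') -and
                   ($policy.PermissionsToCertificates -contains 'list')
        if ($hasList) { Write-Output "OK      $name (access policy: List)" }
        else { Write-Warning "MISSING $name - List permission on keys, secrets and certificates" }
    }
}

# Client secret lifetime: the article picks 24 months; warn before it lapses.
foreach ($cred in Get-AzADAppCredential -ApplicationId $AppId) {
    $days = ($cred.EndDateTime - (Get-Date)).Days
    if ($days -lt 30) { Write-Warning "Credential $($cred.KeyId) expires in $days days; rotate it and update ADAudit Plus" }
}
```

Run it once per subscription you configured, since role assignments and the Key Vault list differ per subscription.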

Step 5: Add the existing Microsoft Entra ID tenant or the new Azure cloud in Attack Surface Analyzer

  • Log in to the ADAudit Plus web console.

  • Navigate to the Cloud Directory tab > Attack Surface Analyzer > Configuration > Cloud Directory.

  • Click + Add Cloud Directory located in the top-right corner.

  • From the Add Cloud Directory pop-up, select Azure Cloud.

  • Enter the Display Name, Tenant Name, Client ID, Client Secret, Subscription ID, and Cloud Type.

  • Enable the Audit Log check box if you want to fetch the audit logs and monitor all the operations performed in the Azure cloud, and then click Next.

  • Review your settings and click Finish.

Validation and confirmation

After configuring the Azure cloud:

  • Navigate to Cloud Security Analyzer > Attack Surface Analyzer.

  • Select the configured cloud platform.

  • Validate that ADAudit Plus retrieves and displays:

    • Identities and permissions.

    • Unused resources.

    • High-privilege roles.

    • Potential security risks.

Make a minor test change in your cloud environment and confirm that the change is reflected in the Attack Surface Analyzer reports.

Tips

  • Regularly review the attack surface for anomalies.

  • Set up alerts in ADAudit Plus for privilege escalations or suspicious activities.

  • Review unused resources and delete or remediate them.

  • Conduct periodic audits for over-privileged identities.

Related topics and articles
