Note: If you connected Azure to Vanta prior to October 1, 2021, you must reconnect Azure to Vanta to avoid service interruptions due to Azure migrating applications from Azure Active Directory Graph to Microsoft Graph. You can find more information about the migration in this article from Microsoft. |
Prerequisites
Organization Administrator or Global Administrator access in Azure
Administrator Access in Vanta
Connect Azure in Vanta
From the left-hand navigation panel in Vanta, select Integrations.
Select the Available tab and search for Azure.
Click View Details.
In the right panel that slides out, select Connect.
Choose your connection type
Select the connection type:
Subscription - Choose this option if you have one or a few subscriptions. Each subscription must be linked individually.
Tenant - Choose this option if you manage multiple subscriptions under a single tenant.
Select Azure Portal, then click Next
Select Products
Microsoft Azure is enabled by default and cannot be disabled.
If you use Microsoft Azure Kubernetes Monitoring and/or Microsoft Defender for Cloud for vulnerability scanning, enable these options to populate the Vulnerabilities page in Vanta. Hover over the tooltip for more information.
If you use the CIS Azure Foundations Benchmark, enable this option to allow Vanta to evaluate your Azure environment against CIS benchmark controls and populate related compliance checks.
Click Next.
Select your Azure subscription
Note: These steps assume you have at least one Azure subscription. If you do not see any subscriptions, verify that your account has access to a subscription in Azure.
Click the Subscriptions hyperlink on this page, or navigate directly to Subscriptions in the Azure portal.
Copy the subscription ID.
Paste the Subscription ID into the corresponding field in Vanta.
Select your Azure environment type:
Global - For standard commercial Azure environments.
US Government - For Azure Government environments.
Register the Vanta application
In the Azure Portal, navigate to App Registrations.
Click + New registration.
Enter vanta-scanner as the application name and keep all default settings.
Click Register.
Copy the Application (client) ID and the Directory (tenant) ID to paste into Vanta.
Paste the values into their respective fields on the Register the Vanta Application page in Vanta.
Create a client secret
In the Azure portal, open the newly created app registration.
Navigate to Certificates & secrets.
Under Client secrets, click + New client secret.
Click Add.
Copy the Client Secret Value immediately.
Important:The Client Secret Value is only visible at the time it is created. Once you leave the Certificates & secrets page, you will not be able to retrieve it again. Be sure to copy and store it securely before proceeding.
Paste the Client Secret Value on the Create a Client Secret page in Vanta and click Next.
Configure app access
In the Azure Portal, open the same app registration and navigate to API permissions.
Click + Add a permission.
Select Microsoft Graph.
Choose application permissions.
Search for and select Directory.Read.All.
Click Add permissions.
Click Grant admin consent for Your Organization.
Confirm by selecting Yes.
Return to Vanta and click Next.
Assign the reader role
In the Azure Portal, navigate to your Subscription.
Select Access control (IAM).
Click + Add, then select Add role assignment.
Under Role, select Reader, then Click Next.
Click + Select members.
Search for the vanta-scanner application you created earlier and select it.
Click Select.
Review the configuration and click Review + assign.
Return to Vanta and click Next.
Check connection
If the setup was completed successfully, Vanta will display a confirmation screen indicating that the connection was established.