10/2022 - rev 5
Oort’s platform analyzes authentication events in Azure AD to give insights into how users are accessing your applications. To provide those insights, you first have to set up an integration between Azure AD and Oort. This document walks you through setting up API access in Azure AD and the complementary setup in the Oort console.
The goal of this document is to serve as a guide to set up an Azure AD integration in Oort so that the Oort Cloud service can ingest authentication events and user directory information.
This document is meant for the CISO to share with their teams to set up the integration with Azure AD that Oort will use to provide analysis on user identities.
Once the integration is complete and the Oort platform has completed the analysis of the data, Oort will set up a review with you and your team to share insights discovered through the integration.
Azure Active Directory has several activity log types, each containing a different set of information. Oort ingests two of them: the Sign-ins and the Directory. Sign-in logs are available through the Azure Active Directory portal.
- Sign-ins - Information about sign-ins and how your resources are used by your users.
- Directory - User and Group information from your Azure Directory.
Sign-in logs are available via Microsoft Graph API for 30 days inside Azure AD with a Premium subscription (P1 or P2).
Note - sign-in logs are NOT available via the Graph API with Azure AD subscriptions other than P1 or P2, e.g. Azure AD Free.
Based on this 30 day retention, Oort will start ingestion with the last 30 days of logs. On subsequent log collections, Oort will ingest only the latest logs.
To add the necessary configuration in Azure AD, you need to be one of the following:
- Azure AD - Global Administrator or Service Administrator role
- Azure Subscription - Owner role (see https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin)
The main thing that you will need to configure in Azure AD:
- Add an App inside your Azure AD tenant that defines the keys and permissions needed by Oort
There are 3 steps you need to go through to set up API access in Azure AD and then connect it to Oort:
- Enable Azure AD resource provider
- Setup App and API secret in Azure AD
- Add Azure API to Oort Dashboard
Note - If you already have an active Azure subscription and resource provider configured in your tenant, SKIP THIS SECTION and proceed to the next section.
Enable the Azure AD resource provider under your subscription.
- Go to Home...Subscriptions...
- Search for Microsoft.AzureActiveDirectory and select it.
- If the Status says NotRegistered, click on the Register button to register the Microsoft Azure AD resource provider.
- If the Status says Registered, you can move on to the next step.
Next, we will create the app in your Azure AD tenant, assign the correct permissions, and add an API secret.
Add an app in your Azure AD tenant:
- Go to Azure Active Directory...App registrations
- Click on New registration
- Fill in the details for the new app
  - Make sure to select “Accounts in any organizational directory (Any Azure AD directory – Multitenant)”
- Click on Register
- Save the following information, as it will be entered into the Oort dashboard:
  - Application ID
  - Directory (tenant) ID
- Go to API Permissions under your newly created Oort Integration app
- Click on Add a permission
- Click on Microsoft Graph
- Click on Application Permissions
NOTE - All permissions added below must be of type Application.
- Search for “AuditLog.Read.All”
- Check the box next to AuditLog.Read.All
- Repeat the search-and-check steps above for each of the following permissions (see the notes for details):
  - AuditLog.Read.All
  - Directory.Read.All
  - Group.Read.All
  - GroupMember.Read.All
  - Reports.Read.All
  - User.Read.All
  - Policy.Read.All
- Intune Device Management (if in use):
  - DeviceManagementApps.Read.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementManagedDevices.Read.All
- IdentityRiskyUser.Read.All (requires an Azure AD P2 license)
- Once added to the list, click Add Permissions
- Click on Grant admin consent
- Click on Yes
When finished, the API Permissions list should show every permission above as type Application with admin consent granted.
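A practical way to confirm that the permissions above were actually granted (and that admin consent took effect) is to request an app-only token for the new app and inspect its `roles` claim, which lists the application permissions Azure AD consented to. The following added example is not Oort's code or Microsoft's; it decodes a token you already obtained, compares the claim with the guide's permission list, and also flags any extra permission the app does not need. The `make_unsigned_token` helper only fabricates a constructed, unsigned token so the check can run offline; no signature validation is performed, so use this strictly on tokens your own tenant issued.

```python
import base64
import json

# Application permissions from the list above; the Intune and Identity
# Protection ones are optional, so they are tracked separately.
REQUIRED_ROLES = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All",
}
OPTIONAL_ROLES = {
    "DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All", "IdentityRiskyUser.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Return the 'roles' claim of an app-only access token.

    This only inspects a token Azure AD already issued to your app; it does
    not verify the signature, so it must not be used to trust foreign tokens.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS token with three segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def check_permissions(access_token: str) -> dict:
    """Compare the granted roles with the guide's list.

    An empty roles set on a successfully issued token usually means that
    'Grant admin consent' was not clicked. 'unexpected' lists anything beyond
    the guide's set, which is worth removing to keep the app least-privilege.
    """
    roles = token_roles(access_token)
    return {
        "ok": REQUIRED_ROLES <= roles,
        "missing": sorted(REQUIRED_ROLES - roles),
        "unexpected": sorted(roles - REQUIRED_ROLES - OPTIONAL_ROLES),
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token (alg 'none', empty signature) for offline testing."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed token that is missing one required permission.
    sample = make_unsigned_token({
        "aud": "https://graph.microsoft.com",
        "roles": sorted(REQUIRED_ROLES - {"Policy.Read.All"}),
    })
    print(check_permissions(sample))
```

Run it against the `access_token` returned by the token endpoint for your Oort Integration app; `missing` should be empty before you move on to the client secret and the Oort dashboard.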
- Go to Certificates & Secrets under your Oort Integration app
- Click on New client secret
- Fill in the description, such as "Oort Integration", and the desired Expiration timeframe for the secret. Click Add.
- Save the Secret Value, as this will be used later in the Oort dashboard
  - Click the copy icon to copy and save it somewhere
  - Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete it and create a new one.
Next, we will add the integration in the Oort dashboard.
- Log in to the Oort Dashboard
- Click on Add Integration
- Click on Add Integration under Azure AD
- Fill in the details for the Azure AD Integration. Enter the values saved earlier in the Azure AD setup:
  - Directory ID
  - Application ID
  - Secret Value (the client secret)
- You will now have a new integration listed on the Integrations page.
- For more details, click on the integration name.
- You can also click on Test Connectivity to test the API connectivity with Azure.
- If you see “Connected!”, everything is working.
- IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.
- Congratulations, you have successfully set up the Azure AD Integration!
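To make concrete what Test Connectivity and Collect Now do with the three values you entered, here is an added example (not Oort's code and not the project's own implementation) of the same flow written against the Microsoft Graph API: an OAuth 2.0 client-credentials token request built from the Directory ID, Application ID and secret, a sign-in query that starts with the 30-day window the guide describes, and a pager that follows `@odata.nextLink`. The tenant and app IDs are placeholders, and `FAKE_PAGES` / `fake_get` are a constructed two-page response so the pager runs offline; swap `fake_get` for `graph_get` with a real token to collect from your tenant.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """URL and form body of the OAuth 2.0 client-credentials grant.

    The three inputs are exactly the values the guide has you save:
    Directory (tenant) ID, Application ID and the client secret value.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        # '.default' asks for every application permission admin consent granted.
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return url, body


def first_run_since(now: datetime, retention_days: int = 30) -> str:
    """Start of the first collection window: Graph keeps sign-ins for 30 days."""
    return (now - timedelta(days=retention_days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def signins_url(since_iso: str) -> str:
    """Sign-in query from a timestamp; later runs pass the newest createdDateTime seen."""
    expr = quote(f"createdDateTime ge {since_iso}")
    return f"{GRAPH}/auditLogs/signIns?$filter={expr}"


def collect_signins(get_json: Callable[[str], dict], first_url: str) -> list:
    """Follow @odata.nextLink until the last page and return all sign-in events."""
    events, url = [], first_url
    while url:
        page = get_json(url)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events


def graph_get(url: str, access_token: str) -> dict:
    """Real transport: bearer-authenticated GET returning the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def newest_timestamp(events: list) -> str:
    """Checkpoint for the next incremental run ('only the latest logs')."""
    return max(e["createdDateTime"] for e in events)


# --- Constructed offline fixture: two pages of fake sign-in events ---------
EXAMPLE_NOW = datetime(2022, 10, 31, tzinfo=timezone.utc)
FIRST_URL = signins_url(first_run_since(EXAMPLE_NOW))
NEXT_URL = f"{GRAPH}/auditLogs/signIns?$skiptoken=constructed-skiptoken"
FAKE_PAGES = {
    FIRST_URL: {
        "value": [
            {"id": "s1", "createdDateTime": "2022-10-30T08:00:00Z",
             "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365",
             "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
            {"id": "s2", "createdDateTime": "2022-10-30T09:15:00Z",
             "userPrincipalName": "bob@example.com", "appDisplayName": "Azure Portal",
             "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"id": "s3", "createdDateTime": "2022-10-31T01:00:00Z",
             "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365",
             "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
        ],
    },
}


def fake_get(url: str) -> dict:
    """Offline stand-in for graph_get that serves the constructed pages."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    url, body = token_request("TENANT-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print("POST", url, "with form fields", sorted(body))
    events = collect_signins(fake_get, FIRST_URL)
    print(len(events), "sign-ins collected; next run starts at", newest_timestamp(events))
```

The token request is the exact operation Test Connectivity exercises, and a failure there almost always traces back to one of the three saved values or to a secret that expired; the pager is what the first Collect Now has to do over the full 30-day window, after which only events newer than the stored checkpoint are requested.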