Azure Active Directory Integration

10/2022 - rev 5

Overview

Oort’s platform analyzes authentication events in Azure AD to give insight into how users are accessing your applications. To provide these insights, you have to set up an integration between Azure AD and Oort. This document walks you through setting up API access inside Azure AD and through the complementary setup inside the Oort console.

Goal

The goal of this document is to serve as a guide to set up an Azure AD integration in Oort so that the Oort Cloud service can ingest authentication events and user directory information.   

Audience

This document is meant for the CISO to share with their teams to set up the integration with Azure AD that Oort will use to provide analysis on user identities.

Next Steps

Once the integration is complete and the Oort platform has completed the analysis of the data, Oort will set up a review with you and your team to share insights discovered through the integration.

Azure AD Integration

Azure Active Directory has different activity log types which each contain different sets of information. Oort will ingest the Sign-ins as well as the Directory.  Sign-in logs are available through the Azure Active Directory portal.

  • Sign-ins – Information about sign-ins and how your resources are used by your users.
  • Directory – User and Group information from your Azure Directory.

Azure AD Sign-in Log Availability

Sign-in logs are available via Microsoft Graph API for 30 days inside Azure AD with a Premium subscription (P1 or P2).

Note - sign-in logs are NOT available via the Graph API with non-P1 or P2 Azure AD subscriptions, e.g. Azure AD Free.

Based on this 30-day retention, Oort will start ingestion with the last 30 days of logs. On subsequent log collections, Oort will ingest only the latest logs.

Permission requirements for setting up Azure AD integration

To add the necessary configuration in Azure AD, you need to be one of the following:

The main thing that you will need to configure in Azure AD:

  • Add an App inside your Azure AD tenant that defines the keys and permissions needed by Oort

Setup Steps

There are 3 steps you need to go through to set up your Azure AD API access and then connect it to Oort.

  1. Enable Azure AD resource provider
  2. Setup App and API secret in Azure AD
  3. Add Azure API to Oort Dashboard

Enable Azure AD resource provider

Note - If you already have an active Azure subscription and resource provider configured in your tenant, SKIP THIS SECTION and proceed to the next section.

Enable the Azure AD resource provider under your license.

  1. Go to Home > Subscriptions > Resource Providers
    • Search for Microsoft.AzureActiveDirectory and select it.
  2. If the Status says NotRegistered, click on the Register button to register the Microsoft Azure AD resource provider.
  3. If the Status says Registered, you can move on to the next step.

Setup App and API secret in Azure AD

Next, we will create the app in your Azure AD tenant, assign the correct permissions, and add an API secret.

Add an app in your Azure AD tenant

  1. Go to Azure Active Directory > App registrations
  2. Click on New registration
  3. Fill in the details for the new app
    • Make sure to select “Accounts in any organizational directory (Any Azure AD directory – Multitenant)”
  4. Click on Register
  5. Save the following information as it will get entered into the Oort dashboard.
    • Application ID
    • Directory (tenant) ID

Add API Permissions

  1. Go to API Permissions under your newly created Oort Integration app
  2. Click on Add a permission
  3. Click on Microsoft Graph
  4. Click on Application Permissions
    NOTE - Permissions to be added below must all be of type Application
  5. Search for “AuditLog.Read.All”
  6. Check the box next to AuditLog.Read.All
  7. Please repeat steps 5 and 6 for all of the following permissions. See notes for details.

    AuditLog.Read.All
    Directory.Read.All
    Group.Read.All
    GroupMember.Read.All
    Reports.Read.All
    User.Read.All
    Policy.Read.All

    Intune Device Management (if in use):
    DeviceManagementApps.Read.All
    DeviceManagementConfiguration.Read.All
    DeviceManagementManagedDevices.Read.All

    IdentityRiskEvent.Read.All
    IdentityRiskyUser.Read.All* (requires Azure AD P2 license)

  8. Once added to the list, click Add Permissions, then click on Grant admin consent
  9. Click on Yes
  10. When finished, review the API Permissions list and confirm that every permission above is present with admin consent granted.
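As an added example (not part of this guide and not Oort's code), the following Python snippet checks which application permissions were actually granted to the app registration by reading the roles claim of a client-credentials access token, and builds the initial 30-day sign-in query described earlier. It assumes the first permission group above is required and the Intune and Identity Protection permissions are optional; the sample token is constructed and unsigned.

```python
"""Check an Azure AD app registration's granted permissions and build the sign-in query.

Added example, not Oort's code. A client-credentials access token carries the
granted application permissions in its "roles" claim, so the token can be inspected
to confirm the app holds the permissions this guide lists and nothing more.
"""
from __future__ import annotations
import base64
import json
from datetime import datetime, timedelta, timezone

# Assumption: the first permission group in the guide is required; the Intune and
# Identity Protection permissions are optional depending on licensing and use.
REQUIRED = {"AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
            "GroupMember.Read.All", "Reports.Read.All", "User.Read.All", "Policy.Read.All"}
OPTIONAL = {"DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
            "DeviceManagementManagedDevices.Read.All",
            "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"}

def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_roles(jwt: str) -> set[str]:
    """Return the roles claim of a JWT. The signature is NOT verified: this inspects
    a token you just received from the token endpoint, it does not authenticate it."""
    payload = json.loads(_b64url(jwt.split(".")[1]))
    return set(payload.get("roles", []))

def check_roles(roles: set[str]) -> dict[str, list[str]]:
    """Missing required roles break ingestion; anything outside REQUIRED | OPTIONAL
    means the app was granted more than it needs (for example through a typo)."""
    return {"missing": sorted(REQUIRED - roles), "extra": sorted(roles - REQUIRED - OPTIONAL)}

def signins_url(last_collection_iso: str | None, now_iso: str) -> str:
    """First collection asks for the 30 days Azure AD retains (P1/P2); later runs
    ask only for sign-ins after the previous collection. Times are ISO 8601 with offset."""
    now = datetime.fromisoformat(now_iso)
    since = datetime.fromisoformat(last_collection_iso) if last_collection_iso else now - timedelta(days=30)
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge {stamp}"

def _segment(obj: dict) -> str:
    """Base64url-encode one JWT segment without padding."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (header.payload.empty signature) with one extra role.
_PAYLOAD = {"roles": sorted(REQUIRED | {"Mail.Read"})}
SAMPLE_TOKEN = _segment({"alg": "none"}) + "." + _segment(_PAYLOAD) + "."

if __name__ == "__main__":
    print(check_roles(token_roles(SAMPLE_TOKEN)))  # {'missing': [], 'extra': ['Mail.Read']}
    print(signins_url(None, "2022-10-31T00:00:00+00:00"))
```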

Create API secret

  1. Go to Certificates & Secrets under your Oort Integration app
  2. Click on New client secret
  3. Fill in the description, such as "Oort Integration", and the desired Expiration timeframe for the secret. Click Add.
  4. Save the Secret Value as this will be used later in the Oort dashboard
    • Click the copy icon to copy and save it somewhere
    • Important: Once you leave this page you WILL NOT be able to get the key again. If lost, you will have to delete and create a new one.

Add Azure AD Integration to Oort Dashboard

Next, we will add the integration in the Oort dashboard. 

  1. Log in to the Oort Dashboard
  2. Click on Add Integration
  3. Click on Add Integration under Azure AD
  4. Fill in the details for the Azure AD Integration. Enter the values saved earlier in the Azure AD setup:
    • Directory ID
    • Application ID
    • Secret
  5. You will now have a new integration listed on the Integrations page.
  6. Click on the integration name for more details.
  7. You can also click on Test Connectivity to test the API connectivity with Azure.
  8. If you see “Connected!” everything is working.
  9. IMPORTANT - Now click the Azure integration bar again and click Collect Now to begin the first data collection.
  10. Congratulations, you have successfully set up the Azure AD Integration!