HomeLiongardRequest a DemoKnowledge Base

Azure Active Directory: Using Existing Azure Application

This document provides the steps required to configure the Azure Active Directory, using the Azure Active Directory application you configured for the Office 365 Inspector in Liongard.

Suggest Edits

Azure Active Directory (delegated access): Using Existing Azure Application

Inspector Setup Preparation

Step 1: Update your Azure Active Directory application

  • Log in to your Azure account (i.e.: portal.azure.com)
  • On the lefthand navigation menu or under the Azure services section of the dashboard, select Azure Active Directory
192
  • In the slide out panel, select App registrations
238
  • Select the existing application you would like to use, We would recommend using the application created from the Office 365 Inspector setup
1914

*Select API Permissions on the left hand side

1914

To add missing permissions select Add a Permission
Choose Microsoft Graph, then select Application Permission

1914

❗️

Application Permissions vs. Delegated Permissions

It is important that you select all the permissions below from the "Application Permissions" section and not the "Delegated Permissions" section. Choosing permissions from the "Delegated" section may prevent the Inspector from working correctly.

1914

*Make sure the below permissions are added to the application

📘

API Permissions

These Permissions will ensure that the application can be used for both Office 365 and Azure AD Inspectors.

  • Select the following permissions:
    • AccessReview.Read.All
    • AuditLog.Read.All
    • Contacts.Read
    • Devices.Read.all
    • DeviceManagementApps.Read.All
    • DeviceManagementConfiguration.Read.All
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementRBAC.Read.All
    • DeviceManagementServiceConfiguration.Read.All
    • Directory.Read.All
    • EduAdministration.Read.All
    • Group.Read.All
    • IdentityProvider.Read.All
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • InformationProtectionPolicy.Read.All
    • MailboxSettings.Read
    • Member.Read.Hidden
    • PrivilegedAccess.Read.AzureAD
    • PrivilegedAccess.Read.AzureADGroup
    • ProgramControl.Read.All
    • Policy.Read.All
    • Reports.Read.All
    • RoleManagement.Read.Directory
    • SecurityEvents.Read.All
    • Sites.Read.All
    • User.Read.All
  • Click on the Add permissions button at the bottom of the screen.

Next under the Grant consent section click on the Grant admin consent for ____ button.

1144
  • Click Accept when prompted about accepting permissions for your organization
425
  • Next under the Grant consent section click on the Grant admin consent for ____ button.
  • If Grant Consent worked you should see the following checkboxes turn green
1857

*Next go to your Certificates & Secrets

328

❗️

Client Secrets

You must generate a different secret key for each Inspector for which you want to use this application.

You cannot use the same secret key for both Office 365 and Azure AD Inspectors

  • Under Client secrets select the New client secret button
    • In the top panel that appears, fill in the Description and set the value for Expires to Never
1130
  • Click the Add button

A row will appear in the Secrets table. Make sure to copy the Secret.It will not be available once you navigate away from this page.

🚧

Secret Storage

This Secret value is sensitive and can facilitate access into your customers' Office 365 and Azure Active Directory instances.

If you choose to store this value after completing these steps, store it as securely as you would a highly credentialed password.

  • In the slide-out panel that appears, select Overview
328
  • Copy down your Application (client) ID and your Directory (tenant) ID.

📘

Setting Up Liongard Inspectors

You will need the Application ID and Secret plus the Tenant ID in order to set up your Liongard Inspectors now and any in the future. We recommend securely documenting those values.

Step 2: Pre-Consent all of your delegated tenants to the Azure Active Directory Application

To pre-consent the Application permissions for all of your customers with the permissions configured above, please use the scripts below.

These scripts can be run from either a local Windows Server with Azure AD Connect installed through a PowerShell command window or Azure Cloud Shell through PowerShell

Running these scripts will automatically allow consent for all future customers without needing to rerun these commands.

Windows Server with Azure AD Connect

When running the script on a Windows server with AD Connect, the PowerShell terminal running the script will need to be run as an administrator for the installation of any missing modules.

# Run this full script as-is in Powershell. It will prompt for input as-needed.

#checks to see if AzureAD Module is installed, if not installed will proceed to install with prompt for consent to install module (select [A])
$moduleCheck = Get-Module -ListAvailable | Where { $_.Name -eq 'AzureAD' }
Try {
   If (!$moduleCheck) {
       Write-Warning "The AzureAD module is not installed, prompting to install..."
       $resp = Read-Host "If you would like to install AzureAD module, please type 'install'"
       if (($resp -ne "install") -And ($resp -ne "'install'")) {
        Write-Host "Input other than 'install' confirmation. Exiting.."
        return
       }

       Install-Module AzureAD -Confirm:$False
   } Else {
       Write-Output "Verified AzureAD Module is installed"
   }
} Catch {
   Write-Warning "There was an issue installing the AzureAD module, please retry, and/or reach out to Liongard if you need further assistance!"
}

#asks for Application ID from Azure

$appId = Read-Host "Please paste your Liongard Application ID"

#Makes connection to Azure AD Module
Connect-AzureAd
#Looks for AD Group "Adminagents"
$group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
#Finds the Service Principal for Liongard application by the Application ID inputed above
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
#Adds the Liongard Application Service Principal into the Adminagents group
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId
1250
  1. Enter in "Install" in the prompt to initiate the installation of Azure AD module. This will only appear if the module is not installed.
  2. Type "A" to accept the installation prompt for the module.
  3. Enter in your Liongard Application ID that you created for your Liongard API and hit Enter.
1041
  1. Next, you'll be prompted for your Microsoft login. Proceed through the pop-up and enter in your CSP admin credentials.
  2. Once the script completes, you should see your information displayed with no errors, and the script will take you back to your cursor prompt

Azure Cloud Shell through PowerShell

Since Azure Cloud Shell has the Azure AD module included, there is no need to prompt an install for the module. For this reason, the method uses a shorter script from the one listed above. 

#Asks for Application ID from Azure
$appId = Read-Host "Please paste your Liongard Application ID"

#Makes connection to Azure AD Module
Connect-AzureAd
#Looks for AD Group "Adminagents"
$group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
#Finds the Service Principal for Liongard application by the Application ID inputed above
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
#Adds the Liongard Application Service Principal into the Adminagents group
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId
1761
  1. Copy and paste the script into the Prompt
  2. Enter in your Liongard Application ID
  3. Navigate to the returned link and enter the provided code. Click Next.
1918 1918
  1. Select or login with your delegated access admin account
  2. Return to your Cloud Shell after authentication. Hit Enter one last time to process the last command
  3. Once the script completes, you should see your information displayed with no errors, and the script will take you back to your cursor prompt

📘

Clarification for Pre-Consent Script

This script will add the Service Principal associated with the application you created to the Admin Agents group in Azure Active Directory. This will grant the set of API permissions you configured for your application to all customer tenants tied to your CSP partner tenant.

For more information, see Microsoft's article on this subject

Liongard Inspector Setup

Step 1: Parent Inspector Setup

Since Azure Active Directory is a multi-tenant system where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector with the Azure Application ID that will then auto-discover "Child" Inspectors for each Environment.

In Liongard, navigate to Admin > Inspectors > Navigate to the Azure Active Directory Inspector > Add System.

Fill in the following information:

  • Type of Inspector: Parent
  • Environment: Select your MSP's Environment
  • Friendly Name: Suggested Naming: [MSP Name] Azure AD Parent
  • Agent: Select CLOUD-LINUX
  • Azure Application (Client) ID: Paste in your Azure Application ID copied in Step 1
  • Azure Application (Client) Secret: Paste in your Azure Application Secret copied in Step 1
  • Azure Directory (Tenant) ID: Paste in your Azure Tenant ID copied in Step 1
  • Enable Microsoft Intune Data: Leave the toggle enabled. If your Inspector fails and the log indicates the failure is due to issues with the Intune data, turn off the toggle and rerun the Inspector.
  • Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
  • Inspector Version: Latest

Select Save. The Inspector will now be triggered to run within the minute.

Step 2: Child Inspector Setup

After the first run of the Parent Inspector, your clients' Azure AD organizations will be Auto-Discovered in the Discovered Systems tab on the Inspectors > Azure Active Directory page.

Navigate to the Discovered Systems tab in your Inspectors > Azure Active Directory page

  • Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop down menu > Activate Launchpoints

Optional: Turn on Flexible Asset/Configuration Auto-Updating

If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:

  • ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
  • IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled

Troubleshooting

Please check the following if you are receiving an error message:

  • Ensure that the Permissions you've added (e.g. 'user.read.all') line up with the permissions listed above.
  • Ensure that each of the API Permissions you've added to your Azure AD application have been added as Application Permissions and NOT Delegated Permissions

Once you've done so, ensure that admin consent has been granted on behalf of the users in your Azure AD directory using the button at the bottom of the API Permissions page:

1144

Finally, make sure that Supported account types is set to Accounts in any organizational directory under the authentication settings for the application you've created.

If you're still running into issues after running through those steps, please reach out to Liongard Support.

Updated 5 months ago