Microsoft Azure Integration Guide
This guide will walk you through the process of integrating Microsoft Azure with the OneClickComply platform.
In order to integrate the OneClickComply platform with your Microsoft Azure environment, we require the creation and use of an Azure application with Reader access permissions, which can be created either manually, or through CLI commands.
This support article has been created to guide you through the process of creating an Azure application, assigning the correct permissions, and integrating your Azure environment with the OneClickComply platform.
Note: Please ensure you follow the instructions provided in this guide carefully, as incorrectly configuring your Azure environment will result in an unsuccessful integration.
Manually setting up Azure App Registration
Go to the Microsoft Entra Portal and sign in.
Click on New Registration. This will bring you to a page similar to the following:

Enter a name for the new application. We recommend keeping it simple and easy to identify - for example, "OneClickComply Azure Integration".
Ensure that the Supported account type selected is "Accounts in this organisational directory only (Single tenant)". Any other option will prevent the integration from completing successfully.
Click Register.
You will be redirected to the app registration page for your newly created application. Click on API permissions.

Click on Add a permission, and then select Microsoft Graph, as indicated below:

Select Application Permissions and add the following permissions:
Directory.Read.All
Policy.Read.All
UserAuthenticationMethod.Read.All
AuditLog.Read.All
Click the Add Permissions button.
Click Grant admin consent for [organisation name].
Now navigate to Subscriptions in the Microsoft Azure portal.
Select the subscription that you wish to integrate with the OneClickComply platform.
Click Access Control (IAM) from the left-hand menu.

Click Add, then select the Add role assignment option.

Click on the Reader role type, as shown below:

Click Next and then press Select members.

In this new menu, type in the name of the app that you registered. Our example is called "OneClickComply Azure Integration."

Click on your app registration, then click Select at the bottom of the menu.
Click Review + Assign. This will allow you to check that you have selected the correct role and application.
Click Review + Assign again to confirm the role assignment.
Go to App registrations in the Microsoft Entra admin center and click on your app registration.
Click on the Certificates & Secrets option from the left-hand menu, as shown below:

Select the New client secret option:

(Optional) Enter a description for the secret so that it can be identified easily by administrators.
Choose an expiry time for the secret, then click Add.
You will now be presented with your client secret. Please make sure that you copy the contents of the "Value" field and store it securely, as it is required for the integration process. (If you refer to the example below, please copy the string that would appear in place of the black bar.)

Using CLI commands to create the Azure application
If you would prefer a less manual method, we have provided several CLI commands that you can paste directly into your Microsoft Azure terminal to create the app registration, grant Graph permissions, assign the reader role to the subscription, and create a client secret.
Note: We strongly recommend keeping the default names that we have provided for these CLI commands (e.g. APP_NAME). Editing these to match your own internal naming conventions may make potential troubleshooting and support more difficult later on.
Replace the following values in the commands below and run them once.
Replace <your-subscription-id> with the ID of the Azure subscription you want to connect. (Optionally, change the SECRET_YEARS= value if you would like a different expiry length.)
# Azure subscription to connect
SUBSCRIPTION_ID="<your-subscription-id>"
# Name for the app registration / service principal
APP_NAME="OneClickComply Azure Integration"
# Secret expiry in years (1, 2, etc.)
SECRET_YEARS=2
Create app registration and service principal
# Register a single-tenant app (AzureADMyOrg) and create its service principal
APP_REG=$(az ad app create \
  --display-name "$APP_NAME" \
  --sign-in-audience "AzureADMyOrg")
APP_ID=$(echo "$APP_REG" | jq -r '.appId')
SP=$(az ad sp create --id "$APP_ID")
# Object ID of the service principal; used for the role assignment below
SP_ID=$(echo "$SP" | jq -r '.id')
Add Microsoft Graph permissions
# Add Microsoft Graph application permissions (app roles)
# 00000003-0000-0000-c000-000000000000 = Microsoft Graph
# 7ab1d382-f21e-4acd-a863-ba3e13f7da61 = Directory.Read.All
# 246dd0d5-5bd0-4def-940b-0421030a5b68 = Policy.Read.All
# 38d9df27-64da-44fd-b7c5-a6fbac20248f = UserAuthenticationMethod.Read.All
# b0afded3-3588-46d8-8b3d-9842eff778da = AuditLog.Read.All
az ad app permission add \
  --id "$APP_ID" \
  --api "00000003-0000-0000-c000-000000000000" \
  --api-permissions \
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role" \
    "246dd0d5-5bd0-4def-940b-0421030a5b68=Role" \
    "38d9df27-64da-44fd-b7c5-a6fbac20248f=Role" \
    "b0afded3-3588-46d8-8b3d-9842eff778da=Role"
az ad app permission grant \
  --id "$APP_ID" \
  --api "00000003-0000-0000-c000-000000000000"
# Tenant-wide admin consent for the application permissions
az ad app permission admin-consent --id "$APP_ID"
This applies the Graph application permissions listed above and performs the equivalent of granting admin consent.
Assign 'Reader' on the subscription
# Reader (read-only) on the target subscription only
az role assignment create \
  --assignee-object-id "$SP_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "Reader" \
  --scope "/subscriptions/$SUBSCRIPTION_ID"
Create the client secret
# Create a client secret valid for SECRET_YEARS years; the value is only shown once
SECRET=$(az ad app credential reset \
  --id "$APP_ID" \
  --display-name "OneClickComply secret" \
  --years "$SECRET_YEARS")
CLIENT_SECRET=$(echo "$SECRET" | jq -r '.password')
echo "App (client) ID: $APP_ID"
echo "Directory (tenant) ID:"
az account show --query tenantId -o tsv
echo "Client secret (copy this now and store securely): $CLIENT_SECRET"
Copy the following values, and store them securely, as they are required during the integration process with the OneClickComply platform:
App (client) ID
Directory (tenant) ID
Client secret
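Whether you used the portal or the CLI commands above, it is worth confirming that the registration carries exactly the four Graph application permissions and only the Reader role on the intended subscription before handing the credentials over. The following added example (not part of this guide or the OneClickComply platform) checks parsed output of az ad app show and az role assignment list against those requirements; the sample JSON, subscription ID and the check_registration function are constructed for illustration.

```python
# Values from the guide: Microsoft Graph's app ID and the four app roles required.
GRAPH_API = "00000003-0000-0000-c000-000000000000"
REQUIRED_ROLES = {
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "246dd0d5-5bd0-4def-940b-0421030a5b68": "Policy.Read.All",
    "38d9df27-64da-44fd-b7c5-a6fbac20248f": "UserAuthenticationMethod.Read.All",
    "b0afded3-3588-46d8-8b3d-9842eff778da": "AuditLog.Read.All",
}

def check_registration(app, assignments, subscription_id):
    """Check parsed `az ad app show` / `az role assignment list --assignee` output
    against the guide. Returns findings; an empty list means the setup matches."""
    findings = []
    # Guide: "Accounts in this organisational directory only (Single tenant)"
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single tenant: signInAudience=%s" % app.get("signInAudience"))
    # Collect the Graph application permissions (type Role) on the registration
    granted = {
        access["id"]
        for res in app.get("requiredResourceAccess", [])
        if res.get("resourceAppId") == GRAPH_API
        for access in res.get("resourceAccess", [])
        if access.get("type") == "Role"
    }
    for role_id in sorted(set(REQUIRED_ROLES) - granted):
        findings.append("missing Graph permission: " + REQUIRED_ROLES[role_id])
    for role_id in sorted(granted - set(REQUIRED_ROLES)):
        findings.append("Graph app role not in the guide: " + role_id)
    # Reader on exactly the target subscription, and nothing more privileged
    expected_scope = "/subscriptions/" + subscription_id
    roles = {(a.get("roleDefinitionName"), a.get("scope")) for a in assignments}
    if ("Reader", expected_scope) not in roles:
        findings.append("Reader not assigned at " + expected_scope)
    for name, scope in sorted(roles, key=str):
        if name != "Reader":
            findings.append("role beyond Reader: %s at %s" % (name, scope))
    return findings

# Constructed sample output (not captured from a real tenant); the second role
# assignment is deliberately wrong so the check has something to report.
SAMPLE_SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "requiredResourceAccess": [{"resourceAppId": GRAPH_API, "resourceAccess": [
        {"id": r, "type": "Role"} for r in REQUIRED_ROLES]}],
}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/" + SAMPLE_SUB},
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/" + SAMPLE_SUB},
]
```

Against a real tenant, feed it the JSON from az ad app show --id "$APP_ID" -o json and az role assignment list --assignee "$SP_ID" --all -o json; any finding means the registration differs from what this guide sets up.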
Integrating your Azure environment with OneClickComply
Please follow the steps outlined below to connect your Microsoft Azure environment to the OneClickComply platform.
Select Integrations from the main navigation bar.
Once on the Integrations page, you will be shown a list of all integrations currently available on the OneClickComply platform. You can use the search bar at the top of the page to filter for the Microsoft Azure integration.
Select the Microsoft Azure integration to open a side window, and then select Connect Microsoft Azure. This will open a pop-up modal which will guide you through the connection process.
First, assign a Connection name. The name should be clearly recognisable, and one that you don’t mind seeing in various areas within the platform.
Note: If you have multiple connections within an integration, ensure the names are unique and can be easily distinguished.
Next, provide your Subscription ID. You can also optionally assign an Alias (e.g. Production).
Ensure the Authentication method is set to Service Principal.
Then provide your Tenant ID, Client ID (App registration), and Client Secret in the remaining boxes.
Finally, click Connect cloud account.
Once all of these steps are completed, the OneClickComply platform will have successfully paired with Microsoft Azure, and will begin scanning the connected environment for gaps and misconfigurations.