Create an Azure App for Integration

The following procedure describes the common manual steps to create an Azure app for use in either an Azure Configuration (Compliance) integration or Azure Activity Log integration. For instructions on creating the entire integration, see the topics in Azure Terraform or Azure Portal.

To manually create an integration using the Azure Portal and the Lacework Console, you must have access to the following:

  • An Entra ID account that has a Global Administrator directory role for your tenant (or equivalent administrator rights to create app registrations).
  • Your account must have the Owner role in every Azure subscription that you want to monitor.
  • A Lacework account with administrator privileges.

Overview

This integration procedure describes how to:

  1. Create a new app registration (named Lacework SA Audit).
  2. (Optional) Grant it Microsoft Entra ID permissions (Directory Reader role in Entra ID) to read information from your directory.
  3. Grant it Azure permissions to read resource configurations from your subscriptions.
  4. Assign Azure Key Vault permissions if creating an Azure Configuration (Compliance) integration.

About Entra ID Permissions

If choosing to grant permissions to the directory through the Directory Reader role, Lacework will collect the list of users, groups, members, and app registrations from the Entra ID organization using Microsoft Graph API calls. This information is exposed for LQL datasources and compliance policies.

Disabling this permission may be required if your organization has specific regulatory or privacy requirements that do not allow this information to be collected by third parties. If disabled, LQL datasources and related IAM compliance policies will not be assessed.

For existing integrations, at any time, you can remove the Directory Reader role from the Entra ID service principal used for Lacework (created in the following section).

1. Create an Azure App Registration

info

Learn more about this step in the Microsoft Azure documentation.

  1. Sign in to the Microsoft Entra admin center.
  2. Ensure you are signed in to the tenant in which you want to register the application.
  3. Click Identity > Applications > App registrations.
  4. Click New registration.
  5. In the Register an application panel, enter the following values:
    1. Name - Enter Lacework SA Audit.
    2. Supported account types - Leave the default Accounts in this organizational directory only (my_dir) option.
    3. Redirect URI (optional) - Leave the URL blank.
  6. Click Register.

2. Grant the Azure App the Directory Reader Role

note

This section is optional, see About Entra ID Permissions for more information.

The Azure app you created in the previous section must be given basic permissions to read user information from your directory.

Standard Entra ID Steps

info

Learn more about this step in the Microsoft Azure documentation.

To grant the necessary permissions:

  1. Sign in to the Microsoft Entra admin center with at least the Privileged Role Administrator role.
  2. Click Identity > Roles & admins > Roles & admins.
  3. Click Directory Reader (click the name, do not select it).
  4. Click Add assignments.
  5. Go to the Add assignments menu, then search for your app registration name, such as Lacework SA Audit, then click Add.

Privileged Identity Management Steps

info

Learn more about this step in the Microsoft Azure documentation.

If you are using Privileged Identity Management, the flow is slightly different:

  1. Sign in to the Microsoft Entra admin center with at least the Privileged Role Administrator role.
  2. Click Identity > Roles & admins > Roles & admins.
  3. Click Directory Reader (click the name, do not select it).
  4. Click Add assignments.
  5. Under Select member(s), click No member selected, then search for your app registration name, such as Lacework SA Audit, then click Select.
  6. Confirm Membership by clicking Next >.
  7. Confirm Setting with assignment type Active, and select the Permanently eligible checkbox.
  8. Click Assign. Azure will notify other Entra ID admins about this assignment via email.

3. Assign Reader Permissions to Subscriptions

You must give the Azure App (created for Lacework) Reader permissions to access subscriptions that you want to monitor for proper configuration and compliance. For future CIS compliance checks, extra permissions may be needed.

For more information, see the detailed RBAC description of each role on the Azure built-in roles documentation page.

Assign Permissions to a Single Subscription

info

Learn more about this step in the Microsoft Azure documentation.

  1. In the main search field, enter subscription and select Subscriptions from the drop-down.
  2. Browse and click your subscription.
  3. Click Access control (IAM).
  4. In the Add a role assignment tile, click Add.
  5. In the Role field, enter Reader.
  6. Leave the Assign access to field set to User, group, or service principal.
  7. Use the + Select members option to find and enter the app name (such as Lacework SA Audit). Ensure it is listed in the selected members.
  8. Enter an optional Description if desired.
  9. Click Next.
  10. Click Review + assign to assign the role.

Assign Permissions to All Subscriptions

Repeat the previous steps for all the subscriptions in your tenant. Lacework will automatically detect all visible subscriptions with a single configuration integration.

Optionally, you can assign the Reader role at a Management Group instead. Lacework will discover every subscription that inherits the Reader permission from the group, which lets organizations with dozens of subscriptions avoid assigning permissions one subscription at a time. For more information, see the Azure documentation.
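Steps 1 to 3 above are written for the portal. The following script, added here as an example and not Lacework's or Microsoft's own tooling, performs the same steps with the Azure CLI: it registers the single-tenant app, creates its service principal, optionally adds it to the Directory Readers role through a Microsoft Graph call, and assigns only the Reader role at either a subscription or a management-group scope. It assumes `az` is installed and logged in with the rights listed at the top of this page; the `DRY-RUN-*` IDs and `SUBSCRIPTION-ID-PLACEHOLDER` are placeholders, and `DRY_RUN=1` (the default) only prints each command so the plan can be reviewed before it is run with `DRY_RUN=0`.

```shell
#!/usr/bin/env sh
# Added example, not Lacework's or Microsoft's own tooling: steps 1-3 of this page
# (app registration, optional Directory Readers role, Reader on a subscription or
# management group) as Azure CLI calls. Assumes 'az' is installed and logged in
# with the rights listed at the top of the page. DRY_RUN=1 (the default) prints
# each command instead of running it, so review the plan before using DRY_RUN=0.

APP_NAME="${APP_NAME:-Lacework SA Audit}"
DRY_RUN="${DRY_RUN:-1}"

# run_az: execute an az command, or print it to stderr when DRY_RUN=1.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY RUN: az %s\n' "$*" >&2; else az "$@"; fi
}

# dry_id: in dry-run mode, stand in for the ID the real command would print.
dry_id() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; fi; }

# reader_scope: build the resource ID used as the role-assignment scope.
# $1 is "subscription" or "managementgroup", $2 the subscription ID or group name.
reader_scope() {
  case "$1" in
    subscription)    printf '/subscriptions/%s\n' "$2" ;;
    managementgroup) printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    *) echo "reader_scope: unknown scope kind '$1'" >&2; return 1 ;;
  esac
}

# Step 1: single-tenant app registration, no redirect URI. Prints the app (client) ID.
create_app_registration() {
  run_az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg \
    --query appId -o tsv
  dry_id "DRY-RUN-APP-ID"   # placeholder, printed only in dry-run mode
}

# The registration needs a service principal in the tenant before any role can be
# assigned to it. Prints the service principal object ID.
create_service_principal() {
  run_az ad sp create --id "$1" --query id -o tsv
  dry_id "DRY-RUN-SP-OBJECT-ID"   # placeholder, printed only in dry-run mode
}

# Step 2 (optional): add the service principal to the Directory Readers role via
# the Microsoft Graph directoryRoles members API. The role must be activated in
# the tenant for the lookup to find it.
assign_directory_readers() {
  role_id=$(az rest --method get --url "https://graph.microsoft.com/v1.0/directoryRoles" \
              --query "value[?displayName=='Directory Readers'].id | [0]" -o tsv 2>/dev/null)
  run_az rest --method post \
    --url "https://graph.microsoft.com/v1.0/directoryRoles/${role_id:-DRY-RUN-ROLE-ID}/members/\$ref" \
    --body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$1\"}"
}

# Step 3: Reader only (no write rights) at the chosen scope. $1 SP object ID, $2 scope.
assign_reader() {
  run_az role assignment create --role Reader --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --scope "$2"
}

# verify_reader: succeeds only once the assignment is visible. $1 app ID, $2 scope.
verify_reader() {
  n=$(az role assignment list --assignee "$1" --scope "$2" --role Reader \
        --query "length(@)" -o tsv 2>/dev/null || echo 0)
  [ "${n:-0}" -gt 0 ]
}

main() {
  scope=$(reader_scope "${1:-subscription}" "${2:-SUBSCRIPTION-ID-PLACEHOLDER}") || return 1
  app_id=$(create_app_registration)
  sp_id=$(create_service_principal "$app_id")
  if [ "${GRANT_DIRECTORY_READERS:-0}" = "1" ]; then assign_directory_readers "$sp_id"; fi
  assign_reader "$sp_id" "$scope"
  if [ "$DRY_RUN" != "1" ]; then verify_reader "$app_id" "$scope"; fi
}

main "$@"   # e.g. DRY_RUN=0 ./script.sh managementgroup my-root-group
```

Run it as `./script.sh subscription <subscription-id>` or `./script.sh managementgroup <group-name>`; set `GRANT_DIRECTORY_READERS=1` only if you want the optional step 2 from this page. The script never grants more than Reader, and `verify_reader` is the check to run after a role assignment has propagated.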

4. Assign Azure Key Vault permissions

note

This step is only required for Azure Configuration (Compliance) integrations.

Azure Key Vault permissions are required to be able to assess some compliance policies in your environment. Not having the appropriate permissions can result in "Could Not Assess" errors on enabled policies that require Key Vault access.

Grant the Azure Key Vault permissions by using one of the following methods. Either method grants Lacework access to read only the metadata required for compliance policy assessments; neither grants Lacework access to read the contents of keys or secrets, because that is not required.

Option 1: Vault access policy (default)

note

Key Vault access policies must be added for all existing Key Vaults and any new ones created in the future that you want to monitor.

Follow the steps in Assign a Key Vault access policy and assign the following permissions to the Lacework application (created for the Azure integration):

  • Key permissions: List
  • Secret permissions: List

Option 2: Azure RBAC

Assign the Key Vault Reader role to the Lacework application (created for the Azure integration) for the subscription or all subscriptions that you are integrating (or have integrated) with Lacework.

note

If you wish to use this role, Azure RBAC must be enabled.

By using this method, any new key vaults added to your subscription or tenant will automatically be accessible for compliance monitoring.
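The two options above differ per vault: a vault whose authorization model is Azure RBAC ignores access policies, and a vault using the default access-policy model cannot be reached through the Key Vault Reader role. The following script, added here as an example and not Lacework's or Microsoft's own code, reads each vault's `enableRbacAuthorization` property and applies the matching option, granting only List on keys and secrets (never Get) for the policy case and only the Key Vault Reader role for the RBAC case. It assumes `az` is logged in as an Owner of the subscription; the `kv-legacy` and `kv-rbac` vaults in the dry run are constructed samples, `SP-OBJECT-ID-PLACEHOLDER` is a placeholder, and `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not Lacework's or Microsoft's own code: step 4 of this page as
# Azure CLI calls. For each vault it grants only what the page asks for (List on
# keys and secrets, never Get), choosing Option 1 (access policy) or Option 2
# (Key Vault Reader role) from the vault's own authorization mode. Assumes 'az'
# is logged in as an Owner of the subscription; DRY_RUN=1 (default) prints the
# commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# run_az: execute an az command, or print it to stderr when DRY_RUN=1.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY RUN: az %s\n' "$*" >&2; else az "$@"; fi
}

# keyvault_method: map a vault's enableRbacAuthorization value (as printed by
# `az keyvault show -o tsv`) to the option that applies. Anything other than
# true means the vault uses the default access-policy model.
keyvault_method() {
  case "$1" in
    true|True|TRUE) echo rbac ;;
    *)              echo policy ;;
  esac
}

# Option 1: per-vault access policy with List only. $1 vault name, $2 SP object ID.
grant_policy() {
  run_az keyvault set-policy --name "$1" --object-id "$2" \
    --key-permissions list --secret-permissions list
}

# Option 2: built-in Key Vault Reader role. $1 scope (a vault resource ID, or a
# /subscriptions/<id> path so vaults created later are covered), $2 SP object ID.
grant_key_vault_reader() {
  run_az role assignment create --role "Key Vault Reader" --assignee-object-id "$2" \
    --assignee-principal-type ServicePrincipal --scope "$1"
}

# grant_for_vault: apply the right option to one vault.
# $1 vault name, $2 vault resource ID, $3 enableRbacAuthorization, $4 SP object ID.
grant_for_vault() {
  case "$(keyvault_method "$3")" in
    rbac)   grant_key_vault_reader "$2" "$4" ;;
    policy) grant_policy "$1" "$4" ;;
  esac
}

# grant_all_vaults: walk every vault in the current subscription. Access policies
# are per vault, so re-run this after new vaults are created (the page's note).
grant_all_vaults() {
  sp="$1"
  for name in $(az keyvault list --query "[].name" -o tsv); do
    # tsv output of a two-element query is one line: "<resource id>\t<true|false>"
    vault=$(az keyvault show --name "$name" \
              --query "[id, properties.enableRbacAuthorization]" -o tsv)
    set -- $vault
    grant_for_vault "$name" "$1" "$2" "$sp"
  done
}

main() {
  sp="${1:-SP-OBJECT-ID-PLACEHOLDER}"
  if [ "$DRY_RUN" = "1" ]; then
    # Constructed sample vaults, one per authorization model, to show both branches.
    grant_for_vault kv-legacy \
      "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-legacy" false "$sp"
    grant_for_vault kv-rbac \
      "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-rbac" true "$sp"
  else
    grant_all_vaults "$sp"
  fi
}

main "$@"   # e.g. DRY_RUN=0 ./keyvault-grants.sh <service-principal-object-id>
```

Running the script with the default `DRY_RUN=1` prints one `set-policy` command for the sample access-policy vault and one `role assignment create` for the sample RBAC vault, which is the quickest way to confirm that no `get` permission is ever requested before running it against real vaults.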