Documentation on setting up azure mod compliance

[GeeksikhSecurity]

When testing the connection to Azure in Steampipe cloud receive the following error.
resources.GroupsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/REDACTED' or the scope is invalid. If access was recently granted, please refresh your credentials."
Used the link below to generate credentials for the connection.
You can generate the client secret by visiting here. As a minimum, grant your user Global Reader access.

AWS compliance mod was straightforward but need guidance on Azure configuration.

Thanks in advance.

[cbruno10]

Hi @GeeksikhSecurity , please have a look at our configuration documents for Azure and Azure AD, as both of these plugins are used in the Azure Compliance mod, and the provided links have info on which permissions are required, how to setup the configuration .spc files, and more.

[GeeksikhSecurity]

I eventually figured out how to assign Read Only rights on the Azure App which managed to work for the Azure MOD on the Steampipe Cloud after working with Microsoft support.

The AzureAD for compliance connection is giving an error.
UsersClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
Any guidance in pointing me in the right direction would be appreciated.

[cbruno10]

@GeeksikhSecurity Can you please confirm that you've granted your service principal all of the permissions listed under Permissions in https://hub.steampipe.io/plugins/turbot/azuread#credentials?

Also, which configuration method are you attempting to use? Can you please share your azuread.spc file (with any sensitive info removed)?

[GeeksikhSecurity]

Thanks for the update. I am using the Steampipe cloud and not a local install so not sure if the azuread.spc is available.

[cbruno10]

Hi @GeeksikhSecurity , sorry for the late reply!

Can you please check if you have the following permissions assigned:

• In Azure Active Directory, can you please verify the application has all of the permissions as listed in https://hub.steampipe.io/plugins/turbot/azuread#credentials?
• In the Azure subscription, can you please verify the service principal has the Global Reader role assigned?