Onboard Azure assets


Onboarding Azure cloud assets to Security Center enables unified asset inventory, configuration risk scanning (CSPM), and automated security response across clouds. This solution uses Azure application credentials with read-only access to securely sync asset information and build a unified multi-cloud security view.

How it works

  1. Register an application in Azure and create a service principal as its access credential.

  2. Security Center uses this credential to access the specified subscription through Azure public APIs, enabling synchronization of assets and configuration information within the subscription scope.

Procedure

Step 1: Create an application credential in Azure

This step creates an application and its service principal in the Azure portal and generates a client secret for API authentication. Obtain the following credentials: Application (client) ID, Directory (tenant) ID, and the Value of the client secret.

  1. Create an application

    1. Log on to the Azure console.

    2. In the left-side navigation pane, select All services. In the Identity service category, click App registrations, or search for and go to App registrations in the top search bar.

    3. On the App registrations page, click New registration.

    4. On the application registration page, complete the following settings and then click Register.

      • Name: Enter an easily recognizable name, such as aliyun-sasc-connector, for easier search and management later.

        Important

        This name will appear as the member name in the later "role assignment" step.

      • Supported account types: Configure the account scope that can access this application based on your permission requirements.

    5. After the application is created, the overview page displays the application information. Copy and save the Application (client) ID and Directory (tenant) ID, which will be used in subsequent steps.

  2. Certificates and secrets

    1. On the details page of the application created in Step 1, click Manage in the left-side navigation pane, and then click Certificates & secrets.

    2. On the Client secrets tab, click + New client secret and complete the configuration with reference to the following instructions.

      • Description: Describe the purpose of this secret.

      • Expires: The validity period of the client secret. We recommend that you set it to 180 days.

        Important

        Create a credential rotation plan and update the secret before it expires to avoid service disruptions caused by credential expiration.

    3. After you click Add, the Value of the client secret is displayed.

      Warning

      The Value of the client secret is visible only once at creation. After you leave this page, you cannot view it again. Copy and save it immediately before proceeding.
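The 180-day expiry and the rotation plan recommended above can be checked from the command line instead of by hand. The following is an added example, not code from the original page or from Security Center: it reads the JSON that `az ad app credential list --id <APP_ID>` prints for the app registration and flags secrets that are expired, close to expiry, or issued for longer than 180 days. The sample credential list and the 30-day rotation window are constructed assumptions.

```python
"""Audit the client secrets of an Azure app registration against a rotation policy."""
import json
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 180    # expiry recommended in Step 1
ROTATE_WITHIN_DAYS = 30    # assumed policy: rotate when fewer days than this remain

# Constructed sample in the shape of `az ad app credential list` output
# (a list of passwordCredential objects; the secret value itself is never returned).
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "sasc-connector-a", "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-06-29T00:00:00Z"},
    {"displayName": "sasc-connector-b", "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": "2026-05-01T00:00:00Z"},
    {"displayName": "sasc-connector-old", "keyId": "33333333-3333-3333-3333-333333333333",
     "startDateTime": "2023-10-01T00:00:00Z", "endDateTime": "2024-03-01T00:00:00Z"},
])


def _parse(ts: str) -> datetime:
    # az prints ISO-8601 timestamps; fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_secrets(credentials_json: str, now: datetime) -> list:
    """Return one finding per secret: days left and the policy checks it fails."""
    findings = []
    for cred in json.loads(credentials_json):
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        days_left = (end - now).days
        problems = []
        if days_left < 0:
            # An expired secret interrupts asset synchronization and security detection.
            problems.append("expired %d days ago" % -days_left)
        elif days_left < ROTATE_WITHIN_DAYS:
            problems.append("rotate now: expires in %d days" % days_left)
        if end - start > timedelta(days=MAX_VALIDITY_DAYS):
            problems.append("validity exceeds %d days" % MAX_VALIDITY_DAYS)
        findings.append({"keyId": cred["keyId"], "name": cred.get("displayName"),
                         "days_left": days_left, "problems": problems})
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    for f in audit_secrets(SAMPLE_CREDENTIALS, datetime(2024, 6, 10, tzinfo=timezone.utc)):
        print(f["name"], f["days_left"], "; ".join(f["problems"]) or "ok")
```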

Step 2: Grant subscription access to the application credential

To ensure that Security Center can read asset information, you must assign read-only permissions for the Azure subscription to the application created in the previous step.

  1. Go to the Role assignment page

    1. Log on to the Azure console.

    2. In the left-side navigation pane, select All services. In the General service category, click Subscriptions, or search for and go to Subscriptions in the top search bar.

    3. Click the name of the target subscription to go to the subscription details page. On the details page, click Access control (IAM).

      Note

      If you have not activated a subscription, create one first and select the required services.

    4. On the Access control (IAM) page, click Add in the upper-left corner and select Add role assignment.

  2. Assign a role: On the role assignment page, select the corresponding role and click Next.

    Roles required for each feature (Feature / Role / Notes):

    • Host: Reader. Notes: None.

    • CSPM: Reader. Notes: None.

    • Agentic SOC: To enable automated threat response (such as integrating with Azure Firewall through Response Rules), you must additionally grant Microsoft.Network permissions. For more information, see Third-party cloud components (OpenAPI).

      Important

      You must complete the assignment for each role separately. Azure allows only one role assignment at a time.

    • Agentless Detection: Reader and Disk Snapshot Contributor. Notes: None.

    On the Access control (IAM) page in the Azure portal, click Add role assignment, select the roles listed in the preceding table, and complete the assignment.

  3. Add members: Go to the Members management page, click Select members, and select the application created in Step 1.

    Note

    You can quickly search and locate the target application by application name.

    For the selected Reader role, under Assign access to, select User, group, or service principal.

  4. After confirming the members, click Review + assign in the lower-left corner to complete the authorization.

    Note

    The authorization may take a moment. Please wait.

Step 3: Complete the onboarding configuration in Security Center

  1. Go to the authorization page

    1. Recommended path:

      1. Log on to the Security Center console.

      2. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

      3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and then select Azure.

    2. Alternative entry points:

      On the following pages, in the Multi-cloud Service Access or Add Multi-cloud Asset section, find and click the Onboard or Authorize button below the image icon:

      • Assets > Host

      • Risk Governance > CSPM > Cloud Service Configuration Risk

      • Protection Configuration > Host Protection > Agentless Detection

  2. Configure access credentials

    1. In the Add Assets Outside Cloud panel, select the features to onboard and click Next.

      • Host: Allows Security Center to automatically discover and synchronize Azure host assets.

      • CSPM: Use Cloud Security Posture Management to scan the configurations of Azure cloud products to discover and manage configuration risks.

      • Agentic SOC: Works with the Response Rules Script orchestration feature to automate the handling of security event threats. For more information, see Third-party cloud components (OpenAPI).

      • Host Protection > Agentless Detection: Uses snapshot scanning technology to detect security risks on Azure virtual machines, including vulnerabilities, baselines, and malicious files, without installing a client.

    2. On the Submit AccessKey Pair page, accurately enter the credential information created earlier.

      • Enter an AppID: Corresponds to the Application (client) ID obtained from Azure app registration.

      • Enter a password: Corresponds to the client secret obtained from Azure app registration.

      • tenant: Corresponds to the Directory (tenant) ID obtained from Azure app registration.

      • Domain (Select Chinese Edition for China and International Edition for others): For 21Vianet users, select Chinese Edition.

  3. Configure the synchronization policy

    On the Policy Configuration page, configure the settings based on your management requirements:

    • Select region: Select the regions where the Azure assets to be onboarded are located.

      Note

      Asset data is automatically stored in the data center corresponding to the region selected in the upper-left corner of the Security Center console.

      • Chinese Mainland: Data center in Chinese Mainland.

      • Outside Chinese Mainland: Data center in Singapore.

    • Region Management: We recommend that you select this option. After you select this option, assets in new regions added to this Azure account in the future will be automatically synchronized without manual configuration.

    • Host Asset Synchronization Frequency: Set the interval for automatically synchronizing Azure host assets. If you do not need synchronization, you can set it to "Off".

      Note

      This parameter is required only when the onboarded features include Host.

    • Cloud Service Synchronization Frequency: Set the interval for automatically synchronizing Azure cloud product configurations. If you do not need synchronization, you can set it to "Off".

      Note

      This parameter is required only when the onboarded features include Cloud Security Posture Management.

    • AK Service Status Check: Set the interval for Security Center to automatically check the validity of the Azure account credentials. You can select "Off" to disable the check.

  4. After the configuration is complete, click Synchronize Assets. The system automatically synchronizes data from the Azure account to Security Center.

Azure advanced configuration (Agentic SOC)

Note

For more information, see the official Azure documentation: Microsoft.Azure permissions for networking and Create custom roles.

  1. Go to the custom role creation page

    1. Log on to the Azure console.

    2. In the left-side navigation pane, select All services. In the General service category, click Subscriptions.

      Note

      Alternatively, search for Subscriptions in the top search bar and click to go directly.

    3. Click the name of the target subscription to go to the subscription details page. On the details page, click Access control (IAM).

    4. On the Access control (IAM) page, click Add and select Add custom role.

  2. Enter basic information

    1. Custom role name: Enter an easily recognizable name, such as aliyun-agentic-soc-role, for easier search and management later.

    2. Baseline: Start from scratch.

  3. Assign permissions

    1. On the Permissions tab, click Add permissions.

    2. Search for the Microsoft.Network permission at the top and click the permission name.

    3. On the permissions list page, select all permissions under Actions and click Add.

  4. After configuring the permissions, click Review + create. Confirm the information and click Create.

Manage onboarded assets

Host

Go to the Assets > Host page. In the Add Multi-cloud Asset section, click the image icon to view the onboarded Azure hosts. You can follow the steps below to apply advanced protection and management to the onboarded hosts.

Note

For more information, see Manage servers.

  1. Install the agent: Install the Security Center agent on the Azure hosts. When you run the installation command, select Azure for Service Provider. For detailed steps, see Install the agent.

  2. Upgrade to obtain full protection: The default Free edition provides only basic security detection. To obtain full security protection capabilities (such as anti-virus, vulnerability fixing, and intrusion prevention), bind a paid edition (Anti-virus or higher) to the Azure hosts. For detailed steps, see Manage host and container security quotas.

CSPM

Go to the Assets > Overview > Cloud Product page. In the All Alibaba Cloud Services navigation pane on the left, click Azure to view the onboarded Azure assets. For onboarded Azure assets, you can use the following CSPM features:

Note

For more information, see View cloud service information.

  1. Run configuration risk checks: Check for configuration risks in Azure products. For detailed steps, see Set up and run cloud platform configuration risk check policies.

  2. Handle risk items: View and fix failed risk check items based on the check results to improve the compliance and security of cloud assets. For detailed steps, see View and handle failed cloud platform configuration risk checks.

Agentic SOC

Go to Agentic SOC > Response Rules. When creating a custom playbook, you can select the Azure component from Third-party cloud components (OpenAPI) to automate the handling of detected Azure asset security events.

Host Protection > Agentless Detection

Go to Protection Configuration > Host Protection > Agentless Detection. On the Server Check or Custom Image Check tab, in the Add Multi-cloud Asset section, click the image icon to view the scanned risk items. The operation instructions are as follows:

  1. Run detection tasks: Perform multi-dimensional security detection on Azure servers for vulnerabilities, malicious software, configuration baselines, sensitive files, and other security dimensions to discover potential security risks.

  2. Analyze and handle risks:

    1. Vulnerability risks: Supports Add to Whitelist.

      Warning

      Agentless detection does not support fixing vulnerabilities.

    2. Baseline check risks: Supports Add to Whitelist.

    3. Malicious sample risks and sensitive file risks: Supports Add to Whitelist, Manually Handled, Mark as False Positive, and Ignore.

Cost and risks

  • Cost: The default Free edition of Security Center provides only basic security detection. To obtain full security protection capabilities, such as anti-virus, vulnerability fixing, and intrusion prevention, you must bind a paid edition (Anti-virus or higher) license to the onboarded Azure hosts.

  • Risks:

    • The client secret is the credential that connects Azure and Security Center. If it is leaked, it may lead to unauthorized access to asset data.

    • If the client secret expires, asset synchronization and security detection are interrupted. Safeguard the credential and create a regular rotation plan.

FAQ

  • Why can't I see some onboarded Azure resources in Security Center?

    • Region not selected: In the onboarding configuration of Security Center, check whether you have selected the Azure region where the resource is located.

    • Synchronization delay: After initial onboarding or configuration changes, asset synchronization may be delayed. Wait for the synchronization to complete.

  • What should I do if automatic credential and permission validation fails after entering the credentials?

    • Permission issue: The client secret of the Azure application has expired. Refer to Certificates and secrets to create a new client secret and save it, then update it in Security Center.

    • Region issue: The currently selected region is unavailable. Switch to another available region or the corresponding Domain, and then submit again.