Skip to main content
All CollectionsConnectionsProvider
Azure Management Groups Connection
Azure Management Groups Connection
Updated over 2 months ago

Connect Azure Management Groups to Drata. This connection allows you to connect multiple Azure subscriptions.

Prerequisites

Note: Azure Management Groups does not currently support Adaptive Automation.

  • Make sure you are logged into your company’s Microsoft Entra tenant with the Global Administrator Microsoft Entra role.

  • If you want to connect multiple Microsoft subscriptions, you’ll need to apply a role to each subscription (this can be done through Management Groups - outlined below).

  • You can limit or customize who is synced into Drata.

    • To learn more about Microsoft's group settings and group object ID, go to Microsoft's Edit group settings.

    • Each member within the top level of a group is synced. Nested groups are synced as one individual. Individual members of any nested group are not synced.

    • For more complex group membership, refer to Microsoft's dynamic group feature.

Enable Azure Management Groups

  1. In Drata, go to the Connections page.

  2. Under the Available connections tab, search for Azure Management Groups and connect.

  3. On the connection drawer, you can:

    • Enable Infrastructure or User Access Review.

    • Enter the required fields: Tenant ID, Application ID, Application Secret (Value), and Subscription ID(s).

      • For more information about required fields, refer to the next sections.

    • Configure who you would like to sync into Drata from Azure via Group Specification.

The following sections correlates to each instruction on the drawer and goes in depth, aiding you in external resources and configuration requirements.

  1. Register a new Drata App.

  2. Create a client secret for your new Drata App.

  3. Add the ReadOnly permissions to your new Drata App.

  4. Add a role to your company’s Entra subscription(s).

Step 1: Register a new Drata App

You must connect a registered application with the specific configurations to Drata.

Register a new application in Microsoft

  1. Go to Microsoft’s Entra portal and log in.

  2. Refer to Microsoft’s documentation on how to register an application. When registering the application, ensure that the fields have the following values.

    • Application name: Enter Drata Entra App.

    • Supported account types: Select Accounts in this organizational directory only.

    • Redirect URL: Leave blank.

  3. Copy the Application (client) ID and Directory (tenant) ID.

  4. After completing registration in Microsoft, enter the fields you copied into the connection drawer within Drata.

    • Tenant ID: Enter the Entra’s Directory (tenant) ID.

    • Application ID: Enter the Entra’s Application (client) ID.

Step 2: Create a client secret for your new Drata App

Note: When creating the client secret, ensure you copy the secret value and not the secret ID.

Next, you’ll need to create a client secret for your new app in Microsoft to identify your app:

  1. Follow Microsoft’s documentation on how to add a client secret.

    • Description: Enter Drata application secret.

    • Expiration: Select 24 Months.

      • Note: Ensure to set a reminder when of the expiration date. The integration gets disconnected when the secret expires.

  2. After adding your client secret, copy the secret’s Value. Do not copy the secret ID.

  3. Refresh the Microsoft's Azure Certificates and Secrets page.

    • Note: Microsoft holds the client secret in a pending state until the page is refreshed.

  4. After refreshing, enter the fields you copied into the connection drawer within Drata.

    • Application (Secret): Paste the secret value you copied

Step 3: Add five read-only permissions to your new Drata App

To learn more about Microsoft's read-only permissions, refer to Microsoft’s documentation: Application permission to Microsoft Graph.

  1. Access the Microsoft’s API Permissions page. To access the API permission page:

    • On your newly registered app overview page, in the left sidebar, expand the Manage menu and select API permissions.

  2. Select + Add a permission.

  3. Select Microsoft graph and then Application permissions.

  4. Add the five permissions:

    • In the search box, search for the following permissions:

    • User.Read.All, then expand down User and select the User.Read.All option.

    • Reports.Read.all, then expand down Reports and select the Reports.Read.all option.

    • Directory.Read.All, then expand down Directory and select the Directory.Read.All option.

    • Policy.Read.All, then expand down Policy and select the Policy.Read.All option.

    • AuditLog.Read.All, then expand down AuditLog and select the AuditLog.Read.All option.

  5. Select the Add permissions button.

  6. Grant admin consent to the newly added permissions. To grant admin consent, select Grant admin consent for <name>.

Note: Microsoft includes the User.Read permission permission by default when you register an application in Azure Active Directory, but it is not required for Drata. To learn more about API permission refer to Microsoft Graph permissions reference - Microsoft Graph.

Step 4: Add a role to your company’s Entra subscriptions

This will allow you to auto-assign the Reader role for the Drata Entra App to all your subscriptions.

  1. Create a Management Group: If you don't already have a management group, heres how to create one.

    • Navigate to the Azure portal.

    • At the top search bar, search for "Management groups" and select it.

    • Select Add management group and provide a name and ID for your new management group.

  2. Add Subscriptions to the Management Group: Add the subscriptions you want to manage under the management group.

    • Select your management group.

    • Select Details and then Add subscription.

    • Select the subscriptions you want to add to the management group.

  3. Assign the Drata Application Reader Role to your Management Group:

    • Go to the management group in the Azure portal.

    • Select the management group(s) containing the Subscriptions you wish to monitor in Drata

    • Select Access control (IAM) in the left side navigation, and expand the +Add menu to select Add role assignment.

    • Select the Reader role and then next.

    • Under "Assign access to", select User, group, or service principle.

    • Under “Members”, select the Drata Entra App.

    • Select Review + assign.

Step 5: Include or exclude your subscriptions

Now you can include or exclude your subscriptions within Drata.

  1. Go back to the Azure Management Groups connection drawer.

  2. If you are including all your subscriptions in your Azure tenant, then you can leave the Exclude empty. This will monitor all your subscriptions in Drata.

    • Ensure that all your subscriptions are in a Management Group that you’ve applied the Drata App Reader role to.

  3. Assign to the preferred workspace(s)

  4. Connect.

Step 6: Dynamic and automatic inclusions or exclusions

You can also dynamically manage subscriptions through the DrataInclude or DrataExclude tag.

Creating an Azure Policy to auto-apply tags to all subscriptions within a management group involves several steps. Following the next couple of sections to create such a policy, assign it to a management group, and ensure compliance.

Step 1: Create a Policy Definition

  1. Navigate to Azure Policy:

    • Open the Azure portal.

    • Go to Azure Policy in the left sidebar.

  2. Create a new policy definition:

    • Select Definitions from the left sidebar.

    • Select + Policy definition.

  3. Configure the policy definition:

    • Definition location: Choose the management group where you want to apply the policy.

    • Name: Provide a name for the policy, for example "Enforce Tags on Subscriptions".

    • Description: Provide a description, for example "Automatically applies required tags to all subscriptions within the management group".

    • Category: Choose or create a category, e.g., "Tagging".

  4. Policy rule: Define the policy rule. Here's an example JSON for a policy that adds or updates a tag named DrataInclude:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "tags.DrataInclude",
            "value": "Production"
          }
        ]
      }
    }
  },
  "parameters": {}
}

5. Role Definitions: Contributor

Step 2: Assign the Policy

  1. Navigate to Assignments:

    • In the Azure Policy service, select Assignments from the left sidebar.

  2. Assign the policy:

    • Select Assign Policy.

    • Scope: Choose the management group and optionally select specific subscriptions

    • Policy definition: Select the policy definition you created earlier.

    • Parameters: If your policy has parameters, configure them accordingly.

    • Select Review + create and then Create to assign the policy.

Step 3: Remediate Existing Resources

  1. Remediate existing resources:

    • Navigate to the Compliance tab in Azure Policy.

    • Select the assignment that you just created.

    • Select Create a remediation task to apply the policy to existing subscriptions and resources.

Did this answer your question?