Begin Selective Scanning Using Azure Active Directory Groups

Configure an app registration on Azure Active Directory to enable Aperture to begin selective scanning of groups.
Aperture integrates with Azure Active Directory, Microsoft's cloud-based identity and access management service. Once Azure AD is connected, the Aperture service retrieves your Azure AD group information so you can select which groups to include in or exclude from global scan settings and policy rules, and which groups to monitor for risks.
Before you can begin scanning your cloud app, you need to collect information from your Azure AD and select which groups to include or exclude. One example of using selective scanning with a SaaS application is excluding a group that is subject to different data privacy rules than the rest of the organization. Another is excluding the users in a group because they work with confidential assets.
To begin scanning your Azure AD groups, register an application in one of two ways:

Register an application on Azure Active Directory

  • Gather information needed to connect Azure AD to Aperture.
    You need the Directory ID, Application ID, and Application Key to establish a connection between the Aperture service and Azure Active Directory and retrieve user group and membership information.
    1. Log in to Microsoft Azure and select Azure Active Directory > App registrations > New registration.
    2. Enter a Name, select Accounts in this organizational directory only, and click Register.
    3. Copy the Application (client) ID.
    4. Copy the Directory (tenant) ID.
    5. Click API permissions > Add a permission > Microsoft Graph > Application permissions.
    6. Select Directory > Directory.Read.All.
      This permission to read directory data allows the Aperture service to connect to the Azure AD application and read the users, groups, and apps in the organization’s directory.
    7. Select Group > Group.Read.All and click Add permissions.
      This permission to read all groups allows Azure Active Directory to list groups and read their properties and membership, so that the Aperture service can populate a list of groups to scan.
    8. Click Grant consent and click Yes to confirm the permission change.
    9. Select Certificates & secrets > New client secret, enter a Description, select an expiration, and click Add.
    10. Copy the unique Client secret (this is the Aperture Application Key).
  • Connect Azure Active Directory to Aperture.

Register an application (Legacy) on Azure Active Directory

  • Complete the new and improved app registration on Azure Active Directory, or register the application the legacy way as follows.
    You need the Directory ID, Application ID, and Application Key to establish the connection between the Aperture service and Azure Active Directory and retrieve user group and membership information.
    1. Log in to Microsoft Azure, select Azure Active Directory > Properties, and copy the Directory ID.
    2. Select App registrations > New application registration and enter a Name and Sign-on URL.
    3. Click Create.
    4. Copy the Application ID.
    5. Select Settings > Required Permissions > Add > Select an API > Microsoft Graph.
      To scan groups, the Read all groups and Read directory data permissions must be added. Read all groups allows Azure Active Directory to list groups and read their properties and group memberships. Read directory data allows Azure Active Directory to read the users, groups, and apps in the organization’s directory.
    6. Click Select to open the Enable Access list, and choose Read all groups and Read directory data.
    7. Click Select to enable access and Done to add the permissions.
    8. Select Keys, enter a Description, select a Duration, and paste the Application ID.
    9. Click Save and copy the Application Key.

Connect Azure Active Directory to Aperture

  1. Connect the Azure AD in Aperture to populate groups to scan.
    Ensure the Azure AD role you are connecting to Aperture has Administrator privileges.
    1. Log in to Aperture.
    2. Select Settings > Directory Services > Connect New.
    3. Select Azure Active Directory and enter the Directory ID, Application ID, and Authentication Key.
    4. Click Save to authenticate Azure Active Directory and retrieve the group lists and membership information.
      You can give your Azure AD instance a descriptive name instead of the default, which is Azure Active Directory n.
  2. Add a subset of groups to scan or exclude from scanning.
    1. From Settings > Directory Services, select the Azure AD instance.
    2. Enter the first few letters or the name of the group you want to scan for.
      You can add all groups using >> or a single group using >, but you can add only 100 groups in total. If a group is edited or removed from selective scanning, it can take up to 7 days to remove its assets and activities and close any related incidents. Adding a group back to selective scanning records new user activities but not the older, previously removed user activities.
    3. Select Save.
  3. Connect your Box app to Aperture.
    Begin Scanning a Box App and enable selective scanning to choose a subset of Azure Active Directory groups to scan.
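Before entering the values in Aperture, you can confirm that the Directory ID, Application ID, and Application Key collected in the registration steps actually authenticate and that the token carries both application permissions the procedure grants (Directory.Read.All and Group.Read.All); a consent step that was skipped shows up here as a missing role rather than as a failed Aperture connection. This is an added example, not Aperture or Microsoft code; it assumes the three values are exported as the hypothetical environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, and it applies the 100-group limit from the Aperture selective-scanning step to the groups that Microsoft Graph returns.

```python
"""Sanity-check an Azure AD app registration before connecting it to Aperture.

Added example (not Aperture or Microsoft code). Assumes the three values from
the registration steps are exported as AZURE_TENANT_ID, AZURE_CLIENT_ID and
AZURE_CLIENT_SECRET (hypothetical names) and uses the public Graph v1.0 API.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# $top=999 is the largest page Graph returns for groups; enough to test the limit.
GROUPS_URL = "https://graph.microsoft.com/v1.0/groups?$select=id,displayName&$top=999"
# Application permissions the registration procedure grants to the app.
REQUIRED_ROLES = {"Directory.Read.All", "Group.Read.All"}
APERTURE_GROUP_LIMIT = 100  # Aperture accepts at most 100 groups for selective scanning


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials request: the app authenticates with its Application ID and Key."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")


def token_roles(access_token: str) -> set:
    """Read the 'roles' claim from the JWT payload (no signature check: inspection only)."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("roles", []))


def missing_roles(access_token: str) -> set:
    """Required permissions the token lacks (admin consent not granted, or wrong API permission)."""
    return REQUIRED_ROLES - token_roles(access_token)


def over_limit(groups: list) -> bool:
    """True when more groups came back than Aperture can add to selective scanning."""
    return len(groups) > APERTURE_GROUP_LIMIT


if __name__ == "__main__":
    tenant, cid, secret = (os.environ[k] for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    with urllib.request.urlopen(build_token_request(tenant, cid, secret)) as resp:
        token = json.load(resp)["access_token"]
    if missing_roles(token):
        raise SystemExit(f"missing application permissions: {sorted(missing_roles(token))}")
    req = urllib.request.Request(GROUPS_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        groups = json.load(resp)["value"]
    print(f"{len(groups)} groups visible; exceeds Aperture limit: {over_limit(groups)}")
```

If the script reports a missing permission, go back to step 8 of the registration and grant consent; if it reports more than 100 groups, use > to pick individual groups rather than >> to add all of them.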

Related Documentation