Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles

1.0 Introduction

The purpose of this article is to describe the minimum access privileges required for Fortanix Key Insight to scan the Azure cloud subscription(s) or management groups.

2.0 Configure Azure Cloud in Fortanix Key Insight

This section outlines the necessary steps to securely integrate an Azure cloud with Fortanix Key Insight, which enables streamlined monitoring, management, and optimization of key resources. The integration leverages Azure's Role-Based Access Control (RBAC) for granular permission management.

2.1 Prerequisites

The following are the prerequisites to configure an Azure cloud in Fortanix Key Insight:

The supported Azure agreement types: Enterprise Agreement, Microsoft Customer Agreement, and Pay-as-you-go.
Access to your Azure subscription: You should be a Global Administrator with elevated access to set up Azure integration in Fortanix Key Insight as shown in the following diagram. Refer to Elevated access to manage Azure Management Groups and Subscriptions for more details.
Figure 1: Global Administrator with Elevated Access
A registered Fortanix Key Insight Account. For detailed steps to get started with Fortanix Key Insight, refer to Fortanix Key Insight – Getting Started Guide.

2.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

Perform the following steps to create a service principal in Microsoft Entra ID:

Navigate to the Azure portal and search for Microsoft Entra ID.
Select App registrations under Manage in the left navigation menu on the Microsoft Entra ID page.
Figure 2: Access App Registrations
NOTE
You can also search for App registrations in the Microsoft Azure search bar.
Click New registration.
Figure 3: Add a New App Registration
On the Register an application page, configure the following fields:
- Name: The user-facing display name for this application. For example, key-insight-app.
- Supported account types: Select Accounts in this organizational directory only (<your organization name> only - Single tenant).
- Redirect URI: This is optional.
Figure 4: Register the New Application
Click Register to register an application. The new application will be registered in Microsoft Azure.
Figure 5: View the Registered Application
NOTE
Ensure to copy and save the Directory (tenant) ID and Application (client) ID values. These values are required during the Azure cloud connection on the Fortanix Key Insight.
Perform the following steps to create a new client secret:
- Navigate to Certificates & secrets from the left navigation menu.
- Click New client secret.
- On the Add a client secret panel, enter the following:
  - Description: Enter the description for this secret. For example, key-insight-app-client-secret.
  - Expires: Select 730 days (24 months).
- Click Add.
Figure 6: Add a New Client Secret
NOTE
You can only view Client secret value immediately after creation. Ensure to copy and save the secret value before leaving the page. This value is required during the Azure cloud connection on Fortanix Key Insight.

2.3 Choose the Scope

You can choose Management Groups or Subscription scopes during Azure cloud setup in Fortanix Key Insight. For more details on Azure cloud setup, refer to User Guide: Key Insight Getting Started Guide.

If you select Management groups, you must enter your Management Group ID. Refer to Section 2.3.1: Obtain a Management Group ID for details on how to get a management group ID.
If you select Subscription, you must enter Subscription ID. Refer to Section 2.3.2: Obtain a Subscription ID for details on how to get a subscription ID.

2.3.1 Obtain a Management Group ID

Perform the following steps to obtain a management group ID:

Navigate to Management groups on Microsoft Azure.
Copy the value from the column ID in your Azure Management groups. For example, engineering-management-group from the ID column as shown below:

2.3.2 Obtain a Subscription ID

Perform the following steps to obtain a subscription ID:

Navigate to Management groups on Microsoft Azure.
Select your subscription.
Copy the Subscription ID from your Azure subscription. For example, the Subscription ID is copied from the Fortanix-Internal subscription as shown below:

2.4 Provide Permissions in Your Azure Service Principal

You must provide permissions in your Azure service principal at the management group and subscription levels to help users scan the required keys and services on Fortanix Key Insight.

2.4.1 Permissions at the Management Group Level

Perform the following steps to provide permissions at the Management group level:

Navigate to Access control (IAM) in the selected management group.
Click Add role assignment.
Perform Steps 3 to 6 mentioned in Section 2.4.2: Permissions at the Subscriptions Level and provide permissions for the selected management group.
Reader and Key Vault Reader roles will be automatically inherited for all the linked subscriptions. You do not have to go to individual subscriptions to provide the access permissions.

2.4.2 Permissions at the Subscriptions Level

Perform the following steps to provide permissions at the subscription level:

Navigate to Access control (IAM) in the selected subscription.
Click Add role assignment.
Figure 9: Add a Role Assignment
Select Reader role and click Next.
Figure 10: Select a Reader Role
For the Reader role, perform the following steps to select members:
1. Click Select members.
2. Add your app (for example, key-insight-app), as created in Section 2.2: Create a Service Principal for Microsoft Entra ID.
3. Click Select.
Figure 11: Add a Role Assignment
Click Review + assign.
Figure 12: Reader Role Assignment
Perform the following steps to provide the Key Vault Reader role permission for your Azure app:
1. Repeat Steps 1 to 2 above.
2. Select the Key Vault Reader role and click Next.
  Figure 13: Key Vault Reader Role Assignment
3. Select members to add a Key Vault Reader role for your app and click Select.
  Figure 14: Add a Key Vault Reader Role
4. Click Review + assign.
  Figure 15: Review and Assign the Permissions

3.0 Help and Support

If there are any issues with the configuration or permissions, you may need to review and adjust them accordingly. Refer to User Guide: Key Insight Getting Started Guide for guidance on establishing a connection to Azure within Fortanix Key Insight.
For Fortanix key Insight and Azure terminologies, refer to Key Insight - Concepts Guide and Key Insight – Azure Concepts Guide.
If you need further assistance, contact Fortanix Support.

Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles

1.0 Introduction

2.0 Configure Azure Cloud in Fortanix Key Insight

2.1 Prerequisites

2.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

2.3 Choose the Scope

2.3.1 Obtain a Management Group ID

2.3.2 Obtain a Subscription ID

2.4 Provide Permissions in Your Azure Service Principal

2.4.1 Permissions at the Management Group Level

2.4.2 Permissions at the Subscriptions Level

3.0 Help and Support

PLATFORM

Key Insight

Data Security Manager™

Confidential Computing Manager

Enclave Development Platform®

Request A demo

Contact Us

Free Trial

SOLUTIONS

AWS KMS External Key Store (XKS)

Google External Key Manager

Bring Your Own Key (BYOK)

HSM Modernization

Multicloud Key Management

Post Quantum Cryptography

Code Signing

Secrets Management

Tokenization Transparent

Database Encryption

Filesystem Encryption

Confidential Data Search

Confidential AI

Healthcare

Banking & Financial Services

Fintech

Manufacturing

Web 3.0

Federal Government

RESOURCES

Blog

Whitepapers

Datasheets

Solution Briefs

Ebooks

Reports

Case Studies

Webinars

University

Media Kit

Newsletters

COMPANY

About

Careerswe’re hiring

Customers

Partners

Awards

Events

Press

News

Services

Support

FAQ

4.6