Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles


1.0 Introduction

This article describes the minimum access privileges required for Fortanix Key Insight to scan the Azure cloud subscription(s) or management groups using Azure built-in roles.

2.0 Configure Azure Cloud in Fortanix Key Insight

This section outlines the necessary steps to securely integrate an Azure cloud with Fortanix Key Insight, which enables streamlined monitoring, management, and optimization of key resources. The integration leverages Azure's Role-Based Access Control (RBAC) for granular permission management.

For more details on Azure built-in role permissions required to onboard an Azure connection, refer to the Fortanix Key Insight – Azure Connection Permissions.

2.1 Prerequisites

The following are the prerequisites to configure an Azure cloud in Fortanix Key Insight:

2.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

Perform the following steps to create a service principal in Microsoft Entra ID:

  1. Navigate to the Azure portal and search for Microsoft Entra ID.

  2. Select App registrations under Manage in the left navigation panel on the Microsoft Entra ID page.

    NOTE

    You can also search for App registrations in the Microsoft Azure search bar.

  3. Click New registration.

  4. On the Register an application page, configure the following fields:

    • Name: The user-facing display name for this application. For example, key-insight-app.

    • Supported account types: Select Accounts in this organizational directory only (<your organization name> only - Single tenant).

    • Redirect URI: This is optional.

  5. Click Register to register an application. The new application will be registered in Microsoft Azure.

    NOTE

    Copy and save the Directory (tenant) ID and Application (client) ID values. Both are required when you onboard the Azure cloud connection in Fortanix Key Insight.

  6. Perform the following steps to create a new client secret:

    • Navigate to Certificates & secrets from the left navigation panel.

    • Click New client secret.

    • On the Add a client secret panel, enter the following:

      • Description: Enter the description for this secret. For example, key-insight-app-client-secret.

      • Expires: Select 730 days (24 months). A shorter expiry limits the exposure window if the secret leaks, but the secret must then be rotated in Fortanix Key Insight before it expires or the connection stops authenticating and scans fail.

    • Click Add.


    Figure 2: Add a new client secret

    NOTE

    The client secret value is shown only once, immediately after creation. Copy and save it before leaving the page; it is required when you onboard the Azure cloud connection in Fortanix Key Insight.

2.3 Choose the Scope

You can choose Management Groups or Subscription scopes during Azure cloud setup in Fortanix Key Insight. For more details on Azure cloud setup, refer to Fortanix Key Insight - Getting Started With Cloud Connection.

2.3.1 Obtain a Management Group ID

Perform the following steps to obtain a management group ID:

  1. Navigate to Management groups on Microsoft Azure.

  2. Copy the value in the ID column for the management group you want to scan. For example, engineering-management-group is copied from the ID column as shown below:


Figure 3: Get a management group ID

2.3.2 Obtain a Subscription ID

Perform the following steps to obtain a subscription ID:

  1. Navigate to Subscriptions on Microsoft Azure (subscriptions are also listed under their parent in Management groups).

  2. Select your subscription.

  3. Copy the Subscription ID from your Azure subscription. For example, the Subscription ID is copied from the Fortanix-Internal subscription as shown below:


Figure 4: Get a subscription ID

2.4 Provide Access to Built-In Roles in Your Azure Service Principal

Assign the following built-in roles to your Azure service principal, at either the management group level or the subscription level, so that Fortanix Key Insight can scan the required Azure keys and services:

  • Reader

  • Key Vault Reader

  • Storage Blob Data Reader

All three are read-only roles. Note that Storage Blob Data Reader grants read access to blob contents, not only to storage account metadata, so assign it only at the scope that actually needs to be scanned and do not add broader roles such as Contributor to this service principal.

2.4.1 Provide Access to Built-In Roles at the Management Group Level

Perform the following steps to provide access to the built-in roles at the Management group level:

  1. Navigate to Access control (IAM) in the selected management group.

  2. Click Add role assignment.

  3. Perform Step 3 in Section 2.4.2: Provide Access to Built-In Roles at the Subscriptions Level for each of the three roles, selecting the management group as the scope.

  4. The Reader, Key Vault Reader, and Storage Blob Data Reader roles assigned at the management group are inherited by every subscription under it, including subscriptions moved into the group later. You do not have to repeat the assignment on individual subscriptions.

2.4.2 Provide Access to Built-In Roles at the Subscriptions Level

Perform the following steps to provide access to the built-in roles at the subscription level:

  1. Navigate to Access control (IAM) in the selected subscription.

  2. Click Add role assignment.

  3. Provide access to the specific role using the following steps:

    • Reader

      1. On the Role tab, select the Reader role and click Next.

      2. Perform the following steps to select members:

        1. Click Select members on the Members tab.

        2. Add your app (for example, key-insight-app), as created in Section 2.2: Create a Service Principal in Microsoft Entra ID (Azure Active Directory).

        3. Click Select.

        4. After adding the members, click Review + assign.


    Figure 5: Add a Reader role

    • Key Vault Reader

      1. On the Role tab, select the Key Vault Reader role and click Next.

      2. Perform the following steps to select members:

        1. Click Select members on the Members tab.

        2. Add your app (for example, key-insight-app), as created in Section 2.2: Create a Service Principal in Microsoft Entra ID (Azure Active Directory).

        3. Click Select.

        4. After adding the members, click Review + assign.


      Figure 6: Add a Key Vault Reader role

    • Storage Blob Data Reader

      1. On the Role tab, select the Storage Blob Data Reader role and click Next.

      2. Perform the following steps to select members:

        1. Click Select members on the Members tab.

        2. Add your app (for example, key-insight-app), as created in Section 2.2: Create a Service Principal in Microsoft Entra ID (Azure Active Directory).

        3. Click Select.

        4. After adding the members, click Review + assign.

      Figure 7: Add a Storage Blob Data Reader role

After the built-in roles have been assigned as outlined in Section 2.4: Provide Access to Built-In Roles in Your Azure Service Principal, at either the management group or the subscription level, the service principal holds all the permissions Fortanix Key Insight needs to scan Azure keys and services; no further permissions have to be granted.
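The portal steps in Sections 2.2 to 2.4 can also be performed, and then verified, from the Azure CLI. The script below is an added example and is not Fortanix documentation or Fortanix code. It assumes a logged-in `az` CLI with rights to create app registrations and role assignments; `key-insight-app`, `key-insight-app-client-secret` and `engineering-management-group` are the names the page uses as examples, and the `ki_` function names are this example's own. Beyond the page's steps, `ki_audit_roles` adds a least-privilege check: it confirms the service principal holds exactly the three reader roles at the chosen scope and reports any role that is missing or any extra role that a read-only scanner should not have.

```shell
#!/usr/bin/env sh
# Added example (not Fortanix code): Azure CLI equivalent of Sections 2.2-2.4.
# Requires: az CLI, already logged in (az login) as a user who can create
# app registrations and role assignments at the target scope.

# The three built-in roles the page requires, one per line.
KI_ROLES='Reader
Key Vault Reader
Storage Blob Data Reader'

# Section 2.3: build the ARM scope string for a management group or a subscription.
# $1 = "mg" or "sub", $2 = management group ID (e.g. engineering-management-group) or subscription ID
ki_scope() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s' "$2" ;;
    sub) printf '/subscriptions/%s' "$2" ;;
    *)   echo "ki_scope: first argument must be mg or sub" >&2; return 1 ;;
  esac
}

# Section 2.2: single-tenant app registration, its service principal, and a client secret.
# $1 = display name (e.g. key-insight-app). Prints app (client) ID, tenant ID and secret,
# one per line; the secret is shown only here, so capture it and store it securely.
ki_create_sp() {
  app_id=$(az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg \
             --query appId -o tsv) || return 1
  az ad sp create --id "$app_id" >/dev/null || return 1
  tenant_id=$(az account show --query tenantId -o tsv) || return 1
  # --years 2 mirrors the 24-month expiry selected in the page; shorter is safer if you can rotate it.
  secret=$(az ad app credential reset --id "$app_id" \
             --display-name key-insight-app-client-secret --years 2 \
             --query password -o tsv) || return 1
  printf '%s\n%s\n%s\n' "$app_id" "$tenant_id" "$secret"
}

# Section 2.4: assign the three reader roles to the service principal at one scope.
# $1 = app (client) ID, $2 = scope string from ki_scope
ki_assign_roles() {
  sp_oid=$(az ad sp show --id "$1" --query id -o tsv) || return 1
  while IFS= read -r role; do
    az role assignment create --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$2" >/dev/null || return 1
  done <<EOF
$KI_ROLES
EOF
}

# Least-privilege check (added beyond the page's steps): the service principal should hold
# exactly the three reader roles at this scope. Prints MISSING:<role> and EXTRA:<role> lines
# and returns 0 only when the assignment matches exactly.
# $1 = app (client) ID, $2 = scope string from ki_scope
ki_audit_roles() {
  actual=$(az role assignment list --assignee "$1" --scope "$2" \
             --query "[].roleDefinitionName" -o tsv) || return 2
  rc=0
  # every required role present?
  while IFS= read -r role; do
    printf '%s\n' "$actual" | grep -qxF "$role" || { echo "MISSING:$role"; rc=1; }
  done <<EOF
$KI_ROLES
EOF
  # anything beyond the three readers is over-privilege for a scanner
  while IFS= read -r have; do
    [ -n "$have" ] || continue
    printf '%s\n' "$KI_ROLES" | grep -qxF "$have" || { echo "EXTRA:$have"; rc=1; }
  done <<EOF
$actual
EOF
  return $rc
}

# Usage (interactive, with a logged-in az CLI):
#   ki_create_sp key-insight-app                 # prints app ID, tenant ID, secret: save all three
#   SCOPE=$(ki_scope mg engineering-management-group)
#   ki_assign_roles <app-id> "$SCOPE" && ki_audit_roles <app-id> "$SCOPE"
```

Run `ki_audit_roles` again after onboarding, and periodically afterwards: a clean result means the scanner still has exactly the read-only access the page calls for, and an `EXTRA:` line means someone widened the service principal's rights beyond what scanning needs.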

3.0 Help and Support