Azure
The Azure inventory uses the Azure Service scanning module to capture and document Azure resources. This module uses the Azure App for inventory purposes. The results of the inventory process are displayed in the Cloud Infrastructure section.
The Azure inventory wizard can be opened via the Azure Service button. After selecting a company and choosing a tenant domain (see: Basic Steps), the Azure step will be displayed.
In the Azure step, you must select an Azure App for the inventory process.
If no Azure App has been created yet or an additional one is needed, the Manage Azure App dialog can be opened via the Register Entra ID App button.
Clicking the Load Subscriptions button will display all available subscriptions, which can be deselected if necessary. Note that the Azure App must be authorized for all selected subscriptions.
Once a valid Azure App has been selected, the Next button will be enabled, and the inventory process can be started.
The tree of the Azure environment will be displayed under the Cloud Infrastructure tree. This structure represents subscriptions, resource groups, resources, and their properties retrieved via the Azure API.
Organization:
Summarizes central information about the Azure environment, including basic details like tenant information, verified domains, and contact details.
Subscriptions:
The Subscriptions node represents the top level in the Azure hierarchy and is responsible for resource assignment and billing.
Resource Groups:
The Resource Groups node organizes related resources into logical groups for more efficient management.
Resources:
The Resources node represents individual Azure services such as Virtual Machines, Networks, or Storage Accounts that are contained within subscriptions and resource groups. Beneath each resource, specific properties, configurations, and dependencies are displayed.
ARM Template:
The ArmTemplate node displays Azure Resource Manager (ARM) templates, which describe resources and their configurations in JSON. These templates enable:
- Visualization: Content is shown in the Output tab (parameters, resources, dependencies).
- Restoration: ARM templates can be used to quickly and reliably restore existing resources in Azure or migrate them to another environment as needed.
Properties:
Provides detailed information about the resources. Additionally, custom properties can be added in the Management to capture further specific details about Azure resources.
Permissions:
Displays assigned roles (Owner, Contributor, Reader) and permissions at the subscription, resource group, and resource levels. This feature allows for analyzing user, group, and foreign principal permissions and verifying which resources a specific user has access to.
Role Assignment (resolved):
Shows the effective permissions, including directly assigned roles as well as roles obtained through inheritance or group membership. The view lists users, groups and foreign principals together with their roles (e.g. Owner, Contributor, Reader) and the Inherited Assignment (e.g. subscription, resource group). If the authorization was obtained through group membership, the corresponding group is specified in the Inherited Path; otherwise this field remains empty.
Role Assignment (direct):
Documents specific permissions directly assigned to a resource, resource group, or subscription without inheritance.
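The difference between the resolved and the direct view can be reproduced with a small resolver. This is an added example, not the product's own code or data model: the principal names, scopes, group memberships and the four-column row layout are constructed assumptions that mirror the Inherited Assignment and Inherited Path fields described above.

```python
from collections import deque

# Constructed sample data (assumed model, not the product's schema).
# Direct role assignments: (principal, role, scope the role was assigned at)
DIRECT = [
    ("group:ops", "Contributor", "/subscriptions/sub1"),
    ("user:alice", "Reader", "/subscriptions/sub1/resourceGroups/rg1"),
    ("user:bob", "Owner", "/subscriptions/sub1/resourceGroups/rg1"
                          "/providers/Microsoft.Storage/storageAccounts/st1"),
]
# Group -> direct members; members may themselves be groups (nesting).
MEMBERS = {"group:ops": ["group:oncall", "user:alice"],
           "group:oncall": ["user:carol"]}

def scope_level(scope):
    """Classify an ARM scope by its number of path segments."""
    n = len([p for p in scope.split("/") if p])
    return {2: "subscription", 4: "resource group"}.get(n, "resource")

def expand(group):
    """Return (user, group path) for each user reachable via nested groups."""
    queue, seen, users = deque([(group, [group])]), {group}, []
    while queue:
        current, path = queue.popleft()
        for member in MEMBERS.get(current, []):
            if not member.startswith("group:"):
                users.append((member, " > ".join(path)))
            elif member not in seen:  # guard against membership cycles
                seen.add(member)
                queue.append((member, path + [member]))
    return users

def resolve(target):
    """Rows of (principal, role, inherited assignment, inherited path)."""
    rows, t = [], target.lower()  # ARM resource IDs compare case-insensitively
    for principal, role, scope in DIRECT:
        s = scope.lower()
        if t != s and not t.startswith(s + "/"):
            continue  # assignment sits on a sibling or child scope
        inherited = "" if t == s else scope_level(scope)
        rows.append((principal, role, inherited, ""))
        if principal.startswith("group:"):
            rows += [(u, role, inherited, p) for u, p in expand(principal)]
    return sorted(rows)

if __name__ == "__main__":
    for row in resolve(DIRECT[2][2]):
        print(row)
```

In this constructed data, user:alice holds Reader directly on the resource group but also Contributor through group:ops at the subscription, which is the kind of broader-than-expected access that only the resolved view reveals.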
Dependencies:
Lists connections between individual resources within resource groups and subscriptions, as well as across subscriptions.
Dependency Diagram:
Visualizes the dependencies between resources within the Azure environment, helping identify relationships and required resources.
Microsoft Entra ID:
The Microsoft Entra ID node provides a comprehensive overview of identity and access management, including users, groups, applications, and domains. Additionally, it allows the analysis of permissions on resources, resource groups, and subscriptions to verify the access rights assigned to users, groups, or applications. This simplifies the identification of access paths and the management of roles and policies across the entire Azure environment.
The inventory integrates all Azure elements into a single representation, enhancing consistency and clarity. The focus is on relevant details for efficient and targeted data use.