Gathering logs, security configurations, and access controls across Azure services can be tedious and error-prone. The Complyance Azure integration automates this by pulling the latest compliance evidence, ensuring it stays up to date before expiration.
This integration covers additional Microsoft services such as Defender and Intune. Please contact your implementation lead for the permissions for any additional services.
Register Complyance app
- Go to the App registrations page in the Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
- Click New registration.
- Fill the form:
  - Name: Complyance
  - Supported account types: Accounts in this organizational directory only
  - Redirect URL (optional): Leave empty
- Click Register.
- You will be redirected to the Overview page of the newly created app. Please save the Application (client) ID, as it will be needed later.
Configure Permissions
Each Azure integration check requires configuring permissions to allow the app registered in Step 1 to pull necessary data. There are two places where permissions can be configured:
- API permissions at the App registration level
- Access control (IAM) at the Azure subscription level
If you are unsure which of these is required, please message your implementation lead!
1. API Permissions on the App registration level
- Go to the App registrations page in the Azure portal: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps. In the All applications tab, search for the app created in step 1 (Register Complyance app) and open its page.
- Go to the API permissions tab.
- Click on the Add a permission button.
- Select Microsoft Graph.
- Select Application permissions, search for the required permissions, tick the checkbox for each of them, and click the Add permissions button.
- Click on the Grant admin consent for {tenant_name} button.
- Confirm the admin consent modal.
- Confirm that the permission's status became Granted for {tenant_name}.
2. Access control (IAM) on the Azure subscription level
If this is the first time configuring permissions at the Azure subscription level, please follow the Create custom role and Assign custom role to app instructions.
If you have configured these permissions before, please follow the Updating custom role permissions instructions below.
Create custom role
- Go to your Azure Subscription and select Access control (IAM). Click Add → Add custom role.
- In the Basics tab, fill in Custom role name (e.g. Complyance Integration) and click Next.
- In the Permissions tab, click Add permissions and add the permissions needed for the integration check to fetch the required data (these should be communicated by the CE team). Click Review + create.
- In the Review + create tab, click Create.
Assign custom role to app
- Go to your Azure Subscription and select Access control (IAM). Click Add → Add role assignment.
- In the Role tab, select the role created in the Create custom role step and click Next.
- In the Members tab, click Select members and select the app created in the Register Complyance app step. Click Review + assign.
- In the Review + assign tab, click Review + assign.
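The two portal procedures above (Create custom role, Assign custom role to app) map onto two PUT requests against Azure's Microsoft.Authorization REST API. The following is an added example, not code from the Complyance documentation or product: it builds both request bodies and lints the role so that it grants only read actions on a single subscription, which is all an evidence collector needs. The action list EXAMPLE_ACTIONS is a constructed placeholder (the real list comes from your implementation lead), the role and assignment IDs are generated locally, and nothing is sent unless you wire the returned URL and body into an authenticated request.

```python
"""Build and sanity-check an Azure custom role definition and its role
assignment for a compliance-collection app registration.

Added example, not from the Complyance documentation. The action list is a
constructed placeholder; use the one your implementation lead provides.
Request shapes follow the Microsoft.Authorization REST API
(api-version 2022-04-01). Only the standard library is used.
"""
import json
import uuid

API_VERSION = "2022-04-01"
ARM = "https://management.azure.com"

# Constructed placeholder: read-only actions typical for evidence collection.
EXAMPLE_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Network/networkSecurityGroups/read",
]


def lint_actions(actions):
    """Return the actions that are not read-only (ideally an empty list).

    A collector only needs to read; a '*' wildcard or any write/delete/action
    verb would over-privilege the app registration.
    """
    return [a for a in actions if not a.endswith("/read")]


def build_custom_role(subscription_id, role_name, actions, role_id=None):
    """Return (url, body) for PUT roleDefinitions, assignable only in one subscription."""
    bad = lint_actions(actions)
    if bad:
        raise ValueError(f"non-read actions in role definition: {bad}")
    role_id = role_id or str(uuid.uuid4())
    scope = f"/subscriptions/{subscription_id}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleDefinitions/"
           f"{role_id}?api-version={API_VERSION}")
    body = {
        "name": role_id,
        "properties": {
            "roleName": role_name,
            "description": "Read-only access for compliance evidence collection",
            "type": "CustomRole",
            "permissions": [{"actions": list(actions), "notActions": [],
                             "dataActions": [], "notDataActions": []}],
            "assignableScopes": [scope],  # never broader than the subscription
        },
    }
    return url, body


def build_role_assignment(subscription_id, role_id, principal_object_id, assignment_id=None):
    """Return (url, body) for PUT roleAssignments.

    principal_object_id is the service principal's object ID (as shown under
    Enterprise applications), not the Application (client) ID from the app
    registration; mixing the two is a common cause of a failed assignment.
    """
    assignment_id = assignment_id or str(uuid.uuid4())
    scope = f"/subscriptions/{subscription_id}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "principalId": principal_object_id,
        "principalType": "ServicePrincipal",
    }}
    return url, body


if __name__ == "__main__":
    # <subscription-id> is a placeholder; substitute your own subscription.
    url, body = build_custom_role("<subscription-id>", "Complyance Integration", EXAMPLE_ACTIONS)
    print(url)
    print(json.dumps(body, indent=2))
```

Running the lint before every Update custom role permissions change keeps the role from silently accumulating write actions; the assignableScopes check is what stops the role from being reused in another subscription.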
Update custom role permissions
- Go to your Azure Subscription and select Access control (IAM). Select the Roles tab, search for the Complyance Integration role created in the previous step and click Edit in its dropdown menu.
- Go to the Permissions tab.
- Click the Add permissions button, search for the required permissions, tick their checkboxes and click Add.
- Click the Review + update button.
- Confirm that all the required permissions are in the list and click Update.
Create app client secret
- On the Complyance app registration page, click Certificates & secrets.
- Click New client secret.
- Fill the form:
  - Description: Complyance Client Secret
  - Expires: Choose an expiry period that balances your security requirements with how often it will need to be updated in the Complyance platform
- Click Add.
- Save the secret before leaving the page, as it will not be visible again.
Securely provide the following credentials to the Complyance team
- Tenant ID - Microsoft Entra ID tenant ID, which can be found in Tenant Properties
- Subscription ID - ID of the subscription containing the resources to be checked, available on the Subscriptions page in the Azure portal
- Client ID - App registration ID from the Register Complyance app step
- Client secret - App registration client secret from the Create app client secret step
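Before handing the four values above to the Complyance team, it is worth confirming that they actually work together and that the app registration carries exactly the application permissions that were consented to in the API Permissions step. The following is an added example, not part of the Complyance documentation or product: it performs the OAuth 2.0 client credentials grant against the Microsoft identity platform v2.0 token endpoint, decodes the resulting app-only token, and compares its `roles` claim (the admin-consented Microsoft Graph application permissions) with the set you expect. REQUIRED_GRAPH_ROLES and the environment variable names are this example's own assumptions; the real permission list comes from your implementation lead.

```python
"""Check that a Complyance-style app registration has the expected
application permissions before its credentials are handed over.

Added example, not from the Complyance documentation. Assumptions:
  - REQUIRED_GRAPH_ROLES is a constructed placeholder list; the real
    permissions are provided by the implementation lead;
  - credentials are read from environment variables whose names are
    this example's own choice.
Only the standard library is used.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed placeholder: replace with the permissions you were given.
REQUIRED_GRAPH_ROLES = {"Directory.Read.All", "Policy.Read.All"}

GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # app-only Graph token
ARM_SCOPE = "https://management.azure.com/.default"    # app-only ARM token (subscription checks)


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form_body) for the client credentials grant on the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT without verifying its signature.

    Acceptable for inspecting a token we just received from the identity
    provider over TLS; never use this to accept a token presented by a caller.
    """
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_app_token(claims, tenant_id, required_roles):
    """Compare an app-only token's claims against what the integration needs.

    `roles` lists the application permissions an admin has consented to;
    a missing role usually means Grant admin consent was not completed for it.
    """
    granted = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing_roles": sorted(required_roles - granted),
        "extra_roles": sorted(granted - required_roles),  # review for least privilege
    }


def fetch_and_check(tenant_id, client_id, client_secret, required_roles):
    """Acquire a Graph token with the supplied credentials and check its roles."""
    url, body = build_token_request(tenant_id, client_id, client_secret, GRAPH_SCOPE)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    return check_app_token(decode_jwt_payload(token), tenant_id, required_roles)


if __name__ == "__main__":
    # Assumed environment variable names for the values listed on this page.
    result = fetch_and_check(
        os.environ["AZURE_TENANT_ID"],
        os.environ["AZURE_CLIENT_ID"],
        os.environ["AZURE_CLIENT_SECRET"],
        REQUIRED_GRAPH_ROLES,
    )
    print(json.dumps(result, indent=2))
```

An empty `missing_roles` list confirms the admin consent step; anything in `extra_roles` is a permission the integration was not asked for and is a candidate for removal. Requesting ARM_SCOPE instead exercises the subscription-level role assignment, since the token endpoint will only issue that token once the service principal can be resolved in the tenant.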