Guardian can utilize the Azure Resource Manager (ARM) API to represent a resource group as a node. To do so, you will need your subscription, AD tenant and AD client IDs, along with a user account that has access to at least one non-empty resource group. In addition, a Windows connection manager of at least version 4.8.0 is required to facilitate the scan.
Prerequisites
- You will need a Microsoft Azure account.
- You will need the subscription, AD tenant and AD client IDs for that account.
Adding
- Log into Guardian and select Discover -> Discover.
- From the node select screen, click Windows and then select Manual.
- On the resulting page, fill out the fields as follows:
Field | Should be set to... |
---|---|
Node Type | "Cloud App". |
Cloud App | "Azure RM". |
Connection Manager Group | A Connection Manager Group with access to Azure. |
Hostname | The name of the resource group to monitor. |
Username | The name of a user that has access to the resource group. |
Password | The password for the aforementioned user. |
Subscription ID | The subscription ID associated with the account that contains the resource group. |
AD Tenant ID | The Azure Active Directory Tenant ID associated with the account that contains the resource group. |
AD Client ID | An Azure Active Directory Client ID associated with the account that contains the resource group. |
- Click Add Node at the bottom of the form to add the node.
- Click "Scan" on the node's show page.
Subscription ID, AD Tenant ID and AD Client ID
- Your Azure subscription ID can be found on the settings page after logging into the Azure management portal.
- Your Active Directory Tenant ID can be found in the URL for your AAD management page, per the following screenshot.
- Your Active Directory Client ID can be found on the Active Directory Application page for the application that you wish to use when scanning your Azure resources.
Azure Active Directory Applications
You must specify an AAD application (via its client ID) to use when connecting from Guardian to Azure. This can be an existing native AAD application, or you can create a new one per the following steps:
1. Navigate to the Active Directory management page for your Azure account.
2. Select the Active Directory to use.
3. Select "Applications", and click "Add" at the bottom of the page.
4. Enter a name for the application, and choose Native Client Application.
5. Enter a sign-on URL. Guardian does not use this URL, so it can be any valid URL.
6. You will now be presented with your new application. Select "Configure" at the top.
7. The "Client ID" field on this page contains the ID that you will use when connecting from Guardian to Azure.
8. Under "permissions to other applications", you must have the "Windows Azure Service Management API" entry, with the "Access Azure Service Management..." delegated permission enabled.
9. You will then need to grant these delegated permissions to this application. You can do so under "Azure Active Directory" > <Your directory name> > "App Registrations" > <The name of the newly created application> > Settings > Required Permissions.
Common failure scenarios
The following message indicates that you have not entered a password, or that the password cannot be decrypted by the current connection manager. Re-enter your credentials and try again.
The following message indicates that you are using a Web API application instead of a Native Client application to connect to Azure. Specify a Native Client application client ID and try again.
The following message indicates that either the resource group you are attempting to scan contains no resources, or the user account specified does not have the required permissions. In the latter case, add the user to the resource group and try again.
The following message indicates that you need to use the "Grant Permissions" function on the application you are using to connect Guardian to Azure. Follow the directions under Azure Active Directory Applications, step 9, and try again.
AADSTS65001: The user or administrator has not consented to use the application with ID . Send an interactive authorization request for this user and resource.
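The following pre-flight check is an added example, not part of Guardian or of this guide. It verifies, from a PowerShell session signed in with the Az module as the intended scan user, that the five values the node form asks for are consistent and that the two conditions behind the "no resources / no permissions" failure above do not apply. The Az cmdlets used are standard; the parameter values are placeholders you supply.

```powershell
# Added pre-flight check for a Guardian Azure RM node (example code, not Guardian's own).
# Assumes the Az PowerShell module is installed and Connect-AzAccount has been run as the scan user.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # value for the Hostname field
    [Parameter(Mandatory)] [string] $ScanUserUpn,     # value for the Username field
    [Parameter(Mandatory)] [string] $SubscriptionId,  # value for the Subscription ID field
    [Parameter(Mandatory)] [string] $TenantId,        # value for the AD Tenant ID field
    [Parameter(Mandatory)] [string] $ClientId         # value for the AD Client ID field
)

$ErrorActionPreference = 'Stop'
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount as the scan user first.' }

# 1. Subscription ID and AD Tenant ID must match the tenant/subscription you are signed into.
if ($ctx.Subscription.Id -ne $SubscriptionId) {
    Write-Warning "Subscription ID mismatch: signed-in context uses $($ctx.Subscription.Id)"
}
if ($ctx.Tenant.Id -ne $TenantId) {
    Write-Warning "Tenant ID mismatch: signed-in context uses $($ctx.Tenant.Id)"
}

# 2. The AD Client ID must belong to an application registered in this directory.
$app = Get-AzADApplication -ApplicationId $ClientId
if (-not $app) { Write-Warning "No application registration found for client ID $ClientId" }
else           { Write-Host "Application registration: $($app.DisplayName)" }

# 3. The resource group must exist and contain at least one resource
#    (an empty group produces the "contains no resources" failure).
$resources = @(Get-AzResource -ResourceGroupName $ResourceGroup)
Write-Host "Resource group '$ResourceGroup' contains $($resources.Count) resource(s)."
if ($resources.Count -eq 0) { Write-Warning 'Guardian cannot scan an empty resource group.' }

# 4. The scan user needs a role assignment covering the resource group scope
#    (otherwise the "does not have the required permissions" failure occurs).
#    -ExpandPrincipalGroups also counts roles inherited through group membership.
$user = Get-AzADUser -UserPrincipalName $ScanUserUpn
$assignments = @(Get-AzRoleAssignment -ObjectId $user.Id -ResourceGroupName $ResourceGroup -ExpandPrincipalGroups)
if ($assignments.Count -eq 0) {
    Write-Warning "$ScanUserUpn has no role assignment covering '$ResourceGroup'; add the user to the resource group."
} else {
    $assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
}
```

Warnings from steps 1 to 4 map directly onto the form fields and failure scenarios above; the AADSTS65001 consent error is not detectable this way and still requires granting the delegated permission as described in step 9.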