Table of Contents

Cloud Onboarding
Onboard Azure 2

Page: 1 of 9
Onboard Azure
Onboard your entire Azure organization or individual subscriptions in Tenable Cloud Security to get full
visibility and risk assessment for all cloud identities and resources associated with the subscription/s,
including information about permissions, subscription usage, and security configurations. Tenable
collects inventory and configuration data from Azure API.

After you complete onboarding, Tenable displays a status for each subscription, indicating, for
example, whether Tenable can connect to the account, and helping you troubleshoot potential
onboarding issues.

Considerations for Onboarding an Organization Versus Individual

Subscriptions
When deciding whether to onboard your entire Azure organization as opposed to individual
subscriptions, it's important to consider how this decision impacts features in Tenable Cloud Security.
Tenable recommends onboarding your entire organization to ensure that the management group is
connected to Tenable, and to ensure that the most accurate least privilege recommendations are
provided for your Azure resources.

Onboard Your Azure Organization

Onboard your entire Azure organization to expedite and automate the onboarding process in cloud
environments with many accounts. Doing so allows you to:

Simultaneously onboard all subscriptions to Tenable at once.

Automatically onboard new subscriptions added in Azure at a later stage. See Automatic
Onboarding of New Subscriptions for more information.
Ensure visibility related to the full range of platform features.

Prerequisites:

Add the Azure Active Directory (AD) tenant that is used to establish trust for the management
group.

To onboard an Azure organization:

Be aware that during the wizard you will need to navigate back and forth between the Tenable
Cloud Security Console and the Azure portal.

1. In the Tenable Cloud Security Console, navigate to Settings > Integrations and click on
Azure Organization .

2. Click Lets Start . The Add Azure Organization wizard opens.

3. Select an Azure AD tenant (Step 1 in wizard). Select the Azure Active Directory tenant linked
to the organization you want to add. If the tenant doesn't appear in the dropdown, you'll need
to add it before you proceed to add your organization.

4. Click Next .

Page: 2 of 9
 5. Enter your Organization Details (Step 2 in wizard).

1. Enter an Organization Name . By default, the name is taken from the name of the
Azure AD tenant you chose in the previous step, but you can edit as desired.

2. Choose whether to Automatically update management group structure .

Copy your Azure management group structure into Tenable, keeping your
subscription hierarchy intact and continuously synchronized. Learn more about
account hierarchy .

3. Choose whether to Create a dedicated folder for the Azure AD tenant .

Select this option if you are planning to onboard multiple Azure AD tenants. This
will automatically create a dedicated folder for the Azure AD tenant in Tenable and
map child entities to their respective sub-folders. If you don't plan to onboard more
than one tenant, unselect the checkbox.

6. Click Next .

7. Choose Permissions (Step 3 in wizard). Choose which features to enable, keeping in mind
that each feature requires different permissions. You can modify your selection after the initial
onboarding.

Monitoring (read-only). Gain full visibility for all cloud assets, including information
about permissions, subscription usage, and security configurations.

Virtual Machine Scanning (Workload Protection). Scan virtual machines for

vulnerabilities and misconfigurations.

Relevant if you're working with Tenable Cloud Security Workload Protection

(requires Standard/Enterprise license). See the relevant Workload Protection
documentation for more information.

Remediation (read-write). Allow Tenable to make changes in your environment. This

lets you automatically remediate findings with one click, for example (One-click
remediation is still available via OTP without these permissions).

8. Click Next .

9. Assign roles to Tenable Cloud Security either via ARM, PowerShell, or manually (Step 4 in
wizard).

Page: 3 of 9
 ARM (Azure portal):
1. Log in to the Azure portal for the organization that you want to onboard and navigate
to the root management group.
2. Click here to create a Custom deployment.
3. Configure the project and instance details as instructed to in the Tenable Cloud
Security wizard:
- Management Group: Tenant Root Group
- Region: Specify a single region
- Principal ID: Copy the val ue di spl ayed i n the wi zard
- Monitoring: Copy the val ue di spl ayed i n the wi zard
- Remediation: Copy the val ue di spl ayed i n the wi zard
- Workload Scanning: Copy the val ue di spl ayed i n the wi zard
- Just-in-time Access: Copy the val ue di spl ayed i n the wi zard
4. Click Review + create .
5. Click Create .
6. [Tenable Cloud Security Console] Click Finish .

PowerShell (Azure CLI):

1. Log in to the Azure portal and open a new Cloud Shell session (Switch to
PowerShell and click Confirm).

Administrator privileges are required to create the role assignments.

2. Copy the $roleDefinitionNames command displayed in the Tenable Cloud

Security wizard and run it in your shell.

3. [Tenable Cloud Security Console] When the script completes successfully, click
Finish .

Manual (Azure portal):

1. Log in to the Azure portal for the organization that you want to onboard, and
navigate to the Access control (IAM) tab within the root management group.
2. Assign roles to the Tenable Cloud Security Connector app by repeating the
steps that follow below for each of the roles displayed in the Tenable Cloud
Security wizard.
3. Click on Add > Add role assignment .
4. Search for and select a role from the list in the wizard and click Next .
5. Click + Select members .
6. Search for and select Tenable Cloud Security Connector and then click
Select .
7. Click Next and then click Review + assign to finish. Repeat these steps for all
additional roles.
8. [Tenable Cloud Security Console] Click Finish .

After your Azure organization is added successfully, click Done to return to the Integrations > Azure
Organization page, where you will see your newly added organization. Subscriptions that belong to
the organization are displayed in the Azure > Accounts page.

Page: 4 of 9
 After being added successfully, data about resources in your organization will start to appear in
Tenable Cloud Security. The time it takes for all data to appear varies depending on the size of your
cloud environment. See Manage Your Accounts in Tenable for more information.

Automatic Onboarding of New Subscriptions

During initial organization onboarding, all existing subscriptions are automatically onboarded to
Tenable Cloud Security. Afterwards, by default, any new subscriptions you add in Azure are also
automatically onboarded to Tenable. You can change this behavior, to prevent new subscriptions from
being automatically onboarded to Tenable.

To prevent automatic onboarding of subscriptions:

1. In the Tenable Cloud Security Console, navigate to Integrations > Azure Organization .
2. Edit the relevant organization.
3. On the Organization Details page (step 2), uncheck Automatically onboard new
subscriptions .

Onboard a Subscription
Use this procedure to onboard an individual account. Alternatively, you can onboard your entire
organization. Follow the wizard to choose which features to enable, and then add role assignments in
Azure to grant the Tenable Cloud Security app access to the subscriptions.

Prerequisites:

Add the Azure Active Directory (AD) tenant that is used to establish trust for the subscription.

To onboard an Azure subscription:

Be aware that during the wizard you will need to navigate back and forth between the Tenable
Cloud Security Console and the Azure portal.

1. In the Tenable Cloud Security Console, navigate to Accounts > Azure and click and then
Add subscription . The Add Subscription wizard opens.

2. Select Azure AD Tenant (Step 1 in wizard). Select the Azure AD tenant linked to the Azure
organization you want to add and then click Next . If the tenant doesn’t appear in the
dropdown, add it it before you proceed to add your organization.

3. Provide Subscription ID (Step 2 in wizard). Enter the relevant Subscription ID and then
click Next . You can find the Subscription ID in the Azure portal, in your list of subscriptions.

4. Choose Permissions (Step 3 in wizard). Choose which features to enable, keeping in mind
that each feature requires different permissions. You can modify your selection after the initial
onboarding. When finished, click Next .

Monitoring (read-only). Gain full visibility for all cloud assets, including information
about permissions, subscription usage, and security configurations. This permission
can't be disabled.

Virtual Machine Scanning (Workload Protection). Scan workloads for vulnerabilities

and misconfigurations.

Page: 5 of 9
 Relevant if you're working with Tenable Cloud Security Workload Protection
(requires Standard/Enterprise license. See the relevant Workload Protection
documentation for more information.

Remediation (read-write). Allow Tenable to make changes in your environment. This

lets you automatically remediate findings with one click.

Just-in-time Access (User Access Administrator). Grant users access to cloud

accounts for a predetermined period of time and on an as-needed basis.

Terraform State (Blob Container). To analyze Terraform resources, permissions are

required to read from the blob container storing the state data.

Relevant in you're working with IaC, and you want to trace issues back to code.
This permission can only be enabled by editing the account, after successful
onboarding. See Trace Issues Back to Code for more information.

5. Assign roles to Tenable Cloud Security either via ARM, PowerShell, or manually (Step 4 in
wizard).

ARM (Azure portal): .

1. Log in to the Azure portal for the organization that you want to onboard.
2. Click the link in the Tenable Cloud Security wizard to create a Custom
deployment.
3. Configure the project and instance details as instructed to in the Tenable Cloud
Security wizard:
Subscription: Choose the subscription you want to add
Region: Specify a single region
Principal ID: Copy the val ue di spl ayed i n the wi zard
Monitoring: Copy the val ue di spl ayed i n the wi zard
Remediation: Copy the val ue di spl ayed i n the wi zard
Workload Scanning: Copy the val ue di spl ayed i n the wi zard
Just-in-time Access: Copy the val ue di spl ayed i n the wi zard

4. Click Review + create .

5. Click Create and wait until the deployment is completed successfully.
6. [Tenable Cloud Security Console] Click Finish .

PowerShell (Azure CLI):

1. Log in to the Azure portal and open a new Cloud Shell session (Switch to
PowerShell and click Confirm).

Administrator privileges are required to create the role assignments.

2. Copy the $roleDefinitionNames command displayed in the Tenable Cloud

Security wizard and run it in your shell.

Page: 6 of 9
 3. [Tenable Cloud Security Console] When the script completes successfully, click
Finish .

Manual (Azure portal):

1. In the Azure portal, navigate to the Subscriptions page, and then click on the
subscription you want to add.
2. Assign roles to the Tenable Cloud Security Connector app by repeating the
steps that follow below for each of the roles displayed in the Tenable Cloud
Security wizard.
3. Navigate to Access Control (IAM) and click on Add > Add role assignment .
4. Search for and select a role from the list in the wizard and click Next .

The User Access Administrator (for JIT) role is in the Privileged

administrator roles tab.

5. Click + Select members .

6. Search for and select Tenable Cloud Security Connector and then click
Select .
7. Click Next and then click Review + assign to finish. Repeat these steps for all
additional roles.
8. [Tenable Cloud Security Console] Click Finish .

After your Azure subscription is added successfully, click Done to return to the Accounts > Azure page,
where you will see your newly added subscription.

After being added successfully, data about resources in your subscription will start to appear in
Tenable Cloud Security. The time it takes for all data to appear varies depending on the size of your
cloud environment. See Manage Your Accounts in Tenable for more information.

Required Azure Permissions

Page: 7 of 9
 Azure
Feature Notes
Permissions
Reader The Key Vault Reader role only allows read access
Key Vault to metadata of key vaults and its certificates, keys,
Reader and secrets. It doesn’t grant access to read sensitive
Azure values such as secret contents or key material. For
Kubernetes more information, refer to the relevant Microsoft
Service documentation.
Monitoring Cluster The two Kubernetes roles provide visibility and risk
(read-only) User Role assessment for cloud identities and resources
Azure associated with AKS clusters. For more information
Kubernetes about AKS cluster onboarding and requirements,
Service including 1) additional permissions required for full
RBAC IAM visibility, and 2) network access requirements,
Reader see Onboard an Azure AKS Cluster.

Virtual
Machine Using this feature requires the Standard/Enterprise license.
Disk Snapshot
Scanning See Workload Protection documentation for more
Contributor
(Workload information.
Protection)
Remediation
Owner
(read-write)
Just-in-time User Access Using this feature requires a separate JIT license. See JIT
Access Administrator documentation for more information.
IaC - Trace This permission can only be enabled by editing the account,
Storage Blob
Issues Back after successful onboarding. See Trace Issues Back to Code
Data Reader
to Code for more information.

Subscription Status and Troubleshooting

Tenable Cloud Security displays a Status for each subscription on the Accounts > Azure page,
indicating, for example, whether Tenable can connect to the subscription, and helping you
troubleshoot potential onboarding issues.

Status Description
Azure AD is not The Azure Active Directory tenant is not connected. See Add an Azure
connected Active Directory Tenant for more information.
Tenable Cloud Security successfully connected to the subscription, and the
Connected
subscription is up and running.
Deleting... this
You deleted the subscription in Tenable Cloud Security, and the process
may take up to an
hasn't completed yet.
hour
Tenable Cloud Security failed to connect to the subscription. This might
happen for one of the following reasons:
Failed to connect The subscription was deleted in Azure, but not deleted from the
Tenable Cloud Security Console.
The service principal is unauthorized

Missing One or more of the listed roles are missing, and need to be added to the
permissions subscription. See Required Azure Permissions for more information.
The subscription is Expired, Past Due, or Warned, in Azure. Refer to the
Subscription is not
relevant Azure documentation for more information about subscription
enabled
states.
Subscription is The subscription is Deleted or Disabled in Azure. Refer to the relevant
pending deletion Azure documentation for more information about subscription states.

Page: 8 of 9
 Frequently Asked Questions
Q: What are the minimum roles/permissions that my Azure AD user needs to authorize the
Tenable Cloud Security app in Azure, when I add an Azure AD tenant in Tenable ?

A: Granting admin consent requires you to sign in to Azure as a user that is authorized to consent on
behalf of the organization. For more information about the specific roles needed to do this, refer to
Microsoft documentation.

Q: Why does Tenable need to be granted the Key Vault Reader role assignment? Does
this role grant Tenable access to key material?

A: The Key Vault Reader role only allows read access to metadata of key vaults and its certificates,
keys, and secrets. It doesn’t grant access to read sensitive values such as secret contents or key
material. For more information, refer to the relevant Microsoft documentation.

Powered by Document360

Page: 9 of 9