
Azure Active Directory (EntraID) Assessment Setup

SolCyber will perform a bi-annual assessment of your Azure Active Directory environment(s) and provide a report and analysis of critical findings. Please follow the steps below to create an Azure App registration that will provide us read-only access to your Azure Active Directory.

A handful of the checks require specific Azure AD license types and/or an active Azure subscription; see Exposures Assessed for which ones.

Create an Azure AD App Registration

  1. In the Azure portal, select the Azure Active Directory service.
  2. In the Azure AD portal, select App registrations under the Manage menu in the navigation pane.
  3. Click + New registration.
  4. On the Register an application screen, enter “SentinelOne EntraID Assessment” as the name. You can keep all of the default settings (single-tenant, no redirect URI) and click Register.
  5. Take note of the App’s Directory/Tenant ID and Application/Client ID. You will need to provide these to SolCyber.

Set App Permissions

  1. Select API permissions under the Manage menu in the navigation pane.
    The Configured permissions table on the API permissions screen displays the access granted to the application. Initially, you will see the default permission (User.Read) is assigned to the application.

  2. Click + Add a permission.

  3. In the Request API permissions pane (right pane), select Microsoft Graph.

  4. Click Application permissions.

  5. In the Select permissions pane, search for and select the following Application permissions:

    • AuditLog.Read.All
    • Directory.Read.All
    • Policy.Read.All
    • Reports.Read.All
    • User.Read.All

    Click the Add permissions button.

  6. Back on the API permissions screen, click Grant admin consent for <Azure AD tenant>. This button is only available to a Global Administrator or Privileged Role Administrator, because application permissions are not tied to any signed-in user: they give the app tenant-wide read access whenever it authenticates with its secret.

    On the Grant admin consent confirmation message at the top of the page, click Yes. Once the permissions are successfully granted, the Status column shows a green check and “Granted for <Azure AD tenant>” for each of the permissions above. The default delegated permission User.Read is not used by the assessment (it runs with app-only access) and can be removed.

Create a Client Secret

  1. Still within the application, select Certificates & secrets under the Manage menu in the navigation pane.
    • Under the Client secrets tab, click + New client secret.
    • In the Add a client secret pane (right pane), enter the following:
      • Description: descriptive text for the client secret (for example “SolCyber assessment”).
      • Expires: the life span for the client secret; we suggest two years. Record the expiry date: the assessment cannot authenticate once the secret expires, so a new secret must be created and sent to SolCyber before then. Click Add.
  2. Back on the Certificates & secrets screen, the new secret is listed. Copy the Value of the secret (not the Secret ID). NOTE: the value is shown only once; if you navigate away without copying it, delete that secret and create a new one.

Apply Reader Role to App

If you do not have an active Azure subscription, you can skip this step.

After creating the App Registration, assign the built-in Reader role to the app at subscription scope. Reader gives read-only visibility of the subscription’s resources and cannot modify them.

  1. In the search bar at the top of the Azure portal, search for “Subscriptions”.

  2. Click the Subscriptions icon, then select the appropriate Azure subscription.

  3. On the subscription Overview page, click Access Control (IAM).

  4. Click + Add, then Add role assignment.

  5. Search for the “Reader” role. Select it and click Next at the bottom of the page.

  6. In the Members tab, in the Assign access to section, select User, group, or service principal. To select your Azure application, click + Select members. The Select members pane appears.

  7. Search for the Azure application you just created and select the required application from the list.

  8. In the Review + assign tab, review the selected role and members.

  9. Click Review + assign.
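The whole procedure above (registration, Microsoft Graph application permissions, admin consent, client secret, and the optional Reader assignment) as one script. This is an added example written for this page, not SolCyber’s own tooling. It assumes the Microsoft.Graph and Az.Resources PowerShell modules are installed, that the account running it can grant admin consent for Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator) and assign roles on the subscription, and the parameter names and the “SolCyber assessment” secret description are illustrative choices, not values from the page.

```powershell
# Added example (not from the SolCyber page). Automates the portal steps with the
# Microsoft.Graph and Az.Resources modules. Assumes: both modules installed; the signed-in
# account can consent to Graph application permissions and assign subscription roles.
param(
    [string]$AppName = 'SentinelOne EntraID Assessment',
    [string]$SubscriptionId = '',     # leave empty if you have no Azure subscription
    [int]$SecretLifetimeYears = 2
)

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$RequiredRoles = @('AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All',
                   'Reports.Read.All', 'User.Read.All')

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# 1. Register the app (single tenant, no redirect URI) and create its service principal;
#    the portal creates the service principal implicitly, the API does not.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Resolve the app-role IDs from the Graph service principal instead of hard-coding GUIDs,
#    and insist on the *application* (not delegated) variant of each permission.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleIds = foreach ($name in $RequiredRoles) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application permission '$name' not found" }
    $role.Id
}

# Record the requested permissions on the registration ("Add a permission" in the portal).
# Only application permissions are listed; the delegated User.Read default is not needed.
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{
        ResourceAppId  = $GraphAppId
        ResourceAccess = @($roleIds | ForEach-Object { @{ Id = $_; Type = 'Role' } })
    }
)

# 3. "Grant admin consent": an app-role assignment from our service principal to each Graph role.
foreach ($roleId in $roleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}

# 4. Client secret. SecretText is returned only from this call and cannot be read back later.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'SolCyber assessment'
    EndDateTime = (Get-Date).AddYears($SecretLifetimeYears)
}

# 5. Optional: Reader on the subscription so the Azure-resource checks can run.
if ($SubscriptionId) {
    Connect-AzAccount -Subscription $SubscriptionId | Out-Null
    # A freshly created service principal can take a short time to replicate to Azure RBAC;
    # rerun this step if it fails with a "principal not found" style error.
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
        -Scope "/subscriptions/$SubscriptionId" | Out-Null
}

# The three values SolCyber needs, plus the expiry date to diarise for rotation.
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ClientId      = $app.AppId
    SecretValue   = $cred.SecretText
    SecretExpires = $cred.EndDateTime
}
```

Run it once per tenant, for example `.\New-AssessmentApp.ps1 -SubscriptionId <id>` (script name illustrative). The secret value appears only in this output, so paste it straight into the one-time-secret link you send rather than saving the output to disk, and clear the console afterwards. Using the API rather than the portal has one side effect worth knowing: the registration never receives the default delegated User.Read permission, which is fine because the assessment runs app-only.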

Send Credentials to SolCyber

Please send the following information to SolCyber via a one-time secret link (for example onetimesecret.com) or an encrypted email; do not paste the secret value into plain email or chat:

  • Directory/Tenant ID
  • Application/Client ID
  • Secret VALUE (not the secret ID)
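Before sending the three values, it is worth confirming that they actually work and that admin consent produced exactly the five permissions listed under Set App Permissions. The script below is an added example for this page, not SolCyber’s tooling; it needs only PowerShell with outbound access to login.microsoftonline.com and graph.microsoft.com, and its parameter names are illustrative. It performs the same OAuth 2.0 client-credentials request the assessment will make and reads the roles claim of the returned access token, which is the authoritative list of consented application permissions whatever the portal currently shows.

```powershell
# Added example (not from the SolCyber page). Verifies the credentials you are about to send:
# client-credentials grant against Microsoft Graph, then a check of the consented permissions.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$ClientSecret
)

$Expected = @('AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All',
              'Reports.Read.All', 'User.Read.All')

function Get-JwtPayload {
    # Decodes the payload of a JWT without verifying its signature. That is acceptable here
    # only because we inspect a token we just obtained for ourselves, not one presented by a client.
    param([Parameter(Mandatory)][string]$Token)
    $b64 = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }  # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# 1. Client-credentials grant. A wrong client ID or secret fails here (invalid_client);
#    a wrong tenant ID fails with an unauthorized_client / tenant-not-found error.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$payload = Get-JwtPayload $tokenResponse.access_token

# 2. The 'roles' claim carries the consented application permissions; it is absent entirely
#    when admin consent was never granted, so treat a missing claim as an empty list.
$granted = if ($payload.roles) { @($payload.roles) } else { @() }
$missing = $Expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $Expected }

if ($missing) { Write-Warning "Admin consent not granted for: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Permissions beyond what the assessment needs: $($extra -join ', ')" }

# 3. A live read that depends on Directory.Read.All: if this call succeeds, the app can
#    reach the tenant with the token it just obtained.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$org = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/organization' -Headers $headers

"Token OK for tenant '$($org.value[0].displayName)'; granted roles: $($granted -join ', ')"
```

If the script warns about missing roles immediately after consent was granted, wait a minute and retry before assuming the consent step failed; if it warns about extra roles, remove them in API permissions, since the assessment only needs read access. Run the check again whenever the secret is rotated.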