Microsoft Azure

Instructions for integrating Veza with an Azure tenant.

Veza connects to Azure tenants using an App Registration granted read-only permissions for the Microsoft Graph API. You will need an app client ID, client secret, and the Azure tenant ID to enable the connection in Veza.

Adding an Azure tenant will parse all its services, including Azure AD as an Identity Provider (IdP), and SharePoint Online as an additional data source.

See Notes & Supported Entities for more details on the Veza-Azure connector and supported Microsoft services.

Setup Guide

To integrate with Microsoft Azure, you will need to create an App Registration with read permission, and enter its credentials when adding the Veza integration:

1. Register a new application for Veza

  1. From your Azure tenant profile, navigate to App Registrations > New Registration

  2. Name the new application (for example Veza Integration)

  3. Select Accounts in this organizational directory only (tenantname only - Single tenant), and click "Register" to save your changes.

For more information, see the full instructions from Microsoft.

2. Grant Active Directory permissions for the new app

  1. With the new app registration selected, choose Manage > API Permissions and click "Add a Permission"

  2. Select Microsoft Graph. Click "Application Permissions" and add the permissions:

    • Application.Read.All

    • Files.Read.All

    • Group.Read.All

    • GroupMember.Read.All

    • RoleManagement.Read.All

    • Sites.Read.All

    • User.Read.All

    • Directory.Read.All

    • Reports.Read.All (Required when connecting to SharePoint Online)

    • CustomSecAttributeAssignment.Read.All (Required to gather custom security attributes)

    • AuditLog.Read.All (Required to collect last login date for users)

  3. Click "Grant admin consent" on the API permissions screen. Granting consent requires a sufficiently privileged administrator; afterwards the Status column should show "Granted" for every permission listed above.

The delegated User.Read permission should be granted automatically. If it isn't present, add the permission from Add a Permission > Microsoft Graph > Delegated Permissions.

3. Enable SharePoint integration (optional)

Additional API permissions are required if you plan to connect to SharePoint Online. To grant read-only access for Veza, choose SharePoint on the app registration "Add a Permission" screen, and grant the application permissions:

  • User.Read.All

  • Sites.Read.All

The app registration will also need the Reports.Read.All Microsoft Graph permission from the previous step.

For a complete overview and visual guide, see the official Azure documentation on configuring client application access.

Enable audit log parsing for activity-based extraction

Audit log extraction for SharePoint is provided as an Early Access feature. Please contact your support team to enable this configuration option.

When audit log extraction is enabled for an Azure tenant, Veza will gather audit logs using the Office 365 Management Activity API, and only connect to SharePoint Online for a full update when changes occur.

Enabling activity-based scheduling should help reduce lag between extractions, reducing the total time required to ingest large SharePoint environments. Please see below for the requirements and optional steps to enable:

  1. Auditing must be enabled in the Microsoft Purview compliance portal

    1. Go to https://compliance.microsoft.com and sign in. Click Audit.

    2. If auditing isn't enabled, a banner will prompt to Start recording user and admin activity.

    3. Click the banner to enable auditing, and wait for the changes to propagate.

    4. Alternatively, use Exchange Online PowerShell:

      1. Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

  2. The Enterprise App used by Veza must have ActivityFeed.Read permission on the Office 365 Management API:

    1. When adding permissions to Enable SharePoint integration (optional), add the additional permission for the app registration: API permissions > Office 365 Management APIs > Application permissions > ActivityFeed.Read

  3. After you finish integrating the Azure tenant, enable audit log extraction under Veza Configuration > Cloud Providers. The audit log status column should update to show that extraction is enabled:

4. Generate a Client Secret

  1. From Certificates & Secrets, click "New Client Secret" and select an expiration date. Click "Add" to generate a new client secret value and ID. Record the expiry date: discovery stops when the secret expires, so plan to rotate it in Veza before then.

  2. Copy the client secret Value immediately, since it is only shown once; you'll use it to configure the integration within Veza.

5. Get the Application and Directory unique identifier

  1. Open the Overview screen for the new application. Copy the Application (client) ID.

  2. Copy the value for Directory (tenant) ID. You will need both values when adding the provider to Veza.

6. Assign the Reader role for the Veza app

For each Azure subscription to discover, you will need to add the new Veza app as a Reader. If you don't have any subscriptions (as will be the case if only integrating with Azure AD as an identity provider), this step is optional.

  1. From the Azure Subscription, select Access control (IAM)

  2. Click on "+ Add" -> "Add role assignment"

  3. Select "Reader" as the role

  4. Select "User, Group, or Service Principal" under Assign Access To

  5. Select or search for the Veza app, and assign it the "Reader" role

  6. Save your changes

7. Add Key Vault Permissions (Optional)

To connect to Azure Key Vault, a Key Vault access policy must grant the Veza app List permissions on Keys, Secrets, and Certificates. List permission lets Veza enumerate what exists in the vault without being able to read key material or secret values. This applies to vaults using the access policy permission model; a vault configured for Azure RBAC has no Access policies tab. To create this policy:

  1. From the Key Vaults services page, select the vault Veza will discover.

  2. Select Access policies.

  3. Click + Create.

  4. Select List under Key Permissions, Secret permissions, and Certificate permissions.

  5. Click Next.

  6. Search for and select the Veza app as the Authorized Application.

  7. Click Next, Next, and Create to save the policy.

8. Add the Azure tenant to Veza

After completing the earlier steps, you can add the credentials and enable discovery by navigating to Veza Integrations > Add Integration. Pick Azure for the Integration Type.

Fields on the Add Integration panel:

  • Cloud Provider: AWS, Azure, or Google Cloud

  • Data Plane: Leave the default unless using an Insight Point

  • Name: Friendly name for the account

  • Tenant ID: Azure tenant ID to discover

  • App ID: Application (client) ID of the Veza app registration

  • Client Secret Value: App client secret value

  • Auth Certificate: Optional cert for connecting to SharePoint

  • Auth certificate password: Password for the SharePoint certificate (optional)

  • Limit Azure services extracted: See below

Troubleshooting

If the initial connection fails with the status "Insufficient privileges to complete the operation," validate that the correct API Permissions are granted, that they are granted with the type Application and not Delegated, and that admin consent has been granted (the Status column on the API permissions screen shows "Granted" rather than "Not granted").
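The permission mistakes described above (a permission added as Delegated instead of Application, a permission left out, consent never granted, or a write permission added beyond the read-only set from step 2) can be checked from the app registration's manifest rather than by clicking through the portal. The script below is an added example, not Veza's or Microsoft's code. It assumes the three inputs are fetched with the Azure CLI (`az ad sp show --id 00000003-0000-0000-c000-000000000000` for the Microsoft Graph service principal, `az ad app show --id <app-client-id> --query requiredResourceAccess` for the registration, and `az rest` against `/servicePrincipals/<veza-sp-object-id>/appRoleAssignments` for consented roles); here those are replaced by constructed sample data with placeholder GUIDs so it runs offline.

```python
"""Audit an app registration's Microsoft Graph permissions against the read-only
application permission set the Veza connector needs.

Added example, not Veza's or Microsoft's code. Real inputs come from the Azure CLI
(assumed installed and logged in); the SAMPLE_* objects below are constructed.
"""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# Application (not delegated) permissions listed in the setup guide.
REQUIRED_GRAPH_ROLES = {
    "Application.Read.All", "Files.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "RoleManagement.Read.All", "Sites.Read.All", "User.Read.All", "Directory.Read.All",
    "Reports.Read.All", "CustomSecAttributeAssignment.Read.All", "AuditLog.Read.All",
}


def audit_graph_permissions(graph_sp, required_resource_access, app_role_assignments,
                            required=REQUIRED_GRAPH_ROLES):
    """Return required roles that are missing, mis-added as delegated scopes, requested
    but not admin-consented, and granted roles that go beyond the read-only set."""
    role_value_by_id = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    scope_value_by_id = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}

    requested_roles, requested_scopes = set(), set()
    for resource in required_resource_access:
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # SharePoint / Office 365 Management API entries are not audited here
        for entry in resource["resourceAccess"]:
            if entry["type"] == "Role":       # application permission
                requested_roles.add(role_value_by_id.get(entry["id"], entry["id"]))
            elif entry["type"] == "Scope":    # delegated permission
                requested_scopes.add(scope_value_by_id.get(entry["id"], entry["id"]))

    # requiredResourceAccess only records what was requested; admin consent shows up as
    # appRoleAssignments on the connector's own service principal.
    consented_roles = {
        role_value_by_id.get(a["appRoleId"], a["appRoleId"])
        for a in app_role_assignments if a["resourceId"] == graph_sp["id"]
    }
    required = set(required)
    return {
        "missing": sorted(required - requested_roles),
        "delegated_instead_of_application": sorted((required - requested_roles) & requested_scopes),
        "requested_not_consented": sorted((required & requested_roles) - consented_roles),
        "beyond_read_only": sorted(requested_roles - required),
    }


# --- constructed sample data; placeholder GUIDs, not Microsoft's real permission ids ---
def _fake_id(n):
    return f"00000000-0000-4000-8000-{n:012d}"


SAMPLE_GRAPH_SP = {
    "id": "11111111-1111-4111-8111-111111111111",  # Graph service principal object id
    "appId": GRAPH_APP_ID,
    "appRoles": [{"id": _fake_id(i), "value": v} for i, v in
                 enumerate(sorted(REQUIRED_GRAPH_ROLES) + ["Directory.ReadWrite.All"], 1)],
    "oauth2PermissionScopes": [{"id": _fake_id(101), "value": "User.Read"},
                               {"id": _fake_id(102), "value": "User.Read.All"}],
}
_ROLE_ID = {r["value"]: r["id"] for r in SAMPLE_GRAPH_SP["appRoles"]}

# A registration with four common mistakes: User.Read.All added as a delegated scope,
# AuditLog.Read.All forgotten, Directory.ReadWrite.All added "to be safe", and
# Reports.Read.All requested but never admin-consented.
SAMPLE_REQUIRED_RESOURCE_ACCESS = [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": (
        [{"id": _ROLE_ID[v], "type": "Role"}
         for v in sorted(REQUIRED_GRAPH_ROLES - {"User.Read.All", "AuditLog.Read.All"})]
        + [{"id": _ROLE_ID["Directory.ReadWrite.All"], "type": "Role"}]
        + [{"id": _fake_id(101), "type": "Scope"}, {"id": _fake_id(102), "type": "Scope"}]
    ),
}]
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"resourceId": SAMPLE_GRAPH_SP["id"], "appRoleId": e["id"]}
    for e in SAMPLE_REQUIRED_RESOURCE_ACCESS[0]["resourceAccess"]
    if e["type"] == "Role" and e["id"] != _ROLE_ID["Reports.Read.All"]
]


def audit_sample():
    return audit_graph_permissions(SAMPLE_GRAPH_SP, SAMPLE_REQUIRED_RESOURCE_ACCESS,
                                   SAMPLE_APP_ROLE_ASSIGNMENTS)


if __name__ == "__main__":
    for finding, values in audit_sample().items():
        print(f"{finding}: {', '.join(values) or 'none'}")
```

The "beyond_read_only" finding is the least-privilege check: anything outside the documented set, such as a ReadWrite permission, should be removed from the registration before the secret is handed to the connector. The same pattern extends to the SharePoint and Office 365 Management API resources by indexing their service principals' appRoles instead of Graph's.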

Limiting discovered resources and identities

Additional options on the "add provider" panel enable limits on the data sources and identities extracted:

Options on the Add Integration panel:

  • Domains: Comma-separated list of domains to discover, ignoring any others

  • Gather disabled users: Whether to include disabled users

  • Gather guest users: Whether to parse identity metadata for Azure AD Guest users

  • Gather personal sites: Whether to include personal SharePoint sites

  • Data source allow/deny lists: Indicate resources to ignore by name or *

  • Custom Properties: Indicate custom security attributes to gather

  • Extract PIM Eligibility: Optionally discover temporary role assumptions based on Privileged Identity Management scheduling rules

  • Dynamics 365 Environments: Optional list of Dynamics 365 environments to discover, e.g. https://org50e57fbd.crm.dynamics.com. Note that the full URL including "https" is required.

Connecting to SharePoint

You can connect to SharePoint Online by uploading a .PFX certificate generated for app-only access, and optionally providing a password for the certificate. For information about generating the certificate, please see the Microsoft documentation. You will also need to update the permissions granted to the Veza app to include User.Read.All and Sites.Read.All, as outlined in the SharePoint setup instructions.

Custom Security Attributes

Veza can optionally gather and show custom security attributes on Azure AD objects. The custom properties to discover must be identified by name and type in the Azure tenant configuration.

An Azure AD Premium P1 or P2 license is required to use Custom Attributes for Azure AD. The Enterprise Application used by Veza must have the CustomSecAttributeAssignment.Read.All Microsoft Graph permission.

To enable custom property extraction:

  1. Add a new Azure cloud provider configuration, or edit an existing one.

  2. On the provider configuration modal, click + Add Custom Property.

  3. Provide the type and name of the custom property.

    1. For Azure AD, the name is the attribute name of the custom security attribute. The data type is a property of the custom security attribute (Boolean, Integer, or String).

    2. For example: (EngineeringCertification, Boolean), (MarketingLevel, String).

    3. If the custom properties are part of an Attribute Set, include the attribute set name as a prefix, for example <AttributeSetName>_<AttributeName>.

  4. Save the configuration. The custom attributes will be collected the next time the data source is parsed.
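To see how the configured (name, type) pairs line up with what Microsoft Graph actually returns, the following added example (not Veza's code) reads a user's customSecurityAttributes object using the `<AttributeSetName>_<AttributeName>` naming convention from step 3 and flags any property whose declared type does not match the value in the directory. It assumes the user was fetched with `GET /users/{id}?$select=id,userPrincipalName,customSecurityAttributes` under the CustomSecAttributeAssignment.Read.All permission; the payload below is a constructed sample in that shape, and the attribute names in it are made up.

```python
"""Map configured custom security attributes onto the customSecurityAttributes
object Microsoft Graph returns for a user.

Added example, not Veza's code. SAMPLE_USER is a constructed Graph-style payload;
attribute set and attribute names in it are invented for illustration.
"""

# Types the Veza configuration accepts, mapped to the Python type Graph's JSON yields.
TYPE_MAP = {"Boolean": bool, "Integer": int, "String": str}


def read_custom_attributes(user, configured):
    """configured: iterable of (name, type) pairs, name as <AttributeSet>_<Attribute>
    (split at the first underscore; assumes set names contain no underscore).
    Returns (values, problems): values maps each configured name to the user's value
    (None if the user has no such attribute); problems lists names whose value in the
    directory is not of the configured type."""
    attribute_sets = user.get("customSecurityAttributes") or {}
    values, problems = {}, []
    for name, type_name in configured:
        set_name, _, attr_name = name.partition("_")
        py_type = TYPE_MAP[type_name]
        value = attribute_sets.get(set_name, {}).get(attr_name)
        values[name] = value
        if value is None:
            continue
        # Multi-valued attributes arrive as a JSON array; every element must match.
        items = value if isinstance(value, list) else [value]
        # bool is a subclass of int in Python, so reject True/False where Integer is declared.
        well_typed = all(isinstance(i, py_type) and not (py_type is int and isinstance(i, bool))
                         for i in items)
        if not well_typed:
            problems.append(name)
    return values, problems


# --- constructed sample: the shape Graph uses, including its @odata.type annotations ---
SAMPLE_USER = {
    "id": "22222222-2222-4222-8222-222222222222",
    "userPrincipalName": "alice@contoso.example",
    "customSecurityAttributes": {
        "Engineering": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "EngineeringCertification": True,
            "Level@odata.type": "#Int32",
            "Level": 3,
            "Project@odata.type": "#Collection(String)",
            "Project": ["Baker", "Cascade"],
        },
        "Marketing": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "MarketingLevel": "Senior",
        },
    },
}

# What an operator typed into "+ Add Custom Property"; MarketingLevel is deliberately
# misconfigured as Integer, and Finance_Approver is not assigned to this user at all.
SAMPLE_CONFIGURED = [
    ("Engineering_EngineeringCertification", "Boolean"),
    ("Engineering_Level", "Integer"),
    ("Engineering_Project", "String"),
    ("Marketing_MarketingLevel", "Integer"),
    ("Finance_Approver", "Boolean"),
]


def read_sample():
    return read_custom_attributes(SAMPLE_USER, SAMPLE_CONFIGURED)


if __name__ == "__main__":
    values, problems = read_sample()
    for name, value in values.items():
        print(f"{name} = {value!r}")
    print("type mismatches:", problems or "none")
```

A mismatch like Marketing_MarketingLevel above is worth catching before the next extraction: the attribute exists, so the configuration looks right in the UI, but the declared type is wrong for every user who has it set.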

Enable Dynamics 365

Early Access: Dynamics 365 support is currently provided on an experimental basis. Contact our support team to enable this feature.

The Microsoft Azure integration includes optional support for Dynamics 365, including Business Units, Users, Teams, Application Users, and Security Roles. Veza discovers and shows connections between Azure AD Users, Groups, and Service Principals, and the permissions they can assume within a Dynamics 365 environment.

You can specify one or more environments to discover when adding a Microsoft Azure integration or editing an existing one.

Grant Azure AD Enterprise Application access to Dynamics 365 Environment

In order for Veza to extract Dynamics 365 data, you need to grant the Azure AD Enterprise App access to the Dynamics 365 environments you want to discover. To do so, manually create an Application User in each environment:

  1. Visit Power Platform Admin Center and choose the environment to connect to.

  2. Go to Settings > Users + Permissions > Application Users and click New app user

  3. Select one of the existing Microsoft Azure AD (Entra ID) applications. This should be the same one used for the Veza-Azure integration. Pick the Business unit. Pick a Service Reader security role to enable read access to your Dynamics 365 environment. Optionally add other security roles necessary for accessing the Dynamics 365 environment. Confirm with Create.

  4. Log in to Veza and configure the Microsoft Azure integration. In the Dynamics 365 Environments field, enter a comma-separated list of environments to discover, for example https://org1.crm.dynamics.com,https://org2.crm.dynamics.com. Addresses must include the https:// protocol and omit any trailing / at the end of the URL.

Enabling the Enterprise App to access your Dynamics 365 Environment does not consume a paid license. For more details about managing application users in Power Platform, see the Microsoft documentation Manage Application Users and Connect as an App.
