Create Azure Tenant Connector

Azure Tenant is an account management service that allows you to consolidate multiple Azure accounts into a Tenant you centrally manage. As an administrator of a Tenant, you can create accounts in your Tenant and invite existing accounts to join the Tenant as subscriptions. Qualys lets you set up a Tenant connector and attach subscription connectors in minutes.

Azure Organization Connectors API

The Azure Tenant connectors are known as Azure Organization connectors in our API library.

You can download the Postman collection for the Azure Organization APIs on our GitHub page.

Follow the Azure Console Configurations for Organization Connector to get started with Azure Org APIs.

Refer to the Connector API guide to create, view, and update your Azure Organization connectors.

Create Azure Tenant Connectors

In the Connectors tab, click Microsoft Azure > Tenant > Create Connector, and our wizard will walk you through the steps.

Step 1: Basic Details

Provide a name and description for the connector. We recommend you provide a unique name for the connector.

Select applications that apply to the connector. 

Select Enable Remediation to enable remediation on the connector. You need to configure additional permissions before you enable remediation for Azure connectors. 


Step 2: Tenant Details

Account Type

Azure Tenant connector currently only supports the Global Account type.

Polling Frequency

Select a frequency at which the Tenant connector should poll the cloud provider and fetch data. The designated interval for the Tenant connector determines when it automatically runs scans for new or deleted accounts. Choose any period under 24 hours as the interval to auto-run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector will connect with the cloud provider every 4 hours to fetch the data.

Tenant Details

Enter the authentication information of the Tenant.

- Tenant Name
Provide a name for the Tenant.

- Application ID and Directory ID

For details on creating an application and retrieving its application ID and directory ID, see Create Application and get Application ID, Directory ID. 

- Authentication Key 

For details on generating an authentication key, see Generate Authentication Key.

Test Connection

Click Test Master Account to verify whether the Tenant connector can authenticate using the Tenant details you provided. If the test connection is successful, proceed with the connector creation process. If the test connection fails, you may need to check and update the authentication details.

The next step is enabled only after a successful test connection.

Step 3: Subscription Details

Polling Frequency

Select a frequency at which the Subscription connector should poll the cloud provider and fetch data. The designated interval for the Subscription connector determines when the connectors will be automatically run. Choose any period under 24 hours as the interval to auto-run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector will connect with the cloud provider every 4 hours to fetch the data.

Connector Name Pattern

Enter the prefix that will be added to the Subscription connector. This prefix will show which Tenant the Subscription connector is attached to.

Step 4: Connector Details

Configure the Tenant connector. Here, you can select the management groups where Subscription connectors are created for the accounts under it.

You have two options when choosing management groups.

All - Subscription connectors are created for all the accounts under all the management groups.

Select management groups - Subscription connectors are created for all the accounts under the selected management groups.

Selecting All enables another option.

Exclude management groups - Subscription connectors are not created for the accounts under the excluded management groups.

The connector details for Azure Tenant connectors also allow you to:

1) Create Subscription connectors for new accounts by selecting the 'Automatically create connectors for new accounts' checkbox. 

2) Automatically detach and disable subscription connectors for your deleted accounts by selecting the 'Detach and Disable connectors for deleted accounts' checkbox. 

The connector will automatically scan for these changes during the polling frequency interval.
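
The Step 4 options can be modelled offline to check which subscriptions end up with a connector and which are left unmonitored. The following is an added example, not Qualys code or a Qualys API: the function names and sample data are constructed, and it assumes each management group lists only the subscriptions directly under it.

```python
"""Added example: audit of Subscription connector coverage for the Step 4 options.
Constructed data and hypothetical function names; not Qualys code or API calls."""


def expected_subscriptions(groups, mode, selected=(), excluded=()):
    """Subscriptions that should have a connector under the chosen option.

    groups maps a management group name to the subscription IDs directly
    under it (assumption: nested groups are not modelled).
    """
    if mode == "all":
        chosen = set(groups) - set(excluded)
        named = set(excluded)
    elif mode == "select":
        if excluded:
            raise ValueError("exclusions are only offered with the All option")
        chosen = named = set(selected)
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    unknown = named - set(groups)  # catches misspelled group names
    if unknown:
        raise ValueError(f"unknown management groups: {sorted(unknown)}")
    return set().union(*(groups[g] for g in chosen))


def audit(groups, connectors, mode, selected=(), excluded=(),
          auto_create=True, detach_deleted=True):
    """Compare existing connectors (a set of subscription IDs) with the tenant."""
    live = set().union(*groups.values())
    expected = expected_subscriptions(groups, mode, selected, excluded)
    missing = expected - connectors   # in scope, but no connector yet
    deleted = connectors - live       # connector left over from a deleted account
    return {
        "create": sorted(missing) if auto_create else [],
        "uncovered": [] if auto_create else sorted(missing),
        "detach": sorted(deleted) if detach_deleted else [],
        "stale": [] if detach_deleted else sorted(deleted),
        "out_of_scope": sorted(live - expected),
    }


# Constructed sample tenant and connector inventory.
GROUPS = {"mg-prod": {"sub-a", "sub-b"}, "mg-dev": {"sub-c"}, "mg-sandbox": {"sub-d"}}
CONNECTORS = {"sub-a", "sub-c", "sub-old"}

if __name__ == "__main__":
    print(audit(GROUPS, CONNECTORS, "all", excluded=["mg-sandbox"]))
    print(audit(GROUPS, CONNECTORS, "select", selected=["mg-prod"],
                auto_create=False, detach_deleted=False))
```

The "uncovered", "stale" and "out_of_scope" lists are the ones to review: they are subscriptions or connectors that the chosen settings leave unmonitored or unmanaged.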

Step 5: Tags and Activation

We can activate assets for scanning automatically so you don't have to take this extra step. Select the required check box to enable activation for the required app. We automatically activate the resources as they are discovered and even assign them tags if you want.

Enabling Cloud Perimeter Scan 

When you select the Automatically activate all assets for VM Scanning application check box, you can see a check box to enable cloud perimeter scan.

Select the Enable Cloud Perimeter Scan check box if you want to enable launching perimeter scans on Microsoft Azure resources.

Perimeter scan jobs are run automatically based on the settings defined in the Scan Settings step or in the Cloud Perimeter Scan - Global Scan Configuration.

Select Asset Tags

We recommend you create at least one generic asset tag (for example, azure) and have the connector automatically apply that tag to all imported assets. You can add more tags to your assets based on discovered Azure metadata.

Step 7: Assign Tags

Assign tags to the connector that you are creating. You can also create a new tag. For details on creating new tags, see Configure Tags in Qualys CyberSecurity Asset Management documentation. 

Step 8: Confirmation

Review the connector settings you configured and then click Create Connector.

That’s it! The Tenant connector is created and so are its subscription connectors. The subscription connectors connect with Microsoft Azure to discover resources from the configured region.

Any changes made to the Azure account are reflected on the connectors only after you run them manually or the auto-run syncs the changes.