Create Azure Tenant Connector

Azure Tenant is an account management service that allows you to consolidate multiple Azure accounts into a Tenant you centrally manage. As an administrator of a Tenant, you can create accounts in your Tenant and invite existing accounts to join the Tenant as subscriptions. Qualys lets you set up a Tenant connector and attach subscription connectors in minutes.

  1. Basic Details
  2. Tenant Details
  3. Subscription Details
  4. Connector Details
  5. Tags and Activation
  6. Assign Tags

Azure Organization Connectors API

The Azure Tenant connectors are Azure Organization connectors in our API library.

You can download the Postman collection for the Azure Organization APIs on our GitHub page.

Follow the Azure Console Configurations for Organization Connector to get started with Azure Org APIs.

Refer to the Connector API guide to create, view, and update your Azure Organization connectors.

Steps to Create an Azure Tenant Connector

In the Connectors tab, click Microsoft Azure > Tenant > Create Connector, and our wizard will walk you through the steps.

Basic Details

Provide a name and description for the connector. We recommend you provide a unique name for the connector.

Under applications, you can find two checkboxes.

  • AssetView: Asset Inventory - The connector fetches cloud resource data and populates your Asset Inventory on CSAM. This is active by default for all connectors and cannot be disabled.
  • CSPM - The connector fetches cloud resource data and populates your Cloud Inventory on TotalCloud.

Select Enable Remediation to enable remediation on the connector. You need to configure additional permissions before you enable remediation for Azure connectors. 

Tenant Details

Authenticate your cloud Tenant account with Qualys.

Account Type

Azure Tenant connector currently only supports the Global Account type.

Polling Frequency

Select a frequency at which the Tenant connector should poll the cloud provider and fetch data. The designated interval for the Tenant connector determines when it automatically runs scans for new or deleted accounts. Choose any period under 24 hours as the interval to auto-run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector will connect with the cloud provider every 4 hours to fetch the data.

Tenant Details

Enter the authentication information of the Tenant.

- Tenant Name
Provide a name for the Tenant.

- Application ID and Directory ID

For details on creating an application and retrieving its application ID and directory ID, see Create Application and get Application ID, Directory ID. 

- Authentication Key 

For details on generating an authentication key, see Generate Authentication Key.

Test Connection

Click Test Master Account to verify whether the Tenant connector can authenticate using the provided Tenant details. If the test connection is successful, proceed with the connector creation process. If the test connection fails, you may need to check and update the authentication details.

The next step is enabled only after a successful test connection.

Subscription Details

Authenticate your cloud subscription account with Qualys.

Polling Frequency

Select a frequency at which the Subscription connector should poll the cloud provider and fetch data. The designated interval for the Subscription connector determines when the connectors will be automatically run. Choose any period under 24 hours as the interval to auto-run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector will connect with the cloud provider every 4 hours to fetch the data.

Connector Name Pattern

Enter the prefix that will be added to the Subscription connector. This prefix will show which Tenant the Subscription connector is attached to.

Connector Details

Configure the Tenant connector. Here, you can select the management groups where Subscription connectors are created for the accounts under it.

You have two options when choosing management groups.

All - Subscription connectors are created for all the accounts under all the management groups.

Select management groups - Subscription connectors are created for all the accounts under the selected management groups.

Selecting All enables another option.

Exclude management groups - Subscription connectors are not created for the accounts under the excluded management groups.

The connector details for Azure Tenant connectors also allow you to:

1) Create Subscription connectors for new accounts by selecting the 'Automatically create connectors for new accounts' checkbox. 

2) Automatically disable subscription connectors for your deleted accounts by selecting the 'Detach and Disable connectors for deleted accounts' checkbox. 

The connector will automatically scan for these changes during the polling frequency interval.
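
The following Python example is added here and is not Qualys code: it previews which subscriptions would receive Subscription connectors under the All, Select management groups, and Exclude management groups options, and which would be left without one. The hierarchy, the function names, and the treatment of nested management groups as "under" their parent are assumptions made for this example.

```python
# Constructed sample hierarchy (not a real tenant). Keys are management
# groups; each value lists nested management groups or subscriptions.
TREE = {
    "root": ["mg-prod", "mg-dev", "sub-shared"],
    "mg-prod": ["mg-prod-eu", "sub-prod-us"],
    "mg-prod-eu": ["sub-prod-eu1", "sub-prod-eu2"],
    "mg-dev": ["mg-sandbox", "sub-dev"],
    "mg-sandbox": ["sub-sandbox"],
}

def subscriptions_under(tree, group):
    """Subscriptions below `group`; nested groups count (assumption)."""
    found, stack, seen = set(), [group], set()
    while stack:
        node = stack.pop()
        if node in seen:  # guard against a malformed, cyclic export
            continue
        seen.add(node)
        for child in tree.get(node, []):
            if child in tree:
                stack.append(child)  # nested management group
            else:
                found.add(child)     # leaf entry is a subscription
    return found

def connector_scope(tree, root, mode, selected=(), excluded=()):
    """Return (covered, uncovered) subscription lists for a wizard choice."""
    # Exclusion is only offered when All is chosen, so reject it otherwise.
    unknown = [g for g in (*selected, *excluded) if g not in tree]
    if unknown:
        raise ValueError(f"unknown management groups: {unknown}")
    everything = subscriptions_under(tree, root)
    if mode == "all":
        covered = set(everything)
        for group in excluded:
            covered -= subscriptions_under(tree, group)
    elif mode == "selected" and not excluded:
        covered = set()
        for group in selected:
            covered |= subscriptions_under(tree, group)
    else:
        raise ValueError("mode must be 'all', or 'selected' without exclusions")
    return sorted(covered), sorted(everything - covered)
```

Subscriptions in the second returned list would have no Subscription connector created for them under the chosen option, so review that list before confirming the selection.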

Tags and Activation

We can activate assets for scanning automatically, so you don't have to take this extra step. Select the required checkbox to enable activation for the required app. We automatically activate the resources as they are discovered and even assign them tags if you want. Enable Vulnerability Management (VM) Scanning to scan discovered assets for vulnerabilities.

Enabling Cloud Perimeter Scan 

When you select the Automatically activate all assets for VM Scanning application checkbox, you can see a checkbox to enable cloud perimeter scan.

Select Enable Cloud Perimeter Scan to enable launching perimeter scans on Microsoft Azure resources.

Perimeter scan jobs are run automatically based on the settings defined in the Scan Settings step or the Cloud Perimeter Scan - Global Scan Configuration.

You can enable scanning discovered assets on other Qualys applications for a thorough result. You can activate scans from Policy Compliance (PC), Software Composition Analysis (SCA), and Certificate View (CertView).

Activating assets for PC Scanning can only be accomplished after enabling PC Agent and Compliance Manager. Contact support to enable them.

Select Asset Tags

We recommend you create at least one generic asset tag (for example, Azure) and have the connector automatically apply that tag to all imported assets. You can add more tags to your assets based on discovered Azure metadata.

Assign Tags

Assign tags to the connector that you are creating. You can also create a new tag. For details on creating new tags, see Configure Tag.

Confirmation

Review the connector settings you configured and then click Create Connector.

That’s it! The Tenant connector is created, and so are its subscription connectors. The subscription connectors connect with Microsoft Azure to discover resources from the configured region.

Any changes made to the Azure account are reflected on the connectors only after you run them manually or the auto-run syncs the changes.