How to Set Up an Azure AD Application (Office 365) and Hardware Resource Scan

This lesson will explain how to set up a scan job to scan for Office 365 Applications and Hardware Resources from Azure cloud Active Directory.

Asset Vision® uses an agentless method of scanning.  Agentless scanning has the profound benefit of being non-disruptive to the configuration of your target systems.  The method we use to perform discovery is based on the creation of scanning jobs that run according to a particular schedule.  The scan jobs implement the various discovery techniques built into Asset Vision®.

1. Create a New Office 365 Azure AD Scan

Navigate to: Setup > Discovery > Scan Jobs > Manage. This data view displays all of the currently existing scan jobs.

  1. Click New at the bottom of the page to launch the Scan Job Setup Wizard.
  2. In the Selection dialog, select either the Network Devices or Applications and Licenses job category. Either will provide the same option for the Azure scan.
  3. In the job type: drop-down, select Office 365 Applications from Azure AD and Azure Resources.
  4. Click OK.

2. Configure the Azure AD Settings

In the Azure AD Settings section, enter the following:

  1. Tenant ID: The Tenant ID for your Azure AD tenant. This field may be left blank.
  2. Scan Directory: Check to scan the entire Azure AD directory for applications, users and groups.
  3. Import Locations: Check to configure the scan to import the locations.
  4. Scan All Office 365 Services: Check to scan all Office 365 services. Note: this checkbox may not be visible depending on your instance configuration.
  5. Selected Office 365 Services to Scan: Check individual Office 365 services to scan. Note: this checkbox may not be visible depending on your instance configuration.
  6. Scan Management: Check to scan Azure AD for virtual machines and other resources.
  7. Subscription ID: Enter the specific Subscription ID to scan, or leave blank to scan all subscriptions available to the supplied credentials.
  8. Import RateCard: Import Azure Rate Card billing/pricing data. A valid subscription ID must be entered for this option to become enabled.
  9. Offer ID: Select an Offer ID related to the subscription. Import RateCard must be checked for this option to become enabled.

Note: If the Azure AD probe receives an AADSTS65001 "invalid_grant" error, you may need to provide consent for the probe to scan your Azure AD domain. Log in to the Azure portal in your browser and visit this link, where you will be presented with a consent page: click for consent

2. Select PAD

Select a PAD from the drop-down list of existing PADs. Click Next to continue.

3. Select Credentials

Add the credentials that provide the rights needed to scan successfully with the desired probes:

  1. Mark the Select credentials to be used for current scan: check box to use only the specified credentials for the current Scan Job.
    To use any available, pre-defined credentials, leave this box unchecked. The Scan Job will go through each available credential until the scan is successful.
  2. For any given credential type, click the Add (plus sign) button.
  3. In the Credential User Name dialog, select the credential or credentials required for the Scan Job. These credentials must have sufficient rights on the endpoints for the scan to succeed.
    At this point, you may also create a new Credential by clicking New. This will begin the Create a New Credential process.
    Note: It's most beneficial for the SQL scan that both the Windows Credentials and SQL Credentials be specified, as the scan incorporates two different probes returning two different sets of information.
  4. Click the Remove (minus sign) button to remove any unwanted Credentials.
  5. Click Next to continue.

4. Configure the Schedule for the Job

  1. Select the desired Scan Window, or leave as Default if you would like for the scans to run at any time. For more information see Setting up a Scan Window.
  2. Pick the desired Schedule Type for the scan job.
  3. Check Enabled if you want to enable the scan job to run as scheduled once you save and finish the wizard.
  4. Select the Time Zone and Time. Note that the time zone will be saved in GMT/UTC time.
  5. Configure remaining options (Day of week:, Run on:, Repeat every:, etc.)
  6. Click Next.

5. Review and Implement

  1. Provide a Name for the Scan Job.
  2. Review the Scan Job configuration summary. Click Back to modify any of the specified configurations.
  3. Click Save and Run to save the scan job and initiate it immediately, or Save and Finish to save the scan job and let it run at the scheduled time.