Aqua CSPM supports organization-level connections in Microsoft Azure. An Organization Subscription automatically enrolls and scans all existing subscriptions in a Microsoft Azure Management Group, and adds new subscriptions to CSPM as they are created within that Management Group.


As a best practice, we recommend adding a new Microsoft Azure subscription as your Organization Subscription; alternatively, you can edit an existing subscription and convert it.



Creating a New Organization Subscription in Microsoft Azure (Recommended Best Practice)

Using a dedicated Organization Subscription preserves isolation and follows the principles of least privilege and privilege separation: CSPM's API calls do not compete with your existing workloads for Microsoft Azure API quotas, and the credentials used to audit your subscriptions' security configuration are isolated and limited to that purpose.

  1. Log in to your Microsoft Azure Portal and navigate to the Subscriptions Blade: https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade
  2. Select Add
  3. If you have access to multiple billing accounts, select the billing account for which you want to create the subscription. 
  4. Create a new subscription named "Aqua-CSPM". This subscription is used only to connect your entire Organization to CSPM and should not host other workloads. Fill in the form and click Create.
  5. Copy the Subscription Id.
  6. Open a PowerShell window, sign in with Connect-AzAccount if you have not already done so, and switch to the Aqua-CSPM subscription as follows:
# Replace the placeholder with the Subscription Id copied in step 5
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"


Enable Management Groups in Microsoft Azure

To complete your setup, enable Management Groups in the Management Groups Blade.

  1. Log in to your Microsoft Azure Portal and navigate to the Management Groups Blade: https://portal.azure.com/#blade/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/MGBrowse_overview
  2. Click Start using management groups.
  3. Create your root management group and the hierarchy below it. For more information, refer to the Create a management group guide.


For an official guide on Azure Management Groups please visit: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview


Connect a new Microsoft Azure Org Account in Aqua CSPM

With the Organization Subscription and the management group hierarchy in place, connect them to CSPM from the console.

  1. Log in to your CSPM console and navigate to https://cloud.aquasec.com/wizard.
  2. Select your Aqua Group.
  3. Select Microsoft Azure as the Cloud Account Type.
  4. For Method, select Organization (Management Group).
  5. Follow the on-screen Cloud Account Connection Steps (steps 1 to 8 are mandatory; steps 9 to 15 are optional).
  6. In step 8, enter the Application ID, Key Value, Subscription ID and Directory ID, then click Connect Account.
  7. For added security, also complete the optional steps 9 to 15.
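The management group procedure and the CSPM connection procedure above, carried out end to end from PowerShell. This is an added example, not Aqua's own code: the group names corp and corp-prod, the service principal name aqua-cspm-org-reader, the six-month secret lifetime, and the choice of the built-in Reader role at management group scope as the least-privilege audit permission are assumptions (grant whatever role the wizard's on-screen steps actually require). It assumes the Az.Accounts and Az.Resources modules (Az.Resources 5.x or later, whose credential objects expose SecretText) and that the Aqua-CSPM subscription from the previous section already exists.

```powershell
# Added example, not Aqua's code. Assumed names: corp, corp-prod, aqua-cspm-org-reader.
# Assumed role: Reader at management group scope (use the role the CSPM wizard asks for).
$ErrorActionPreference = 'Stop'

Connect-AzAccount | Out-Null

# Work in the isolated Organization Subscription created in the previous section.
$orgSub = Get-AzSubscription -SubscriptionName 'Aqua-CSPM'
Set-AzContext -SubscriptionId $orgSub.Id | Out-Null
$ctx = Get-AzContext

# Management group hierarchy. The built-in Tenant Root Group is named after the
# tenant ID; "corp" is the group whose ID will be connected to CSPM.
$tenantRoot = "/providers/Microsoft.Management/managementGroups/$($ctx.Tenant.Id)"
$mg = New-AzManagementGroup -GroupName 'corp' -DisplayName 'Corp' -ParentId $tenantRoot
New-AzManagementGroup -GroupName 'corp-prod' -DisplayName 'Production' -ParentId $mg.Id | Out-Null

# Place the Organization Subscription under the group so CSPM audits it as well.
New-AzManagementGroupSubscription -GroupName 'corp' -SubscriptionId $orgSub.Id

# Isolated credential for CSPM: a dedicated service principal with a client secret,
# granted only a read role at management group scope (assumption, see lead-in).
$sp   = New-AzADServicePrincipal -DisplayName 'aqua-cspm-org-reader'
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddMonths(6)
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $mg.Id | Out-Null

# Least-privilege check: the principal must hold assignments only at the management
# group scope. Anything else (for example a default Contributor assignment on the
# current subscription added by older Az versions) is flagged for removal.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -ne $mg.Id } |
    ForEach-Object { Write-Warning "Unexpected assignment for CSPM principal: $($_.RoleDefinitionName) at $($_.Scope)" }

# The values step 8 of the CSPM connection wizard asks for.
[pscustomobject]@{
    'Application ID'      = $sp.AppId
    'Key Value'           = $cred.SecretText   # shown once; store it in a vault, then clear your shell history
    'Subscription ID'     = $orgSub.Id
    'Directory ID'        = $ctx.Tenant.Id
    'Management Group ID' = 'corp'
}
```

Run it once as a user who can create management groups and role assignments at the tenant root. On Az.Resources versions earlier than 5.x, New-AzADServicePrincipal assigned the Contributor role on the current subscription by default; the Get-AzRoleAssignment check above will surface that so you can remove it, since CSPM only needs to read configuration.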


Please note that the management group identified by the connected management group ID is scanned periodically to retrieve newly added subscriptions.


New Microsoft Azure Subscriptions will be added automatically to CSPM

Once the Organization Subscription is connected, all existing subscriptions under that management group are automatically added to CSPM. Subscriptions are connected in batches of at most one hundred (100) every ten (10) minutes until all of them are connected.


Subscriptions created in Microsoft Azure after the existing ones have been connected are also connected to CSPM automatically; the Organization is scanned for new subscriptions every ten (10) minutes.


If a subscription is deleted in Microsoft Azure, its scans are disabled in CSPM, but the subscription and its scan history remain until an administrator of the CSPM account deletes them manually.


Aqua CSPM will also scan the Organization Subscription for misconfigurations.


What happens when Deleting an Organization Subscription

If the Organization Subscription is deleted, CSPM is disconnected from the Organization and scanning is disabled for all of its subscriptions. Scan history remains available until the subscriptions are manually deleted in CSPM. You can request a bulk subscription deletion from our support team.


Additional Reference

Refer to Connecting a Microsoft Azure Account to learn how to connect a single Microsoft Azure account to Aqua CSPM to scan for security issues.