Return
-
Title
Detailed instructions on how to manually create an Azure Web App for Change Auditor -
Description
What are the detailed instructions to manually create a web application in our Azure tenant that we can then leverage within the CA Azure template wizard using the "use existing web application" instead of the automatic "create a new web application" option? -
Cause
Sometimes, due to firewall restrictions, or permissions issues, it is necessary to create the WebApp used for the Azure/O365 Auditing template manually. -
Resolution
To create an Azure/O365 web application in Azure Portal using the 'new' App Registrations UI:1. If applicable, delete the problematic template from CA client and restart the CA agent where it was assigned.2. In the Azure Portal, navigate to Azure Active Directory | App Registrations | New registration3. Provide the details (example):Note: the name must be unique like ChangeAuditorAppxxxxxxxx where xxxxxxxx are any random letters and numbers to ensure the application name is unique. The Redirect URI should have reply appended to the end of the Application NameName: ChangeAuditorAppxxxxxxxxSupported Account Types: Accounts in this organizational directory only (MSFT only - Single tenant)Redirect URI (for Change Auditor 7.1.1): Select Web and type the following URl https://ChangeAuditorAppxxxxxxxxreplyRedirect URI (for Change Auditor 7.2): Select Web and type the following URl https://TenantName/ChangeAuditorAppxxxxxxxx/reply4. Register the app5. Click on the newly registered app to open its properties.NOTE: The following permissions are needed:Microsoft Graph Application permissions:• AuditLog.Read.All – Application - Read all audit log data• Directory.Read.All – Application - Read directory data• IdentityRiskEvent.Read.All – Application - Read all identity risk informationOffice 365 Management APIs Application permissions:• ActivityFeed.Read – Application - Read activity data for your organization6. On the left menu, click on "API Permissions" and add the additional following permissions:a) Click on "+ Add a permission"b) Click on Microsoft Graphc) Click on Application permissionsd) In the filter, paste in AuditLog.Read.All, expand the list, turn on the checkbox, and then click Add Permissionse) Perform steps a, b & c again, in the filter, paste in Directory.Read.All, expand the list, turn on the checkbox, and then click Add Permissionsf) Perform steps a, b & c again, in the filter, paste in IdentityRiskEvent.Read.All, expand the list, turn on the checkbox, and then click Add Permissionsg) Click on "+ Add a permission"h) Click on Office 365 Management APIsi) Click on application permissionsj) In the filter, paste in ActivityFeed.Read, expand the list, turn on the checkbox (don't check the ActivityFeed.Read permission), and then click Add Permissions7. Click 'Grant admin consent for TenantName', and then click Yes.8. Add a client secret under Certificates & Secrets.a) Click on "Certificates & Secrets" on the left menu when looking at the ChangeAuditorAppxxxxxxxx app's properties.b) Click on "+New Client Secret"c) Enter "ChangeAuditorAppxxxxxxxx" into the description, select an appropriate expiry from the "Expires" dropdown, and then click "Add"9. Copy the now available Secret Value for later use in CA. It cannot be retrieved later.10. Only use this option if you are creating an O365 template - Upload a Certificate under Certificates & Secrets.a) Click on "Certificates & Secrets" on the left menu when looking at the ChangeAuditorAppxxxxxxxx app's properties.b) Click on Certificates, and then select "Upload certificate"c) Select the certificate that you have created and enter "ChangeAuditorAppxxxxxxxx" into the description, and then click "Add"11. Take the Application (client) ID from the Overview tab and the key from step 8 for later. (this is the ID for the ChangeAuditorAppxxxxxxxx WebApp, not for the secret you just created)12. Create a new Azure AD/O365 template for in CA client using the tenant name (adc.onmicrosoft.com), the recently created web app ID, and secret value from earlier steps.Azure AD template:a) From the CA Client, click on View | Administrationb) On Administration Tasks tab, click on the Auditing blade in the lower leftc) Click on Azure Active Directory on the menu on the leftd) On the right-hand pane, click +Add to start the template wizarde) In the pop-up, select the "use existing web application" radio buttonf) Enter the tenant FQDN (i.e., adc.onmicrosoft.com)g) Enter the Secret Value and Application ID that you copied from steps 9 and 11h) Turn on your selected options under the Activity sectioni) Select the agent that you are going to be using to audit the azure data withj) Click on "Finish"O365 template:a) From the CA Client, click on View | Administrationb) On Administration Tasks tab, click on the Auditing blade in the lower leftc) Click on O365 on the menu on the leftd) On the right-hand pane, click +Add to start the template wizarde) In the pop-up, select the "use existing web application" radio buttonf) Enter the tenant FQDN (i.e., adc.onmicrosoft.com)g) Enter the Application ID that you copied at step 11 in the Application ID field, enter the Secret Value that you copied from at 9, and upload the certificate that you have created (this certificate must match the certificate that you have uploaded to the registered Azure App).h) Turn on your selected options under the Office 365 Services Selectioni) Select the agent that you are going to be using to audit the O365 withj) Configure auditing as per your requirementk) Configure Option Excluded Operations as per your requirementl) Click on "Finish"12. Configuration should be created successfully. You should start to see Azure/ O365 events show up in the overview tab within a few minutes.