Azure Services

About This Document

Epiphany Intelligence Platform requires a Microsoft Azure Active Directory (Azure AD) user account assigned to the role of Workstation & Server admin to collect and ingest information about Azure AD resources. This document describes the process for adding this user, assigning the role, and providing the credentials in the Epiphany portal.

Overview

Epiphany leverages Azure AD to establish permissions boundaries and actual privilege usage. Where other tools require agents, which are more invasive and risk causing system instability, Epiphany can use session and group enumeration data from Azure AD and other sources to provide qualitative risk.

Azure AD is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth.

Azure AD leverages concepts similar to traditional on-premise Active Directory (AD) such as:

• Domain names (similar to tenant or organizational IDs in Azure AD).

• User names (similar to service principal names, or SPNs).

• Passwords (similar to application secrets).

Roles are associated to SPNs similar to the way privileges are associated to users, groups, and other objects in traditional on-premise AD. For Epiphany to gather data and perform analysis, an account with global reader privileges is required.

Version Compatibility

• Epiphany Collector version 1.0 or later.

Prerequisites

• Azure AD portal access with an account that has permissions to create application registrations.

What is Needed for Integration

• The tenant ID for the Azure AD domain being integrated (also referenced as the organization ID in multi-tenant implementations of Azure AD).

• An application ID with the role of global reader.

• The application secret for the aforementioned application ID.

Legal Notice