Getting Started with the Microsoft Azure On-Demand Assessment

The On-Demand Assessment - Microsoft Azure is a cloud service that analyzes and provides identity and access management (IAM) guidance for Azure Active Directory and related components. The analysis generates a list of recommendations to address with remediation guidance and best practices to improve the health and security of Azure resources. In addition, the assessment identifies features that can be enabled to expand Azure Active Directory capabilities. Assessments are available through the Services Hub to help optimize the availability, security, and performance of Microsoft technology investments. These assessments use Microsoft Azure Log Analytics, which is designed to simplify IT and security management across the environment.

This assessment is designed to provide specific actionable guidance grouped in focus areas to mitigate risks to Microsoft Azure and the organization.

The Microsoft Azure Assessment focuses on several key pillars of Azure Active Directory, including:

  • Identity and Access Management
  • Governance
  • Operations
  • Authentication
  • Security

Running the Microsoft Azure Assessment

Prerequisites

To take full advantage of the On-Demand Assessments available through Services Hub, you must:

  1. Have linked an active Azure Subscription to Services Hub and added the Microsoft Azure assessment. For more information, please see Getting Started with On-Demand Assessments or watch the how-to-link video.

  2. Install the Microsoft Monitoring Agent and choose the appropriate agent setup option on a supported Windows Server machine. You can also watch the video guide on how to install the agent or how to configure the gateway.

  3. Have an assessment scheduled task account (domain or local user) with the following rights:

    • Administrative access to the data collection machine
    • Log on as a batch job privileges on the data collection machine

  4. Have an Azure AD account for the setup of the Azure AD registered application with the following properties:

    • Global Administrator
    • Non-federated

  5. Have an Azure AD account for assessment execution (this can be a separate account from the one above) with the following properties:

    • Global Reader role
    • Non-federated
    • MFA disabled

  6. Review the Pre-Requisites document for the Azure Assessment. This document provides the detailed technical documentation of the Azure Assessment and the server preparation needed to run the assessment. It also documents the different types of data collected by the assessment.

Note

On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment you can review the data in Azure Log Analytics. This will provide you with a prioritized list of recommendations, categorized across six focus areas. This allows you and your team to quickly understand risk levels, the health of your environments, act to decrease risk, and improve your overall IT health.

Set up the Microsoft Azure Assessment on the data collection machine - Watch Video Guide

Note

You will only be able to successfully set up the assessment once you have linked your Azure Subscription to Services Hub and added the Azure Assessment from Health -> Assessments in Services Hub.

  1. On the data collection machine, create the following folder: C:\OMS\Azure (or any other folder you prefer).
  2. Open regular PowerShell (not ISE) in Administrator mode and run the cmdlet below to create the registered app in the Azure AD tenant being assessed:
	New-MicrosoftAssessmentsApplication

Note

If the command New-MicrosoftAssessmentsApplication is not available, the module has not been found yet. It can take some time after installing the agent before it shows up.

  3. Provide the required Azure AD account credentials that satisfy the requirements mentioned earlier in this article. Click Accept on the admin consent prompt for the read permissions this application requires for the assessment.

Note

Please refer to Permissions for Microsoft Azure AD Assessment Application for consent details.

  4. Open regular PowerShell (not ISE) in Administrator mode and run the cmdlet below to define the Azure AD credentials that will be used by the scheduled task:
	$AzureGlobalReader = Get-Credential
  5. Provide the required Azure AD account credentials that satisfy the requirements mentioned earlier in this article.

Note

Please refer to Updating an Azure assessment for updating an existing credential.

  6. Run the Add-AzureAssessmentTask command using the parameters below, replacing <Directory> and <AccountName> with the assessment working directory and the assessment scheduled task account name:
	Add-AzureAssessmentTask -AADUsername $AzureGlobalReader.UserName -AADPassword $AzureGlobalReader.Password -WorkingDirectory <Directory> -ScheduledTaskUsername <AccountName>

Note

If the command Add-AzureAssessmentTask is not available, the module has not been found yet. It can take some time after installing the agent before it shows up.

  7. The script will continue with the necessary configuration and create a scheduled task that will trigger the data collection.

  8. Data collection is triggered by the scheduled task named AzureAssessment within an hour of running the previous script and then every 7 days. The task can be modified to run on a different date/time, or even forced to run immediately, from the Task Scheduler library -> Microsoft -> Operations Management Suite -> AOI*** -> Assessments -> AzureAssessment.

  9. During collection and analysis, data is temporarily stored under the Working Directory folder that was configured during setup.

  10. After a few hours, your assessment results will be available in your Log Analytics workspace and in Services Hub. You can navigate to the results by going to Services Hub -> Health -> Assessments and then clicking "View all recommendations" in the active assessment.

  11. If you wish to have a Microsoft Accredited Engineer go over the issues in your Azure environment with you, contact your Microsoft Representative and ask them about the Remote or Onsite PFE-led delivery.

    Contract   Remote Engineer              Onsite Engineer
    Premier    Azure AD Remote Datasheet    Azure AD Onsite Datasheet
    Unified    Azure AD Remote Datasheet    Azure AD Onsite Datasheet
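To confirm that Add-AzureAssessmentTask actually created the AzureAssessment scheduled task, see when it last ran and with what result, and force an immediate collection run without opening the Task Scheduler UI, the following PowerShell function is an added example; it is not part of the original article or of the assessment module. It assumes the task lives under the Microsoft -> Operations Management Suite -> AOI*** -> Assessments folder named above (the AOI folder is matched with a wildcard), and the function name is this example's own.

```powershell
# Added example, not part of the assessment module: report on the AzureAssessment
# scheduled task created by Add-AzureAssessmentTask and optionally run it now.
function Get-AzureAssessmentTaskStatus {
    [CmdletBinding()]
    param(
        [string]$TaskName = 'AzureAssessment',
        [switch]$RunNow
    )

    # Task path follows the folder structure named in the article; the
    # AOI-<workspace> folder name varies per workspace, so it is wildcarded.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Operations Management Suite\AOI*\Assessments\' }

    if (-not $task) {
        Write-Warning "Scheduled task '$TaskName' was not found under the Operations Management Suite folder. Has Add-AzureAssessmentTask completed on this machine?"
        return
    }

    $info = $task | Get-ScheduledTaskInfo

    # RunAsUser should be the scheduled task account passed as -ScheduledTaskUsername.
    # LastTaskResult 0x00000000 means the last collection run exited cleanly;
    # 0x00041303 means the task has not run yet (expected right after setup).
    [pscustomobject]@{
        TaskPath       = $task.TaskPath
        State          = $task.State
        RunAsUser      = $task.Principal.UserId
        LastRunTime    = $info.LastRunTime
        LastTaskResult = ('0x{0:X8}' -f $info.LastTaskResult)
        NextRunTime    = $info.NextRunTime
    }

    if ($RunNow) {
        # Same effect as "Run" in the Task Scheduler library: starts data collection immediately.
        Start-ScheduledTask -InputObject $task
    }
}

# Run from an elevated PowerShell on the data collection machine.
Get-AzureAssessmentTaskStatus
```

Add -RunNow to trigger collection immediately instead of waiting for the first scheduled run.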

Updating an existing Microsoft Azure assessment

Azure AD service account credentials

By default, an Azure AD user account password expires in 90 days. The Microsoft Azure assessment service account credential is stored in Windows Credential Manager and can be updated with the following syntax:

# Prompt for the new password of the assessment execution account
$AzureGlobalReader = Get-Credential
$User = $AzureGlobalReader.UserName
# The plaintext password is needed only for the moment it is written to Credential Manager
$Pass = $AzureGlobalReader.GetNetworkCredential().Password
# The target name contains spaces, so it must be quoted for cmdkey; calling cmdkey
# directly (rather than through Invoke-Expression) keeps special characters in the
# password from being re-parsed by PowerShell
cmdkey /generic:"Microsoft Assessment:Azure AD" /user:"$User" /pass:"$Pass"
Remove-Variable Pass
# Verify the stored entry (Get-StoredCredential is provided by the CredentialManager module)
$Cred = Get-StoredCredential -Target "Microsoft Assessment:Azure AD"
