
Office365 & Azure Scanning

Nessus can scan Office 365 and Azure tenants for compliance against a known baseline. However, because the documentation is thin, setting up the credentials was tricky, and resolving the error below was even trickier.

Frustrations


{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "7b4216bf-329b-42b7-9b03-bb441697d814",
      "date": "2019-11-25T10:41:46"
    }
  }
}

Fortunately, the people over at Astrix have found the solution and wrote a great guide. To preserve this guide and update it as necessary, I have included it below:

Step 1 – Create Azure user Account

At https://portal.office.com/adminportal/home#/users, create a simple user account for Nessus. No administrative roles are required.

Make a note of the username and password.

Step 2 – Create an Azure Registered App

At https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps, select New registration → enter a name such as Nessus → select Register.

In Overview, make a note of the Application (client) ID.

Step 3 – Generate the Azure App Client Secret

In Certificates & secrets, select New client secret → enter a name such as Nessus - <hostname> → select Add.

Make a note of the value.

Step 4 – Grant Azure App Admin Roles

Using a Microsoft web browser (yes, really), browse to either https://outlook.office365.com/ecp/hybrid or https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application then install the Exchange Online PowerShell Module.

Once the Exchange Online PowerShell Module is installed, open it and execute the following commands:

# Sign in to the tenant with an administrator account
Connect-MsolService

# Display name of the app registered in Step 2
$displayName = "<Azure registered app name>"

# Look up the service principal that the app registration created
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

# "Company Administrator" is the MSOnline name for the Global Administrator role
$roleName_companyAdmin = "Company Administrator"
Add-MsolRoleMember -RoleName $roleName_companyAdmin -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

$roleName_userAdmin = "User Account Administrator"
Add-MsolRoleMember -RoleName $roleName_userAdmin -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

Step 5 – Configure the Scan

Create an Audit Cloud Infrastructure compliance scan and configure it with the Office 365 credentials that you generated in the previous steps.
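Before running the scan, it is worth confirming that the role assignments from Step 4 actually landed on the app's service principal, since a missing membership is what produces the Authorization_RequestDenied error above. The following check is an added example, not part of the Astrix guide or the Nessus product; it assumes the MSOnline module is installed and Connect-MsolService has already been run, and the value of $displayName is a placeholder for the app name chosen in Step 2.

```powershell
# Added example (not from the original guide): verify that the Nessus app
# registration holds the roles granted in Step 4 before configuring the scan.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.

$displayName   = "Nessus"   # placeholder: the registered app name from Step 2
$requiredRoles = @("Company Administrator", "User Account Administrator")

# Resolve the service principal behind the app registration
$sp = Get-MsolServicePrincipal -SearchString $displayName
if (-not $sp) {
    Write-Error "No service principal found for '$displayName'; check the app registration from Step 2."
    return
}
if (@($sp).Count -gt 1) {
    Write-Warning "Several service principals match '$displayName'; checking the first one only."
    $sp = @($sp)[0]
}

$missing = @()
foreach ($roleName in $requiredRoles) {
    # Enumerate the role's members and look for this service principal's ObjectId
    $role    = Get-MsolRole -RoleName $roleName
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    $isMember = $members | Where-Object {
        $_.ObjectId -eq $sp.ObjectId -and $_.RoleMemberType -eq "ServicePrincipal"
    }

    if ($isMember) {
        Write-Host "OK      $roleName -> $($sp.DisplayName) ($($sp.ObjectId))"
    } else {
        Write-Host "MISSING $roleName"
        $missing += $roleName
    }
}

if ($missing.Count -eq 0) {
    Write-Host "All required roles are assigned to '$($sp.DisplayName)'."
} else {
    Write-Host "Roles still missing: $($missing -join ', '). Re-run the Add-MsolRoleMember commands from Step 4 for these roles."
}
```

Run it in the same PowerShell session used for Step 4. Each required role is reported as OK or MISSING, and the match is made on the service principal's ObjectId rather than its display name, so a user account that happens to share the app's name will not produce a false OK.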
