Friday, 13 January 2023

nessus M365 scan

Get the customer to give you MS account global admin on their tenant

Nessus doc's don't quite match up to MS interface as MS interface is changing all the time:

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365


Log into portal.azure.com (azure.microsoft.com)

Setup on OTP portal and update boost

Log into the customer tenant

Copy tenant ID from Home -> MS entra ID > overview into a notepad


Click on active directory (entra ID triangle icon)

Manage > App registrations on the left

Click the + New App registration button

Client credentials -> Add a certificate or secret

+ New client secret

Give name

Set expire 

Copy value and secret ID *** IMPORTANT it will disappear and you will have to start again

ID looks like 7777701d-xxxx-yyyy-zzzz-6b6a1c969999 (don't think you need this but record anyway)

secret value is the secret key which we will need later (record everything so you have it)

Get the app ID from the app registrations and search Nessus


put them in a safe notepad with tenant ID (will need later)


To find the app reg again

Click app registrations, all applications and search your app reg name "Nessus"


Home -> Entra ID -> customer -> Roles and  admins -> all roles -> 

Search Global Reader *** wasn't there for some license levels***

Right click and go to description page (or 3 dots on end) 

Go to Assignments on the left

+ Add assignments 

Add to NessusScan app reg


Create new app

Get app ids + keys 

Create a new client secret

You need to save the secret when it appears as it only displays once


Microsoft Graph *** old ***

Home -> Microsoft Entra ID > App Registrations > Your Application > API Permissions

Permissions -> applications -> read all (reader role)

Expand all and tick Read.All


In Nessus scan app > API Permissions

Add permission > Microsoft Graph > Application permissions

select all read ones

click add permissions 

Then grand admin consent


  • Azure Service Management — user_impersonation
  • Microsoft Graph — Calendars.Read
  • Microsoft Graph — DeviceManagementApps.Read.All
  • Microsoft Graph — DeviceManagementConfiguration.Read.All
  • Microsoft Graph — Directory.Read.All
  • Microsoft Graph — Policy.Read.All
  • Microsoft Graph — Reports.Read.All
  • Microsoft Graph — User.Read.All

Scanning Microsoft Intune:

  • Microsoft Graph — DeviceManagementApps.Read.All
  • Microsoft Graph — DeviceManagementManagedDevices.Read.All



Config in Nessus

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365


Add scan -> compliance > choose template "audit cloud infrastructure" (or copy from previous scan)

credentials (key method, fill in tenant, app ID, secret)
MS 
Fill in
  • select key
  • Tenant ID (entra ID tenant ID, get from home overview in azure portal)
  • app id (app registrations page for the nessus app you created App ID)
  • Client secret (recorded when you setup nessus app secret value long string with no - sperators)

CIS Microsoft add:
L1 
L2 

To export do report button in top right
tick html
select compliance 
generate report

No comments:

Post a Comment