This onboarding guide takes you through steps to set up Azure with Workbench.

Wizard vs. Manual Onboarding

You can use our Azure Wizard, which uses Azure templates, to programmatically connect your Azure instance. 

You can easily deploy RBAC subscription roles in Azure, allowing you to decide whether Expel should monitor 1 or more subscriptions. Expel can also connect to existing log storage accounts, or create new ones on your behalf.

Note
Creating and maintaining additional storage logs can result in additional fees from Microsoft Azure. If you enable storage logging, it's applied to all storage accounts deployed in your subscription. 

Prerequisites

  1. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.
  2. Onboard Microsoft 365 into Workbench to monitor the Azure Monitor Activity Log.

    Microsoft allows using the Microsoft 365 Management Activity API to retrieve information about various user, admin, system, and policy actions and events from Microsoft 365 AND Microsoft Entra ID activity logs. For example, this is how Expel pulls Azure sign-in logs. If you want us to monitor this type of data for your environment, enable audit logging and onboard Microsoft 365 into Workbench.

  3. Ensure you have provided Expel access to the required RBAC permissions and roles listed in the Reference section.
  4. Expel strongly recommends enabling Azure Defender to monitor Azure infrastructure. Azure Defender can be enabled on a per-resource basis or for resource groups. The following Azure Defender services are currently monitored by Expel:

    • Azure Storage
    • Azure KeyVault
    • Azure Resource Manager
    • Azure App Service
    • Azure SQL Service
    • Azure Cosmos DB Service

About connecting your device

Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication through a Microsoft Entra ID app. To collect data, Workbench communicates directly with APIs, including the Microsoft Security Graph API to poll alerts from Microsoft Sentinel. Workbench also queries Azure Log Analytics to enrich Sentinel alerts with the Azure Log Analytics context that originally generated that alert.

About console permissions in your devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from one device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench. For more information, see Why Expel Asks for Console Access.

Step 1: Enable Console and Cross-Tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter  "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-Tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.

Step 2: Enable Azure Application access

To integrate the technology with Expel, we need to create secure credentials for the API. You have 2 options for enabling API access:

  • Option 1: Enable the Expel Azure Integration Enterprise Application within Azure.
  • Option 2: Create a custom Microsoft Entra ID Application.

Enabling the Enterprise Application is the recommended approach. However, because the Enterprise Application supports access for multiple Microsoft integrations (Microsoft Sentinel, Azure Log Analytics, and so on), it may be that the permissions granted to the Enterprise Application are more than the minimum required for the Azure integration specifically.

The second option is available if and when the absolute minimum permissions are required. In either case, the table below lists the items to be obtained during this step:

  • Directory (tenant) ID - This is the unique identifier for your Microsoft Entra ID instance. Expel needs this information to route our API requests to the right place. It is required in all cases.
  • Application (client) ID (Option 2 only) - This is the unique identifier for the application you create that grants Expel the access it needs to your Azure instance. It is required if you are manually onboarding.
  • Application (client) Secret (Option 2 only) - This is the API secret that allows Expel to authenticate as the created application to your Azure instance. It is required if you are manually onboarding.

Option 1: Enable Azure Enterprise Application

  1. As an Administrator, navigate to the Expel Admin Consent Page.
  2. Review and accept requested permissions.
  3. The Expel Azure Integration app appears under Enterprise Applications. Review properties and make sure that all permissions are properly granted. These permissions are:

    • User.Read - Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
    • SecurityEvents.Read.All - Allows the app to read your organization’s security events without a signed-in user.
    • User.ReadWrite.All - Allows the app to read and update user profiles without a signed-in user.

      Note: Write permissions are optional and only required if you plan to enable Expel's auto remediation capabilities for disabling and resetting user credentials.
    • User.Read.All - Allows the app to read user profiles without a signed-in user.
    • Data.Read - Allows this application to access Log Analytics data.

Option 2: Create custom Microsoft Entra ID application

  1. As an Azure administrator, log in to the Azure Portal.
  2. Navigate to App registrations and select +New registration.
  3. On the Register an application page, configure the settings as follows:

    • Name - enter "Expel Azure Integration" or your own custom name.
    • Supported account types - select Accounts in this organizational directory only.
  4. Select Register to create the new application.
  5. Review the Overview page for your new app. If you do not see the Overview page, navigate to App Registrations > All applications > Expel Azure Integration (or your custom name).

    • Make note of the Application (client) ID and the Directory (tenant) ID in a safe place for use in later steps.
  6. Scroll down and select View API permissions. Select + Add a permission. Add these permissions:

    • User.Read - Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
    • SecurityEvents.Read.All - Allows the app to read your organization’s security events without a signed-in user.
    • User.ReadWrite.All - Allows the app to read and update user profiles without a signed-in user.

      Note: Write permissions are optional and only required if you plan to enable Expel's auto remediation capabilities for disabling and resetting user credentials.
    • User.Read.All - Allows the app to read user profiles without a signed-in user.
    • Directory.Read.All - Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  7. After you assign the permissions, click Grant admin consent and Yes.
  8. Navigate to Expel Cloud Service > Certificates & secrets to create an API key (aka client secret). To create a new key, select + New client secret.

    • Add a description for the secret (for example: ExpelAPI) and select 730 days (24 months) for expiration. 

      Note
      730 days is the maximum configurable expiration time and you will need to refresh this client secret every two years to allow Expel to maintain access to your environment.

    • Select Add.
    • Confirm the new secret (API Key) exists in the Client secrets list. Copy the value and save it for later. For security reasons, you will only be able to access this value once. It will be obfuscated once you navigate away from this page.

Step 3: Enable roles within Azure subscriptions

Some event sources within Azure require Role-Based Access (RBAC) roles to be granted to the Microsoft Entra ID Application within each Azure subscription. One of these RBAC roles granted to our Microsoft Entra ID Application should also be granted to the Expel user created in Step 1 to allow Expel to investigate further into any alerts.

This section walks through granting the Azure Log Analytics Reader role to both the Microsoft Entra ID Application from Step 2 and the Expel user from Step 1.

  1. Navigate to Subscriptions in the main Azure service menu by searching "Subscriptions".
  2. Select the subscription(s) Workbench will monitor. This step is required; without it, Workbench cannot poll any logs. Repeat the steps below for each subscription.
  3. Add the below roles by clicking Access Control (IAM) > +Add > Add role assignment, assigning access to Microsoft Entra ID user, group or application, and selecting the Expel Azure Integration enterprise app or custom Microsoft Entra ID app that you created earlier.  

    • Log Analytics Reader: Required role to ingest logs.
  4. Repeat the above step and assign the Log Analytics Reader role to the Microsoft Entra ID user <Your Organization GUID>@soc.expel.io.
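Because Step 3 must be repeated per subscription, it is easy to miss one or to assign the role at too narrow a scope. The following Python is an added verification example, not part of Expel's guide: it reads role assignments in the shape returned by `az role assignment list --all -o json` (trimmed to the fields used) and reports, per monitored subscription, which of the two principals (the integration's service principal and the Expel guest user) still lack Log Analytics Reader. The assignment data, object IDs and subscription IDs are constructed placeholders.

```python
import json

# Role the guide requires on every subscription Workbench will monitor.
REQUIRED_ROLE = "Log Analytics Reader"

# Constructed sample in the shape of `az role assignment list --all -o json`,
# trimmed to the fields this check reads. Object and subscription IDs are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "app-object-id", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Log Analytics Reader", "scope": "/subscriptions/sub-prod"},
    {"principalId": "expel-guest-object-id", "principalType": "User",
     "roleDefinitionName": "Log Analytics Reader", "scope": "/subscriptions/sub-prod"},
    # Resource-group scope only: does not let the app poll the whole subscription.
    {"principalId": "app-object-id", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Log Analytics Reader",
     "scope": "/subscriptions/sub-dev/resourceGroups/rg-app"},
    # Wrong role: the built-in Reader role is not Log Analytics Reader.
    {"principalId": "expel-guest-object-id", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-dev"},
])


def covers_subscription(scope, subscription_id):
    """True when an assignment scope grants across the whole subscription.
    Assignments inherited from a management group are treated as covering
    (assumption: the subscription sits under that management group)."""
    scope = scope.rstrip("/").lower()
    if scope.startswith("/providers/microsoft.management/managementgroups/"):
        return True
    return scope == f"/subscriptions/{subscription_id}".lower()


def missing_role_assignments(assignments_json, subscriptions, principals):
    """Return {subscription_id: [principal ids that lack REQUIRED_ROLE there]}."""
    assignments = json.loads(assignments_json)
    missing = {}
    for sub in subscriptions:
        lacking = [
            p for p in principals
            if not any(a["principalId"] == p
                       and a["roleDefinitionName"] == REQUIRED_ROLE
                       and covers_subscription(a["scope"], sub)
                       for a in assignments)
        ]
        if lacking:
            missing[sub] = lacking
    return missing
```

With the sample data, sub-prod passes and sub-dev is reported for both principals: one because the role sits at resource-group scope, the other because it holds Reader rather than Log Analytics Reader.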

Step 4: Enable Azure resource logs

The Expel Azure Integration monitors alerts and logs across a variety of Azure resources. Some of these alerts and logs are accessible by default, but some must be enabled for Workbench to monitor that particular resource.

The following Azure resources require user configuration to be monitored. Note that not all Azure deployments use these resources and enabling logging within the resources only widens the Expel default monitoring capabilities for Azure.

Create a resource log storage account

The Expel integration collects resource logs from an Azure Storage Account. This section outlines how to create that storage account and provide access to Expel.

  1. Create a V2 Storage account.
  2. Add the below role by clicking Access Control (IAM) > +Add > Add role assignment, assigning access to Microsoft Entra ID user, group or application, and selecting the Expel Azure Integration enterprise app or custom Microsoft Entra ID app that was created earlier.

    • Storage Blob Data Reader: Required role to ingest logs.
  3. Storage accounts can have Network Access Control Lists (ACLs) set that limit which IP addresses can access those accounts. Expel has egress IP addresses that can be allowed. All requests to storage accounts come from one of these IP addresses. We’ve designed this so it can scale significantly without us having to add new IP addresses to the list.
  4. Azure also provides a way to allow for logs to be read from these types of accounts without having to enable access or change existing Network ACLs. Navigate to Networking from the menu and click Firewalls and virtual networks.
  5. If Allow access from is set to Selected networks, select the Allow read access to storage logging from any network to allow access to logs.

    Note
    The access to these logs is still managed through RBAC roles.

Enable Azure storage logs

Azure Storage logs give Workbench context around Azure user activity to help us determine whether that activity is malicious. If you’re unsure whether to enable logging for storage accounts, work with your engagement manager to help determine what approach is best for you.

  1. Navigate to the Storage Account view within the Azure portal. The following steps must be done for each Storage Account.
  2. Select Diagnostic settings menu.
  3. For each storage type: Blob, File, Queue, and Table, click Add diagnostic setting.
  4. For the log category, select StorageRead, StorageWrite, StorageDelete, and archive to the storage account created in previous steps.
  5. Repeat these steps for each storage account that Expel must monitor.
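The diagnostic settings the steps above ask for (StorageRead, StorageWrite and StorageDelete for each of Blob, File, Queue and Table, archived to the log storage account from the previous section) can be checked per storage account with the following Python. It is an added example, not part of Expel's guide: it reads, per service, a list shaped like the output of `az monitor diagnostic-settings list` (only the fields used here) and reports which services do not send every required category, enabled, to the expected log storage account. The settings and the resource IDs are constructed placeholders.

```python
import json

# Storage services the guide says to configure, and the three log categories it asks for.
SERVICES = ("blobServices", "fileServices", "queueServices", "tableServices")
REQUIRED_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}

# Placeholder resource ID of the log storage account created earlier in Step 4.
LOG_SINK = ("/subscriptions/sub-prod/resourceGroups/rg-logs/providers/"
            "Microsoft.Storage/storageAccounts/expellogsplaceholder")

# Constructed sample: per service, a list shaped like the entries returned by
# `az monitor diagnostic-settings list` (only the fields this check reads).
SAMPLE_SETTINGS = json.dumps({
    "blobServices": [{"storageAccountId": LOG_SINK, "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": True},
        {"category": "StorageDelete", "enabled": True}]}],
    # Delete logging was left disabled.
    "fileServices": [{"storageAccountId": LOG_SINK, "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": True},
        {"category": "StorageDelete", "enabled": False}]}],
    # All categories on, but archived to a different storage account.
    "queueServices": [{"storageAccountId": LOG_SINK + "-other", "logs": [
        {"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)]}],
    # No diagnostic setting at all.
    "tableServices": [],
})


def audit_storage_logging(settings_json, expected_sink):
    """Return {service: [missing categories]} for each service that does not
    archive every required category, enabled, to expected_sink."""
    settings = json.loads(settings_json)
    problems = {}
    for svc in SERVICES:
        covered = set()
        for ds in settings.get(svc, []):
            # Logs archived elsewhere never reach the account Expel reads from.
            if ds.get("storageAccountId") != expected_sink:
                continue
            covered |= {log["category"] for log in ds.get("logs", [])
                        if log.get("enabled")}
        gap = sorted(REQUIRED_CATEGORIES - covered)
        if gap:
            problems[svc] = gap
    return problems
```

On the sample, only the Blob service passes; File is missing StorageDelete, and Queue and Table are reported for all three categories because their logs either go to another account or are not configured.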

Enable Azure storage logs: classic

If you are using Classic deployment, use the following steps to enable Classic storage account logging.

  1. Navigate to the Storage Account view within the Azure portal. The following steps must be done for each Classic Storage Account:
  2. Select Diagnostics settings (classic) menu.
  3. Turn Status to On if not already set. Ensure each operation is selected under Logging section for each tab: Blob, File, Queue, and Table properties.
  4. Assign the Expel Enterprise Application or Custom Microsoft Entra ID Application to the Storage Blob Data Reader role for each Classic Storage Account that is going to be monitored. Access Control (IAM) > +Add > Add role assignment. See beginning of Step 4 for details.

Step 5: Configure Azure in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, log into https://workbench.expel.io/settings/security-devices?setupIntegration=azure.
  2. Complete all fields using the credentials and information you collected in Option 1 or Option 2.
    • SIEM - select Expel Cloud Service.
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName <technology>”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Directory (tenant) ID - enter your Directory/Tenant ID.
    • Application (client) ID (Option 2 only) - enter the Application (Client) ID that you saved in Option 2.
    • Application (client) Secret (Option 2 only) - enter the Client Secret that you saved in Option 2.
  3. Select Save.