v.1.0.1 – August 2020
SenservaPro lets organizations review user configuration data from their Azure Active Directory accounts to help apply the principle of least-privilege access and maintain compliance.
Senserva installs into a subscription within a client’s Azure tenant. Utilizing Azure Lighthouse, SenservaPro is a Managed Application. Senserva installs a Resource Group as well as an App Service into the subscription of the client’s account.
This documentation provides information on how to log in and how to use SenservaPro once the installation process is complete. If there are any questions about this document, please reach out to firstname.lastname@example.org.
Senserva Installation Process
Welcome to SenservaPro!
When the installation is complete, the user can access the web app via a direct link that is created and emailed during the process, or by clicking ‘browse’ in the App Service in the Azure blade.
Once the web app page loads, the user clicks ‘login’ and signs in with their Azure Active Directory username and password. After a successful login, the user is taken to a Microsoft Azure PowerShell feature that creates a refresh token, which is stored in the Azure Key Vault.
The user takes the randomly generated code shown on the login screen and enters it when prompted after clicking ‘Login to Enable Powershell Features’.
After successfully entering the PowerShell code, the user must again choose the account to log in with. This completes the process, and the user is logged into SenservaPro.
Using the PowerShell login to create the refresh token only needs to be done once, unless the user opts to clear their refresh token by clicking the ‘Clear Refresh Token’ button located on the side menu of the web app.
Users Review is the first scan that a user performs after launching the Senserva web application. This scan rank-orders all accounts in the Azure Active Directory tenant, based on roles and licenses, against various security risks. To start the scan, the user must click the “Scan” icon.
Once the Users Review scan starts returning results, or after the scan is complete, each of the columns is fully searchable and sortable. At any point during the scan, the user can also see how many users have been scanned out of the total number of users in the tenant. The duration of the scan is also shown to track progress.
When additional information is available, the user can click the arrow to open a pop-up window that provides the data details behind the risk found, the PIM Roles assigned to an account, and the Licenses assigned to an account.
Once a User Review scan is complete, SenservaPro uses the completed scan to perform the Enhanced Compliance scan. If a User Review scan has not been completed, SenservaPro prompts the user to perform the User Review scan first, before scanning for Enhanced Compliance. Once the user is ready to scan, the user must click the ‘Scan’ button.
After the scan is completed, results are displayed for Microsoft Azure CIS compliance controls and Microsoft Identity Secure Score (based on the current tenant’s version and Microsoft licensing; refer to the License Review section of this document for more information).
Azure Active Directory requires Premium P2 for full security. The License Review section of SenservaPro shows the state of the user and what is available to them at that level. SenservaPro’s ability to return data for our scanning is in line with Microsoft Azure Active Directory security features. A free or basic license limits the results that Senserva can return. A Premium P2 license is recommended, and required by SenservaPro, for full scanning capabilities.
The screenshot below highlights the other buttons that can be used to act within SenservaPro. The user can expand or collapse the left-hand menu, log out, and visit our Digital River MyCommerce website to purchase the SenservaPro - Full version through a secure third-party processor.