How to Onboard Microsoft Azure Account

Modified on Mon, 5 Feb at 11:14 PM

Log in to the Cloud Security portal using the link you received from us by email to complete the registration process.

Once you have successfully logged in for the first time, you will see only the "Environment" page under Global Tenant Setting (please refer to the screenshot below).

You will be able to see all of the pages once you add an Azure account. 


Now click the Microsoft Azure account icon in the above screenshot to start the onboarding process.

Enter the following credentials:

  1. Microsoft Azure account Client ID
  2. Client secret key
  3. Subscription ID
  4. Tenant ID

Then verify the keys and click Next to enter the other information.

Once you click “Verify Keys”, you will have the option to add Account and Organization details. After that, the account is connected and the scan starts automatically.


- The user who adds the app registration and assigns the role to the app must have the permissions below.

 Microsoft Entra ID level Access : 

Subscription level Access (Role attached to User) : 

- Owner

- Co-Administrator


Step 1: Create an App Registration

Go to Azure Active Directory > App registrations > New registration




For the CSPM and CIEM modules: follow the steps below to get Cloud Security Posture and Infrastructure Access Management working.


Step 2: Give API permissions to App Registration

1. Search for all of the permissions listed below and add them to the created app.

  • Application.Read.All

  • AuditLog.Read.All

  • Directory.Read.All

  • Domain.Read.All

  • Group.Read.All

  • IdentityProvider.Read.All

  • Policy.Read.All

  • User.Read.All

  • Reports.Read.All

2. Grant admin consent for the default directory.



Step 3: Attach a custom role with the role definition below to the app for the subscription

Go to Subscription > Access control (IAM) > Add > Add role assignment, then add the custom role and assign it to the app. Make sure to replace the value of {subscriptionId} in the assignable scopes of the custom role.


    "properties": {

        "roleName": "ReadOnlyCustomRole",

        "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",

        "assignableScopes": [



        "permissions": [


                "actions": [








                "notActions": [],

                "dataActions": [],

                "notDataActions": []
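
A pre-assignment check for the Step 3 role definition, added here as an example and not part of the vendor's documentation: it confirms that every assignable scope is a concrete subscription (no leftover {subscriptionId}) and that every action ends in /read. The function name, the sample roles and the `*/read` action are assumptions, since the page's own action list is not shown.

```python
import re

# Matches /subscriptions/<GUID> with an optional resource-group suffix.
SUB_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"(/resourceGroups/[^/]+)?/?$", re.IGNORECASE)

def audit_role_definition(role):
    """Return a list of findings; an empty list means the role is read-only
    and scoped to concrete subscriptions. (Hypothetical helper.)"""
    props = role.get("properties", role)  # accept wrapped or flat JSON
    findings = []
    scopes = props.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            findings.append(f"placeholder not replaced in scope: {scope}")
        elif not SUB_SCOPE.match(scope):
            findings.append(f"scope is not a single subscription: {scope}")
    for perm in props.get("permissions") or []:
        # notActions/notDataActions only subtract, so they are not checked.
        for key in ("actions", "dataActions"):
            for action in perm.get(key) or []:
                # Read-only means the final segment is 'read';
                # '*', '.../write', '.../delete', '.../action' all fail.
                if action.rsplit("/", 1)[-1].lower() != "read":
                    findings.append(f"{key} grants more than read: {action}")
    return findings

# Constructed sample inputs (assumed; not the vendor's role definition).
GOOD_ROLE = {"properties": {
    "roleName": "ReadOnlyCustomRole",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{"actions": ["*/read"], "notActions": [],
                     "dataActions": [], "notDataActions": []}]}}
BAD_ROLE = {"properties": {
    "roleName": "ReadOnlyCustomRole",
    "assignableScopes": ["/subscriptions/{subscriptionId}"],
    "permissions": [{
        "actions": ["*/read", "*",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],
        "notActions": [], "dataActions": [], "notDataActions": []}]}}

if __name__ == "__main__":
    for name, role in (("GOOD_ROLE", GOOD_ROLE), ("BAD_ROLE", BAD_ROLE)):
        print(name, audit_role_definition(role) or "OK")
```

Run it against the role JSON before creating the role in the subscription; any finding means the role is broader than the "view all resources" description.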






Step 4: Create a client secret for the App

Go to App registrations, select your app, and click Certificates & secrets > New client secret.



Step 5: Copy Required Credentials

1. Copy Client ID and Tenant ID

Go to Azure Active Directory > App registrations. Then click on the application.



2. Copy Client Secret

Go to Azure Active Directory > App registrations > Certificates & secrets. Then copy the Client Secret.


3. Copy the Subscription ID

Go to Subscriptions. Copy the Subscription ID.


For the CWPP module: attach the roles listed below to the same app registration.


- Virtual Machine Contributor

- Disk Snapshot Contributor

- Network Contributor


For the Threat Detection module: attach the role listed below to the same app registration.

- Storage Blob Data Reader
