Configuring Microsoft Azure

Integrating an Azure Account with InsightCloudSec


Critical Azure Vulnerability

To help support our customers with their OMIGOD investigation and remediation efforts, InsightCloudSec now captures the Azure OMS extension version. As of September 18th, 2021, Microsoft released version 1.13.40 of the software agent, which patches the vulnerability (CVE-2021-38647). The Insight "Compute Instance Running Vulnerable Version of OMS" will identify Azure Virtual Machines running a version of the OMS extension that is vulnerable to OMIGOD.

If you have questions or concerns reach out to us through the Customer Support Portal.

Microsoft Azure is one of the world’s leading public cloud providers, offering a variety of cloud services. InsightCloudSec supports Microsoft Azure, Microsoft Azure Government (also termed GovCloud), and Microsoft Azure China. These three differ primarily in supported services and regions.

Follow the instructions included on this page for setup and make sure to create the prerequisite roles.


Azure AD Graph API Message

You may encounter a message on the Azure Portal that reads similar to:

"This application is using Azure AD Graph API, which is on a deprecation path. Starting June 30th, 2020 we will no longer add any new features to Azure AD Graph API. We strongly recommend that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources..."

Take note that Microsoft will continue to support the existing Azure AD Graph APIs until June 30th 2022. We are actively working on ensuring support for the new API while maintaining support for all existing functionality. If you have questions or concerns reach out to us through the Customer Support Portal.


Before you get started with this setup, ensure that you have the following:

  • A Microsoft Azure account with the appropriate admin permissions
  • An InsightCloudSec account with Domain Admin permissions
  • The appropriate Azure roles. You will need to verify that the prerequisite roles exist or that you have permissions to create/modify the required roles. Click here for details on Azure custom roles.

Microsoft Azure Supported Services and Regions

The major differences between Azure, Azure Government, and Azure China are the supported services and regions; refer to the list of supported services for each one below.

Microsoft Azure Public Cloud

Listed below are the supported services (and their components) and regions for Microsoft Azure public cloud.

App Registration
App Services
App Service plans
Application gateways
Azure Active Directory (Group, Service Principal, User)
Azure Blob Storage
Azure Cache for Redis
Azure Cosmos DB
Azure Database for PostgreSQL/MySQL/MariaDB
Azure Databricks
Azure Defender
Azure Files
Azure Synapse Analytics
Batch (Accounts, Pools)
Container instances
Container registries (Container Image)
Compute/Network Usage Limit
Data factories
Data Lake Storage Gen1
Diagnostic settings
DNS zones
Event Hubs
ExpressRoute circuits
Firewall (Rule, Rule Collection)
Front Doors
Function App
HDInsight clusters
IP Groups
Key vaults (Key, Secret)
Kubernetes services
Load balancers
Log Analytics workspaces
Logic apps
Management groups
NAT gateways
Network interfaces
Network security groups (Flow Logs, Security Rules)
Public IP addresses
Resource groups
Role Definition
Route tables (Route)
Service Bus (Queue)
Shared Image Gallery (Image Definition, Image Version)
Dedicated SQL pools
SQL Servers
SSL Certificate
Storage accounts
Virtual machine (Dedicated Host, Image)
Virtual machine scale sets
Virtual networks (Private Endpoint, Service Endpoint, Service Endpoint Policy, Subnet)

Microsoft Azure Government Cloud

Listed below are the supported services and regions for Microsoft Azure Government cloud.

Virtual Machines
Azure Functions
Web Apps
Container Registry
Azure Database for MySQL
Azure Database for PostgreSQL
Azure SQL Database
Azure Cache For Redis
Azure Active Directory
Virtual Network
Managed Disks
Enhanced tag visibility
Log Analytics Workspace

Microsoft Azure China

Microsoft Azure China supports the same services as Microsoft Azure Public cloud. Supported regions for Microsoft Azure China are listed below.


Adding an Azure Account

You can add an Azure account into InsightCloudSec using the following steps.

Azure Setup

1. Determine whether you are using regular Azure or Azure Government, then log in to the Azure Dashboard.

2. Add a New Application Registration.

  • Select "Azure Active Directory" from the navigation menu on the far left.
  • Select "App registrations" under Azure Active Directory's Manage menu.
  • Select "New registration".

Screenshot: New App Registration

3. Describe the New App Registration

  • Enter a "Name" to denote that this app is used for InsightCloudSec, e.g., "InsightCloudSec Azure Test". By creating a specific InsightCloudSec app, you are then able to monitor all actions taken by InsightCloudSec. This facilitates troubleshooting, helping you understand what InsightCloudSec is doing versus what other apps are doing.
  • Select the supported account type.
  • Enter a "Redirect URI". This value is optional, but:
    • It may be required later for authentication.
    • If entered, it must follow the specified URL format, e.g., "https://<name_of_site>"

4. Select "Register" to create the app registration.

Screenshot: Application Configuration


In the Following Steps, You Will Need to Save...

  • The Application (client) ID
  • The Directory (tenant) ID
  • The Key value
  • The Subscription ID

You will copy each of these values outside of your browser, using whatever application you prefer to take notes, e.g., Notes, Google docs, etc.

5. Once you have registered your app, a preview panel opens. This panel shows an overview of your newly created app and displays both the Application ID and the Tenant ID. Copy both of these IDs to a safe location; you will need to use these values later.

Screenshot: Application Overview - Tenant and Directory IDs

6. Create and Save a Key for this Application.

  • From the new application's Overview page, select "Certificates & secrets" from the Manage menu on the left-hand side.
  • Under Client secrets, click "New client secret".
  • Give your client secret a description.
  • Set an expiration period for your secret.
  • Click "Add". Your new client secret's values will be displayed on the Certificates & secrets page under Client secrets.

Screenshot: Add Client Secret

7. Copy the generated client secret key Value to your notes.


This is the only opportunity you have to copy this secret key Value.

Screenshot: Copy Secret Value


Azure Active Directory Graph/Windows Azure Active Directory APIs

In the next few steps, an API permission will be added for Azure Active Directory. Note that the "Windows Azure Active Directory" API and the "Azure Active Directory Graph" API are the same API under two names, and Microsoft switches between them during this process.

8. Set up Permissions for this App Registration.

  • From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.
  • Select "Add a permission".
  • Click on the "APIs my organization uses" tab.
  • Type in "Windows Azure Active Directory" and select this API. Alternatively, you can type in the Application (client) ID "00000002-0000-0000-c000-000000000000".
  • If this API doesn't show up in the "APIs my organization uses" tab, please go to step 10 below for a workaround method of allowing permission to this API.

Screenshot: Request API Permissions

9. Select "Application Permissions".

  • Select the "Directory.Read.All" under the Directory heading.
  • Click "Add permissions".

Screenshot: Application Permissions

10. If you were unable to add the Windows Azure Active Directory API permission above, follow these steps:

  • In the App Registration, open the "Manifest" tab on the left-hand side.
  • Copy the JSON below and paste it into the "requiredResourceAccess" field, which is near the bottom of the manifest JSON.
  • This gives the App Registration the "Directory.Read.All" application permission for the Windows Azure Active Directory API (resource app ID "00000002-0000-0000-c000-000000000000").
  • The screenshot below shows how the manifest JSON should look once the snippet is inserted. Make sure to save the manifest.
  • Go back to the API Permissions tab; the API permission should now be listed.

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                    "type": "Role"
                }
            ]
        }
    ]

Screenshot: Update Manifest to Give API Permission


Grant Admin Consent

If you are not an admin, you'll need an admin to grant permissions by clicking on the "Grant admin consent ..." button and then confirming consent, shown in the screenshot below.

Screenshot: Grant Admin Consent

11. Assign a Role to this Subscription by navigating to the Subscriptions page.

  • Select "All Services" from the navigation menu, then select "Subscriptions".


12. Identify the subscription with which you wish to associate your application; copy the subscription ID to your notes.

Screenshot: Subscription ID

13. Click the desired subscription's name, then select "Access control (IAM)". From the Access control (IAM) panel, click "Add --> Add role assignment."

Screenshot: Add Role Assignment

14. Select the role you wish to assign.

  • Select the type of role, e.g., "Reader" in the example.
  • Leave the Assign access to field as the default value.
  • In the "Select" field, begin typing the name of the application you created earlier. Select that application once it appears, then click "Save".
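
The Azure Setup steps above, scripted with the Azure CLI as an added example; this is not InsightCloudSec's own tooling. It assumes you have already run az login against the correct cloud (az cloud set --name AzureUSGovernment or AzureChinaCloud first for those environments) and a current, Microsoft Graph based az CLI; the function name, the DRY_RUN switch and the sample subscription ID are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not InsightCloudSec's own tooling: scripts Azure Setup steps 2-14
# with the Azure CLI. Assumes `az login` was done against the right cloud
# (`az cloud set --name AzureUSGovernment` or AzureChinaCloud first, if needed).
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

AAD_GRAPH_APP_ID="00000002-0000-0000-c000-000000000000"   # Windows Azure Active Directory API (step 8)
DIRECTORY_READ_ALL="5778995a-e1bf-45b8-affa-663a9f3f4d04" # Directory.Read.All application role (step 10)

run() { # execute az, or echo the command when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# setup_insightcloudsec_app <subscription-id> <app-display-name> [secret-lifetime-years]
# Writes the four values the Add Cloud form needs, one per line and nothing else:
# Application (client) ID, Directory (tenant) ID, client secret value, Subscription ID.
setup_insightcloudsec_app() {
  local sub="$1" name="$2" years="${3:-1}"
  local app_id tenant_id secret sp_oid

  # Steps 2-5: register the app and record the Application (client) and Directory (tenant) IDs
  app_id=$(run ad app create --display-name "$name" --query appId -o tsv)
  tenant_id=$(run account show --query tenantId -o tsv)

  # Steps 6-7: create a client secret with an expiry; its value is returned only once,
  # so capture it here instead of copying it out of the portal
  secret=$(run ad app credential reset --id "$app_id" --years "$years" --query password -o tsv)

  # Steps 8-10: grant Directory.Read.All (application permission) on the Azure AD Graph API,
  # the same grant the manifest JSON in step 10 expresses, then grant admin consent
  run ad app permission add --id "$app_id" --api "$AAD_GRAPH_APP_ID" \
      --api-permissions "${DIRECTORY_READ_ALL}=Role" >/dev/null
  run ad app permission admin-consent --id "$app_id" >/dev/null

  # Steps 11-14: create the service principal and assign it the read-only Reader role
  # on the subscription (least privilege; choose Reader Plus or Contributor only if needed)
  sp_oid=$(run ad sp create --id "$app_id" --query id -o tsv)
  run role assignment create --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal --role Reader \
      --scope "/subscriptions/$sub" >/dev/null

  printf '%s\n' "$app_id" "$tenant_id" "$secret" "$sub"
}

# Example call with a constructed subscription ID; pipe the output straight into your
# secrets store rather than leaving the secret value in shell history or a notes file.
# setup_insightcloudsec_app "11111111-2222-3333-4444-555555555555" "InsightCloudSec Azure Test"
```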


Recommended Roles

InsightCloudSec recommends using the "Reader" role for read-only permissions to all resources. Note this role does not include the following additional permissions:



is used to provide read/write access to enable harvesting of file share data.


For the permissions above, the config/list/action permission provides visibility into whether Web Apps are configured to require authentication and whether Serverless Functions are enabled or disabled. The caveat is that this permission also grants access to any environment variables configured for Web Apps, which may contain sensitive information.

For users that want to maintain "Reader" but include these permissions, we recommend using the "Reader Plus" Custom Role.

Access all of the roles and details on the Microsoft Azure - Custom Roles page.

To access read/write permissions, we recommend using the "Contributor" role. Contributor - Can create and manage all types of Azure resources but can’t grant access to others.

Screenshot: Select Application for Role Assignment

InsightCloudSec Setup

1. From your InsightCloudSec platform open the Clouds page from the navigation menu on the left.

2. Select "Add Cloud" in the upper right.

Screenshot: Add Cloud

3. Determine whether you are connecting a regular Azure account, an Azure China account, or an Azure Government account and make sure to select the correct type. Click "See More" to display the full list of supported Cloud Service Providers.

4. Select an "Authentication Type", then provide the requisite Account Details. Click "Add Cloud".

Screenshot: Azure Account Details

5. Add any Badges you would like to this particular cloud account (also under Show Advanced). Badges provide a way to assign additional metadata to resources within the InsightCloudSec platform. They are key/value pairs which can be used for filtering and identifying resources by their parent cloud account.

6. Confirm the addition of your Azure Cloud account.

Note: Your main cloud page should show your newly added Microsoft Azure cloud account.

  • InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending on the size of your cloud account.
