Organizations (Azure)

Integrating an Azure Management Group with InsightCloudSec

InsightCloudSec can add multiple Azure cloud accounts at once by taking advantage of Azure Management Groups: the subscriptions under the management group(s) you select are discovered and onboarded as cloud accounts. You can read a bit more about that capability here. Note that this page and the functionality detailed here refer to the provider-specific Organizations capability available under "Clouds → Organizations".

This functionality should not be confused with the InsightCloudSec-specific Organizations capability, which provides multi-tenancy and is available under "System Administration → Organizations".

For instructions on adding a single cloud account (Azure or any other provider) refer to our Cloud Account Setup documentation. If you have any questions or issues, reach out to us through the Customer Support Portal.


Before adding an Azure Management Group as an organization in InsightCloudSec, you will need the following:

  • A functioning InsightCloudSec platform
  • Domain Admin permissions within InsightCloudSec
  • Administrative access to the Azure portal
  • Existing familiarity with Azure Management Groups and a management group hierarchy already configured in your tenant


Azure Access Level and Role Requirements

This process requires Global Administrator-level access to the tenant (needed to create the app registration and grant admin consent to its Microsoft Graph permission) as well as at least Contributor-level access to the management group you wish to integrate with InsightCloudSec. Note that creating the custom role definitions and role assignments described below additionally requires Microsoft.Authorization/roleDefinitions/write and Microsoft.Authorization/roleAssignments/write at that management group scope; Contributor does not include these rights, Owner or User Access Administrator at that scope does.

Creating an App Registration

1. Log in to the Azure portal with admin credentials.

2. Locate and select "App Registrations" (using the Search bar at the top).

3. Click "New Registration".

[Screenshot: Azure Portal - New App Registration]

4. Complete the new app registration details as follows:

  • Provide a "Name" that denotes this app is used for InsightCloudSec, e.g., "InsightCloudSec Docs Test". A dedicated app lets you monitor all actions taken by InsightCloudSec, which makes troubleshooting easier because you can tell what InsightCloudSec is doing versus what other apps are doing.
  • Select the supported account type. "Accounts in this organizational directory only" (single tenant) is sufficient for this integration and is the narrowest option.
  • Enter an optional "Redirect URI". Note that this field:
    • May be required later for authentication.
    • Must follow the specified URL format, e.g., "https://<name_of_site>".

5. Select "Register" to create the app registration.

[Screenshot: Azure Portal - Register an application]

6. After successful registration, the app's Overview page is displayed. It includes the "Application (client) ID" and the "Directory (tenant) ID".

  • Copy both of these IDs to a safe location; you will need them later when adding the organization in InsightCloudSec.

[Screenshot: Azure Portal - App Preview (details for Application and Tenant ID)]

7. Locate the "Certificates & Secrets" option in the left-hand navigation menu and open this page.

8. From the "Certificates & Secrets" page, select "New client secret".

[Screenshot: Azure Portal - New Client Secret]

9. Give the new client secret a "Description", select the "expiration period" as desired, and click "Add". Record the expiry date: once the secret expires, InsightCloudSec can no longer authenticate and harvesting stops for every subscription in the organization until a new secret is created and entered in InsightCloudSec.

10. For the client secret you just created, copy and save the "Value" (use the copy icon to the right of the value string). Be sure to copy the "Value" column, not the "Secret ID".


Important Note - Copy the Secret Value

This is the only opportunity you will have to copy this newly created value. When you navigate away from the page this data will no longer display. Copy this information and keep it in a safe place.

[Screenshot: Azure Portal - Copy Secret Value]

11. From the application's Overview page, select "API permissions" from the Manage menu on the left-hand side.

  • Select "Add a permission".
  • Select "Microsoft Graph".

[Screenshot: Azure Portal - API Permissions]

12. Locate and select the API permission "Directory.Read.All" under the "Directory" heading, then click "Add permissions". Choose it from the Application permissions list, not the Delegated permissions list: InsightCloudSec authenticates as the app itself using the client secret, and delegated permissions do not apply to that flow.

[Screenshot: Azure Portal - Updating API Permissions]

13. Grant Admin Consent to this Microsoft Graph API permission.


Grant Admin Consent

If you are not an admin, you will need an admin to grant the permission by clicking the "Grant admin consent for <tenant>" button and then confirming consent, as shown in the screenshot below. Until consent is granted the permission is listed but not effective.

[Screenshot: Azure Portal - Grant Permissions]

Configuring Required Roles

You will need to create two roles to complete the configuration for Azure Organizations:

  • The InsightCloudSec Reader Role, which provides access to the Azure Management Groups capabilities
  • The Additional Custom Role, which enables InsightCloudSec to harvest your Azure cloud account information

If you want to complete these steps in PowerShell, refer to the detailed instructions on this page.

Otherwise, to create these roles we recommend using the Azure Cloud Shell and the Azure CLI (az).

1. From the Azure Portal locate and launch Cloud Shell.

2. After launching, select "Bash".

[Screenshot: Azure Portal - Launch Cloud Shell]

3. Pick your desired subscription and click "Create storage". From the newly-opened CLI you will:

  • Create two new files (.txt or .json) holding the required role definitions
    • Name them so that you can locate/identify them later.
  • Update the two new files with the appropriate details (at minimum the "AssignableScopes")
  • Create the roles with the Azure CLI

4. Using your preferred editor (we used vim in our example) create a new file (Standard/Reader Role) and paste in the InsightCloudSec Standard "Reader" User Role.


Assignable Scopes

Before saving the file, ensure you update the "AssignableScopes" (at the bottom of the role file) to reflect the proper scope. The ID of the tenant root management group is your Tenant ID, so the scope is "/providers/Microsoft.Management/managementGroups/<Tenant ID>". See the excerpt below (the role's other fields are omitted here).

    "Name": "InsightCloudSec Standard User",
    ...
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/<Tenant ID>"
    ]

5. Using your preferred editor create a second file (Org Reader Role) and paste in the reader role (supplied below).

  • You will need to update this file to reflect your Tenant ID under "AssignableScopes" (Line 16 in the example file). The "Actions" list is omitted from this excerpt; take it from the supplied role file.

    {
        "Name": "InsightCloudSec Orgs Reader",
        "Id": null,
        "IsCustom": true,
        "Description": "Provides access to read Management Groups structure.",
        "Actions": [
            ...
        ],
        "DataActions": [],
        "NotActions": [],
        "NotDataActions": [],
        "AssignableScopes": [
            "/providers/Microsoft.Management/managementGroups/<Tenant ID>"
        ]
    }

6. Now that you've defined both roles in files, create each role with the following command, pointing --role-definition at the file (the leading "@" tells the Azure CLI to read the JSON from a file rather than treating the argument as inline JSON):

    az role definition create --role-definition @<role_definition_file>

  • You will need to run this command twice, once for each file you created in the previous steps. Check the command output to confirm that both roles were created before assigning them.
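The following Python helper is an added example (not InsightCloudSec's or Microsoft's code) for preparing the two role files before running the command above. It sets "AssignableScopes" for the management group you name, runs the least-privilege checks a reviewer would want on any "reader" role (custom role, concrete management group scope, read-only actions, no data actions), and emits the Azure CLI commands to run afterwards in Cloud Shell: `az role definition create` for both definitions and, for the "Setup in Azure" step further down, `az role assignment create` for the app's service principal at the management group scope (the CLI equivalent of the portal steps there). The page does not print either role's "Actions" list, so the action lists below are assumed placeholders ("*/read" and "Microsoft.Management/managementGroups/read"); the file names, the sample management group ID and the service principal object ID are likewise assumptions.

```python
"""Prepare the InsightCloudSec custom role files for `az role definition create`.

Added example, not InsightCloudSec's or Microsoft's code. The "Actions" lists
are assumed placeholders (the page does not print them); paste the real lists
from the vendor-supplied role files before use.
"""
import json
import re

MG_SCOPE_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# A concrete scope: no "<Tenant ID>" placeholder, no extra path segments.
MG_SCOPE_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/<>\s]+$")

# Role templates as on the page; file names and Actions are assumptions.
ROLE_TEMPLATES = {
    "icsStandardUser.json": {
        "Name": "InsightCloudSec Standard User",
        "Id": None,
        "IsCustom": True,
        "Description": "Read-only harvesting role for InsightCloudSec (placeholder actions).",
        "Actions": ["*/read"],                                      # assumed placeholder
        "DataActions": [], "NotActions": [], "NotDataActions": [],
        "AssignableScopes": [MG_SCOPE_PREFIX + "<Tenant ID>"],
    },
    "icsOrgsReader.json": {
        "Name": "InsightCloudSec Orgs Reader",
        "Id": None,
        "IsCustom": True,
        "Description": "Provides access to read Management Groups structure.",
        "Actions": ["Microsoft.Management/managementGroups/read"],  # assumed placeholder
        "DataActions": [], "NotActions": [], "NotDataActions": [],
        "AssignableScopes": [MG_SCOPE_PREFIX + "<Tenant ID>"],
    },
}


def scope_role(role: dict, management_group_id: str) -> dict:
    """Return a copy of `role` that is assignable only at the given management group."""
    scoped = json.loads(json.dumps(role))      # deep copy; the template stays pristine
    scoped["AssignableScopes"] = [MG_SCOPE_PREFIX + management_group_id]
    return scoped


def lint_reader_role(role: dict) -> list[str]:
    """Checks a reviewer would run before creating a 'reader' role. Empty list == pass."""
    findings = []
    for key in ("Name", "IsCustom", "Actions", "AssignableScopes"):
        if key not in role:
            findings.append(f"missing key: {key}")
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    for scope in role.get("AssignableScopes", []):
        if not MG_SCOPE_RE.match(scope):
            findings.append(f"AssignableScopes entry is not a concrete management group: {scope}")
    for action in role.get("Actions", []):
        # Every action in a reader role should end in /read. A bare wildcard or a
        # write/delete/action verb means the role is no longer read-only.
        verb = action.rsplit("/", 1)[-1].lower()
        if verb != "read":
            findings.append(f"non-read action in reader role: {action}")
    if role.get("DataActions"):
        findings.append("reader role should not grant DataActions")
    return findings


def build_role_files(management_group_id: str, templates=ROLE_TEMPLATES) -> dict[str, str]:
    """Return {filename: JSON text} for each role, refusing any role that fails lint."""
    files = {}
    for filename, template in templates.items():
        role = scope_role(template, management_group_id)
        problems = lint_reader_role(role)
        if problems:
            raise ValueError(f"{filename}: " + "; ".join(problems))
        files[filename] = json.dumps(role, indent=2)
    return files


def az_commands(management_group_id: str, sp_object_id: str, templates=ROLE_TEMPLATES) -> list[str]:
    """Azure CLI commands to run in Cloud Shell once the files are written: create
    both definitions, then assign each one to the app's service principal at the
    management group. `sp_object_id` is the service principal's object ID (the
    Enterprise Application object), not the Application (client) ID."""
    scope = MG_SCOPE_PREFIX + management_group_id
    cmds = [f"az role definition create --role-definition @{name}" for name in templates]
    for template in templates.values():
        cmds.append(
            f"az role assignment create --assignee-object-id {sp_object_id}"
            " --assignee-principal-type ServicePrincipal"
            f' --role "{template["Name"]}" --scope {scope}'
        )
    return cmds


if __name__ == "__main__":
    import sys
    mg_id, sp_id = sys.argv[1], sys.argv[2]   # e.g. your Tenant ID and the SP object ID
    for filename, body in build_role_files(mg_id).items():
        with open(filename, "w") as fh:
            fh.write(body)
    print("\n".join(az_commands(mg_id, sp_id)))
```

Run it as `python prepare_roles.py <Tenant ID> <service principal object ID>` in Cloud Shell, then paste the printed commands. A freshly created role definition can take a short while to become visible to `az role assignment create`; if the assignment reports that the role does not exist, retry rather than recreating the definition.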

Adding Azure Organizations

Setup in Azure

Complete the steps below in the Azure portal. These steps assume that you have set up the proper Microsoft Entra ID (Azure AD) permissions (e.g., the Directory.Read.All permission above if you want to harvest users).


Azure Access Level and Role Requirements

As mentioned previously, this process requires Global Administrator-level access to the tenant as well as the right to create role assignments at the management group you wish to integrate with InsightCloudSec (Owner or User Access Administrator at that scope; Contributor alone cannot assign roles).

1. From the Azure portal, navigate to Management Groups and click the "details" link next to the target "Tenant Root Group".

2. In the navigation within your target group, select "Access control (IAM)".

3. From the Access control (IAM) page click "Add" → "Add role assignment", select one of the two custom roles created earlier, then select the service principal (search for the App Registration's name under "User, group, or service principal") and save the assignment.

  • Note: You will need to complete this step for each role; they have to be added individually. Make both assignments at the management group scope rather than on individual subscriptions, so that subscriptions added under the group later inherit them automatically.

Setup in InsightCloudSec

These steps assume that you have completed the required configuration steps within the Azure Portal for your Azure Management Groups.

1. Navigate to “Cloud → Clouds” and click the "Organizations" tab.

2. From the "Organizations" tab, click “Add Organization”.

3. From the "Cloud Type" drop-down menu select “Microsoft Azure”.

[Screenshot: Add Azure Organizations]

4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.

5. Fill out the Azure form with the following information:

  • Tenant ID (the "Directory (tenant) ID" copied from the app registration)
  • Application ID (the "Application (client) ID" copied from the app registration)
  • Client Secret (the secret "Value" copied earlier)
  • Subscriptions to Skip - Enter the subscriptions (IDs or names) to be skipped, e.g., a group of development subscriptions you are not interested in tracking.
  • "Limit import scope" (checkbox) - Select this box and provide Management Group ID(s) to include only the given group(s) and everything underneath them.
  • "Auto-remove disabled subscriptions" (checkbox) - Select this box to automatically remove suspended Azure subscriptions from InsightCloudSec. As soon as this checkbox is enabled, a background process begins running and removes such subscriptions as they are found.

6. Click “Add” to complete the addition of your organization.

Note: Once your organization has been added, you will be able to view details under “Clouds → Organizations”, which will populate as the accounts are connected, or under “Clouds” as individual cloud accounts.
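As an added example (not InsightCloudSec code), the following Python models how the "Limit import scope" and "Subscriptions to Skip" options narrow the set of subscriptions on a constructed management group hierarchy, and reports skip entries that matched nothing, which is how a typo in a skip name shows up. The hierarchy, subscription IDs and names are all constructed for the example; the matching is the generic behaviour described above, not InsightCloudSec's own implementation.

```python
"""Model of "Limit import scope" and "Subscriptions to Skip" (added example,
not InsightCloudSec code). The tree, IDs and names below are constructed."""

# Constructed sample hierarchy: management group ID -> its child groups and the
# subscriptions attached directly to it as (subscription ID, display name).
SAMPLE_TREE = {
    "tenant-root": {"children": ["platform", "landing-zones"], "subscriptions": []},
    "platform": {"children": [], "subscriptions": [("sub-0001", "Identity"),
                                                   ("sub-0002", "Connectivity")]},
    "landing-zones": {"children": ["corp", "online"], "subscriptions": []},
    "corp": {"children": [], "subscriptions": [("sub-0010", "Payroll"),
                                               ("sub-0011", "Dev Sandbox")]},
    # Two subscriptions share the display name "Dev Sandbox" on purpose.
    "online": {"children": [], "subscriptions": [("sub-0020", "Web Shop"),
                                                 ("sub-0021", "Dev Sandbox")]},
}


def subscriptions_under(tree, group_ids):
    """Every subscription attached to the given groups or to any group beneath them."""
    found, stack, visited = [], list(group_ids), set()
    while stack:
        gid = stack.pop()
        if gid in visited:            # guards against a malformed (cyclic) tree
            continue
        visited.add(gid)
        found.extend(tree[gid]["subscriptions"])
        stack.extend(tree[gid]["children"])
    return found


def select_subscriptions(tree, root_id, limit_to=None, skip=()):
    """Apply the two form options.

    limit_to: management group IDs from "Limit import scope"; None means the
              whole tree below root_id.
    skip:     entries from "Subscriptions to Skip"; each entry is matched against
              the subscription ID *and* the display name.
    Returns (kept subscriptions sorted by ID, skip entries that matched nothing).
    """
    candidates = subscriptions_under(tree, limit_to or [root_id])
    skip_set = set(skip)
    kept, matched = [], set()
    for sub_id, name in candidates:
        hits = {field for field in (sub_id, name) if field in skip_set}
        if hits:
            matched |= hits
            continue
        kept.append((sub_id, name))
    return sorted(kept), sorted(skip_set - matched)


if __name__ == "__main__":
    kept, unmatched = select_subscriptions(
        SAMPLE_TREE, "tenant-root", limit_to=["landing-zones"],
        skip=["Dev Sandbox", "sub-9999"])
    print("imported:", kept)
    print("skip entries that matched nothing (check for typos):", unmatched)
```

Skipping by display name removes every subscription with that name (both "Dev Sandbox" subscriptions here), so use subscription IDs whenever names are not unique; see the FAQ below on same-named subscriptions. Surfacing unmatched skip entries matters because a misspelled name silently skips nothing and the subscription is onboarded anyway.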


Below are some general questions related to adding Azure cloud accounts using this feature. If you have a question that is not included here or another issue you need our assistance with, reach out to us through the Customer Support Portal.

How do organizations handle Azure subscriptions that have the same name? Do we have the ability to still leverage nicknames to uniquely identify those when using organizations?

  • Right now, nicknames are overwritten with the subscription name coming from Azure, so subscriptions that share a name cannot be told apart by nickname; the subscription ID remains the unique identifier.

Will migrating to organizations impact anything from the user experience side? Will users still follow the same process as they do today to get data specific to their cloud accounts?

  • The InsightCloudSec user experience should be the same.

Is there any reporting available for new cloud accounts added/changed/removed as part of organizations?

  • Not today.

What happens to an account when it's onboarded via the organization but then the account is deleted? How long do we keep the account/data for, etc.

  • The account in the InsightCloudSec "Clouds" page is deleted immediately. Any resources attached to that cloud may take up to a day to be removed from the database.

Auto Badging

As an enhancement to its support for provider-based organizations, InsightCloudSec includes auto badging. The purpose of auto badging is to create a 1:1 map of provider tags/labels to Badges in InsightCloudSec, so that Clouds can be scoped by a Badge that mirrors the subscription's tag.

Auto badging takes place in two stages:

  • Periodically a process retrieves the tags/labels from each subscription and compares them with the ResourceTags associated with the corresponding cloud in the InsightCloudSec database.

    • If any changes are detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be modified locally, since any local changes will be overwritten the next time the process runs. Additionally, local changes made to Cloud Account tags are not pushed back up to the cloud provider.
  • Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:

    • Existing Badges with a Key prefix of "system." are skipped.
    • If a Badge with that Key/Value pair does not already exist for that cloud, it is created.
    • If a tag Value changes, the Badge with the corresponding Key is updated to that value.
    • If a Badge no longer has a tag with a corresponding Key, it is deleted. This applies to Badges created by hand on an organization-managed cloud as well: a manually added Badge whose Key is not also a tag on the subscription will be removed on the next run.
    • All Badges that have a corresponding tag have their autogenerated column set to "true", even if it was previously set to "false".
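The two stages above are a reconciliation loop, and their side effects on hand-made edits are easiest to see on concrete input. The following Python is an added example, not InsightCloudSec code: it applies the listed rules to one cloud's badges and reports what was created, updated and deleted, together with which local tag edits stage 1 discarded. Badges are modelled as dicts with "key", "value" and "autogenerated"; tags are a plain key/value mapping; the sample tags and badges are constructed. One assumption not stated on the page: tag keys beginning with "system." are treated as reserved and are never turned into Badges, mirroring the skip rule for existing Badges.

```python
"""Model of InsightCloudSec auto badging (added example, not product code).
Assumption: "system." is reserved on the tag side as well as the badge side."""

SYSTEM_PREFIX = "system."


def refresh_resource_tags(local_tags: dict, provider_tags: dict) -> tuple[dict, dict]:
    """Stage 1: the provider's tags win. Returns (new_tags, discarded_local_edits)
    so an operator can see which hand edits were overwritten and not pushed back."""
    lost = {k: v for k, v in local_tags.items() if provider_tags.get(k) != v}
    return dict(provider_tags), lost


def sync_badges(tags: dict, badges: list) -> dict:
    """Stage 2: reconcile one cloud's badges against its (refreshed) tags.
    Returns the new badge list plus a change log."""
    created, updated, deleted, result = [], [], [], []
    backed = set()                                   # badge keys that a tag backs
    for badge in badges:
        key = badge["key"]
        if key.startswith(SYSTEM_PREFIX):
            result.append(dict(badge))               # system.* badges are left alone
            continue
        if key not in tags:
            deleted.append(key)                      # no tag backs this badge any more
            continue
        backed.add(key)
        if badge["value"] != tags[key]:
            updated.append(key)
        # Every tag-backed badge becomes autogenerated, even if it was False before.
        result.append(dict(badge, value=tags[key], autogenerated=True))
    for key, value in tags.items():
        if key in backed or key.startswith(SYSTEM_PREFIX):
            continue
        result.append({"key": key, "value": value, "autogenerated": True})
        created.append(key)
    return {"badges": result, "created": created, "updated": updated, "deleted": deleted}


if __name__ == "__main__":
    # Constructed sample: one subscription whose tags were edited locally and whose
    # "team" tag was removed in Azure.
    local = {"env": "prod", "owner": "platform-team"}
    provider = {"env": "prod", "owner": "platform", "costcenter": "4711"}
    tags, lost = refresh_resource_tags(local, provider)
    print("local tag edits overwritten:", lost)
    badges = [
        {"key": "env", "value": "dev", "autogenerated": False},     # hand-set value
        {"key": "system.nickname", "value": "prod-sub", "autogenerated": True},
        {"key": "team", "value": "blue", "autogenerated": True},    # tag gone in Azure
    ]
    print(sync_badges(tags, badges))
```

On the sample input the "env" badge is corrected to "prod" and flipped to autogenerated, "owner" and "costcenter" badges are created, the "team" badge is deleted because its tag disappeared, and the "system.nickname" badge is untouched. The practical consequence is the one the text warns about: on an organization-managed cloud, tags and non-system Badges should be changed in Azure, not in InsightCloudSec, because local edits are overwritten on the next run.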
