# Azure

Connecting Microsoft Azure gives SureCloud read access to your subscription configuration, resource compliance state, identity and access management policies, network controls, and platform-level audit logs. SureCloud uses a Service Principal with the Reader role to poll each service at regular intervals, surfacing configuration drift, access risks, and missing security controls without requiring any agents or changes to your workloads.

## What SureCloud monitors

|                                    |                                                                                                    |
| ---------------------------------- | -------------------------------------------------------------------------------------------------- |
| **Microsoft Entra ID**             | Users, groups, roles, MFA registration, Conditional Access policies, and service principals.       |
| **Microsoft Defender for Cloud**   | Secure Score, security recommendations, and alert status across subscriptions.                     |
| **Azure Blob Storage**             | Storage account configuration, public access settings, encryption state, and soft-delete policies. |
| **Azure Virtual Machines**         | VM inventory, OS disk encryption, extension status, and network security group associations.       |
| **Azure Key Vault**                | Key, secret, and certificate inventory; expiry tracking; access policy and RBAC configuration.     |
| **Azure SQL Database**             | TDE status, auditing configuration, firewall rules, and Advanced Threat Protection state.          |
| **Azure Monitor and Activity Log** | Platform audit events, resource operations, and diagnostic setting coverage.                       |
| **Azure Policy**                   | Policy assignment compliance results and non-compliant resource counts by initiative.              |
| **Azure Networking**               | Network security group rules, virtual network peering, and public IP inventory.                    |

## Authentication and setup

SureCloud connects to Azure using a Service Principal with a client secret, scoped to the Reader role on each subscription (or Management Group) you want to monitor. No write permissions are required. Reader is an Azure Resource Manager control-plane role: it lets SureCloud read resource configuration, but not data-plane content such as blob data or Key Vault values. One practical consequence is that listing Key Vault keys, secrets and certificates (metadata only, never the values) is a data-plane call that Reader does not authorise; on vaults using the Azure RBAC permission model grant the built-in **Key Vault Reader** role on each vault to be monitored, and on vaults still using the access policy model add an access policy with the relevant list permissions.

{% stepper %}
{% step %}

#### Register an application in Microsoft Entra ID

In the [Azure Portal](https://portal.azure.com/), navigate to **Microsoft Entra ID → App registrations → New registration**.

* **Name**: `SureCloud CCM` (or a name that identifies the connection)
* **Supported account types**: Accounts in this organizational directory only
* Leave the redirect URI blank and click **Register**.

Note the **Application (client) ID** and **Directory (tenant) ID** — you will need both later.
{% endstep %}

{% step %}

#### Create a client secret

Inside the newly registered application, go to **Certificates & secrets → New client secret**.

* Set a description (e.g. `SureCloud CCM secret`) and an expiry of 12 months or 24 months. Prefer the shorter option, or a custom period shorter still, if your rotation process can sustain it: the secret is a bearer credential, and the longer it lives the longer a leaked value stays usable.
* Click **Add** and immediately copy the **Value** — it is only shown once.

{% hint style="warning" %}
Set a calendar reminder to rotate this secret before it expires. An expired secret will stop SureCloud from collecting data. To rotate without a collection gap, add the new secret first, update the value at **SureCloud → Integrations → Microsoft Azure → Edit Connection**, confirm **Test Connection** passes, and only then delete the old secret. Treat the value as you would a password: anyone holding it gets Reader access to every monitored subscription and, once the Graph permissions below are consented, read access to your directory, so keep it out of tickets, chat and email.
{% endhint %}
{% endstep %}

{% step %}

#### Assign the Reader role to the Service Principal

Navigate to the subscription (or Management Group) you want SureCloud to monitor:

1. Open **Subscriptions → \[Your Subscription] → Access control (IAM) → Add role assignment**.
2. Select the **Reader** built-in role.
3. In **Members**, choose **User, group, or service principal** and search for the app name you registered (`SureCloud CCM`).
4. Click **Review + assign**.

Repeat for each additional subscription, or assign Reader at the Management Group level to cover all child subscriptions at once.
{% endstep %}

{% step %}

#### Grant Microsoft Graph API permissions (for Entra ID monitoring)

Return to **App registrations → SureCloud CCM → API permissions → Add a permission → Microsoft Graph → Application permissions** and add:

| Permission                          | Purpose                                           |
| ----------------------------------- | ------------------------------------------------- |
| `Directory.Read.All`                | Read users, groups, roles, and service principals |
| `Policy.Read.All`                   | Read Conditional Access policies                  |
| `AuditLog.Read.All`                 | Read sign-in and audit logs                       |
| `UserAuthenticationMethod.Read.All` | Read MFA registration per user                    |

Click **Grant admin consent** for your tenant. Because these are Microsoft Graph application permissions, a Global Administrator or Privileged Role Administrator must approve this step; an Application Administrator or Cloud Application Administrator cannot consent to Microsoft Graph application permissions. Until consent is granted the permissions are merely configured and Entra ID collection will fail.
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → Microsoft Azure → Connect** and provide:

* **Tenant ID**
* **Client (Application) ID**
* **Client Secret**
* **Subscription ID(s)** to monitor (or leave blank if Reader was assigned at Management Group level)

Click **Test Connection**. SureCloud will validate the credentials and role assignments before saving.
{% endstep %}
{% endstepper %}

## Multi-subscription setup

{% tabs %}
{% tab title="Per-subscription Reader role" %}
Assign the **Reader** role to the SureCloud Service Principal on each subscription individually via **Subscriptions → \[Name] → Access control (IAM)**. This approach gives you granular control over which subscriptions SureCloud can see.

Best suited for organisations with a small number of subscriptions or where subscription-level RBAC governance is strict.
{% endtab %}

{% tab title="Management Group Reader role" %}
Assign **Reader** at a Management Group that encompasses all target subscriptions. The role assignment is inherited by all child subscriptions automatically.

Best suited for organisations with many subscriptions under a single Management Group, or where centralised RBAC governance is in place. Confirm the assignment at **Management Groups → \[Name] → Access control (IAM) → Role assignments**. Subscriptions later moved under that Management Group inherit the assignment automatically; subscriptions outside it stay invisible to SureCloud until they are moved in or assigned Reader directly.
{% endtab %}
{% endtabs %}

## Polling frequency

| Data type                                    | Collection interval |
| -------------------------------------------- | ------------------- |
| Microsoft Entra ID users and MFA status      | 24 hours            |
| Conditional Access policies                  | 24 hours            |
| Resource configuration and compliance        | 24 hours            |
| Microsoft Defender for Cloud recommendations | 24 hours            |
| Azure Activity Log events                    | 1 hour              |
| Azure Policy compliance results              | 24 hours            |
| Key Vault key and certificate expiry         | 24 hours            |

## Troubleshooting

<details>

<summary>Test Connection fails with "Insufficient privileges"</summary>

The Service Principal does not have the Reader role on the target subscription, or the Microsoft Graph API permissions have not been granted admin consent.

1. In **Azure Portal → App registrations → SureCloud CCM → API permissions**, confirm that all required Graph permissions show a green **Granted** status. If not, click **Grant admin consent** (requires Global Administrator).
2. In **Subscriptions → \[Name] → Access control (IAM) → Role assignments**, confirm the `SureCloud CCM` service principal appears with the **Reader** role.
3. Allow up to 5 minutes for role assignment propagation, then retry **Test Connection** in SureCloud.

</details>

<details>

<summary>Client secret error — authentication failed</summary>

The client secret has expired or was not copied correctly.

1. In **Azure Portal → App registrations → SureCloud CCM → Certificates & secrets**, check the **Expires** column. If the secret has expired, create a new one.
2. Copy the new secret **Value** immediately after creation.
3. In SureCloud, go to **Integrations → Microsoft Azure → Edit Connection** and paste the new secret, then click **Save and Test**.

</details>

<details>

<summary>Entra ID user data is missing or incomplete</summary>

The `Directory.Read.All` or `UserAuthenticationMethod.Read.All` permissions may not have received admin consent, or the Service Principal was granted only delegated (not application) permissions.

1. In **App registrations → SureCloud CCM → API permissions**, confirm all permissions are listed under **Application permissions** (not Delegated).
2. Confirm the status column shows **Granted for \[Tenant]** for every permission.
3. If any permission shows **Not granted**, click **Grant admin consent**.

</details>

<details>

<summary>Activity Log data stops appearing</summary>

Azure Activity Logs are retained for 90 days by default. If SureCloud has not collected logs for more than 90 days (for example, after a connection interruption), older events will not be recoverable.

To extend retention, configure a Diagnostic Setting on the subscription to export Activity Logs to a Log Analytics workspace or Storage Account. SureCloud can then collect from those sources via the Azure Monitor integration. Contact SureCloud support to configure a Log Analytics workspace connection.

</details>

<details>

<summary>Specific subscriptions are not appearing in SureCloud</summary>

The Reader role was assigned on only some subscriptions, or the Subscription IDs entered in SureCloud do not match the actual subscription GUIDs.

1. In SureCloud, go to **Integrations → Microsoft Azure → Edit Connection** and verify the Subscription ID list.
2. In **Azure Portal → Subscriptions**, copy the exact **Subscription ID** (GUID format) for each subscription you intend to monitor.
3. If using Management Group scope, confirm the Service Principal's role assignment is visible at **Management Groups → \[Name] → Access control (IAM)**.

</details>
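As an added pre-flight check (example code, not SureCloud's own), the script below evaluates the outcome of the five setup steps, the multi-subscription scoping and the troubleshooting cases for missing Reader assignments, expiring secrets and unconsented Graph permissions. It works on JSON you export with the Azure CLI, so it runs offline; the CLI commands and JSON field names are the real ones, while the subscription and role GUIDs, the `mg-prod` hierarchy and the secret names in the sample data are constructed placeholders.

```python
"""Offline pre-flight check for a SureCloud Azure connection.

Added example, not SureCloud's own code. It evaluates JSON already exported
with the Azure CLI, so it needs no network access:

  az role assignment list --assignee <APP_ID> --all -o json       -> ROLE_ASSIGNMENTS
  az ad app credential list --id <APP_ID> -o json                  -> CREDENTIALS
  az ad sp show --id 00000003-0000-0000-c000-000000000000 -o json  -> GRAPH_SP
  az rest --url https://graph.microsoft.com/v1.0/servicePrincipals/<SP_OBJECT_ID>/appRoleAssignments
                                       -> APP_ROLE_ASSIGNMENTS (the "value" array)

The sample data at the bottom is constructed and its GUIDs are placeholders.
"""
from datetime import datetime, timedelta, timezone
import json

READER_ROLE = "Reader"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
REQUIRED_GRAPH_ROLES = {"Directory.Read.All", "Policy.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"}


def reader_coverage(role_assignments, subscriptions, mg_ancestors):
    """Subscriptions with no effective Reader assignment (checks Reader only, as the
    docs require, so a Contributor-only subscription is still reported).

    An assignment is effective when its scope is the subscription itself or any
    management group above it; mg_ancestors maps subscription -> ancestor MG IDs.
    """
    reader_scopes = {ra["scope"].lower() for ra in role_assignments
                     if ra.get("roleDefinitionName") == READER_ROLE}
    missing = []
    for sub in subscriptions:
        covering = {f"/subscriptions/{sub}".lower()}
        covering |= {f"{MG_PREFIX}{mg}".lower() for mg in mg_ancestors.get(sub, [])}
        if not covering & reader_scopes:
            missing.append(sub)
    return missing


def graph_role_gaps(app_role_assignments, graph_sp):
    """Required Microsoft Graph application permissions that lack admin consent.

    Consenting to an application permission creates an appRoleAssignment on the
    SureCloud service principal whose resourceId is the Graph service principal.
    A permission only added under API permissions but never consented, or added
    as a delegated permission instead, has no such assignment and is reported.
    """
    id_to_value = {r["id"]: r["value"] for r in graph_sp["appRoles"]
                   if "Application" in r.get("allowedMemberTypes", [])}
    granted = {id_to_value[a["appRoleId"]] for a in app_role_assignments
               if a.get("resourceId") == graph_sp["id"] and a["appRoleId"] in id_to_value}
    return sorted(REQUIRED_GRAPH_ROLES - granted)


def _parse_ts(ts):
    # Graph emits RFC 3339 UTC timestamps with up to seven fractional digits,
    # which datetime.fromisoformat() rejects before Python 3.11; seconds suffice.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(credentials, now, warn_days=30):
    """Bucket client secrets by endDateTime: expired, expiring within warn_days, ok."""
    status = {"expired": [], "expiring": [], "ok": []}
    for cred in credentials:
        end = _parse_ts(cred["endDateTime"])
        bucket = ("expired" if end <= now
                  else "expiring" if end - now <= timedelta(days=warn_days)
                  else "ok")
        status[bucket].append(cred["displayName"])
    return status


# --- constructed sample data (placeholder GUIDs and names) ---
SUBSCRIPTIONS = ["11111111-1111-1111-1111-111111111111",
                 "22222222-2222-2222-2222-222222222222",
                 "33333333-3333-3333-3333-333333333333"]
MG_ANCESTORS = {SUBSCRIPTIONS[1]: ["mg-prod", "tenant-root-mg"]}  # second sub sits under mg-prod
ROLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUBSCRIPTIONS[0]}"},
    {"roleDefinitionName": "Reader", "scope": f"{MG_PREFIX}mg-prod"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUBSCRIPTIONS[2]}"},
]
GRAPH_SP = {"id": "aaaaaaaa-0000-0000-0000-000000000001", "appRoles": [
    {"id": f"bbbbbbbb-0000-0000-0000-00000000000{i}", "value": v, "allowedMemberTypes": ["Application"]}
    for i, v in enumerate(sorted(REQUIRED_GRAPH_ROLES), start=1)]}
APP_ROLE_ASSIGNMENTS = [  # everything consented except the MFA-registration permission
    {"appRoleId": r["id"], "resourceId": GRAPH_SP["id"]}
    for r in GRAPH_SP["appRoles"] if r["value"] != "UserAuthenticationMethod.Read.All"]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
CREDENTIALS = [
    {"displayName": "SureCloud CCM secret", "endDateTime": "2025-01-25T09:00:00.1234567Z"},
    {"displayName": "old rotation", "endDateTime": "2024-12-31T00:00:00Z"},
    {"displayName": "SureCloud CCM secret 2026", "endDateTime": "2026-01-15T00:00:00Z"},
]


def preflight():
    """Run every check on the sample data; empty Reader and Graph findings and no
    expired secret mean the prerequisites for Test Connection are in place."""
    return {
        "subscriptions_without_reader": reader_coverage(ROLE_ASSIGNMENTS, SUBSCRIPTIONS, MG_ANCESTORS),
        "graph_permissions_missing": graph_role_gaps(APP_ROLE_ASSIGNMENTS, GRAPH_SP),
        "client_secrets": secret_status(CREDENTIALS, NOW),
    }


if __name__ == "__main__":
    print(json.dumps(preflight(), indent=2))
```

Replace the sample constants with the real CLI exports to run it against your tenant. The Graph check deliberately looks at consented `appRoleAssignments` rather than the app registration's configured permissions, which is exactly the difference the "Entra ID user data is missing" case turns on; the secret check only reports expiry, it cannot tell whether the value stored in SureCloud matches.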

## Service pages

* [Microsoft Entra ID](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/microsoft-entra-id.md)
* [Microsoft Defender for Cloud](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/microsoft-defender-for-cloud.md)
* [Azure Blob Storage](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-blob-storage.md)
* [Azure Virtual Machines](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-virtual-machines.md)
* [Azure Key Vault](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-key-vault.md)
* [Azure SQL Database](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-sql-database.md)
* [Azure Monitor and Activity Log](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-monitor-and-activity-log.md)
* [Azure Policy](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-policy.md)
* [Azure Networking](/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/azure/azure-networking.md)

<a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal" class="button secondary">Azure Service Principal docs</a> <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader" class="button secondary">Azure Reader role reference</a>

