Overview

Intruder's integration with Azure enables automated cloud security scans to identify vulnerabilities and misconfigurations within your Azure environment.

This guide provides step-by-step instructions to configure the integration using Azure app registrations and management groups, ensuring Intruder has the necessary permissions.

Setting Up Cloud Security Scans on Your Azure Account

Multiple Azure Tenants?

Each Azure tenant requires separate integration. Repeat the steps below for each of your tenants.

To integrate Azure with Intruder Portal, we need to do the following:

Create an app registration
Grant the app registration the following Graph API permissions:
- Directory.Read.All
- UserAuthenticationMethod.Read.All
- Policy.Read.All
Assign the Reader role to the app registration on the Tenant Root Management Group
Create a client secret for the app registration
Get the Directory (tenant) ID, Application ID and Client secret and use them in Intruder Portal to add the Azure integration

For a quick overview of the setup process, take a look at our VP of Product, Andy, running through the process here:

If you'd prefer written instructions, we have those below, too.

Step 1 - Creating an App Registration

Option A (in the Azure Web Portal)

Log in to the Azure Portal (portal.azure.com)
Search for App Registrations in the top search bar.
Click + New registration
Provide a name for your app (e.g., Intruder Connector), leave the defaut values present, and click Register.
In the top toolbar, search for IntruderConnector (or the name you used for the app registration)
Navigate to Manage → API permissions
Select Add a permission → Microsoft Graph → Application permissions.
Enable the following permissions:
- Directory.Read.All
- UserAuthenticationMethod.Read.All
- Policy.Read.All
Click Add permissions

Then select Grant admin consent for [Your Tenant], confirming the selection.
Ensure all permissions have a green check in the Status column.
In the top toolbar, search for Management Groups
Select your root management group (usually Tenant Root Group).
Click Access control (IAM) → Role assignments
Choose Add → Add role assignment
Select the Reader role:

Click on the Members tab, and then Select members.

In the Select Members panel, search for the name of the app registration that you created earlier, then click on it and click Select
Click Review + assign (twice) to complete
Return to App registrations and open your app.

Note the Application (client) ID and Directory (tenant) ID from this page - you will need to copy these across to the Intruder portal
Navigate to Manage → Certificates & secrets → Client secrets
1. Click + New client secret, provide a name and expiry, and click Add
Note the Value of the secret - this is the final data point you will need to copy across to the Intruder portal.

Move to Step 2: Integrate Azure with Intruder

Option B (using Azure CLI)

Create the app registration using a name of your choosing ("IntruderConnector" in this example):
```
az ad app create --display-name "IntruderConnector"
```
This will output a JSON response. In the response, locate and copy the value of the appId field:
```
"appId": "<Application id here>"
```

Save the appId, and add the API permissions for the app:

az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "38d9df27-64da-44fd-b7c5-a6fbac20248f=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "246dd0d5-5bd0-4def-940b-0421030a5b68=Role"

Grant admin consent to activate the API permissions.
Note: this requires Global Administrator access:
```
az ad app permission admin-consent --id $AZURE_APP_ID
```
Next, get the service principal ID of the app registration:
```
az ad sp show --id $AZURE_APP_ID --query id
```

Get the Root Management Group ID:

az account management-group list --query "[?displayName=='Tenant Root Group'].id"

If you do not use the default name for the root management group, substitute the name above in place of Tenant Root Group.
Next, assign the Reader role to the root management group:
```
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --role "Reader" --scope $MANAGEMENT_GROUP_ID
```

Finally, create the client secret. In this example, we set the token to expire in 1 year:

az ad app credential reset --id $APP_ID --append --display-name "IntruderConnectorSecret" --end-date $(date -v+12m +%Y-%m-%d)

This will output a JSON with the fieldsappId, password and tenant. These are the credentials you will need to enter in the Portal in the fields Application ID, Client Secret and Directory ID respectively.

Move to Step 2: Integrate Azure with Intruder

Option C (using PowerShell)

The script below will set up the application and all the required permissions. The example app in the script will be created with the name IntruderConnector and a client secret with 12-month expiration. Adjust the values as needed.

First, ensure you have the PowerShell modules for Azure and Microsoft Graph installed:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

Install-Module -Name Microsoft.Graph -AllowClobber -Scope CurrentUser

Then, run the following script:

# 1. Create an app registration
$app = New-AzADApplication -DisplayName "IntruderConnector"
$appId = $app.AppId
$tenantId = (Get-AzContext).Tenant.Id

# 2. Add Graph API permissions
$graphSp = Get-AzADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

$permissions = @(
    "Directory.Read.All",
    "UserAuthenticationMethod.Read.All",
    "Policy.Read.All"
)

foreach ($permission in $permissions) {
    $role = $graphSp.AppRole | Where-Object { $_.Value -eq $permission }
    Add-AzADAppPermission -ObjectId $app.id -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId $role.Id -Type Role
}


# 3. Add Reader role assignment to tenant root management group
$mgId = (Get-AzManagementGroup -GroupName $tenantId).Id
$sp = New-AzADServicePrincipal -ApplicationId $appId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -Scope $mgId

# 4. Create a client secret with 12-month expiration
$endDate = (Get-Date).AddMonths(12)
$secret = New-AzADAppCredential -ObjectId $app.Id -EndDate $endDate

Write-Host "Application ID: $appId"
Write-Host "Directory (Tenant) ID: $tenantId"
Write-Host "Client Secret: $($secret.SecretText)"

This will output the Application ID, Directory ID and Client Secret which you will need to enter in Intruder Portal when adding the Azure integration.
Before adding the integration, you will need to grant administrator consent for the Microsoft Graph API permissions required by the app registration.

This cannot be done via PowerShell, but if you have Azure CLI installed with Global Administrator privileges, you can use the following command:
```
az ad app permission admin-consent --id $appId
```
Substitute the $appId with the application ID from Step 3.

Alternatively, you can grant administrator consent via the Azure Portal:

Log in to the Azure Portal (portal.azure.com)
In the top toolbar, search for IntruderConnector (or the name you used for the app registration)
Select Grant admin consent for [Your Tenant], confirming the selection.

Done! You can now log in to Intruder Portal and proceed to Step 2: Integrate Azure with Intruder

Step 2: Integrate Azure with Intruder

Log in to your Intruder portal (portal.intruder.io)
Navigate to Targets → Add target

Cloud asset sync → Microsoft Azure
Enter the previously noted:
- Application ID
- Directory ID
- Client Secret
Click Add asset and confirm the setup.

You will be redirected to view your newly added Azure integration. The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.

You're done! 🎉

The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.

What if I already have one or more existing Azure integrations?

Your existing integrations in the same Azure directory will be automatically connected to your new integration. They will be listed in the Subscriptions list and keep their existing assets and configuration.
You will no longer need separate credentials for each integration.
- We will sync your integration and all its subscriptions using the newly created credentials.
- If your integrations previously used a different application ID or client secret, you can safely delete them if they were not used for any other purpose.

Managing and Monitoring Scans

Scans run automatically once per day.
Results are accessible on the Scans page.
If missing permissions or invalid credentials are detected during scans, you’ll see error messages in your Intruder portal. Adjust your permissions accordingly.