Our Azure integration supports external-facing IPs and hostnames from DNS zones. Azure app service endpoints (including web apps) would need to be added manually (as would internal-only VMs).
There are two places you can add your Microsoft Azure account in the portal:
From the Targets page by clicking the yellow + Add Targets button then clicking Cloud Account Sync:
Or, from the Integrations page by clicking on the green + Add button under Azure:
Setup Step 1 - Creating an App Registration
To integrate Azure with Intruder Portal, we need to do the following:
Create an app registration
Grant the app registration the following Graph API permissions:
Directory.Read.AllUserAuthenticationMethod.Read.AllPolicy.Read.All
Assign the
Readerrole to the app registration on the Tenant Root Management GroupCreate a client secret for the app registration
Get the
Directory (tenant) ID,Application IDandClient secretand use them in Intruder Portal to add the Azure integration
Option A (in the Azure Web Portal)
Log in to the Azure Portal (
portal.azure.com)Search for App Registrations in the top search bar.
Click + New registration
Provide a name for your app (e.g., Intruder Connector), leave the defaut values present, and click Register.
In the top toolbar, search for
IntruderConnector(or the name you used for the app registration)
Navigate to
Manage→API permissions
Select Add a permission → Microsoft Graph → Application permissions.
Enable the following permissions:
Directory.Read.AllUserAuthenticationMethod.Read.AllPolicy.Read.All
Click Add permissions
Then select Grant admin consent for [Your Tenant], confirming the selection.
Ensure all permissions have a green check in the Status column.
In the top toolbar, search for Management Groups
Select your root management group (usually Tenant Root Group).
Click Access control (IAM) → Role assignments
Choose Add → Add role assignment
Select the Reader role:
Click on the Members tab, and then Select members.
In the Select Members panel, search for the name of the app registration that you created earlier, then click on it and click Select
Click Review + assign (twice) to complete
Return to App registrations and open your app.
Note the Application (client) ID and Directory (tenant) ID from this page - you will need to copy these across to the Intruder portal
Navigate to Manage → Certificates & secrets → Client secrets
Click + New client secret, provide a name and expiry, and click Add
Note the Value of the secret - this is the final data point you will need to copy across to the Intruder portal.
Option B (using Azure CLI)
Create the app registration using a name of your choosing ("
IntruderConnector" in this example):az ad app create --display-name "IntruderConnector"
This will output a JSON response. In the response, locate and copy the value of the
appIdfield:"appId": "<Application id here>"
Save the appId, and add the API permissions for the app:
az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "38d9df27-64da-44fd-b7c5-a6fbac20248f=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "246dd0d5-5bd0-4def-940b-0421030a5b68=Role"
Grant admin consent to activate the API permissions.
Note: this requires Global Administrator access:az ad app permission admin-consent --id $AZURE_APP_ID
Next, get the service principal ID of the app registration:
az ad sp show --id $AZURE_APP_ID --query id
Get the Root Management Group ID:
az account management-group list --query "[?displayName=='Tenant Root Group'].id"
If you do not use the default name for the root management group, substitute the name above in place of
Tenant Root Group.Next, assign the
Readerrole to the root management group:az role assignment create --assignee $SERVICE_PRINCIPAL_ID --role "Reader" --scope $MANAGEMENT_GROUP_ID
Finally, create the client secret. In this example, we set the token to expire in 1 year:
az ad app credential reset --id $APP_ID --append --display-name "IntruderConnectorSecret" --end-date $(date -v+12m +%Y-%m-%d)
This will output a JSON with the fields
appId,passwordandtenant. These are the credentials you will need to enter in the Portal in the fieldsApplication ID,Client SecretandDirectory IDrespectively.
Move to Step 2: Integrate Azure with Intruder
Option C (using PowerShell)
The script below will set up the application and all the required permissions. The example app in the script will be created with the name IntruderConnector and a client secret with 12-month expiration. Adjust the values as needed.
First, ensure you have the PowerShell modules for Azure and Microsoft Graph installed:
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Install-Module -Name Microsoft.Graph -AllowClobber -Scope CurrentUserThen, run the following script:
# 1. Create an app registration
$app = New-AzADApplication -DisplayName "IntruderConnector"
$appId = $app.AppId
$tenantId = (Get-AzContext).Tenant.Id
# 2. Add Graph API permissions
$graphSp = Get-AzADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$permissions = @(
"Directory.Read.All",
"UserAuthenticationMethod.Read.All",
"Policy.Read.All"
)
foreach ($permission in $permissions) {
$role = $graphSp.AppRole | Where-Object { $_.Value -eq $permission }
Add-AzADAppPermission -ObjectId $app.id -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId $role.Id -Type Role
}
# 3. Add Reader role assignment to tenant root management group
$mgId = (Get-AzManagementGroup -GroupName $tenantId).Id
$sp = New-AzADServicePrincipal -ApplicationId $appId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -Scope $mgId
# 4. Create a client secret with 12-month expiration
$endDate = (Get-Date).AddMonths(12)
$secret = New-AzADAppCredential -ObjectId $app.Id -EndDate $endDate
Write-Host "Application ID: $appId"
Write-Host "Directory (Tenant) ID: $tenantId"
Write-Host "Client Secret: $($secret.SecretText)"This will output the Application ID, Directory ID and Client Secret which you will need to enter in Intruder Portal when adding the Azure integration.
Before adding the integration, you will need to grant administrator consent for the Microsoft Graph API permissions required by the app registration.
This cannot be done via PowerShell, but if you have Azure CLI installed with Global Administrator privileges, you can use the following command:az ad app permission admin-consent --id $appId
Substitute the$appIdwith the application ID from Step 3.
Alternatively, you can grant administrator consent via the Azure Portal:
Log in to the Azure Portal (
portal.azure.com)In the top toolbar, search for
IntruderConnector(or the name you used for the app registration)
Select Grant admin consent for [Your Tenant], confirming the selection.
Done! You can now log in to the Intruder Portal and proceed to Step 2: Integrate Azure with Intruder
Setup Step 2 - Integrate Azure with Intruder
Log in to your Intruder portal (
portal.intruder.io)Navigate to Targets → Add target
Cloud asset sync → Microsoft Azure
Enter the previously noted:
Application ID
Directory ID
Client Secret
Click Add asset and confirm the setup.
You will be redirected to view your newly added Azure integration. The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.
You're done! 🎉
The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.
Intruder scans comply with Microsoft's Penetration Testing Rules of Engagement.
Note: Azure integration is only available for customers on our Cloud, Pro, Enterprise, and Vanguard plans.