ℹ️ Note: Our Azure integration (available on Cloud, Pro, Enterprise, and Vanguard plans) synchronizes DNS A records only. External-facing IPs and hostnames are supported automatically, while App Service endpoints and internal-only VMs must be added manually.

There are three places from which you can add the Azure inte

1a. From the Targets page, click '+Add target' > Cloud environments > Microsoft Azure:

⬇️

1b. From the Integrations page. Click + Add, under Azure:

1c. The Discovery page by clicking the yellow + Add asset button > Microsoft Azure:

Setup Instructions

To integrate Azure with Intruder Portal, we need to do the following:

Create an app registration
Grant the app registration the following Graph API permissions:
- Directory.Read.All
- UserAuthenticationMethod.Read.All
- Policy.Read.All
Assign the Reader role to the app registration on the Tenant Root Management Group
Create a client secret for the app registration
Get the Directory (tenant) ID, Application ID and Client secret and use them in Intruder Portal to add the Azure integration

If you prefer a video walkthrough, check out the video below:

Step 1 - Creating an App Registration

There are three different options available for configuring the App Registration - please find links to each of these below:

Option A (in the Azure Web Portal)
Option B (using Azure CLI)
Option C (using PowerShell)

Option A (in the Azure Web Portal)

Log in to the Azure Portal (portal.azure.com)
Search for App Registrations in the top search bar.
Click + New registration
Provide a name for your app (e.g., Intruder Connector), leave the defaut values present, and click Register.
In the top toolbar, search for IntruderConnector (or the name you used for the app registration)
Navigate to Manage → API permissions
Select Add a permission → Microsoft Graph → Application permissions.

Please ensure that you select 'Application Permissions' as this is the type we need for the Integration to work!
Enable the following permissions:
- Directory.Read.All
- UserAuthenticationMethod.Read.All
- Policy.Read.All
Click Add permissions

Then select Grant admin consent for [Your Tenant], confirming the selection.
Ensure all permissions have a green check in the Status column.
In the top toolbar, search for Management Groups
Select your root management group (usually Tenant Root Group).

⚠️ If you see, "You are not authorized to view this Management Group," when trying to click "Tenant Root Group," try navigating to Tenant properties and toggling "Access management for Azure resources" to "Yes":
👇
👇
Click Access control (IAM) → Role assignments
Choose Add → Add role assignment
Select the Reader role:

Click on the Members tab, and then Select members.

In the Select Members panel, search for the name of the app registration that you created earlier, then click on it and click Select
Click Review + assign (twice) to complete
Return to App registrations and open your app.

Note the Application (client) ID and Directory (tenant) ID from this page - you will need to copy these across to the Intruder portal
Navigate to Manage → Certificates & secrets → Client secrets
1. Click + New client secret, provide a name and expiry, and click Add
Note the Value of the secret - this is the final data point you will need to copy across to the Intruder portal.

Move to Step 2: Integrate Azure with Intruder

Option B (using Azure CLI)

Create the app registration using a name of your choosing ("IntruderConnector" in this example):
```
az ad app create --display-name "IntruderConnector"
```
This will output a JSON response. In the response, locate and copy the value of the appId field:
```
"appId": "<Application id here>"
```

Save the appId, and add the API permissions for the app:

az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "38d9df27-64da-44fd-b7c5-a6fbac20248f=Role" az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "246dd0d5-5bd0-4def-940b-0421030a5b68=Role"

Grant admin consent to activate the API permissions.
Note: this requires Global Administrator access:
```
az ad app permission admin-consent --id $AZURE_APP_ID
```
Next, get the service principal ID of the app registration:
```
az ad sp show --id $AZURE_APP_ID --query id
```

Get the Root Management Group ID:

az account management-group list --query "[?displayName=='Tenant Root Group'].id"

If you do not use the default name for the root management group, substitute the name above in place of Tenant Root Group.
Next, assign the Reader role to the root management group:
```
az role assignment create --assignee $SERVICE_PRINCIPAL_ID --role "Reader" --scope $MANAGEMENT_GROUP_ID
```

Finally, create the client secret. In this example, we set the token to expire in 1 year:

az ad app credential reset --id $APP_ID --append --display-name "IntruderConnectorSecret" --end-date $(date -v+12m +%Y-%m-%d)

This will output a JSON with the fieldsappId, password and tenant. These are the credentials you will need to enter in the Portal in the fields Application ID, Client Secret and Directory ID respectively.

Move to Step 2: Integrate Azure with Intruder

Option C (using PowerShell)

The script below will set up the application and all the required permissions. The example app in the script will be created with the name IntruderConnector and a client secret with 12-month expiration. Adjust the values as needed.

First, ensure you have the PowerShell modules for Azure and Microsoft Graph installed:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

Install-Module -Name Microsoft.Graph -AllowClobber -Scope CurrentUser

Then, run the following script:

# 1. Create an app registration
$app = New-AzADApplication -DisplayName "IntruderConnector"
$appId = $app.AppId
$tenantId = (Get-AzContext).Tenant.Id

# 2. Add Graph API permissions
$graphSp = Get-AzADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

$permissions = @(
    "Directory.Read.All",
    "UserAuthenticationMethod.Read.All",
    "Policy.Read.All"
)

foreach ($permission in $permissions) {
    $role = $graphSp.AppRole | Where-Object { $_.Value -eq $permission }
    Add-AzADAppPermission -ObjectId $app.id -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId $role.Id -Type Role
}


# 3. Add Reader role assignment to tenant root management group
$mgId = (Get-AzManagementGroup -GroupName $tenantId).Id
$sp = New-AzADServicePrincipal -ApplicationId $appId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -Scope $mgId

# 4. Create a client secret with 12-month expiration
$endDate = (Get-Date).AddMonths(12)
$secret = New-AzADAppCredential -ObjectId $app.Id -EndDate $endDate

Write-Host "Application ID: $appId"
Write-Host "Directory (Tenant) ID: $tenantId"
Write-Host "Client Secret: $($secret.SecretText)"

This will output the Application ID, Directory ID and Client Secret which you will need to enter in Intruder Portal when adding the Azure integration.
Before adding the integration, you will need to grant administrator consent for the Microsoft Graph API permissions required by the app registration.

This cannot be done via PowerShell, but if you have Azure CLI installed with Global Administrator privileges, you can use the following command:
```
az ad app permission admin-consent --id $appId
```
Substitute the $appId with the application ID from Step 3.

Alternatively, you can grant administrator consent via the Azure Portal:

Log in to the Azure Portal (portal.azure.com)
In the top toolbar, search for IntruderConnector (or the name you used for the app registration)
Select Grant admin consent for [Your Tenant], confirming the selection.

Done! You can now log in to the Intruder Portal and proceed to Step 2: Integrate Azure with Intruder

Setup Step 2 - Integrate Azure with Intruder

Log in to your Intruder portal (portal.intruder.io)
Navigate to Targets → Add target

Cloud asset sync → Microsoft Azure
Enter the previously noted:
- Application ID
- Directory ID
- Client Secret
Click Add asset and confirm the setup.

You will be redirected to view your newly added Azure integration. The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.

You're done! 🎉

The overview page lists all your subscriptions, and you can manage settings for syncing and scanning them directly from there, or click into each subscription to view its resources and settings.

You will also note that the validity period for your secret key is shown at the top of the page. You will be prompted to update this once it expires, but please ensure that this is kept up-to-date for continuous coverage:

Intruder scans comply with Microsoft's Penetration Testing Rules of Engagement.

AWS 'account' integration

Microsoft Teams integration

Azure: Common integration issues/errors

🎥 Video: How to add your Azure account to Intruder

Cloud Security Scans on Microsoft Azure

Microsoft Azure Integration