
Microsoft Azure integration

Connect Intruder to Microsoft Azure to synchronise your targets

Updated this week

Our Azure integration supports external-facing IPs and hostnames from DNS zones.
Azure app service endpoints (including web apps) would need to be added manually (as would internal-only VMs).

There are two places you can add your Microsoft Azure account in the portal:

From the Targets page by clicking the yellow + Add Targets button then clicking Cloud Account Sync:

Or, from the Integrations page by clicking on the green + Add button under Azure:


Setup Step 1 - Gathering IDs and Secrets

To integrate your Azure environment with Intruder, we need to do the following:

  • Create an app registration

  • Grant the app registration the following Graph API permissions:

    • Directory.Read.All

    • UserAuthenticationMethod.Read.All

    • Policy.Read.All

  • Assign the Reader role in the app registration on the Tenant Root Management Group

  • Create a client secret for the app registration

  • Get the Directory (tenant) ID, Application ID and Client secret and use them in Intruder Portal to add the Azure integration

  1. We require four access keys to connect your Azure account to Intruder:


    You need to get them from various sections of the Azure portal, so it's probably best to open a text document that you can copy them into. It should all be straightforward if you follow the steps below, so hang in there!

    1. Application (client) ID

      • Click on the 'Intruder' application (the app registration created in Setup Step 2 below)

      • Click 'Overview' and take a note of the
        Application (client) ID.
        (You'll need this for the 'Application ID' field in the Intruder portal.)

    2. Directory (tenant) ID

      You can also get the Directory (tenant) ID from this screen so let's note that one down too.
      (You'll need this for the 'Directory ID' field in the Intruder portal.)

    3. Application secret key (in Azure you're looking for the secret 'VALUE')

      • Now scroll down and click on Certificates & secrets in the left navigation panel

      • Click on the New client secret button:

      • Enter a description (e.g. 'Intruder')

      • Set an expiry date (i.e. how long you want the secret to be valid for).
        (⚠️ Please note that Intruder will no longer be able to access your Azure account when the secret expires.)

      • Now click Add and note down the secret VALUE. (Not the Secret ID).
        (You'll need this for the 'Application secret key' field in the Intruder portal.)

        ⚠️ Please note that you won't be able to see that 'Application secret key' again after you've left this screen, so make sure you copy and paste it now!

    4. Subscription ID

      • Search for Subscriptions using the search functionality and click to see the 'Subscriptions' menu.

      • Select your subscription from the list of Azure Subscriptions displayed. The following screenshots show the 'Intruder' subscription, but yours will likely be specific to your organisation.

      • Take note of your Azure Subscription ID:
        (You'll need this for the 'Subscription ID' field in the Intruder portal.)


Setup Step 2 (using Azure CLI)

  1. Create the app registration using a name of your choosing ("IntruderConnector" in this example):

    az ad app create --display-name "IntruderConnector"

  2. This will output a JSON response. In the response, locate and copy the value of the appId field:

    "appId": "<Application id here>"

  3. Save the appId (the commands below assume it is stored in $AZURE_APP_ID), and add the API permissions for the app. The --api value 00000003-0000-0000-c000-000000000000 is Microsoft Graph, and the three permission IDs are Directory.Read.All, UserAuthenticationMethod.Read.All and Policy.Read.All, in that order:

    az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role"
    az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "38d9df27-64da-44fd-b7c5-a6fbac20248f=Role"
    az ad app permission add --id $AZURE_APP_ID --api 00000003-0000-0000-c000-000000000000 --api-permissions "246dd0d5-5bd0-4def-940b-0421030a5b68=Role"

  4. Grant admin consent to activate the API permissions.
    Note: this requires Global Administrator access:

    az ad app permission admin-consent --id $AZURE_APP_ID

  5. Next, get the service principal (object) ID of the app registration and store it in $SERVICE_PRINCIPAL_ID:

    az ad sp show --id $AZURE_APP_ID --query id

  6. Get the Root Management Group ID and store it in $MANAGEMENT_GROUP_ID:

    az account management-group list --query "[?displayName=='Tenant Root Group'].id"

  7. If you do not use the default name for the root management group, substitute your group's name in place of Tenant Root Group.

    Next, assign the Reader role to the service principal at the root management group scope:

    az role assignment create --assignee $SERVICE_PRINCIPAL_ID --role "Reader" --scope $MANAGEMENT_GROUP_ID

  8. Finally, create the client secret. In this example, we set the secret to expire in 1 year (the date command below is the macOS/BSD form; on GNU/Linux use date -d "+12 months" +%Y-%m-%d instead):

    az ad app credential reset --id $AZURE_APP_ID --append --display-name "IntruderConnectorSecret" --end-date $(date -v+12m +%Y-%m-%d)

  9. This will output a JSON with the fields appId, password and tenant. These are the credentials you will need to enter in the Portal in the fields Application ID, Client Secret and Directory ID respectively.
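Once the app registration exists, two things are worth checking on a schedule: that the app holds exactly the three Graph application roles listed above (no extra permissions crept in), and how long the client secret has left before the integration silently stops working. The script below is an added example, not part of the original article or Intruder's tooling; it assumes the JSON shapes returned by `az ad app permission list --id $AZURE_APP_ID` (requiredResourceAccess entries) and `az ad app credential list --id $AZURE_APP_ID` (passwordCredentials with an ISO 8601 endDateTime), and the sample data inline is constructed, not captured from a real tenant.

```python
import json
from datetime import datetime, timezone

# Microsoft Graph resource app ID and the three application roles from the az steps above
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
REQUIRED_GRAPH_ROLES = {
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "38d9df27-64da-44fd-b7c5-a6fbac20248f": "UserAuthenticationMethod.Read.All",
    "246dd0d5-5bd0-4def-940b-0421030a5b68": "Policy.Read.All",
}

def _parse_utc(value):
    """Parse an ISO 8601 timestamp; Graph emits a trailing 'Z', which older Pythons reject."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_graph_permissions(permission_list):
    """Compare assumed `az ad app permission list` output against the required roles.
    Returns (missing_role_names, unexpected_role_ids); anything unexpected is over-privilege."""
    granted = set()
    for entry in permission_list:
        if entry.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope for this check
        for access in entry.get("resourceAccess", []):
            if access.get("type") == "Role":  # application permission, as granted above
                granted.add(access["id"])
    missing = sorted(name for rid, name in REQUIRED_GRAPH_ROLES.items() if rid not in granted)
    unexpected = sorted(granted - set(REQUIRED_GRAPH_ROLES))
    return missing, unexpected

def days_until_secret_expiry(credential_list, display_name, now=None):
    """Days left on the named client secret: negative means expired, None means not found.
    `now` may be an ISO 8601 string or a timezone-aware datetime (defaults to current UTC)."""
    now = _parse_utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    for cred in credential_list:
        if cred.get("displayName") == display_name:
            return (_parse_utc(cred["endDateTime"]) - now).days
    return None

# Constructed sample output (assumed shape; not from a real tenant). One required role is absent.
SAMPLE_PERMISSIONS = json.loads("""[{"resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [{"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
                     {"id": "38d9df27-64da-44fd-b7c5-a6fbac20248f", "type": "Role"}]}]""")
SAMPLE_CREDENTIALS = json.loads("""[{"displayName": "IntruderConnectorSecret",
  "endDateTime": "2025-01-31T00:00:00Z", "keyId": "00000000-0000-0000-0000-000000000001"}]""")

if __name__ == "__main__":
    print("missing/unexpected:", check_graph_permissions(SAMPLE_PERMISSIONS))
    print("days left:", days_until_secret_expiry(SAMPLE_CREDENTIALS, "IntruderConnectorSecret"))
```

In practice you would pipe the real az output into these functions and alert well before the expiry count reaches zero, since the article notes that Intruder loses access the moment the secret expires.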

Setup Step 2 (using the Azure Web Portal)

  1. Log in to the Azure management portal > search for App registrations using the search functionality > click App registrations:

  2. Click on the 'New registration' button:

  3. Enter a name (we recommend 'Intruder' or something similar) then click Register:


Create a role

  1. Within your subscription detail page, select 'Access control (IAM)' from the left menu

    1. Click Add

    2. Then click Add role assignment.

  2. A new window will appear.

    1. Type Reader into the search box

    2. Click on the Reader item in the dropdown. (We require read-only access in order to fetch your public IP addresses and DNS hostnames.)

    3. Click 'Next'

  3. Ensure the Assign access to property is set to User, group, or service principal:

  4. Click 'Select members', and in the pop up window, search for the application we created earlier (e.g. 'Intruder', or whatever you chose to name it).

  5. Choose that application from the list, and click 'Select':


Setup Step 3 - Entering the details in Intruder

  1. Log into the Intruder portal > Targets page > Cloud accounts > Add account > Microsoft Azure:

  2. Enter the Application ID, Directory ID, Application secret key and Subscription ID > click 'Add account':


The next thing you'll see is this modal 👇, for automated management of your cloud targets.

If that's not of interest and you'd like to manage them manually, skip the boxes and simply press Confirm setup.


Intruder scans comply with Microsoft's Penetration Testing Rules of Engagement.

Note: Azure integration is only available for customers on our Cloud, Pro, Enterprise, and Vanguard plans.
