Skip to main content

Azure

Connect your Microsoft Azure infrastructure to Ciphrix using a Service Principal for automated compliance monitoring.

Capabilities

The Azure integration provides the following capabilities:

✅ Compliance Checks

Automatically verify security configurations and compliance controls across your Azure infrastructure.

🔄 Import Asset (Coming Soon)

Automatically import and track Azure resources as assets in your Ciphrix inventory.

How to Connect Azure

Prerequisites

Before connecting Azure, ensure you have:

  • Azure account with administrative access
  • Permissions to create Service Principals in Azure Active Directory (Entra ID)
  • Access to Azure Portal
  • Global Administrator or Application Administrator role

Connection Instructions

Step 1: Create a Service Principal in Azure

  1. Log in to Azure Portal

  2. Navigate to Azure Active Directory (Entra ID)

    • In the Azure Portal search bar, type "Azure Active Directory" or "Entra ID"
    • Click on Azure Active Directory

  3. Create App Registration

    • In the left sidebar, click App registrations
    • Click + New registration
    • Enter the following details:
      • Name: ciphrix-integration (or your preferred name)
      • Supported account types: Select "Accounts in this organizational directory only"
      • Redirect URI: Leave blank
    • Click Register

  4. Note Application (Client) ID and Tenant ID

    • After registration, you'll see the app's Overview page
    • Copy and save the following values:
      • Application (client) ID: This is your Client ID
      • Directory (tenant) ID: This is your Tenant ID
    • Keep these values safe, you'll need them later

Step 2: Create Client Secret

  1. Navigate to Certificates & secrets

    • In your app registration, click Certificates & secrets in the left sidebar
    • Click on the Client secrets tab

  2. Create New Client Secret

    • Click + New client secret
    • Add a description (e.g., "Ciphrix Integration Secret")
    • Select expiration period:
      • 6 months, 12 months, 24 months, or Custom
      • ⚠️ Recommended: Choose 24 months or longer to avoid frequent rotation
    • Click Add

  3. Save Client Secret Value

    • Copy the secret Value immediately - this is your Client Secret
    • ⚠️ Important: This is the only time you can view the secret value. Store it securely.
    • If you navigate away, you'll need to create a new secret

Step 3: Assign Reader and SecurityReader Roles

  1. Navigate to Subscriptions

    • In the Azure Portal search bar, type "Subscriptions"
    • Click on Subscriptions
    • Click on the subscription you want to monitor

  2. Copy Subscription ID

    • On the subscription overview page, copy the Subscription ID
    • Save this value for later

  3. Access Control (IAM)

    • In the left sidebar of your subscription, click Access control (IAM)
    • Click + Add > Add role assignment

  4. Assign Reader Role

    • In the Role tab, search for and select Reader
    • Click Next
    • In the Members tab, click + Select members
    • In the search box, type the name of your app registration (e.g., ciphrix-integration)
    • Click on the service principal to select it
    • Click Select
    • Click Next
    • Click Review + assign
    • Wait for the assignment to complete

  5. Assign SecurityReader Role

    • Click + Add > Add role assignment again
    • In the Role tab, search for and select SecurityReader (or Security Reader)
    • Click Next
    • In the Members tab, click + Select members
    • In the search box, type the name of your app registration (e.g., ciphrix-integration)
    • Click on the service principal to select it
    • Click Select
    • Click Next
    • Click Review + assign
    • Wait for the assignment to complete
Recommended Roles

Ciphrix recommends using the built-in Azure managed Reader and SecurityReader roles for comprehensive compliance monitoring. See the Roles and Policies Applied section below for more details and alternative options.

Step 4: Add Azure Integration in Ciphrix

You have two options to create the Azure connection in Ciphrix:

  1. Navigate to Integration Library

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Go to the Integration Library tab
    • Click on the Cloud Infrastructure category

  2. Connect Azure

    • Click the Connect button on the Azure integration tile

  3. Fill Integration Form

    • Connection Name: Enter a name for this connection (e.g., "Production Azure Subscription")
    • Connection Identifier: Paste the Subscription ID from Step 3
    • Credential Name: Enter the Service Principal name (e.g., "ciphrix-integration")
    • Tenant ID: Paste the Directory (tenant) ID from Step 1
    • Client ID: Paste the Application (client) ID from Step 1
    • Subscription ID: Paste the Subscription ID again
    • Client Secret: Paste the Client Secret value from Step 2
    • Region: Select the Azure regions you want to monitor
    • Select Items: Select the Azure capabilities in Ciphrix you want to enable. Compliance checks are enabled by default

  4. Create Connection

    • Click Create Connection
    • Wait for the connection to be validated
Option B: From Create Connection

  1. Navigate to Create Connection

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Click Create Connection

  2. Select Azure

    • From the connection provider dropdown, select Microsoft Azure

  3. Fill Integration Form

    • Connection Name: Enter a name for this connection (e.g., "Production Azure Subscription")
    • Connection Identifier: Paste the Subscription ID from Step 3
    • Credential Name: Enter the Service Principal name (e.g., "ciphrix-integration")
    • Tenant ID: Paste the Directory (tenant) ID from Step 1
    • Client ID: Paste the Application (client) ID from Step 1
    • Subscription ID: Paste the Subscription ID again
    • Client Secret: Paste the Client Secret value from Step 2
    • Region: Select the Azure regions you want to monitor
    • Select Items: Select the Azure capabilities in Ciphrix you want to enable. Compliance checks are enabled by default

  4. Create Connection

    • Click Create or Save
    • Wait for the connection to be validated

Step 5: Verify Connection

  1. Check Connection Status

    • After creating the connection, you'll see the integration status
    • Status should show Connected or Active

  2. Initial Scan

    • Ciphrix will automatically begin scanning your Azure infrastructure
    • Ciphrix scans your environment once a week
    • You can contact support@ciphrix.com to know your next scan date
    • Compliance checks will run automatically

  3. View Results

    • Navigate to Monitoring
    • View compliance check results and findings

Roles and Policies Applied

Ciphrix provides flexible options for configuring the permissions of the Service Principal used to connect to your Azure environment. You can choose the approach that best fits your organization's security and compliance requirements.

Ciphrix recommends using the following built-in Azure managed roles:

Reader Role

  • Role: Reader
  • Type: Azure built-in managed role
  • Scope: Subscription level
  • Purpose: Provides read-only access to all resources in the subscription

SecurityReader Role

  • Role: SecurityReader (or Security Reader)
  • Type: Azure built-in managed role
  • Scope: Subscription level
  • Purpose: Provides read-only access to security-related configurations

Alternative Approach: Custom Policies

If your organization requires tighter control, you can create a custom Azure role with narrower permissions.

Creating a Custom Role

You can write a custom Azure role definition that provides read access only to the specific Azure services you want Ciphrix to scan. For example:

  • Include only: Virtual Machines, Storage Accounts, Key Vault, SQL Database
  • Exclude: All other services

To create a custom role:

  1. Use Azure Role-Based Access Control (RBAC) to define custom permissions
  2. Grant read-only actions for specific resource providers (e.g., Microsoft.Compute/virtualMachines/read)
  3. Assign the custom role to the Ciphrix Service Principal at the subscription level

Example custom role actions for selective scanning:

{
    "Name": "Ciphrix Custom Reader",
    "Description": "Custom read-only role for Ciphrix compliance scanning",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Network/networkSecurityGroups/read"
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/{subscription-id}"]
}

Restrictive Approach: Limited or No Access

In some cases, your organization may choose not to grant access to certain Azure services based on:

  • Internal security policies
  • Data sensitivity requirements
  • Regulatory restrictions
  • Operational constraints

This is completely acceptable. Here's what happens:

How Ciphrix Handles Access Restrictions

  1. Access Denied: When Ciphrix attempts to scan a service without the necessary permissions, the API call will fail with an "Access Denied" error.

  2. Check Failures: Compliance checks for that service will fail and appear as "Failed" in the Ciphrix dashboard with an "Access Denied" reason.

  3. Disabling Checks: You can disable specific compliance checks in Ciphrix for services you intentionally restrict access to.

  4. Business Justification: When disabling checks, Ciphrix allows you to provide a justification (e.g. business justification, operational, governance policy, etc)

  5. Audit Trail: All disabled checks and their justifications are captured and available for auditor review.

Services List

List of Azure services checked:

  • Active Directory
  • AI & ML (Machine Learning + OpenAI)
  • App Configuration
  • App Service
  • Application Gateway
  • Automation
  • Bastion
  • Blob Service
  • Container Apps
  • Container Registry
  • Cosmos DB
  • Defender
  • Event Grid
  • Event Hubs
  • Front Door
  • Kubernetes Service (AKS)
  • Load Balancer
  • Media Services
  • Monitor (Log Analytics)
  • MySQL Server
  • Network Security Groups
  • PostgreSQL Server
  • Redis Cache
  • Security Center
  • Service Bus
  • SQL Databases
  • SQL Server
  • Storage Accounts
  • Virtual Machine Scale Set
  • Virtual Machines

Troubleshooting

Connection Failed

Issue: Integration connected but showing permission errors

  • Verify the Client ID, Tenant ID, and Client Secret are correct
  • Ensure there are no extra spaces when copying credentials
  • Check that the Service Principal has Reader and SecurityReader roles assigned (or your custom role)
  • Verify the role assignments are at the correct subscription level
  • Ensure the client secret has not expired

No Data Appearing

Issue: Integration connected but no compliance data showing for more than 7 days

Authentication Errors

Issue: Authentication failed or unauthorized errors

  • Verify the Tenant ID is correct
  • Check that the Service Principal still exists in Azure AD
  • Ensure the app registration is not disabled
  • Verify the client secret has not expired
  • Check that the subscription ID is correct

Client Secret Expired

Issue: Integration was working but now fails

  • Check if the client secret has expired in Azure
  • Generate a new client secret in Azure Portal
  • Update the client secret in Ciphrix integration settings

Support

Need help with Azure integration?