Azure Cloud Scanner
Configure and execute Azure cloud infrastructure scanning using Service Principal or Managed Identity
Security Best Practice: We recommend using a Service Principal with a custom RBAC role that grants only the minimum required read-only permissions.
Service Principal Setup
Create an Azure AD Service Principal with read-only access to scan your Azure resources
Step 1: Create Custom RBAC Role
Create a custom role with read-only permissions using Azure CLI or Portal
Open Azure RBAC
Step 2: Create Service Principal
Create an App Registration and Service Principal using the Azure CLI script below
Step 3: Assign Role to Service Principal
Assign the custom RBAC role to the Service Principal at subscription level
Step 4: Configure Credentials Below
Enter the Tenant ID, Client ID, and Client Secret in the form below
Tenant ID: Your Azure AD tenant ID (found in Azure Active Directory → Properties)
Subscription ID: Your Azure subscription ID to scan
Client ID: The Application ID from your App Registration
Client Secret: The client secret generated for your App Registration
Your Azure AD tenant ID (found in Azure Active Directory → Properties)
Your Azure subscription ID to scan
The Application ID from your App Registration
The client secret generated for your App Registration
Custom RBAC Role Definition (Step 1)
Use Azure CLI or Portal to create this custom role. Replace YOUR_SUBSCRIPTION_ID with your actual subscription ID.
Service Principal Creation Script (Step 2)
Run these Azure CLI commands to create the Service Principal
Required Azure RBAC Permissions
The custom role should include these permissions for comprehensive infrastructure scanning
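The following script is an added example that walks through Steps 1 to 3 above with the Azure CLI; it is not the page's own script and not the scanner's required-permissions list. The role name (CloudScannerReadOnly), the service principal name (cloud-scanner-sp) and the action list (a wildcard read-only set, "*/read" plus "Microsoft.Authorization/*/read") are assumptions standing in for the values the page leaves unstated. By default it only prints the az commands (APPLY=0); the guard refuses any action that is not a read action, so the role cannot silently grow beyond read-only, and the assignment is made explicitly with --role/--scopes rather than relying on any CLI default.

```shell
#!/bin/sh
# Added example (not the page's script). Assumed, not from the page: the role
# name, the service principal name, and the SCANNER_ACTIONS list below.
set -euf   # -f: no globbing, so "*/read" is handled as a literal action string

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-YOUR_SUBSCRIPTION_ID}"   # replace, as the page says
ROLE_NAME="${ROLE_NAME:-CloudScannerReadOnly}"               # assumed role name
SP_NAME="${SP_NAME:-cloud-scanner-sp}"                       # assumed app/SP name
APPLY="${APPLY:-0}"   # 0 = print the az commands (dry run); 1 = execute them
# Assumed action set standing in for the page's permission list; every entry
# must end in /read so the custom role stays read-only.
SCANNER_ACTIONS="*/read Microsoft.Authorization/*/read"

# Least-privilege guard: refuse any action that is not a read action
# (a stray */write, */delete or */action would make the scanner identity writable).
assert_read_only() {
  for action in $1; do
    case "$action" in
      */read) ;;
      *) echo "refusing non-read action in scanner role: $action" >&2; return 1 ;;
    esac
  done
  return 0
}

# Step 1: build the custom role definition in the JSON shape that
# `az role definition create --role-definition` accepts (passed inline, no temp file).
role_definition_json() {
  sub="$1"
  assert_read_only "$SCANNER_ACTIONS"
  actions=""
  for action in $SCANNER_ACTIONS; do
    actions="$actions${actions:+, }\"$action\""
  done
  printf '{"Name":"%s","IsCustom":true,"Description":"Read-only access for infrastructure scanning","Actions":[%s],"NotActions":[],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/subscriptions/%s"]}\n' \
    "$ROLE_NAME" "$actions" "$sub"
}

# Run an az command, or print it when APPLY=0 so the plan can be reviewed first.
run_az() {
  if [ "$APPLY" = 1 ]; then
    az "$@"
  else
    printf 'az'; printf " '%s'" "$@"; printf '\n'
  fi
}

# Steps 1-3: create the role, create the App Registration + Service Principal,
# and bind the role at subscription scope in the same command (--role/--scopes),
# so no broader default role is ever attached to the scanner identity.
setup_scanner_identity() {
  sub="$1"
  scope="/subscriptions/$sub"
  run_az role definition create --role-definition "$(role_definition_json "$sub")"
  # Output carries appId (Client ID), password (Client Secret) and tenant
  # (Tenant ID) for Step 4; the secret is shown only once.
  run_az ad sp create-for-rbac --name "$SP_NAME" --role "$ROLE_NAME" --scopes "$scope"
  # Verification: list what is bound at this scope under the custom role.
  run_az role assignment list --scope "$scope" --role "$ROLE_NAME" -o table
}

setup_scanner_identity "$SUBSCRIPTION_ID"
```

Run it once with APPLY=0 to read the commands and the generated JSON, then with SUBSCRIPTION_ID set and APPLY=1 to apply them; swap SCANNER_ACTIONS for the permission list the scanner documents, and the guard will reject the change if any entry is not a read action.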