Add an Azure Adapter
Connect an Azure subscription to AttackLens for automatic resource discovery. This guide walks through creating an App Registration in Microsoft Entra ID, assigning the required permissions, and configuring the adapter in AttackLens.
INFO
Requires Admin role or higher.
Prerequisites
Before you begin, ensure you have:
- Azure portal access with permissions to create App Registrations and assign roles.
- The Subscription ID of the Azure subscription you want to discover.
- Access to AttackLens with an Admin account.
Step 1: Create an App Registration in Azure
AttackLens authenticates to Azure using a service principal (App Registration). You need four values: Tenant ID, Client ID, Client Secret, and Subscription ID.
- Sign in to the Azure Portal.
- Navigate to Microsoft Entra ID > App registrations.
- Click New registration.
- Enter a name (e.g., AttackLens Discovery).
- Under Supported account types, select Accounts in this organizational directory only.
- Leave the Redirect URI blank.
- Click Register.
After creation, note down:
- Application (client) ID: displayed on the Overview page.
- Directory (tenant) ID: displayed on the Overview page.
Create a Client Secret
- In the App Registration, go to Certificates & secrets.
- Click New client secret.
- Enter a description (e.g., AttackLens) and select an expiry period.
- Click Add.
- Copy the secret value immediately: it will not be shown again.
WARNING
Store the client secret securely. If you lose it, you will need to create a new one and update the adapter in AttackLens.
Step 2: Assign Permissions
AttackLens requires read-only access to discover resources. Assign the following roles at the subscription level.
Required Azure RBAC Role
| Role | Scope | Purpose |
|---|---|---|
| Reader | Subscription | Read access to all Azure resources and their configurations |
To assign the role:
- Navigate to the target Subscription in the Azure Portal.
- Go to Access control (IAM) > Role assignments.
- Click Add > Add role assignment.
- Search for Reader and select it.
- On the Members tab, select User, group, or service principal.
- Search for the App Registration name you created (e.g., AttackLens Discovery).
- Click Review + assign.
Required Microsoft Graph Permissions
To discover Entra ID resources (users, groups, service principals, role assignments), the App Registration needs Microsoft Graph API permissions:
| Permission | Type | Purpose |
|---|---|---|
| Directory.Read.All | Application | Read directory data (users, groups, service principals) |
| RoleManagement.Read.Directory | Application | Read role definitions and assignments |
To assign Graph permissions:
- In the App Registration, go to API permissions.
- Click Add a permission > Microsoft Graph > Application permissions.
- Search for and add Directory.Read.All and RoleManagement.Read.Directory.
- Click Grant admin consent for [your tenant].
TIP
If you do not grant Graph permissions, AttackLens will still discover Azure infrastructure resources (VMs, networks, storage, etc.) but will not be able to discover Entra ID objects like users, groups, and role assignments.
Optional: Sensor Deployment Capability
If you want AttackLens to deploy sensors to Azure VMs via Run Commands, add:
| Role | Scope | Purpose |
|---|---|---|
| Virtual Machine Contributor | Subscription | Execute Run Commands on VMs for sensor deployment |
This is optional. If not granted, the adapter will still discover resources but will not be able to deploy sensors remotely.
Step 3: Configure the Adapter in AttackLens
- In AttackLens, navigate to Discovery > Adapters.
- Click Add Adapter.
- Select Azure as the provider.
- Enter a descriptive Name (e.g., Production Azure Subscription).
- Fill in the Azure credentials:
| Field | Value | Example |
|---|---|---|
| Tenant ID | Your Entra ID tenant ID | a1b2c3d4-e5f6-7890-abcd-ef1234567890 |
| Client ID | The App Registration client ID | f1e2d3c4-b5a6-7890-abcd-ef1234567890 |
| Client Secret | The secret you created | abC~dEfGhIjKlMnOpQrStUvWxYz012345 |
| Subscription ID | The Azure subscription ID | 12345678-abcd-ef12-3456-7890abcdef12 |
Optionally set the Scope to narrow discovery to a specific resource group (e.g., /subscriptions/{id}/resourceGroups/{name}). Leave blank to discover the entire subscription.
Optionally select specific Regions to limit discovery. Leave empty to discover resources across all regions.
Step 4: Test the Connection
- Click Test Connection.
- AttackLens will attempt to authenticate with the provided credentials and verify read access.
- The test result shows:
  - Whether the connection is valid.
  - Which permissions were detected (e.g., Reader role, Graph permissions).
  - Whether sensor deployment capability is available.
WARNING
If the test fails, verify that:
- The Tenant ID, Client ID, and Client Secret are correct.
- The client secret has not expired.
- The Reader role is assigned at the subscription level (not a resource group).
- Admin consent was granted for Graph permissions.
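As an added example, not code from AttackLens or its documentation, the checklist above turned into a Python pre-flight script run over constructed samples of the JSON that `az role assignment list --assignee <client-id> --all` and `az ad app credential list --id <client-id>` print. The `roleDefinitionName`, `scope` and `endDateTime` field names are assumed to match the CLI's output; the GUIDs are the example values from the credentials table, and the Graph admin-consent check is left to the portal.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (trimmed) of `az role assignment list --assignee <client-id> --all`:
# Reader sits on a resource group, the misconfiguration the WARNING above describes.
ROLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/12345678-abcd-ef12-3456-7890abcdef12/resourceGroups/rg-prod"},
    {"roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/12345678-abcd-ef12-3456-7890abcdef12"},
]
# Constructed sample of `az ad app credential list --id <client-id>` (field name assumed).
CREDENTIALS = [{"displayName": "AttackLens", "endDateTime": "2024-01-01T00:00:00Z"}]
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EXPIRY_WARNING = timedelta(days=30)

def parse_time(iso_z):
    """Parse the Azure CLI's UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def reader_scope_ok(assignments, subscription_id):
    """True only when Reader is assigned at exactly the subscription scope (not a resource group)."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    return any(a["roleDefinitionName"] == "Reader" and a["scope"].lower() == wanted
               for a in assignments)

def secret_status(credentials, now):
    """'missing', 'expired', 'expiring' (within 30 days) or 'ok' for the newest secret."""
    if not credentials:
        return "missing"
    latest = max(parse_time(c["endDateTime"]) for c in credentials)
    if latest <= now:
        return "expired"
    return "expiring" if latest - now <= EXPIRY_WARNING else "ok"

def preflight(tenant_id, client_id, subscription_id, assignments, credentials, now=None):
    """Return the problems that would make Test Connection fail (empty list = ready)."""
    now = now or datetime.now(timezone.utc)
    ids = (("Tenant ID", tenant_id), ("Client ID", client_id), ("Subscription ID", subscription_id))
    findings = [f"{name} is not a GUID" for name, value in ids if not GUID.match(value)]
    if not reader_scope_ok(assignments, subscription_id):
        findings.append("Reader is not assigned at the subscription scope")
    status = secret_status(credentials, now)
    if status != "ok":
        findings.append(f"client secret is {status}")
    return findings

if __name__ == "__main__":  # IDs are the example values from the credentials table
    print(preflight("a1b2c3d4-e5f6-7890-abcd-ef1234567890", "f1e2d3c4-b5a6-7890-abcd-ef1234567890",
                    "12345678-abcd-ef12-3456-7890abcdef12", ROLE_ASSIGNMENTS, CREDENTIALS))
```

Run it against the real CLI output before clicking Test Connection; an empty list means the three most common causes of a failed test are already ruled out.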
Step 5: Save and Run Discovery
- Click Save to create the adapter.
- The first discovery run begins automatically after the adapter is saved.
- You will be redirected to the adapter detail page where you can monitor the sync progress.
Discovery typically takes 2-5 minutes depending on the number of resources in the subscription.
Discovered Azure Resource Types
AttackLens discovers 80+ Azure resource types across 13 service categories:
| Category | Examples |
|---|---|
| Compute | Virtual Machines, VM Scale Sets, Batch Accounts, Disks, Desktop Virtualization |
| Containers | AKS Clusters, Container Registries, Container Instances |
| Network | Virtual Networks, Subnets, NSGs, Firewalls, Load Balancers, Application Gateways, VPN Gateways, DNS Zones, Public IPs, Route Tables, Bastion Hosts |
| Storage | Storage Accounts, Blob Containers, File Shares |
| Data | SQL Databases, PostgreSQL, MySQL, Cosmos DB, Redis Cache, Data Factory, Data Lake |
| Security & Identity | Key Vaults, Entra ID Users, Groups, Service Principals, Role Assignments, Role Definitions, Conditional Access Policies |
| Monitoring | Log Analytics Workspaces, Alerts, Automation Accounts, Policy Assignments |
| Messaging | Service Bus, Event Hubs, Event Grid, Notification Hubs |
| Serverless | Functions, Logic Apps, IoT Hubs |
| AI/ML | Cognitive Services, Bot Services, Machine Learning Workspaces |
| Delivery | CDN Profiles, Static Sites |
| Backup | Backup Vaults |
Next Steps
- View discovery snapshots to inspect the discovered resources.
- Manage adapters to edit, deactivate, or delete the adapter.
- Trigger a manual discovery if you make infrastructure changes.