How to Onboard Microsoft Azure Subscription/Management Group

Modified on Fri, 31 Oct at 12:14 AM

CloudDefense.AI Azure Subscription/Management Group Onboarding Process


This guide provides the simple steps required to connect your Azure subscription to the platform.

Prerequisites

To run the automated onboarding script, the Azure account you use for az login must be able to:

  • Create new Microsoft Entra ID (Azure AD) application registrations and their service principals.

  • Create a custom role definition.

  • Assign that custom role at the subscription scope.

Platform Access and Permissions

The onboarding process grants the platform read-only control-plane access to your subscription: the custom role contains no write or delete actions and no data actions. Two of its actions do return secrets, however (storage account access keys and App Service settings, including connection strings), so the service principal's credentials should be protected accordingly.

The script automatically creates a Service Principal (Application) and assigns it a Custom Role with permissions to read security-relevant resources, including:

  • All Resources: Read access to the inventory of the subscription (*/read).

  • Key Vaults: Read-only visibility into Azure Key Vault operations and configurations, including checking vault name availability, viewing deleted vaults, retrieving vault details and regional metadata, and listing supported management operations. Stored secrets, keys and certificates are data-plane objects; the role has no dataActions, so it cannot read them.

  • Storage Accounts: The listKeys action lets the platform retrieve the access keys of storage accounts in the subscription. These keys grant full access to the account's data, which makes this the most sensitive permission in the role.

  • App Services: The config/list action lists application settings and connection strings, which commonly contain credentials.

The user who adds the app registration and assigns the role to the app must have the following access:

 Microsoft Entra ID level access: permission to create application registrations and service principals (see Prerequisites).

Subscription level access (role assigned to the user):

- Owner





Log in to the Cloud Security portal using the link in the email you received from us to complete the registration process, then sign in.





After your first successful login, only the "Environment" page is visible, under Global Tenant Setting (see the screenshot below).


CloudDefense.AI Azure Single Subscription Onboarding Process

 

STEP 1. Select Onboarding Type 

  • Ensure Single subscription is selected (or choose Management group if applicable).

  • Click NEXT.

STEP 2. Verify Subscription ID 

  • Enter the Subscription ID for the Azure account you wish to onboard.

  • Click Verify.

STEP 3: Provide Basic Information

  • Enter a memorable Account Name (e.g., Azure Onboarding).

  • (Optional) Add any organizational Labels.

  • Click NEXT.

STEP 4: Define Business Unit

  • Select whether to Choose Business Unit from a dropdown or Create new Business Unit.

  • If creating one, enter the new Business Unit name (e.g., azure-accounts).

  • Click NEXT.


STEP 5: Generate and Execute Bash Script

  • Review the Subscription ID displayed and click Generate Script.

  • Action required in Azure Cloud Shell or local environment:

    • You will need to run the generated script. Before executing it, make sure you are logged in with az login using an account that has the permissions listed under Prerequisites (create app registrations, and create and assign a custom role in the target subscription).

    • Execute the script (e.g., ./cd_cnapp_onboarding.sh).

    • The script creates the Azure AD application and its service principal, creates and assigns the custom role, and prints the required credentials in your terminal. Treat that output as sensitive: it includes the client secret.

STEP 6: Enter Credentials

  • From the script output in your terminal, copy the four credential values:

    • AZURE_CLIENT_ID

    • AZURE_CLIENT_SECRET

    • AZURE_SUBSCRIPTION_ID

    • AZURE_TENANT_ID

  • Paste these values into the corresponding fields on the platform.

Click Verify keys to finalize the connection.


NOTE


 For the CSPM and CIEM modules, the created application needs the following permissions in addition to the custom role.

1) Microsoft Graph application permissions granted to the app

  • Application.Read.All
  • AuditLog.Read.All
  • Directory.Read.All
  • Domain.Read.All
  • Group.Read.All
  • IdentityProvider.Read.All
  • Policy.Read.All
  • User.Read.All
  • Reports.Read.All

2) A custom role with the role definition below is created in the subscription and assigned to the app

{
    "properties": {
        "roleName": "ReadOnlyCustomRole",
        "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
        "assignableScopes": [
            "/subscriptions/{subscriptionId}"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/locations/*/read",
                    "Microsoft.KeyVault/vaults/*/read",
                    "Microsoft.KeyVault/operations/read",
                    "Microsoft.Web/sites/config/list/action",
                    "Microsoft.Storage/storageAccounts/listKeys/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

 


CloudDefense.AI Azure Management Group (Multi-Subscription) Onboarding Process


 STEP 1:


Log in to the CloudDefense portal using your credentials.



From the Sidebar, navigate to Admin -> Environments.

Click Add New Environment and choose the Microsoft Azure provider, as shown below.



STEP 2:


Select Management Group option if you wish to onboard your Azure management group.



STEP 3:


Select your Organization from the drop-down menu and click Next.



STEP 4:


Enter your Azure Management Group ID in the given input box.


In order to find your management group ID, do the following:

  • Log in and open Azure Cloud Shell.

  • In the Azure Shell, run the following command to retrieve the list of management group IDs.
    az account management-group entities list --query "[?type=='Microsoft.Management/managementGroups' && inheritedPermissions!='noaccess' && permissions!='noaccess'].{Name:displayName, Id:id}" --output table

  • After running the command, you'll see a list of management groups. Locate the ID of the group you wish to onboard, then copy and paste it into the input box.

  • Now, click on Next.



STEP 5:


Based on the management group ID entered above, the portal first verifies that it is valid and then generates personalised commands for you to execute in this step.

  • Create Role: Copy the command shown on the right side of the portal into your Azure Shell to create the custom role. The command below is only a representative sample; do not copy it. Use the generated command shown on the right side of your screen in this step.

  • az role definition create --role-definition '{"Name":"CDAIReadOnlyCustomRole","IsCustom":true,"Description":"A custom role to view all resources within a management group, but does not allow to make any changes in the infrastructure.","Actions":["*/read","Microsoft.KeyVault/checkNameAvailability/read","Microsoft.KeyVault/deletedVaults/read","Microsoft.KeyVault/locations/*/read","Microsoft.KeyVault/vaults/*/read","Microsoft.KeyVault/operations/read","Microsoft.Web/sites/config/list/action","Microsoft.Storage/storageAccounts/listKeys/action"],"NotActions":[],"AssignableScopes":["/providers/Microsoft.Management/managementGroups/{management_group_id}"]}'


Microsoft Graph permissions granted to the application in STEP 6, in addition to this role: Application.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, Group.Read.All, IdentityProvider.Read.All, Policy.Read.All, User.Read.All, Reports.Read.All

  • Create Service Principal: Copy the command shown on the right side of the portal into your Azure Shell to create a service principal with the role assigned at management group scope.
    az ad sp create-for-rbac --role "CDAIReadOnlyCustomRole" --scopes /providers/Microsoft.Management/managementGroups/{management_group_id} --name "CDAI Service Principal"

  • Copy appId value from above command result & paste in Client ID input box

  • Copy password value from above command result & paste in Client Secret input box

  • Copy tenant value from above command result & paste in Tenant ID input box

Now, click next.
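The role created in this step uses the same action list as the ReadOnlyCustomRole JSON in the NOTE of the single-subscription process. Before running either command, a practitioner will want to confirm that the role really is read-only, see which actions hand back secrets, and catch a placeholder scope that was never substituted. The following Python script is an added example for this article, not CloudDefense.AI's own tooling. It parses the role in any of three shapes (the ARM "properties" document, the inline document passed to az role definition create, and the flattened objects returned by az role definition list), classifies each action, and reports Key Vault entries already covered by */read. The embedded role JSON is the page's subscription role; the SECRET_RETURNING_ACTIONS set and the scope patterns are my own assumptions, and the wildcard matching mirrors Azure RBAC's *, which matches across path segments.

```python
"""Least-privilege review of a custom role definition before (or after) it is created.

Added example for this article, not CloudDefense.AI tooling. Accepts the role in
the ARM "properties" shape, the inline shape used with `az role definition create`,
or the flattened shape printed by `az role definition list`.
"""
import fnmatch
import json
import re

# Control-plane actions that Azure treats as reads for RBAC purposes but that
# return credentials. Hand-maintained list for this example; extend as needed.
SECRET_RETURNING_ACTIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Web/sites/config/list/action",
}

# A scope is only usable once the placeholder has been replaced by a real ID.
VALID_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}$"
    r"|^/providers/Microsoft\.Management/managementGroups/[^/{}]+$"
)

# The subscription role from this page. The {subscriptionId} placeholder is kept
# on purpose so the audit demonstrates catching it.
PAGE_ROLE_JSON = """{
  "properties": {
    "roleName": "ReadOnlyCustomRole",
    "description": "A custom role to view all resources, but does not allow you to make any changes in the infrastructure.",
    "assignableScopes": ["/subscriptions/{subscriptionId}"],
    "permissions": [{
      "actions": [
        "*/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read",
        "Microsoft.Web/sites/config/list/action",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [], "dataActions": [], "notDataActions": []
    }]
  }
}"""


def normalize(role):
    """Return (name, actions, notActions, dataActions, scopes) for any of the three shapes."""
    if "properties" in role or "roleName" in role:
        p = role.get("properties", role)        # ARM shape, or flattened `az` output
        perm = p["permissions"][0]
        return (p["roleName"], perm.get("actions", []), perm.get("notActions", []),
                perm.get("dataActions", []), p["assignableScopes"])
    # Inline shape accepted by `az role definition create --role-definition`
    return (role["Name"], role.get("Actions", []), role.get("NotActions", []),
            role.get("DataActions", []), role["AssignableScopes"])


def is_read(action):
    """Control-plane read: the operation segment is 'read'."""
    return action.rsplit("/", 1)[-1].lower() == "read"


def covered_by_other_wildcard(action, actions):
    """True if a different wildcard entry in the same list already matches this action."""
    return any(a != action and "*" in a and fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in actions)


def audit_role(role):
    """Classify every action and flag unusable scopes; returns a plain dict."""
    name, actions, not_actions, data_actions, scopes = normalize(role)
    report = {"name": name, "reads": [], "secret_actions": [], "write_actions": [],
              "redundant": [], "not_actions": list(not_actions),
              "data_actions": list(data_actions),
              "invalid_scopes": [s for s in scopes if not VALID_SCOPE.match(s)]}
    for a in actions:
        if a in SECRET_RETURNING_ACTIONS:
            report["secret_actions"].append(a)
        elif is_read(a):
            report["reads"].append(a)
            if covered_by_other_wildcard(a, actions):
                report["redundant"].append(a)
        else:  # write, delete, or an action not recognised above: review by hand
            report["write_actions"].append(a)
    # Read-only in the RBAC sense: no write actions and no data-plane access.
    report["read_only_control_plane"] = not report["write_actions"] and not data_actions
    return report


def audit_role_json(text):
    """Convenience wrapper for raw JSON copied from the portal or from `az`."""
    return audit_role(json.loads(text))


if __name__ == "__main__":
    r = audit_role_json(PAGE_ROLE_JSON)
    print(f"{r['name']}: read-only control plane = {r['read_only_control_plane']}")
    print("returns secrets:", *r["secret_actions"], sep="\n  ")
    print("redundant given a wildcard:", *r["redundant"], sep="\n  ")
    print("scopes still to be filled in:", r["invalid_scopes"])
```

Run it as-is to review the page's role, or, after onboarding, pass each element of the list printed by az role definition list --name ReadOnlyCustomRole -o json to audit_role() to confirm what was actually created matches what the portal showed you. On the page's role the audit reports no write actions, the two secret-returning actions, and that all five explicit Key Vault reads are already granted by */read.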

STEP 6:


The portal now generates further custom commands for you to run in the same way as above:

  • A command that grants the required Microsoft Graph API permissions to the application.

  • A command to grant admin consent for those permissions.

  • Lastly, a command that lists the IDs of all subscriptions under the selected management group.

The last command outputs a list of subscription IDs. Copy and paste them into the input box on the left.


Click Connect Subscriptions, and the Management Group onboarding is complete.
