Overview
Connect your Azure subscription(s) to RAD Security to scan cloud resources for misconfigurations and security issues. You can use our official Terraform module (recommended) or configure the integration manually via the Azure Portal.
Connection setup
- Terraform (Recommended)
- Manual Setup
We publish a Terraform module in the Terraform Registry that provisions all of the resources needed to connect your Azure account to RAD Security.
If you navigate to the Settings icon you will find the Cloud Providers section. Click on Connect an Azure account to generate the Terraform needed to connect your account with RAD Security. Take the access_key_id and secret_key values from the RAD Security provider and replace them in the snippet below. Then, configure the azurerm and azuread providers.
terraform {
  required_providers {
    rad-security = {
      source  = "rad-security/rad-security"
      version = "<version>"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.0.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 1.0"
    }
  }
}
provider "azuread" {}
provider "azurerm" {}
provider "rad-security" {
  access_key_id        = "Your RAD Security access key here"
  secret_key           = "Your RAD Security secret key here"
  rad_security_api_url = "https://api.rad.security"
}
module "rad-security-connect" {
  source  = "rad-security/rad-security-connect/azurerm"
  version = "1.0.1"
}
Existing Service Principal
The module is not needed if you use an existing Service Principal. The Service Principal must have the permissions RAD requires to function properly. These permissions are listed in the role definition within the module and can change as new versions of the module are released. A new rad-security_azure_register resource needs to be created for each Azure Subscription you wish to connect with RAD. More information can be found in the Provider docs.
Multiple Azure Subscriptions
Multiple Azure subscriptions can be added with the azure_subscriptions input variable in the rad-security-connect module. The input variable is a list of strings. The strings passed to the list need to be in the form /subscriptions/00000000-0000-0000-0000-000000000000.
If you cannot use our Terraform module, you can connect your Azure subscription(s) entirely through the Azure Portal. No infrastructure-as-code or automation tools are required.
Leave NotActions, DataActions, and NotDataActions empty.
What you will do
- Create an Azure application (service principal) for RAD Security
- Create a custom Azure RBAC role with read-only permissions
- Assign that role to the RAD Security application
- Complete the connection in the RAD Security UI
Prerequisites
- Azure Owner or User Access Administrator permissions on each subscription
- Ability to create App Registrations and Custom RBAC Roles
- List of Azure Subscription IDs you want RAD to connect
Step 1: Create an Azure Application for RAD Security
This application is how RAD securely reads data from your Azure environment.
- Sign in to the Azure Portal
- Go to Microsoft Entra ID
- Click + Add → App registration
- Fill in:
  - Name: RAD-Security-Connect
  - Supported account types: Single tenant
- Click Register
- Application (client) ID
- Directory (tenant) ID
Step 2: Create a Client Secret
- In the app you just created, click on Add a certificate or secret
- Click on New client secret
- Add:
  - Description: RAD Security
  - Expiration: per your security policy
- Click Add
- Immediately copy and save the secret VALUE and Secret ID
The client secret value cannot be retrieved later. Save it immediately.
Step 3: Create the Custom RBAC Role
This role grants RAD Security read-only access required for visibility.
- Go to Subscriptions
- Select any one of the subscriptions you plan to connect
- Go to Access control (IAM)
- Select the Roles tab
- Click + Add → Custom role
  - Custom role name: RAD Security Connect
  - Description: Allow RAD Security read access to Azure resources
  - Baseline permissions: Start from scratch
- Click Next
- Go to the JSON tab and click Edit
- Replace the actions array so that the JSON looks as follows (replace <subscription-id> with your subscription ID):
{
"properties": {
"roleName": "RAD Security Connect",
"description": "Allow RAD Security read access to Azure resources",
"assignableScopes": [
"/subscriptions/<subscription-id>"
],
"permissions": [
{
"actions": [
"Microsoft.AlertsManagement/alerts/read",
"Microsoft.ApiManagement/service/backends/read",
"Microsoft.ApiManagement/service/read",
"Microsoft.AppConfiguration/configurationStores/read",
"Microsoft.AppPlatform/Spring/read",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/policyAssignments/read",
"Microsoft.Authorization/policyDefinitions/read",
"Microsoft.Authorization/policySetDefinitions/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Automation/automationAccounts/read",
"Microsoft.Automation/automationAccounts/variables/read",
"Microsoft.Batch/batchAccounts/read",
"Microsoft.Cache/redis/read",
"Microsoft.Cdn/profiles/read",
"Microsoft.CognitiveServices/accounts/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/restorePointCollections/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/sshPublicKeys/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/extensions/read",
"Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Consumption/budgets/read",
"Microsoft.Consumption/usageDetails/read",
"Microsoft.ContainerInstance/containerGroups/read",
"Microsoft.ContainerRegistry/registries/read",
"Microsoft.ContainerService/locations/orchestrators/read",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
"Microsoft.CostManagement/exports/read",
"Microsoft.CostManagement/forecast/action",
"Microsoft.CostManagement/query/action",
"Microsoft.DataBoxEdge/dataBoxEdgeDevices/read",
"Microsoft.Databricks/workspaces/read",
"Microsoft.DataFactory/factories/datasets/read",
"Microsoft.DataFactory/factories/pipelines/read",
"Microsoft.DataFactory/factories/read",
"Microsoft.DataLakeAnalytics/accounts/read",
"Microsoft.DataLakeStore/accounts/read",
"Microsoft.DataProtection/backupVaults/backupJobs/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DBforMariaDB/servers/read",
"Microsoft.DBforMySQL/flexibleServers/read",
"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforPostgreSQL/flexibleServers/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.Devices/IotHubs/read",
"Microsoft.Devices/provisioningServices/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read",
"Microsoft.EventGrid/domains/read",
"Microsoft.EventGrid/topics/read",
"Microsoft.EventHub/namespaces/read",
"Microsoft.HDInsight/clusters/read",
"Microsoft.HealthcareApis/services/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.Insights/activityLogAlerts/read",
"Microsoft.Insights/autoscalesettings/read",
"Microsoft.Insights/components/read",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Insights/eventtypes/values/read",
"Microsoft.Insights/logprofiles/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/deletedManagedHSMs/read",
"Microsoft.KeyVault/managedHSMs/read",
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/secrets/read",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Kusto/clusters/read",
"Microsoft.Logic/workflows/read",
"Microsoft.MachineLearningServices/workspaces/read",
"Microsoft.Maintenance/maintenanceConfigurations/read",
"Microsoft.ManagedServices/registrationAssignments/read",
"Microsoft.ManagedServices/registrationDefinitions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Network/applicationGateways/read",
"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read",
"Microsoft.Network/applicationSecurityGroups/read",
"Microsoft.Network/azurefirewalls/read",
"Microsoft.Network/bastionHosts/read",
"Microsoft.Network/customIpPrefixes/read",
"Microsoft.Network/dnsZones/read",
"Microsoft.Network/expressRouteCircuits/read",
"Microsoft.Network/firewallPolicies/read",
"Microsoft.Network/frontDoors/read",
"Microsoft.Network/ipAllocations/read",
"Microsoft.Network/ipGroups/read",
"Microsoft.Network/loadBalancers/backendAddressPools/read",
"Microsoft.Network/loadBalancers/inboundNatRules/read",
"Microsoft.Network/loadBalancers/loadBalancingRules/read",
"Microsoft.Network/loadBalancers/outboundRules/read",
"Microsoft.Network/loadBalancers/probes/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkProfiles/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkVirtualAppliances/read",
"Microsoft.Network/networkWatchers/flowLogs/read",
"Microsoft.Network/networkWatchers/read",
"Microsoft.Network/privateDnsZones/read",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPPrefixes/read",
"Microsoft.Network/routeFilters/read",
"Microsoft.Network/routeFilters/routeFilterRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/serviceEndpointPolicies/read",
"Microsoft.Network/virtualHubs/read",
"Microsoft.Network/connections/read",
"Microsoft.Network/virtualNetworkGateways/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworkTaps/read",
"Microsoft.Network/virtualRouters/read",
"Microsoft.Network/virtualWans/read",
"Microsoft.Network/vpnGateways/read",
"Microsoft.Network/vpnServerConfigurations/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.RecoveryServices/vaults/backupJobs/read",
"Microsoft.RecoveryServices/vaults/backupPolicies/read",
"Microsoft.RecoveryServices/vaults/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/links/read",
"Microsoft.Resources/providers/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/tenants/read",
"Microsoft.Search/searchServices/read",
"Microsoft.Security/alerts/read",
"Microsoft.Security/assessments/read",
"Microsoft.Security/automations/read",
"Microsoft.Security/locations/jitNetworkAccessPolicies/read",
"Microsoft.Security/pricings/read",
"Microsoft.Security/securityContacts/read",
"Microsoft.Security/settings/read",
"Microsoft.Security/assessments/subAssessments/read",
"Microsoft.ServiceBus/namespaces/read",
"Microsoft.ServiceFabric/clusters/read",
"Microsoft.SignalRService/signalR/read",
"Microsoft.Sql/instancePools/operations/read",
"Microsoft.Sql/instancePools/read",
"Microsoft.Sql/managedInstances/databases/read",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
"Microsoft.Sql/managedInstances/encryptionProtector/read",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/transparentDataEncryption/read",
"Microsoft.Sql/servers/elasticPools/read",
"Microsoft.Sql/servers/encryptionProtector/read",
"Microsoft.Sql/servers/firewallRules/read",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/read",
"Microsoft.Sql/servers/virtualNetworkRules/read",
"Microsoft.SqlVirtualMachine/sqlVirtualMachines/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/tableServices/read",
"Microsoft.StorageCache/caches/read",
"Microsoft.StorageSync/storageSyncServices/read",
"Microsoft.StreamAnalytics/streamingjobs/read",
"Microsoft.Synapse/workspaces/read",
"Microsoft.Web/hostingEnvironments/read",
"Microsoft.Web/serverfarms/read",
"Microsoft.Web/sites/config/read",
"Microsoft.Web/sites/functions/read",
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/slots/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
- Click Review + create, then click Create
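An added example, not part of the RAD Security documentation or Terraform module: a Python check to run over the role JSON before creating it. It lists actions that are not plain /read operations so they can be reviewed, confirms the other three permission arrays are empty, and verifies that each subscription you plan to connect appears in assignableScopes. The function name audit_role and the sample data are assumptions made for illustration.

```python
import json
import re

# Scope format the page gives: /subscriptions/<GUID>
SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

def audit_role(role_json, wanted_scopes):
    """Return a list of findings for a custom role definition; empty means clean."""
    props = json.loads(role_json)["properties"]
    scopes = props.get("assignableScopes", [])
    findings = [f"malformed scope: {s}" for s in scopes if not SCOPE_RE.match(s)]
    # Azure only allows a custom role to be assigned at scopes listed in
    # assignableScopes, so every subscription from Step 4 has to appear there.
    known = {s.lower() for s in scopes}
    findings += [f"scope not assignable: {w}" for w in wanted_scopes
                 if w.lower() not in known]
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif not action.lower().endswith("/read"):
                findings.append(f"non-read action, review: {action}")
        for key in ("notActions", "dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(f"{key} is not empty")
    return findings

# Constructed sample: four actions copied from the role above, placeholder GUIDs.
SUB_A = "/subscriptions/00000000-0000-0000-0000-000000000000"
SUB_B = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "RAD Security Connect",
    "assignableScopes": [SUB_A],
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
            "Microsoft.CostManagement/query/action",
            "Microsoft.KeyVault/vaults/read",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}})

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, [SUB_A, SUB_B]):
        print(finding)
```

Run it against the full JSON by passing the file contents as role_json and the list of subscription scopes you intend to connect as wanted_scopes.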
The canonical list of permissions lives in the role.tf file of the Terraform module. Check that file for the most up-to-date set.
Step 4: Assign the Role to the RAD Security Application
Repeat the steps below for each subscription you want to connect.
- Go to Subscriptions
- Select the subscription
- Go to Access control (IAM)
- Click + Add → Add role assignment
- Role: RAD Security Connect
- Assign access to: User, group, or service principal
- Click Select members
- Select the RAD-Security-Connect application
- Click Review + assign
- Click Review + assign again
Step 5: Enter Connection Details in RAD Security
Once all Azure steps are complete, open the RAD Security app and navigate to Integrations → Azure → Azure Cloud. Submit the form with:
- Tenant ID
- Client ID (Application ID)
- Client Secret
- Subscription ID(s) connected
Validation Checklist
Before finishing, confirm:
- The RAD-Security-Connect app exists in Entra ID
- The RAD Security Connect role exists
- The role is assigned to the app on each subscription
- The Azure account shows as connected in RAD Security