# Azure

> Connect your Microsoft Azure subscription to RAD Security for comprehensive cloud security monitoring.

## Overview

Connect your Azure subscription(s) to RAD Security to scan cloud resources for misconfigurations and security issues. You can use our official Terraform module (recommended) or configure the integration manually via the Azure Portal.

## Connection setup

<Tabs>
  <Tab title="Terraform (Recommended)">
    We publish a Terraform module in the Terraform Registry that provisions all of the resources needed to connect your Azure account to RAD Security.

    1. Sign in to RAD Security
    2. Go to `Data Sources`
    3. Click on `Add provider`
    4. Follow the guide for Azure

    Take the `access_key_id` and `secret_key` values from the RAD Security provider and replace them in the snippet below. Then, configure the `azurerm` and `azuread` providers.

    ```hcl
    terraform {
      required_providers {
        rad-security = {
          source  = "rad-security/rad-security"
          version = "..."
        }
        azurerm = {
          source  = "hashicorp/azurerm"
          version = ">=3.0.0"
        }
        azuread = {
          source  = "hashicorp/azuread"
          version = ">= 1.0"
        }
      }
    }

    provider "azuread" {}

    provider "azurerm" {}

    provider "rad-security" {
      access_key_id        = "..."
      secret_key           = "..."
      rad_security_api_url = "https://api.rad.security"
    }

    module "rad-security-connect" {
      source  = "rad-security/rad-security-connect/azurerm"
      version = "..."
    }
    ```

    ### Existing Service Principal

    The module is not needed if an existing Service Principal is used. That Service Principal must hold the permissions RAD requires in order to function; they are listed in the role definition inside the module and can change as new versions of the module are released. A separate `rad-security_azure_register` resource needs to be created for each Azure Subscription you wish to connect to RAD.

    More information can be found in the Provider docs.

    ### Multiple Azure Subscriptions

    Multiple Azure subscriptions can be added with the `azure_subscriptions` input variable of the `rad-security-connect` module. The variable is a list of strings, and each string must be in the form `/subscriptions/00000000-0000-0000-0000-000000000000`.
  </Tab>

  <Tab title="Manual Setup">
    If you cannot use our Terraform module, you can connect your Azure subscription(s) entirely through the Azure Portal. No infrastructure-as-code or automation tools are required.

    #### What you will do

    1. Create an Azure application (service principal) for RAD Security
    2. Create a custom Azure RBAC role with read-only permissions
    3. Assign that role to the RAD Security application
    4. Complete the connection in the RAD Security UI

    #### Prerequisites

    <Check>
      * Azure **Owner** or **User Access Administrator** permissions on each subscription
      * Ability to create **App Registrations** and **Custom RBAC Roles**
      * List of Azure **Subscription IDs** you want RAD to connect
    </Check>

    ### Step 1: Create an Azure Application for RAD Security

    This application is how RAD securely reads data from your Azure environment.

    1. Sign in to the **Azure Portal**
    2. Go to **Microsoft Entra ID**
    3. Click **+ Add** → **App registration**
    4. Fill in:
       * **Name**: `RAD-Security-Connect`
       * **Supported account types**: *Single tenant*
    5. Click **Register**

    Capture these values (you will need them later):

    * **Application (client) ID**
    * **Directory (tenant) ID**

    ### Step 2: Create a Client Secret

    1. In the app you just created, click on **Add a certificate or secret**
    2. Click on **New client secret**
    3. Add:
       * **Description**: `RAD Security`
       * **Expiration**: per your security policy
    4. Click **Add**
    5. **Immediately copy and save the secret VALUE and Secret ID**

    <Warning>
      The client secret value cannot be retrieved later. Save it immediately.
    </Warning>

    ### Step 3: Create the Custom RBAC Role

    This role grants RAD Security the read-only access it needs for visibility.

    1. Go to **Subscriptions**
    2. Select **any one** of the subscriptions you plan to connect
    3. Go to **Access control (IAM)**
    4. Select the **Roles** tab
    5. Click **+ Add** → **Custom role**
       * **Custom role name**: `RAD Security Connect`
       * **Description**: `Allow RAD Security read access to Azure resources`
       * **Baseline permissions**: **Start from scratch**
    6. Click **Next**
    7. Go to the **JSON** tab and click **Edit**
    8. Replace the `actions` array so that the JSON looks as follows (replace `<subscription-id>` with your subscription ID):

    ```json
    {
      "properties": {
        "roleName": "RAD Security Connect",
        "description": "Allow RAD Security read access to Azure resources",
        "assignableScopes": [
          "/subscriptions/<subscription-id>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.AlertsManagement/alerts/read",
              "Microsoft.ApiManagement/service/backends/read",
              "Microsoft.ApiManagement/service/read",
              "Microsoft.AppConfiguration/configurationStores/read",
              "Microsoft.AppPlatform/Spring/read",
              "Microsoft.Authorization/locks/read",
              "Microsoft.Authorization/policyAssignments/read",
              "Microsoft.Authorization/policyDefinitions/read",
              "Microsoft.Authorization/policySetDefinitions/read",
              "Microsoft.Authorization/roleAssignments/read",
              "Microsoft.Authorization/roleDefinitions/read",
              "Microsoft.Automation/automationAccounts/read",
              "Microsoft.Automation/automationAccounts/variables/read",
              "Microsoft.Batch/batchAccounts/read",
              "Microsoft.Cache/redis/read",
              "Microsoft.Cdn/profiles/read",
              "Microsoft.CognitiveServices/accounts/read",
              "Microsoft.Compute/availabilitySets/read",
              "Microsoft.Compute/diskAccesses/read",
              "Microsoft.Compute/diskEncryptionSets/read",
              "Microsoft.Compute/disks/read",
              "Microsoft.Compute/images/read",
              "Microsoft.Compute/locations/vmSizes/read",
              "Microsoft.Compute/restorePointCollections/read",
              "Microsoft.Compute/skus/read",
              "Microsoft.Compute/snapshots/read",
              "Microsoft.Compute/sshPublicKeys/read",
              "Microsoft.Compute/virtualMachines/extensions/read",
              "Microsoft.Compute/virtualMachines/read",
              "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
              "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
              "Microsoft.Compute/virtualMachineScaleSets/read",
              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
              "Microsoft.Consumption/budgets/read",
              "Microsoft.Consumption/usageDetails/read",
              "Microsoft.ContainerInstance/containerGroups/read",
              "Microsoft.ContainerRegistry/registries/read",
              "Microsoft.ContainerService/locations/orchestrators/read",
              "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
              "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
              "Microsoft.ContainerService/managedClusters/read",
              "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
              "Microsoft.CostManagement/exports/read",
              "Microsoft.CostManagement/forecast/action",
              "Microsoft.CostManagement/query/action",
              "Microsoft.DataBoxEdge/dataBoxEdgeDevices/read",
              "Microsoft.Databricks/workspaces/read",
              "Microsoft.DataFactory/factories/datasets/read",
              "Microsoft.DataFactory/factories/pipelines/read",
              "Microsoft.DataFactory/factories/read",
              "Microsoft.DataLakeAnalytics/accounts/read",
              "Microsoft.DataLakeStore/accounts/read",
              "Microsoft.DataProtection/backupVaults/backupJobs/read",
              "Microsoft.DataProtection/backupVaults/read",
              "Microsoft.DBforMariaDB/servers/read",
              "Microsoft.DBforMySQL/flexibleServers/read",
              "Microsoft.DBforMySQL/servers/read",
              "Microsoft.DBforPostgreSQL/flexibleServers/read",
              "Microsoft.DBforPostgreSQL/servers/read",
              "Microsoft.Devices/IotHubs/read",
              "Microsoft.Devices/provisioningServices/read",
              "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
              "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
              "Microsoft.DocumentDB/databaseAccounts/read",
              "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
              "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read",
              "Microsoft.EventGrid/domains/read",
              "Microsoft.EventGrid/topics/read",
              "Microsoft.EventHub/namespaces/read",
              "Microsoft.HDInsight/clusters/read",
              "Microsoft.HealthcareApis/services/read",
              "Microsoft.HybridCompute/machines/read",
              "Microsoft.Insights/activityLogAlerts/read",
              "Microsoft.Insights/autoscalesettings/read",
              "Microsoft.Insights/components/read",
              "Microsoft.Insights/diagnosticSettings/read",
              "Microsoft.Insights/eventtypes/values/read",
              "Microsoft.Insights/logprofiles/read",
              "Microsoft.Insights/metricDefinitions/read",
              "Microsoft.Insights/metrics/read",
              "Microsoft.KeyVault/deletedVaults/read",
              "Microsoft.KeyVault/locations/deletedManagedHSMs/read",
              "Microsoft.KeyVault/managedHSMs/read",
              "Microsoft.KeyVault/vaults/keys/read",
              "Microsoft.KeyVault/vaults/read",
              "Microsoft.KeyVault/vaults/secrets/read",
              "Microsoft.Kubernetes/connectedClusters/read",
              "Microsoft.Kusto/clusters/read",
              "Microsoft.Logic/workflows/read",
              "Microsoft.MachineLearningServices/workspaces/read",
              "Microsoft.Maintenance/maintenanceConfigurations/read",
              "Microsoft.ManagedServices/registrationAssignments/read",
              "Microsoft.ManagedServices/registrationDefinitions/read",
              "Microsoft.Management/managementGroups/read",
              "Microsoft.Network/applicationGateways/read",
              "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read",
              "Microsoft.Network/applicationSecurityGroups/read",
              "Microsoft.Network/azurefirewalls/read",
              "Microsoft.Network/bastionHosts/read",
              "Microsoft.Network/customIpPrefixes/read",
              "Microsoft.Network/dnsZones/read",
              "Microsoft.Network/expressRouteCircuits/read",
              "Microsoft.Network/firewallPolicies/read",
              "Microsoft.Network/frontDoors/read",
              "Microsoft.Network/ipAllocations/read",
              "Microsoft.Network/ipGroups/read",
              "Microsoft.Network/loadBalancers/backendAddressPools/read",
              "Microsoft.Network/loadBalancers/inboundNatRules/read",
              "Microsoft.Network/loadBalancers/loadBalancingRules/read",
              "Microsoft.Network/loadBalancers/outboundRules/read",
              "Microsoft.Network/loadBalancers/probes/read",
              "Microsoft.Network/loadBalancers/read",
              "Microsoft.Network/natGateways/read",
              "Microsoft.Network/networkInterfaces/read",
              "Microsoft.Network/networkProfiles/read",
              "Microsoft.Network/networkSecurityGroups/read",
              "Microsoft.Network/networkVirtualAppliances/read",
              "Microsoft.Network/networkWatchers/flowLogs/read",
              "Microsoft.Network/networkWatchers/read",
              "Microsoft.Network/privateDnsZones/read",
              "Microsoft.Network/privateEndpoints/read",
              "Microsoft.Network/publicIPAddresses/read",
              "Microsoft.Network/publicIPPrefixes/read",
              "Microsoft.Network/routeFilters/read",
              "Microsoft.Network/routeFilters/routeFilterRules/read",
              "Microsoft.Network/routeTables/read",
              "Microsoft.Network/serviceEndpointPolicies/read",
              "Microsoft.Network/virtualHubs/read",
              "Microsoft.Network/connections/read",
              "Microsoft.Network/virtualNetworkGateways/read",
              "Microsoft.Network/virtualNetworks/read",
              "Microsoft.Network/virtualNetworks/subnets/read",
              "Microsoft.Network/virtualNetworkTaps/read",
              "Microsoft.Network/virtualRouters/read",
              "Microsoft.Network/virtualWans/read",
              "Microsoft.Network/vpnGateways/read",
              "Microsoft.Network/vpnServerConfigurations/read",
              "Microsoft.OperationalInsights/workspaces/read",
              "Microsoft.RecoveryServices/vaults/backupJobs/read",
              "Microsoft.RecoveryServices/vaults/backupPolicies/read",
              "Microsoft.RecoveryServices/vaults/read",
              "Microsoft.Resources/deployments/read",
              "Microsoft.Resources/links/read",
              "Microsoft.Resources/providers/read",
              "Microsoft.Resources/subscriptions/locations/read",
              "Microsoft.Resources/subscriptions/read",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Resources/subscriptions/resources/read",
              "Microsoft.Resources/tenants/read",
              "Microsoft.Search/searchServices/read",
              "Microsoft.Security/alerts/read",
              "Microsoft.Security/assessments/read",
              "Microsoft.Security/automations/read",
              "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
              "Microsoft.Security/pricings/read",
              "Microsoft.Security/securityContacts/read",
              "Microsoft.Security/settings/read",
              "Microsoft.Security/assessments/subAssessments/read",
              "Microsoft.ServiceBus/namespaces/read",
              "Microsoft.ServiceFabric/clusters/read",
              "Microsoft.SignalRService/signalR/read",
              "Microsoft.Sql/instancePools/operations/read",
              "Microsoft.Sql/instancePools/read",
              "Microsoft.Sql/managedInstances/databases/read",
              "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
              "Microsoft.Sql/managedInstances/encryptionProtector/read",
              "Microsoft.Sql/managedInstances/read",
              "Microsoft.Sql/servers/databases/read",
              "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
              "Microsoft.Sql/servers/elasticPools/read",
              "Microsoft.Sql/servers/encryptionProtector/read",
              "Microsoft.Sql/servers/firewallRules/read",
              "Microsoft.Sql/servers/read",
              "Microsoft.Sql/servers/securityAlertPolicies/read",
              "Microsoft.Sql/servers/virtualNetworkRules/read",
              "Microsoft.SqlVirtualMachine/sqlVirtualMachines/read",
              "Microsoft.Storage/storageAccounts/blobServices/containers/read",
              "Microsoft.Storage/storageAccounts/blobServices/read",
              "Microsoft.Storage/storageAccounts/fileServices/shares/read",
              "Microsoft.Storage/storageAccounts/queueServices/queues/read",
              "Microsoft.Storage/storageAccounts/queueServices/read",
              "Microsoft.Storage/storageAccounts/read",
              "Microsoft.Storage/storageAccounts/tableServices/read",
              "Microsoft.StorageCache/caches/read",
              "Microsoft.StorageSync/storageSyncServices/read",
              "Microsoft.StreamAnalytics/streamingjobs/read",
              "Microsoft.Synapse/workspaces/read",
              "Microsoft.Web/hostingEnvironments/read",
              "Microsoft.Web/serverfarms/read",
              "Microsoft.Web/sites/config/read",
              "Microsoft.Web/sites/functions/read",
              "Microsoft.Web/sites/read",
              "Microsoft.Web/sites/slots/read"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    ```

    Leave **NotActions**, **DataActions**, and **NotDataActions** empty.

    9. Click **Review + create**, then click **Create**

    <Info>
      The canonical list of permissions lives in the [`role.tf`](https://github.com/rad-security/terraform-azurerm-rad-security-connect/blob/main/role.tf) file of the Terraform module. Check that file for the most up-to-date set.
    </Info>
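    An offline pre-check for the role JSON above and for the subscription strings the Terraform `azure_subscriptions` input expects. This is an added example, not RAD Security's tooling: it flags an unreplaced `<subscription-id>` placeholder, wildcard or non-`/read` grants, and non-empty NotActions/DataActions/NotDataActions, while accepting the four `/action` entries that appear on the page's own list. The sample role is constructed.

    ```python
    import json
    import re

    # Scope form required by the module's `azure_subscriptions` input and by the
    # custom role's assignableScopes: "/subscriptions/<GUID>".
    SUBSCRIPTION_SCOPE = re.compile(
        r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

    # The page's role carries four "/action" entries that are not plain reads. They
    # pass here; any other "/action" is reported so a reviewer accepts it on purpose
    # (listClusterUserCredential, for example, returns AKS user credentials).
    ACCEPTED_ACTIONS = {
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.CostManagement/forecast/action",
        "Microsoft.CostManagement/query/action",
    }


    def invalid_subscription_scopes(scopes):
        """Entries that are not in /subscriptions/<GUID> form (e.g. a bare GUID)."""
        return [s for s in scopes if not SUBSCRIPTION_SCOPE.match(s)]


    def audit_role(role_json):
        """Audit a custom-role JSON export; returns a list of findings (empty = pass)."""
        props = json.loads(role_json).get("properties", {})
        findings = [f"bad assignableScope: {s}"
                    for s in invalid_subscription_scopes(props.get("assignableScopes", []))]
        for block in props.get("permissions", []):
            for key in ("notActions", "dataActions", "notDataActions"):
                if block.get(key):
                    findings.append(f"{key} must be empty")
            for action in block.get("actions", []):
                if "*" in action:
                    findings.append(f"wildcard grant: {action}")
                elif not (action.endswith("/read") or action in ACCEPTED_ACTIONS):
                    findings.append(f"non-read action: {action}")
        return findings


    # Constructed sample: the <subscription-id> placeholder was never replaced and
    # two grants a read-only role must not carry were added.
    SAMPLE_ROLE = json.dumps({"properties": {
        "roleName": "RAD Security Connect",
        "assignableScopes": ["/subscriptions/<subscription-id>"],
        "permissions": [{
            "actions": ["Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Compute/virtualMachines/write",
                        "Microsoft.Network/*"],
            "notActions": [], "dataActions": [], "notDataActions": []}]}})

    if __name__ == "__main__":
        print("\n".join(audit_role(SAMPLE_ROLE) or ["role passes"]))
    ```

    Run it against the JSON exported from the role's **JSON** tab before clicking **Create**; the same scope check applies to each entry you pass to `azure_subscriptions`.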

    ### Step 4: Assign the Role to the RAD Security Application

    Repeat the steps below **for each subscription** you want to connect.

    1. Go to **Subscriptions**
    2. Select the subscription
    3. Go to **Access control (IAM)**
    4. Click **+ Add** → **Add role assignment**
    5. **Role**: `RAD Security Connect`
    6. **Assign access to**: *User, group, or service principal*
    7. Click **Select members**
    8. Select the **RAD-Security-Connect** application
    9. Click **Review + assign**
    10. Click **Review + assign** again

    ### Step 5: Enter Connection Details in RAD Security

    Once all Azure steps are complete, open the RAD Security app and navigate to **Integrations** → **Azure** → **Azure Cloud**. Submit the form with:

    * **Tenant ID**
    * **Client ID (Application ID)**
    * **Client Secret**
    * **Subscription ID(s)** connected

    RAD Security will validate permissions and confirm when the Azure account is successfully connected and ingesting data.

    #### Validation Checklist

    Before finishing, confirm:

    * The **RAD-Security-Connect** app exists in **Entra ID**
    * The **RAD Security Connect** role exists
    * The role is assigned to the app on **each subscription**
    * The Azure account shows as **connected** in RAD Security
  </Tab>
</Tabs>
