Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.rad.security/llms.txt

Use this file to discover all available pages before exploring further.

RAD Security – Azure Cloud Connect (Azure Portal Only)

This guide walks you through connecting your Azure subscription(s) to RAD Security using only the Azure Portal. No infrastructure-as-code or automation tools are required.

What you will do

  1. Create an Azure application (service principal) for RAD Security
  2. Create a custom Azure RBAC role with read-only permissions
  3. Assign that role to the RAD Security application
  4. Complete the connection in the RAD Security UI

Prerequisites

  • Azure Owner or User Access Administrator permissions on each subscription
  • Ability to create App Registrations and Custom RBAC Roles
  • List of Azure Subscription IDs you want RAD to connect

Step 1: Create an Azure Application for RAD Security

This application is how RAD securely reads data from your Azure environment.
  1. Sign in to the Azure Portal
  2. Go to Microsoft Entra ID
  3. Click + AddApp registration
  4. Fill in:
    • Name: RAD-Security-Connect
    • Supported account types: Single tenant
  5. Click Register

Capture these values (you will need them later):

  • Application (client) ID
  • Directory (tenant) ID

Step 2: Create a Client Secret

  1. In the app you just created, click on Add a certificate or secret
  2. Click on New client secret
  3. Add:
    • Description: RAD Security
    • Expiration: per your security policy
  4. Click Add
  5. Immediately copy and save the secret VALUE and Secret ID (This cannot be retrieved later)

Step 3: Create the Custom RBAC Role

This role grants RAD Security read-only access required for visibility.

Create the role

  1. Go to Subscriptions
  2. Select any one of the subscriptions you plan to connect
  3. Go to Access control (IAM)
  4. Select the Roles tab
  5. Click + AddCustom role
  • Custom role name: RAD Security Connect
  • Description: Allow RAD Security read access to Azure resources
  • Baseline permissions: Start from scratch
  1. Click Next

Permissions

  1. Go to the JSON tab
  2. Click Edit
  3. Add actions so that JSON looks as follows:
{
  "properties": {
    "roleName": "RAD Security Connect",
    "description": "Allow RAD Security read access to Azure resources",
    "assignableScopes": [
      "/subscriptions/<subscription-id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
          "Microsoft.Sql/instancePools/read",
          "Microsoft.Sql/instancePools/operations/read",
          "Microsoft.Sql/servers/databases/read",
          "Microsoft.Sql/managedInstances/encryptionProtector/read",
          "Microsoft.Sql/managedInstances/read",
          "Microsoft.Sql/servers/databases/read",
          "Microsoft.Sql/servers/encryptionProtector/read",
          "Microsoft.Sql/servers/firewallRules/read",
          "Microsoft.Sql/servers/securityAlertPolicies/read",
          "Microsoft.Sql/servers/virtualNetworkRules/read",
          "Microsoft.Sql/servers/read",
          "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
          "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
          "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/fileServices/shares/read",
          "Microsoft.Storage/storageAccounts/queueServices/read",
          "Microsoft.Storage/storageAccounts/queueServices/queues/read",
          "Microsoft.Storage/storageAccounts/tableServices/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/restorePointCollections/read",
          "Microsoft.Compute/skus/read",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/sshPublicKeys/read",
          "Microsoft.Compute/virtualMachines/extensions/read",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
          "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/VirtualNetworkgateways/read",
          "Microsoft.Network/virtualWans/read",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/customIpPrefixes/read",
          "Microsoft.Network/networkVirtualAppliances/read",
          "Microsoft.Network/networkWatchers/read",
          "Microsoft.Network/networkWatchers/flowLogs/read",
          "Microsoft.Network/azurefirewalls/read",
          "Microsoft.Network/virtualRouters/read",
          "Microsoft.Network/bastionHosts/read",
          "Microsoft.Network/serviceEndpointPolicies/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/applicationSecurityGroups/read",
          "Microsoft.Network/virtualNetworkTaps/read",
          "Microsoft.Network/vpnServerConfigurations/read",
          "Microsoft.Network/ipGroups/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/virtualHubs/read",
          "Microsoft.Network/firewallPolicies/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.network/virtualnetworkgateways/connections/read",
          "Microsoft.Network/applicationGateways/read",
          "Microsoft.Network/routeFilters/read",
          "Microsoft.Network/routeFilters/routeFilterRules/read",
          "Microsoft.Network/vpnGateways/read",
          "Microsoft.Network/ipAllocations/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/publicIPPrefixes/read",
          "Microsoft.Network/networkProfiles/read",
          "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
  • Leave NotActions, DataActions, and NotDataActions empty.
  1. Click on Review + create
  2. Click on Create

Step 4: Assign the Role to the RAD Security Application

Repeat the steps below for each subscription you want to connect.
  1. Go to Subscriptions
  2. Select the subscription
  3. Go to Access control (IAM)
  4. Click + AddAdd role assignment
  5. Role: RAD Security Connect
  6. Assign access to: User, group, or service principal
  7. Click Select members
  8. Select the RAD-Security-Connect application
  9. Click Review + assign
  10. Click Review + assign again

Step 5: Send Connection Details to RAD Security

What the customer needs to send

Once all Azure steps are complete, please securely send the following information to your RAD Security contact or RAD support:
  • Tenant ID
  • Client ID (Application ID)
  • Client Secret
  • Subscription ID(s) connected
  • Confirmation that:
    • The custom role is created
    • The role is assigned to the RAD application on each subscription

What RAD will do

RAD Security will:
  • Validate permissions
  • Complete the backend registration
  • Confirm when the Azure account is successfully connected and ingesting data

Validation Checklist

Before finishing, confirm:
  • The RAD-Security-Connect app exists in Entra ID
  • The RAD Security Connect role exists
  • The role is assigned to the app on each subscription
  • The Azure account shows as connected in RAD Security