# Using the Portal

> Connect your Azure subscription(s) to RAD Security using the Azure Portal

# RAD Security – Azure Cloud Connect (Azure Portal Only)

This guide walks you through connecting your Azure subscription(s) to **RAD Security** using only the Azure Portal.

No infrastructure-as-code or automation tools are required.

***

## What you will do

1. Create an Azure application (service principal) for RAD Security
2. Create a custom Azure RBAC role with read-only permissions
3. Assign that role to the RAD Security application
4. Complete the connection in the RAD Security UI

***

## Prerequisites

* Azure **Owner** or **User Access Administrator** permissions on each subscription
* Ability to create **App Registrations** and **Custom RBAC Roles**
* List of Azure **Subscription IDs** you want RAD to connect

***

## Step 1: Create an Azure Application for RAD Security

This application is how RAD securely reads data from your Azure environment.

1. Sign in to the Azure Portal
2. Go to **Microsoft Entra ID**
3. Click **+ Add** → **App registration**
4. Fill in:
   * **Name**: `RAD-Security-Connect`
   * **Supported account types**: *Single tenant*
5. Click **Register**

### Capture these values (you will need them later):

* **Application (client) ID**
* **Directory (tenant) ID**

***

## Step 2: Create a Client Secret

1. In the app you just created, click on **Add a certificate or secret**
2. Click on **New client secret**
3. Add:
   * **Description**: `RAD Security`
   * **Expiration**: per your security policy
4. Click **Add**
5. **Immediately copy and save the secret Value and Secret ID**

   (The secret value cannot be retrieved later.)

***

## Step 3: Create the Custom RBAC Role

This role grants RAD Security read-only access required for visibility.

### Create the role

1. Go to **Subscriptions**
2. Select **any one** of the subscriptions you plan to connect
3. Go to **Access control (IAM)**
4. Select the **Roles** tab
5. Click **+ Add** → **Custom role** and fill in:
   * **Custom role name**: `RAD Security Connect`
   * **Description**: `Allow RAD Security read access to Azure resources`
   * **Baseline permissions**: **Start from scratch**
6. Click **Next**

### Permissions

1. Go to the **JSON** tab
2. Click **Edit**
3. Add **actions** so that JSON looks as follows:

```json
{
  "properties": {
    "roleName": "RAD Security Connect",
    "description": "Allow RAD Security read access to Azure resources",
    "assignableScopes": [
      "/subscriptions/<subscription-id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
          "Microsoft.Sql/instancePools/read",
          "Microsoft.Sql/instancePools/operations/read",
          "Microsoft.Sql/servers/databases/read",
          "Microsoft.Sql/managedInstances/encryptionProtector/read",
          "Microsoft.Sql/managedInstances/read",
          "Microsoft.Sql/servers/encryptionProtector/read",
          "Microsoft.Sql/servers/firewallRules/read",
          "Microsoft.Sql/servers/securityAlertPolicies/read",
          "Microsoft.Sql/servers/virtualNetworkRules/read",
          "Microsoft.Sql/servers/read",
          "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
          "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/fileServices/shares/read",
          "Microsoft.Storage/storageAccounts/queueServices/read",
          "Microsoft.Storage/storageAccounts/queueServices/queues/read",
          "Microsoft.Storage/storageAccounts/tableServices/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/restorePointCollections/read",
          "Microsoft.Compute/skus/read",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/sshPublicKeys/read",
          "Microsoft.Compute/virtualMachines/extensions/read",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
          "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/VirtualNetworkgateways/read",
          "Microsoft.Network/virtualWans/read",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/customIpPrefixes/read",
          "Microsoft.Network/networkVirtualAppliances/read",
          "Microsoft.Network/networkWatchers/read",
          "Microsoft.Network/networkWatchers/flowLogs/read",
          "Microsoft.Network/azurefirewalls/read",
          "Microsoft.Network/virtualRouters/read",
          "Microsoft.Network/bastionHosts/read",
          "Microsoft.Network/serviceEndpointPolicies/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/applicationSecurityGroups/read",
          "Microsoft.Network/virtualNetworkTaps/read",
          "Microsoft.Network/vpnServerConfigurations/read",
          "Microsoft.Network/ipGroups/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/virtualHubs/read",
          "Microsoft.Network/firewallPolicies/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.network/virtualnetworkgateways/connections/read",
          "Microsoft.Network/applicationGateways/read",
          "Microsoft.Network/routeFilters/read",
          "Microsoft.Network/routeFilters/routeFilterRules/read",
          "Microsoft.Network/vpnGateways/read",
          "Microsoft.Network/ipAllocations/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/publicIPPrefixes/read",
          "Microsoft.Network/networkProfiles/read",
          "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

* Leave **NotActions**, **DataActions**, and **NotDataActions** empty.

4. Click on **Review + create**
5. Click on **Create**
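
Before clicking **Create**, the role JSON can be checked offline. This is an added example, not RAD Security tooling: it flags any action that does not end in `/read` (in the JSON above that is `Microsoft.ContainerService/managedClusters/listClusterUserCredential/action`), duplicate entries, a leftover `<subscription-id>` placeholder, and subscriptions missing from `assignableScopes`, since a custom role can only be assigned at scopes listed there. The function name `lint_role`, the trimmed sample role and the subscription IDs are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample: same shape as the role JSON above, trimmed to a few actions.
SAMPLE_ROLE = json.loads("""
{"properties": {
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
  "permissions": [{
    "actions": [
      "Microsoft.ContainerService/managedClusters/read",
      "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/read"
    ],
    "notActions": [], "dataActions": [], "notDataActions": []
  }]
}}
""")
# Constructed subscription IDs standing in for the ones you plan to connect.
SUBSCRIPTIONS = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]


def lint_role(role, subscription_ids):
    """Return (severity, message) findings for a custom role definition."""
    props = role["properties"]
    findings = []
    scopes = {s.lower().rstrip("/") for s in props.get("assignableScopes", [])}
    if any("<" in s for s in scopes):
        findings.append(("error", "assignableScopes still contains a placeholder"))
    for sub in subscription_ids:
        if f"/subscriptions/{sub}".lower() not in scopes:
            findings.append(("error", f"{sub} missing from assignableScopes"))
    for perm in props.get("permissions", []):
        # Compare case-insensitively so differently cased copies count as duplicates.
        counts = Counter(a.lower() for a in perm.get("actions", []))
        for action, n in counts.items():
            if n > 1:
                findings.append(("info", f"duplicate action: {action}"))
            if "*" in action:
                findings.append(("error", f"wildcard action: {action}"))
            elif not action.endswith("/read"):
                findings.append(("review", f"non-read action: {action}"))
        for key in ("notActions", "dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(("error", f"{key} is not empty"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_role(SAMPLE_ROLE, SUBSCRIPTIONS):
        print(f"{severity:7} {message}")
```

To check your own definition, paste the JSON from the Portal's **JSON** tab into a file and pass `json.load(open(path))` with your subscription IDs to `lint_role`.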

***

## Step 4: Assign the Role to the RAD Security Application

Repeat the steps below **for each subscription** you want to connect.

1. Go to **Subscriptions**
2. Select the subscription
3. Go to **Access control (IAM)**
4. Click **+ Add** → **Add role assignment**
5. **Role**: `RAD Security Connect`
6. **Assign access to**: *User, group, or service principal*
7. Click **Select members**
8. Select the **RAD-Security-Connect** application
9. Click **Review + assign**
10. Click **Review + assign** again

***

## Step 5: Send Connection Details to RAD Security

### What the customer needs to send

Once all Azure steps are complete, please securely send the following information to your RAD Security contact or RAD support:

* **Tenant ID**
* **Client ID (Application ID)**
* **Client Secret**
* **Subscription ID(s)** connected
* Confirmation that:
  * The **custom role** is created
  * The role is **assigned to the RAD application** on each subscription

### What RAD will do

RAD Security will:

* Validate permissions
* Complete the backend registration
* Confirm when the Azure account is successfully connected and ingesting data

***

## Validation Checklist

Before finishing, confirm:

* The RAD-Security-Connect app exists in **Entra ID**
* The **RAD Security Connect** role exists
* The role is assigned to the app on **each subscription**
* The Azure account shows as **connected** in RAD Security
