Onboard Azure Subscription (coming soon)

Overview & Objectives

Purpose:

This document describes how to onboard a single Azure subscription into ARMO Platform. After onboarding, ARMO will have visibility into the account’s resources, enable governance / compliance policies, and monitor for risks.

Prerequisites

| Item | Requirement |
| --- | --- |
| ARMO Platform | You have Admin or Manager access to ARMO Platform. |
| Azure Global Administrator | You have administrative or IAM privileges in the Azure subscription you intend to onboard. |
| Owner | Owner role in the target subscription(s). |

High level onboarding flow

The Azure onboarding process in ARMO establishes secure, read-only access so ARMO can continuously analyze your cloud configuration, compliance posture, and activity logs.

  1. Initiate Integration from the ARMO Platform
    1. Navigate to Settings → Accounts → Microsoft Azure.
    2. Choose A single subscription.
  2. Create an Azure App Registration
    1. ARMO requires an Azure Active Directory (Entra ID) App Registration to authenticate securely.
    2. The registration defines ARMO as a trusted application with API access to Azure resources.
  3. Generate and Store Application Credentials
    1. Add a Client Secret under Certificates & Secrets.
    2. Copy the Client ID, Tenant ID, and Secret Value — these are required to authenticate ARMO’s connection.
  4. Assign the Reader Role to the Application
    1. In the target Azure Subscription, assign the ARMO application the Reader role under Access Control (IAM).
    2. This grants ARMO read-only access for discovery and compliance scanning.
  5. Provide Credentials to ARMO
    1. Return to the ARMO Platform and enter the following: Subscription ID, Directory ID, Application ID, Client Secret.
  6. Verification and Discovery
    1. ARMO verifies connectivity and permissions.
    2. Once validated, ARMO begins discovering Azure resources (VMs, AKS clusters, storage accounts, etc.) across connected subscriptions.
  7. Continuous Scanning and Insights
    1. Within ~60 minutes, ARMO starts displaying Compliance Findings (under Compliance → Cloud).

[ARMO Platform]
      ↓
[Start Onboarding Wizard]
      ↓
[Azure Portal]
├── Register ARMO App
├── Create Secret
└── Assign Reader Role
      ↓
[Return to ARMO → Enter Credentials]
      ↓
[Validation + Discovery]
      ↓
[Continuous Scanning & Compliance Insights]


Detailed Step-by-Step Onboarding

1. Get the Subscription ID

  • Go to the Azure portal and search for Subscriptions.
  • Locate and copy your Subscription ID.

2. Go to ARMO Platform

  • Click the Microsoft Azure card, then click Next.
  • Enter the Azure Subscription ID.
  • Enter a display name.



3. Register ARMO as an Azure Application

  1. Navigate to Azure Portal → App registrations.

  2. Click + New registration.

  3. Enter the name: Armo-security-application

  4. Select the supported account type:

    • Accounts in this organizational directory only – for a single tenant setup.
    • Accounts in any organizational directory (Any Microsoft Entra ID tenant) – for a multitenant setup.
  5. Click Register.

  6. Copy the following values:

    1. Application (client) ID: paste it into the ARMO connection wizard.
    2. Directory (tenant) ID: paste it into the ARMO connection wizard.



4. Add a New Secret

  1. Open the newly created application and go to Certificates & secrets.

  2. Under Client secrets, click + New client secret.

  3. Add a description (for example, ArmoSecurity) and set expiration to 730 days (24 months).

  4. Click Add.

  5. Copy the Secret Value and paste it into the ARMO connection wizard.


5. Grant the Azure Application Reader Role Permissions

  1. In the Azure Portal, go to Subscriptions.

  2. Select the subscription you want ARMO to scan.

  3. In the subscription menu, select Access control (IAM).

  4. Click + Add → Add role assignment.

  5. Choose the Reader role.

  6. Under the Members tab:

    • Select User, group, or service principal.
    • Click + Select members, then search for the ARMO application you registered and select it.
  7. Click Review + assign to finalize.

The ARMO Service Principal now has read-only access to your Azure subscription.
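
To confirm that read-only claim from the Azure side, the following added example (not part of ARMO's documentation or tooling) audits saved Azure CLI output: it flags any role assignment for the application other than Reader at the subscription scope, and reports how many days remain before the client secret from step 4 expires. The JSON samples are constructed, the subscription ID is a placeholder, and the field names assume the output of `az role assignment list --assignee <app-id> --all -o json` and `az ad app credential list --id <app-id> -o json`.

```python
import json
from datetime import datetime, timezone

# Constructed sample: shape of `az role assignment list --assignee <app-id> --all -o json`.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"}
]""")

# Constructed sample: shape of `az ad app credential list --id <app-id> -o json`.
SAMPLE_SECRETS = json.loads("""[
  {"displayName": "ArmoSecurity", "endDateTime": "2027-01-15T00:00:00Z"}
]""")


def audit_assignments(assignments, subscription_id):
    """Return findings for anything other than Reader at the subscription scope."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    findings, has_reader = [], False
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/").lower()
        if role == "Reader" and scope == expected_scope:
            has_reader = True
        else:
            findings.append(f"unexpected assignment: {role} at {a['scope']}")
    if not has_reader:
        findings.append(f"missing Reader at {expected_scope}")
    return findings


def days_until_expiry(secrets, now):
    """Days left on the client secret that expires soonest (None if no secrets)."""
    # Keep only the seconds-precision prefix so fractional seconds do not break parsing.
    ends = [datetime.strptime(s["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
            .replace(tzinfo=timezone.utc) for s in secrets]
    return min((e - now).days for e in ends) if ends else None


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000001"  # placeholder subscription ID
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, sub):
        print("FINDING:", finding)
    print("secret days left:", days_until_expiry(SAMPLE_SECRETS, datetime.now(timezone.utc)))
```

An empty findings list means the application holds exactly the Reader assignment described in step 5; a low days-remaining value is the cue to rotate the secret and update it in the ARMO connection before scanning stops authenticating.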


After Onboarding

Once your Azure environment is connected:

  • ARMO automatically discovers Azure resources and begins scanning for compliance and configuration issues.
  • Connected subscriptions appear under Settings → Accounts in the ARMO Platform.
  • Compliance and vulnerability results typically appear within 60 minutes.