Onboard Azure Subscription

Overview & Objectives

Purpose:

This document outlines the process for onboarding a single Azure subscription into the ARMO Platform. After onboarding, ARMO will have visibility into the subscription's resources, enable governance and compliance policies, and monitor for risks.

Prerequisites

| Item | Requirement |
| --- | --- |
| ARMO Platform | You have Admin or Manager access to the ARMO Platform. |
| Azure Global Administrator | You have administrative or IAM privileges in the Azure subscription you intend to onboard. |
| Owner | Owner role in the target subscription(s). |

High-level onboarding flow

The Azure onboarding process in ARMO establishes secure, read-only access so ARMO can continuously analyze your cloud configuration, compliance posture, and activity logs.

  1. Get your Azure Subscription ID
  2. Create an Azure App Registration
  3. Grant Microsoft Graph API permissions
  4. Generate a Client Secret
  5. Create a Custom Azure Role for CSPM
  6. Assign roles to the application
  7. Connect subscription

[ARMO Platform]
      │
      ▼
[Start Onboarding Wizard]
      │
      ▼
[Azure Portal]
├── Register ARMO App
├── Create Secret
├── Create custom role
└── Assign Roles to the application
      │
      ▼
[Return to ARMO → Enter Credentials]
      │
      ▼
[Validation + Discovery]
      │
      ▼
[Continuous Scanning & Compliance Insights]


Detailed Step-by-Step Onboarding

1. Get the Subscription ID

  • Go to the Azure Portal and search for Subscriptions.
  • Locate and copy your Subscription ID.

2. Go to the ARMO Platform

  • Go to Settings → Accounts.
  • Click the Microsoft Azure card, then click Next.
  • Enter the Subscription ID you copied in step 1.
  • Enter a display name.

3. Register ARMO as an Azure Application

  1. Navigate to Azure Portal → App registrations.

  2. Click + New registration.

  3. Enter the name: cspm-security-application

  4. Select the supported account type:

    • Accounts in this organizational directory only – for a single tenant setup.
  5. Click Register.

  6. Copy the following values:

    1. Application (client) ID and paste it in the ARMO connection wizard
    2. Directory (tenant) ID and paste it in the ARMO connection wizard



4. Grant Microsoft Graph API Permissions

  1. Navigate to Azure Portal → App registrations.
  2. Open cspm-security-application
  3. Click API permissions
  4. Click + Add a permission
  5. Select Microsoft Graph
  6. Select Application permissions
  7. Search and add:
    1. Directory.Read.All
    2. Policy.Read.All
    3. UserAuthenticationMethod.Read.All
  8. Click Add permissions
  9. Click Grant admin consent

5. Add a New Secret

  1. Open the newly created application and go to Certificates & secrets.

  2. Under Client secrets, click + New client secret.

  3. Add a description (e.g., cspm-security-application) and set the expiration to 730 days (24 months).

  4. Click Add.

  5. Copy the Secret Value and paste it in the ARMO connection wizard

Note: Client secret values cannot be viewed except immediately after creation. Save the secret value when it is created, before leaving the page.


6. Create an Azure Custom Role

This role grants ARMO secure read-only access to required Azure services.

  1. In the Azure Portal, go to Subscriptions.
  2. Select your subscription
  3. In the subscription menu, select Access control (IAM).
  4. Click + Add → Add custom role
  5. Enter Role name: CSPM Access
  6. Select Start from scratch → Next
  7. Click Add permissions
    1. Search and add: Microsoft.Web/sites/host/listkeys/action
    2. Click Add permissions again and add: Microsoft.Web/sites/config/list/Action
  8. Click Review + Create
  9. Click Create

7. Assign Roles to the Application

  1. In the Azure Portal, go to Subscriptions.

  2. Select your subscription

  3. In the subscription menu, select Access control (IAM).

  4. Click + Add → Add role assignment.

  5. Assign the custom CSPM role

    1. Role: CSPM Access
    2. Assign access to: Default
    3. Members: Search and select the application "cspm-security-application"
    4. Click Review + assign
  6. Repeat the same process for:

    1. Reader
    2. Security Reader
  7. Your application should now have three roles:

    • CSPM Access
    • Reader
    • Security Reader
  8. Click Connect account
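
Steps 6 and 7 can also be checked outside the portal. The following is an added example, not ARMO's own code: it builds the CSPM Access role in the JSON shape that `az role definition create --role-definition` accepts, and audits role assignments exported with `az role assignment list --assignee <client-id> --all` against the three roles listed above. The subscription ID, the description text and the sample assignments are constructed placeholders.

```python
import json
import re

# Role names and actions are the ones this page lists in steps 6 and 7.
CUSTOM_ROLE = "CSPM Access"
CUSTOM_ACTIONS = [
    "Microsoft.Web/sites/host/listkeys/action",
    "Microsoft.Web/sites/config/list/Action",
]
EXPECTED_ROLES = {CUSTOM_ROLE, "Reader", "Security Reader"}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def role_definition(subscription_id):
    """Build the custom role, scoped to one subscription only."""
    if not GUID.match(subscription_id):
        raise ValueError("subscription ID must be a GUID")
    return {
        "Name": CUSTOM_ROLE,
        "IsCustom": True,
        "Description": "Custom role for CSPM onboarding",  # assumed wording
        "Actions": list(CUSTOM_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def audit_assignments(assignments, subscription_id):
    """Compare the app's role assignments with the three roles expected."""
    scope = f"/subscriptions/{subscription_id}".lower()
    at_scope = {a["roleDefinitionName"] for a in assignments
                if a["scope"].lower() == scope}
    elsewhere = sorted(f'{a["roleDefinitionName"]} @ {a["scope"]}'
                       for a in assignments if a["scope"].lower() != scope)
    return {
        "missing": sorted(EXPECTED_ROLES - at_scope),
        "unexpected": sorted(at_scope - EXPECTED_ROLES),  # over-privilege
        "other_scopes": elsewhere,  # e.g. inherited from a management group
    }


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    # Constructed sample in the shape of `az role assignment list` output.
    sample = [
        {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{sub}"},
        {"roleDefinitionName": "CSPM Access", "scope": f"/subscriptions/{sub}"},
        {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{sub}"},
    ]
    print(json.dumps(role_definition(sub), indent=2))
    print(audit_assignments(sample, sub))
```

An empty `unexpected` and `other_scopes` result confirms the application holds nothing beyond the three roles. The two custom actions return Function host keys and app configuration settings, so protect the client secret from step 5 accordingly.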


After Onboarding

Once your Azure environment is connected:

  • ARMO automatically discovers Azure resources and begins scanning for compliance and configuration issues.
  • Connected subscriptions appear under Settings → Accounts → Azure (tab) in the ARMO Platform.
  • Compliance results typically appear within 60 minutes in the Compliance section (Cloud tab).