AzureHound Enterprise System Requirements and Deployment Process

This article applies to BHE

The AzureHound Enterprise service is a critical element in your deployment that collects and uploads data about your Azure environment to your BloodHound Enterprise tenant for processing and analysis.

AzureHound Enterprise is generally deployed as a service on a single Windows system per Azure tenant.  You need to create (at least) a single AzureHound server for all the tenants in scope and one Azure Enterprise Application service instance for each tenant.

Running multiple AzureHound collector instances on a single server requires the collectors to be installed as Scheduled Tasks instead of Windows Services. Installation instructions for such a configuration can be found at: Setting up multiple AzureHound collectors on the same server with scheduled tasks.


While it is possible to run both AzureHound and SharpHound on the same machine, the hardware recommendations for each application persist.  The Recommendations below are for a small production environment and should be considered a baseline that may need to be increased depending on size and complexity of your Azure environment.


Deployment Process Overview

To deploy a new AzureHound collector service:

  1. Configure Azure: AzureHound Enterprise Azure Configuration
  2. Create your AzureHound configuration: AzureHound Enterprise Local Configuration
  3. Deploy and maintain AzureHound: Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)


Server Requirements


  Minimum Recommended Large Enterprise
Processor Cores 2 physical cores 4 physical cores 6 physical cores
Memory 4GB RAM 16GB RAM 32GB RAM
Hard disk space 1GB for logging 5GB for logging 20GB for logging



AzureHound Enterprise supports several deployment options:

  • Windows Server 2019+
  • .NET 4.5.2+


  • Docker


  • Kubernetes


  • TLS on 443/TCP to your BloodHound Enterprise tenant URL (provided by your account team)
  • TLS on 443/TCP to your Azure tenant. Azure Cloud domains are:

Service Principal Requirements

The AzureHound Enterprise service will run as an Azure Application backed by a Service Principal with the following permissions:

Note: Both Directory Reader and Directory.Read.All are required; they may read as identical in the Microsoft Documentation above, but they are not. There is some overlap, but each has distinct permissions that AzureHound leverages to ensure attack path collection coverage.