AzureHound Enterprise Azure Configuration

This article applies to BHE

This section details creating and configuring an Enterprise Application for AzureHound within Azure, including permissions, roles, and authentication.


Create the AzureHound Enterprise app

  1. Log into the Azure portal as a Global Admin or a Privileged Role Admin.

  2. From the Azure portal menu, search for or select Microsoft Entra ID

  3. In the left menu, select App registrations

  4. Click New registration

  5. In the Name field, give the application a name that identifies it within your organization. Make sure the supported account type is set to the “Accounts in this organizational directory only (Single tenant)” option. A redirect URI is not required. Then click “Register”.

  6. In the Overview menu, copy the Application (client) ID and Directory (tenant) ID to be used later in AzureHound Enterprise Local Configuration

  7. Continue to the next section: “Grant Microsoft Graph Permissions”.


Grant Microsoft Graph Permissions

  1. In the AzureHound application, select API Permissions

  2. Select Add a permission

  3. Click on Microsoft Graph

  4. Select Application permissions

  5. Search for the permission: “Directory.Read.All”, and check the box next to it

  6. In the bottom of the window, select Add permissions

  7. Click on “Grant admin consent for <your_tenant_name>”.

  8. Click “Yes” on the confirmation dialog.

  9. After being redirected to API Permissions again, select Grant admin consent for <your_tenant_name>

  10. Continue to the next section: “Grant ‘Directory Reader’ role on the Azure tenant”.


Grant “Directory Reader” role on the Azure tenant

  1. Click on the hamburger menu button, then select Microsoft Entra ID to return to the tenant view.

  2. Select Roles and administrators

  3. Search for the role “Directory Readers” and click the role name or description
    Note: Clicking the checkbox sometimes prevents clicking on the role itself.

  4. In the "Directory readers" role, select Add assignments

  5. Click “No member selected” to open the search window.

  6. Search for the previously created service principal with either its name, application ID, or object ID. Select it by clicking on it

  7. Click Select

  8. Validate that your principal is displayed and click Next

  9. Ensure that the Assignment type is “Active” and the “Permanently assigned” box is checked. Provide a justification and click “Assign”.

  10. Confirm the service principal is a Directory Reader by refreshing this view.

  11. Continue to the next section to grant the Reader role on your subscriptions.


Grant “Reader” role on all subscriptions

Note: If you do not have any management groups, you may either create the Tenant Root Group by following the prompts in the middle of the screen (this ensures future visibility if another administrator later starts using subscriptions), or skip this section altogether. If you skip it, each collection will log a warning indicating that this data could not be collected.

  1. Search for and select the “Management groups” item in the top search bar

  2. Select Tenant Root Group

  3. Select Access control (IAM)

  4. Select Role assignments

  5. Click Add, then Add role assignment

  6. Find the “Reader” role and select it

  7. Click “Members”.

  8. Click Select members

  9. Search for and click on your previously created service principal.

  10. Validate the principal selected, then click Select

  11. Click the tab Review + Assign

  12. Click Review + Assign at the bottom of the page

  13. Confirm the role is present by refreshing this view. You may need to alter the filter to see this role.

  14. Continue to the next section: “Add certificate to Azure for Authentication”.
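
Once the Graph permission and the RBAC role are in place, the effective configuration can be checked against what this guide grants and nothing more. The following Python is an added example, not part of the BloodHound documentation or of AzureHound: it reads the app manifest's requiredResourceAccess array and the service principal's Azure RBAC role assignment list (both exportable from the portal or the Azure CLI) and flags anything beyond Directory.Read.All as an application permission and Reader on the Tenant Root Group. The sample data, the extra permission GUID and the tenant id are constructed placeholders.

```python
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# App-role id of the Microsoft Graph application permission Directory.Read.All
DIRECTORY_READ_ALL = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"


def check_graph_permissions(required_resource_access):
    """Findings for the manifest's requiredResourceAccess array; empty means exactly Graph Directory.Read.All (Application)."""
    findings, have_read_all = [], False
    for res in required_resource_access:
        if res["resourceAppId"] != GRAPH_APP_ID:
            findings.append(f"permission requested on unexpected API {res['resourceAppId']}")
            continue
        for acc in res["resourceAccess"]:
            if acc["type"] == "Scope":
                # Delegated permission: wrong tab in step 4 above, and useless for a daemon app
                findings.append(f"delegated permission {acc['id']} (should be Application)")
            elif acc["id"] == DIRECTORY_READ_ALL:
                have_read_all = True
            else:
                findings.append(f"extra application permission {acc['id']}")
    if not have_read_all:
        findings.append("Directory.Read.All application permission missing")
    return findings


def check_rbac(assignments, tenant_id):
    """Findings for the principal's Azure RBAC assignments; empty means only Reader on the Tenant Root Group (its id equals the tenant id)."""
    root_scope = f"/providers/Microsoft.Management/managementGroups/{tenant_id}"
    findings, have_reader = [], False
    for a in assignments:
        if a["roleDefinitionName"] == "Reader" and a["scope"] == root_scope:
            have_reader = True
        else:
            findings.append(f"unexpected assignment: {a['roleDefinitionName']} on {a['scope']}")
    if not have_reader:
        findings.append("Reader on Tenant Root Group missing (subscription data will be skipped)")
    return findings


# Constructed sample: a second, unneeded application permission slipped in (placeholder GUID).
SAMPLE_MANIFEST = [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
                    "resourceAccess": [{"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
                                       {"id": "00000000-0000-0000-0000-0000deadbeef", "type": "Role"}]}]
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id
SAMPLE_RBAC = [{"roleDefinitionName": "Reader", "principalType": "ServicePrincipal",
                "scope": f"/providers/Microsoft.Management/managementGroups/{SAMPLE_TENANT}"}]

if __name__ == "__main__":
    for f in check_graph_permissions(SAMPLE_MANIFEST) + check_rbac(SAMPLE_RBAC, SAMPLE_TENANT):
        print("FINDING:", f)
```

The Entra “Directory Readers” directory role from the previous section is not an Azure RBAC assignment and does not appear in the role assignment list; confirm it in the Roles and administrators view as described in step 10 there.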


Add certificate to Azure for Authentication

This section requires that you already have authentication material.

We highly recommend certificate-based authentication. If you have not yet created a certificate, follow the article AzureHound Enterprise Local Configuration and then return here.

  1. Log into the Azure portal as a Global Admin or a Privileged Role Admin.

  2. Search for or click on Microsoft Entra ID

  3. On the left, click “App registrations”.

  4. Search for and click on the Application you created previously.

  5. Click on Certificates & secrets

  6. Click on “Certificates”.

  7. Click “Upload certificate”.

  8. Locate the "cert.pem" file created during AzureHound setup (either on your own, or by following the instructions in AzureHound Enterprise Local Configuration).

  9. Click the folder icon and select the "cert.pem" file. Add a description if desired.

  10. At the bottom of the window, select Add.

  11. Continue to Run and Upgrade AzureHound (Windows, Docker, or Kubernetes).
