This section details creating and configuring an Enterprise Application for AzureHound within Azure, including permissions, roles, and authentication.
Create the AzureHound Enterprise app
- Log into the Azure portal as a Global Admin or a Privileged Role Admin.
- From the Azure portal menu, search for or select Microsoft Entra ID
- In the left menu, select App registrations
- Click New registration
- In the Name field, give the application an identifying name in your organization. Make sure the supported account type is set to the “Accounts in this organizational directory only (Single tenant)” option. A URI is not required. Then click “Register”
- In the Overview menu, copy the Application (client) ID and Directory (tenant) ID to be used later in AzureHound Enterprise Local Configuration
- Continue the next section: “Grant Microsoft Graph Permissions”
Grant Microsoft Graph Permissions
- In the AzureHound application, select API Permissions
- Select Add a permission
- Click on Microsoft Graph
- Select Application permissions
- Search for the permission: “Directory.Read.All”, and check the box next to it
- In the bottom of the window, select Add permissions
- Click on “Grant admin consent for <your_tenant_name>”.
- Click “Yes” on the confirmation dialog.
- After being redirected to API Permissions again, select Grant admin consent for <your_tenant_name>
- Continue to the next section: "Grant “Directory Reader” role on the Azure tenant"
Grant “Directory Reader” role on the Azure tenant
- Click on the hamburger menu button, then select Microsoft Entra ID to return to the tenant view.
- Select Roles and administrators
- Search for the role “Directory Readers” and click the role name or description
Note: Clicking the checkbox sometimes prevents clicking on the role itself.
- In the "Directory readers" role, select Add assignments
- Click “No member selected” to open the search window.
- Search for the previously created service principal with either its name, application ID, or object ID. Select it by clicking on it
- Click Select
- Validate that your principal is displayed and click Next
- Ensure that the Assignment type is “Active” and the “Permanently assigned” box is checked. Provide a justification and click “Assign”.
- Confirm the service principal is a Directory Reader by refreshing this view.
- Continue to the next section to provide Directory Reader permissions on your subscriptions.
Grant “Reader” role on all subscriptions
Note: If you do not have any management groups, you may either create your Tenant Root Group following the prompts in the middle of the screen to ensure future visibility if another administrator begins use of subscriptions, or you may skip this section altogether. If you skip this section, you will see a warning in the logs for each collection indicating the lack of ability to collect this data accordingly.
- Search for and select the “Management groups” item in the top search bar
- Select Tenant Root Group
- Select Access control (IAM)
- Select Role assignments
- Click Add, then Add role assignment
- Find the “Reader” role and select it
- Click “Members”.
- Click Select members
- Search for and click on your previously created service principal.
- Validate the principal selected, then click Select
- Click the tab Review + Assign
- Click Review + Assign at the bottom of the page
- Confirm the role is present by refreshing this view. You may need to alter the filter to see this role.
- Continue to the next section: "Add certificate to Azure for Authentication"
Add certificate to Azure for Authentication
This section requires you have authentication material.
We highly recommend using certificate-based authentication. If you do not already have a certificate created, follow the article AzureHound Enterprise Local Configuration and then return back here.
- Log into the Azure portal as a Global Admin or a Privileged Role Admin.
- Search for or click on Microsoft Entra ID
- On the left, click “App registrations”.
- Search for and click on the Application you created previously.
- Click on Certificates & secrets
- Click on “Certificates”.
- Click “Upload certificate”.
- Locate the "cert.pem" file created during AzureHound setup (either on your own, or utilizing the instructions at AzureHound Enterprise Local Configuration)
- Click the folder icon and locate the "cert.pem" file. Add a description if desired.
- In the bottom of the window, select Add
- Continue to Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)
Updated