Create an AzureHound Configuration

This article applies to BHE


Before beginning this process, you will need the Tenant ID and Application ID obtained by completing AzureHound Enterprise Azure Configuration.

  1. Log into your BloodHound Enterprise tenant.

  2. In the top right, click settings ⚙️ → Download Collectors


  3. Download AzureHound Enterprise by clicking the button DOWNLOAD AZUREHOUND vX.X.X (.ZIP)



  4. Extract the contents of the zip archive and locate the binary suitable for your system's architecture.

    • As an example, this guide will use the Windows 64-bit binary: "azurehound-windows-amd64"


  5. Run "azurehound.exe -h" to see all available options


  6. Run "azurehound.exe configure" and select the Azure region your organization's tenant is hosted in

    • Note: Most organizations are using the "cloud" region


  7. Type in your Azure tenant ID


  8. Type in the application ID you saved when creating the AzureHound application


  9. Choose your desired authentication mechanism
    • We highly recommend certificate-based authentication.


  10. If using Certificate authentication: hit Enter, or type ‘y’, to create a new certificate and key


    • Note: The certificate generated by AzureHound expires after one year.
    • Note: If using a certificate issued by another authority, AzureHound supports certificates with the following:
      • PEM encoded
      • RSA 256
      • PKCS#8 or PKCS#5

  11. If using Certificate authentication: if desired, provide a password for the secret key


  12. Hit Enter, or type 'y', to set up a connection to BloodHound Enterprise


  13. Type in the full URL of your BloodHound Enterprise tenant


  14. Create an AzureHound collector client by following Create a BloodHound Enterprise collector client. Continue to the next step when you have the Token ID and Token.

  15. Type in the client collector's Token ID from the previous step


  16. Type in the client collector's Token key from the collector client


  17. Decide if you want to use a proxy URL. Most organizations will not use this feature


  18. Hit Enter, or type ‘y’, to set up local logging


  19. Select the logging verbosity. As a start, we recommend Default


  20. Type a log file name

    • You can also enter the file name as a full path. If you do not specify a path, AzureHound writes logs to the specified file name in the same directory as the AzureHound binary


  21. Decide if AzureHound should generate JSON-structured logs


  22. When completed, a settings summary is shown

  23. If using Certificate authentication, the summary also includes the location of the certificate needed to complete the configuration within Azure


  24. Continue to Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)
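
For step 10, a certificate issued by another authority can be checked before it is handed to AzureHound. The following is an added example, not AzureHound's own code: it confirms the file is a PEM-encoded certificate with an RSA public key and reports the days left before expiry, so the rotation that the one-year lifetime implies can be scheduled. The names `checkCert` and `sampleCert` are hypothetical, the certificate is constructed at run time for the demonstration, and the private key encoding is not inspected.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkCert returns whole days until expiry for a PEM-encoded, currently valid RSA certificate.
func checkCert(pemBytes []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("not a PEM-encoded CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, fmt.Errorf("parse certificate: %w", err)
	}
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		return 0, fmt.Errorf("public key is %s, not RSA", cert.PublicKeyAlgorithm)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return 0, fmt.Errorf("outside validity window %s to %s", cert.NotBefore, cert.NotAfter)
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// sampleCert builds a constructed, self-signed RSA certificate (demo input only).
func sampleCert(notBefore time.Time, validDays int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-example"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkCert(sampleCert(time.Now().Add(-time.Hour), 365), time.Now()))
}
```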
