
Creating Azure segments

Preview

This page describes how to create an Azure segment for scanning your Microsoft Azure environment to discover resources and later audit those you need.

NOTE: This feature is currently in preview and may change or evolve over time.

Azure minimal permissions

Before creating an Azure segment, prepare an App Registration with the minimal permissions required to discover and audit your Azure resources. You will need its Client ID, Client secret, and Tenant ID when configuring the segment.

There are two options:

  • Use the built-in Reader role

    This role allows the Audit Service to read Azure resource metadata. It does not grant access to data or Graph API. The Reader role fully supports all current audit capabilities and will continue to work as new Azure resources are added.

  • Use a custom role

    You can create a custom role with the minimal permissions required for auditing. A sample JSON role definition is provided below. You can copy it into your Azure role configuration. We may update this definition in the future as needed.

    NOTE: The permissions listed here reflect the current configuration. They may be updated from time to time as new resource types are supported.

    {
        "properties": {
            "roleName": "Audit Inventory Reader",
            "description": "",
            "assignableScopes": [
                "/subscriptions/acd33f9b-9e00-4a3e-ac4e-fd7c6fc8df9a"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Compute/disks/read",
                        "Microsoft.Network/loadBalancers/read",
                        "Microsoft.Network/networkSecurityGroups/read",
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/applicationGateways/read",
                        "Microsoft.Resources/subscriptions/read",
                        "Microsoft.Resources/subscriptions/resourceGroups/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
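    Before creating a custom role like the one above, it is worth checking that the definition really is control-plane read-only: every action ends in /read with no wildcards, dataActions is empty, and assignableScopes names a specific subscription rather than root or a management group. The following script is an added example, not part of this help page or the product; it validates a role definition JSON file (or the constructed sample embedded in it, which uses a placeholder subscription ID) against those rules.

```python
"""Least-privilege check for an Azure custom role definition.

Added example (not from the product documentation). Validates a role
definition JSON such as the "Audit Inventory Reader" sample before it is
created in Azure: the role must be control-plane read-only, grant no
data-plane access, and not be assignable at root or management-group scope.
"""
import json
import sys

# Constructed sample role definition; the subscription ID is a placeholder GUID.
SAMPLE_ROLE = json.dumps({
    "properties": {
        "roleName": "Audit Inventory Reader",
        "description": "",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": [
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Network/networkSecurityGroups/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
})


def check_role_definition(role_json: str) -> list:
    """Return a list of findings; an empty list means the role passes."""
    findings = []
    role = json.loads(role_json)
    # Accept both the portal export form (wrapped in "properties") and a bare definition.
    props = role.get("properties", role)

    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes defined")
    for scope in scopes:
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/"):
            findings.append(f"overly broad assignable scope: {scope}")

    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            # Wildcards or anything other than a trailing /read is not read-only.
            if "*" in action or not action.endswith("/read"):
                findings.append(f"non read-only control-plane action: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions present: role would grant data-plane access")
    return findings


def is_read_only_role(role_json: str) -> bool:
    """True when the definition has no least-privilege findings."""
    return not check_role_definition(role_json)


if __name__ == "__main__":
    # Usage: python check_role.py audit-role.json  (falls back to the embedded sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROLE
    problems = check_role_definition(source)
    for problem in problems:
        print("FINDING:", problem)
    print("role passes least-privilege check" if not problems else "role needs review")
    sys.exit(1 if problems else 0)
```

    A definition that passes the check can then be created with the Azure CLI (az role definition create --role-definition @audit-role.json) and assigned to the App Registration's service principal at the subscription scope with az role assignment create; a failing definition should be corrected first rather than assigned.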

Copy the Client ID and Client secret from your App Registration, and the Tenant ID from the Entra ID Overview. You will need this information when you create the segment.

Create an Azure segment

Follow these steps to set up a new Azure segment and provide the necessary credentials for scanning and auditing your cloud resources.

To create an Azure segment:

  1. In the left navigation sidebar, choose Network.

  2. In the Network section, click on the Segments tile.

  3. Click the + New Segment button.

  4. Select the Azure icon and click Next to open the new segment's configuration parameters.

  5. In the Select or install Audit Service section, click the down arrow and choose a previously deployed Audit Service instance.

    TIP: If none of the registered services apply, click Download Alloy Audit Service to download a new Audit Service, and then run the installation package on a computer with internet access. Once the Alloy Audit Service is successfully installed, it will appear in the list above, so you can select it and proceed with the configuration.

  6. Expand the Azure section.

  7. The Name of the new segment is assigned automatically, but you can edit it if necessary.

  8. Under Available resources, select the cloud resources you want to scan.

  9. Expand the Credentials section and enter the Azure credentials for the service principal used for the audit:

    • Tenant ID: Enter your tenant ID.

      TIP: Your tenant ID is a globally unique identifier (GUID) that is different from your organization name or domain. You can find your tenant ID in the Microsoft Entra (formerly Azure AD) admin center, on the Properties page.

    • Client ID: Enter the client ID for the service principal.

    • Client secret: Enter and confirm the client secret for the service principal.

    You can obtain these credentials from Microsoft Entra ID (Azure AD) inside the App Registration that the service principal belongs to.

    INFO: For details, refer to Segment audit credentials.

  10. Creating a Scan schedule is optional at this stage. To skip it, click Continue without a schedule. To set one, choose a scan frequency (Daily, Weekly, or Monthly) and specify the details accordingly.

  11. The final step, Let's get started! Discover where to find the results, shows where you can find discovered resources.

    After you create the segment, it appears in the Network section and can be scanned either automatically or on demand.

    The first scan performs discovery only, listing resources by name. To collect detailed information about a resource, you must run an audit. Audited resources are automatically added to the Inventory section.

    IMPORTANT: Scanning lists only resource names and does not count toward your licensed nodes. Auditing collects detailed information and does count. For details and best practices, see Scanning and auditing.

  12. To finalize the process, click Create.