Azure Integration Setup

Connect your Azure subscription for automated scanning of Entra ID, Key Vault, Storage Accounts, NSGs, and Microsoft Defender findings.

Updated March 2026 · 6 min read

Prerequisites

You need an Azure subscription with at least Reader role access and the ability to register an application in Entra ID (Azure AD). The integration uses an app registration with a client secret or certificate for authentication. ComplyWise requires the Security Reader and Reader roles at the subscription level.

  • Azure subscription with Reader access
  • Entra ID admin access for app registration
  • ComplyWise admin role for integration configuration

App Registration

Create an app registration in Entra ID (Azure AD). Navigate to Azure Portal → Entra ID → App registrations → New registration. Name it 'ComplyWise Scanner', set it to single-tenant, and create a client secret. Copy the Application (client) ID, Directory (tenant) ID, and Client Secret — you will need these in the ComplyWise configuration.

  • Register as a single-tenant application
  • Create a client secret with a 12-month expiration (rotate before expiry)
  • Note the Application ID, Directory ID, and Client Secret
  • Certificate-based authentication available for Enterprise customers

Role Assignments

Assign the Reader and Security Reader roles to your app registration at the subscription level. Navigate to your Azure Subscription → Access control (IAM) → Add role assignment. Select Reader, then add the app registration as the member. Repeat for the Security Reader role. These read-only roles allow ComplyWise to inventory resources and security findings without modification capability.

  • Reader — enumerate all resource configurations across the subscription
  • Security Reader — access Microsoft Defender for Cloud findings and security scores
  • No write or contributor permissions required
  • Scope to individual resource groups for more granular access (optional)
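A practical way to confirm the assignments above is to export what the app registration actually holds and check it against the expected read-only set. The script below is an added example, not part of ComplyWise or its documentation; it reads the JSON shape produced by `az role assignment list --assignee <app-id> --all -o json` (the `roleDefinitionName` and `scope` fields), and flags missing roles, any privileged role held anywhere, and assignments outside the target subscription. The subscription id and the three sample assignments are constructed placeholders; the list of "privileged" role names is this example's own choice, not a ComplyWise rule.

```python
"""Check that the ComplyWise app registration holds only the two read-only roles
the integration needs, at the intended subscription scope.

Input shape follows `az role assignment list --assignee <app-id> --all -o json`:
a JSON array whose objects carry roleDefinitionName, scope and principalType.
The assignments below are constructed for this example (not real output).
"""
import json
import re
from typing import Optional

REQUIRED_ROLES = {"Reader", "Security Reader"}
# Built-in roles with write, delete or permission-granting actions; the scanner
# should never hold these at any scope (example list, extend as needed).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator", "Security Admin"}

_SUB_PREFIX = re.compile(r"^/subscriptions/([0-9a-f-]{36})(/|$)", re.IGNORECASE)


def subscription_of(scope: str) -> Optional[str]:
    """Return the subscription id a scope belongs to, or None for management-group/root scopes."""
    m = _SUB_PREFIX.match(scope)
    return m.group(1).lower() if m else None


def is_subscription_scope(scope: str) -> bool:
    """True only for the subscription itself, not a resource group or resource under it."""
    return bool(re.fullmatch(r"/subscriptions/[0-9a-f-]{36}", scope, re.IGNORECASE))


def audit_assignments(assignments: list, subscription_id: str) -> dict:
    """Summarise what the principal holds relative to the expected Reader + Security Reader set."""
    target = subscription_id.lower()
    held_at_subscription = set()
    privileged, narrower, outside = [], [], []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES:
            privileged.append((role, scope))
        if subscription_of(scope) != target:
            outside.append((role, scope))        # another subscription, or management-group/root
        elif is_subscription_scope(scope):
            held_at_subscription.add(role)
        else:
            narrower.append((role, scope))       # resource group or resource inside the target
    missing = sorted(REQUIRED_ROLES - held_at_subscription)
    return {
        "missing": missing,
        "privileged": privileged,
        "narrower": narrower,
        "outside": outside,
        # Pass only when both read-only roles are present and nothing privileged is held anywhere.
        "ok": not missing and not privileged,
    }


SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder id
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "ComplyWise Scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "ComplyWise Scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "ComplyWise Scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy"}
]
""")

if __name__ == "__main__":
    report = audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION)
    print(json.dumps(report, indent=2))
```

Run it against the real `az` output by replacing `SAMPLE_ASSIGNMENTS` with `json.load(open("assignments.json"))`. The constructed sample deliberately includes a leftover Contributor assignment on a resource group, which is exactly the kind of drift that turns a read-only scanner identity into a write-capable one; the report marks it as both `privileged` and `narrower` and sets `ok` to `False`. If you choose the optional resource-group scoping, expect the required roles to show up under `narrower` rather than at subscription scope.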

What Gets Scanned

The Azure scanner evaluates configuration data across core Azure services. It checks Entra ID for MFA enforcement, conditional access policies, and risky sign-ins. Storage accounts are checked for encryption, public access, and network rules. Network security groups are validated against least-privilege patterns. Key Vault access policies and certificate expirations are monitored.

  • Entra ID: users, MFA status, conditional access, sign-in risk policies
  • Storage Accounts: encryption, public access, network rules, access keys
  • Networking: NSGs, VNets, private endpoints, DDoS protection
  • Key Vault: access policies, key rotation, certificate expiration
  • Microsoft Defender: security recommendations and compliance score
  • SQL databases: encryption, auditing, firewall rules
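To make the storage and NSG items in the list above concrete, here is an added example (not ComplyWise code, and not its actual rule set) that evaluates the JSON Azure Resource Manager returns for a `Microsoft.Storage/storageAccounts` resource and a `Microsoft.Network/networkSecurityGroups` resource. It reads real ARM property names (`allowBlobPublicAccess`, `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `networkAcls.defaultAction`, `allowSharedKeyAccess`, and the `securityRules` entries on an NSG); the two storage accounts, the NSG and the finding identifiers are constructed for this example.

```python
"""Illustrative configuration checks over ARM resource JSON: a storage account
and a network security group. Resources below are constructed, not exported.
"""
from typing import List

# Source prefixes that mean "anywhere on the Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
MANAGEMENT_PORTS = {"22", "3389"}


def check_storage_account(account: dict) -> List[str]:
    """Return finding ids for a storage account; an empty list means it passes."""
    p = account.get("properties", {})
    findings = []
    if p.get("allowBlobPublicAccess", True):           # absent means the permissive default
        findings.append("blob-public-access-enabled")
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append("http-traffic-allowed")
    if p.get("minimumTlsVersion", "TLS1_0") != "TLS1_2":
        findings.append("weak-minimum-tls")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("network-default-allow")      # no network rules: reachable from anywhere
    if p.get("allowSharedKeyAccess", True):
        findings.append("shared-key-access-enabled")  # account keys bypass Entra ID authorization
    return findings


def _ports(rule_props: dict) -> List[str]:
    """ARM rules carry either destinationPortRange (one value) or destinationPortRanges (a list)."""
    ranges = list(rule_props.get("destinationPortRanges") or [])
    single = rule_props.get("destinationPortRange")
    return ranges + ([single] if single else [])


def _port_exposes(port: str) -> bool:
    """True if a port value covers a management port, or everything ("*")."""
    if port == "*":
        return True
    if "-" in port:
        lo, hi = (int(x) for x in port.split("-", 1))
        return any(lo <= int(m) <= hi for m in MANAGEMENT_PORTS)
    return port in MANAGEMENT_PORTS


def check_nsg(nsg: dict) -> List[str]:
    """Flag inbound Allow rules that open management ports (or all ports) to the Internet."""
    findings = []
    for rule in nsg.get("properties", {}).get("securityRules", []):
        rp = rule["properties"]
        if rp.get("direction") != "Inbound" or rp.get("access") != "Allow":
            continue
        sources = [rp.get("sourceAddressPrefix", "")] + list(rp.get("sourceAddressPrefixes") or [])
        if not any(s.lower() in INTERNET_SOURCES for s in sources if s):
            continue
        if any(_port_exposes(p) for p in _ports(rp)):
            findings.append(f"nsg-internet-inbound:{rule['name']}")
    return findings


# Constructed resources: one weak storage account, one hardened one, and an NSG
# with a single rule that should be flagged.
SAMPLE_STORAGE = {
    "name": "stlegacydata", "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "allowBlobPublicAccess": True, "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_0",
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
        "allowSharedKeyAccess": True,
    },
}
HARDENED_STORAGE = {
    "name": "stprodhardened", "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "allowBlobPublicAccess": False, "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {"defaultAction": "Deny", "ipRules": []},
        "allowSharedKeyAccess": False,
    },
}
SAMPLE_NSG = {
    "name": "nsg-web", "type": "Microsoft.Network/networkSecurityGroups",
    "properties": {"securityRules": [
        {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443", "priority": 100}},
        {"name": "allow-rdp-any", "properties": {"direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389", "priority": 110}},
        {"name": "allow-ssh-bastion", "properties": {"direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/24", "destinationPortRange": "22", "priority": 120}},
    ]},
}

if __name__ == "__main__":
    for res in (SAMPLE_STORAGE, HARDENED_STORAGE):
        print(res["name"], check_storage_account(res))
    print(SAMPLE_NSG["name"], check_nsg(SAMPLE_NSG))
```

The checks default to the permissive interpretation when a property is absent, which matches how ARM treats unset values on older accounts and keeps a missing field from silently passing. The NSG check only counts a rule as exposed when all three conditions hold (inbound, Allow, Internet source) and the port set includes a management port or `*`, so HTTPS open to the Internet and SSH from a bastion subnet are left alone.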

Configuring in ComplyWise

Navigate to Settings → Integrations → Azure in the ComplyWise dashboard. Enter your Azure Tenant ID, Application (Client) ID, and Client Secret. The platform validates the connection by calling the Azure Resource Manager API. Once verified, the integration is active and included in compliance scans.

  • Enter Azure Tenant ID, Client ID, and Client Secret
  • Connectivity test validates API access
  • Select specific subscriptions to scan (if you have multiple)
  • Integration status visible in the Integrations page
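The connectivity test described above can be reproduced from your own workstation before entering the credentials, which separates "wrong secret" from "no role assignment". The script below is an added example, not ComplyWise code: it obtains a token for the app registration with the OAuth 2.0 client-credentials grant from the Entra ID v2.0 token endpoint and then lists the subscriptions visible to it through the Azure Resource Manager `subscriptions` API (`api-version=2020-01-01`), using only the standard library. The environment variable names and the two sample response bodies are constructed for this example.

```python
"""Stand-alone connectivity check for the ComplyWise app registration:
client-credentials token, then an ARM call that only succeeds with a role assignment.
Uses only the standard library; the secret comes from the environment and is never printed.
Sample responses below are constructed for this example.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

LOGIN = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"
ARM_SCOPE = ARM + "/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """URL and form-encoded body for the v2.0 token endpoint (client-credentials grant)."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }).encode()
    return url, body


def token_from_response(payload: Dict) -> str:
    """Extract the bearer token, surfacing the error shape the endpoint returns on failure."""
    if "error" in payload:
        raise RuntimeError(f"token request failed: {payload['error']}: {payload.get('error_description', '')}")
    if payload.get("token_type") != "Bearer" or not payload.get("access_token"):
        raise RuntimeError("unexpected token response")
    return payload["access_token"]


def readable_subscriptions(payload: Dict) -> List[Tuple[str, str, str]]:
    """(subscriptionId, displayName, state) for every subscription ARM lists for this principal."""
    return [(s["subscriptionId"], s["displayName"], s["state"]) for s in payload.get("value", [])]


def scan_targets(payload: Dict) -> List[str]:
    """Only Enabled subscriptions are candidates for the scan selection."""
    return [sid for sid, _, state in readable_subscriptions(payload) if state == "Enabled"]


def _post_form(url: str, body: bytes) -> Dict:
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


def _get_json(url: str, token: str) -> Dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


# Constructed responses used to exercise the parsing functions without network access.
SAMPLE_TOKEN_RESPONSE = {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ0.constructed.token"}
SAMPLE_SUBSCRIPTIONS_RESPONSE = {"value": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "subscriptionId": "00000000-0000-0000-0000-000000000000", "displayName": "prod", "state": "Enabled"},
    {"id": "/subscriptions/11111111-1111-1111-1111-111111111111",
     "subscriptionId": "11111111-1111-1111-1111-111111111111", "displayName": "sandbox", "state": "Disabled"},
]}

if __name__ == "__main__":
    # Variable names are this example's choice; any secret store that sets them works.
    tenant, client = os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"]
    secret = os.environ["AZURE_CLIENT_SECRET"]
    url, body = build_token_request(tenant, client, secret)
    token = token_from_response(_post_form(url, body))          # fails here: bad tenant/client/secret
    subs = _get_json(f"{ARM}/subscriptions?api-version=2020-01-01", token)
    for sid, name, state in readable_subscriptions(subs):
        print(f"{sid}  {name}  {state}")
    if not scan_targets(subs):                                   # empty here: token fine, no Reader role
        sys.exit("token obtained but no Enabled subscription is visible: check the role assignments")
```

A token that is issued but an empty `value` list from ARM is the signature of a correct app registration with a missing Reader assignment, because the subscriptions endpoint only returns what the caller has been granted at least Reader on; an `invalid_client` error from the token endpoint instead points at the tenant id, client id or an expired secret. Subscriptions in any state other than `Enabled` are listed but excluded from the scan targets.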