Documentation

Microsoft Azure

Suggest Edits

The Azure connector provides a script to retrieve the tenant ID, directory name, client ID, and client secret. For tenants with more than 100,000 users, set up the connector with Azure Event Hub.

Prerequisites

Required roles and permissions

The following read-only roles are required for this connector. You do not need to manually grant these roles, as this is managed by the connector install script.

Microsoft Graph

  • Application.Read.All
  • AuditLog.Read.All
  • DelegatedAdminRelationship.Read.All
  • DeviceManagementApps.Read.All
  • Directory.Read.All
  • EntitlementManagement.Read.All
  • Group.Read.All
  • IdentityProvider.Read.Al
  • ldentityRiskEvent.Read.All
  • IdentityRiskyServicePrincipal.Read.All
  • IdentityRiskyUser.Read.All
  • MailboxSettings.Read
  • OnPremDirectorySynchronization.Read.All
  • Policy.Read.All
  • Reports.Read.All
  • RoleManagement.Read.All
  • Sites.Read.All
  • TeamsAppInstallation.ReadForUser.All
  • User.Read.All
  • UserAuthenticationMethod.Read.All

Office 365 management APIs

  • ActivityFeed.Read

Management groups

  • Reader Role

Create the connector

  1. From the top left of any page in Insights, click iconInsightsConnectors.
    The Connectors page displays.

  2. Locate Microsoft Azure in the Available Connectors list.

  3. Click Create Connector.
    The Create Microsoft Azure Connector panel opens.

  4. Enter a human-readable Name for the connector.

  5. Use the link on-screen to sign in to the Microsoft Azure Portal as a user with Azure Global Administrator privileges.

  6. In Entra ID, navigate to the Properties page and toggle Access management for Azure resources to Yes.

    ℹ️

    Note

    You can toggle this back to No after running the script.

  7. In Insights, select an installation method from the drop-down and follow the associated instructions:

    Install using Power Shell

    1. Ensure you have installed Azure PowerShell on Windows. For more information, see the Azure PowerShell documentation.
    2. Once installed, open PowerShell and log in to Azure by running the command Connect -AzAccount. Enter your login credentials in the following window.
    3. Ensure you are connected to the correct Azure tenant and directory, and run the following commands:
      1. Get-AzTenant to see all the directories you have access to.
      2. Set-AzContext -Tenant "TenantID", where TenantID is the ID of the directory where the script will be installed.
      3. Get-AzContext to verify your selection.
      4. Run the resulting script to retrieve the tenant ID, directory name, client ID, and client secret display for use in the following step.

    Install using Cloud Shell

    1. From the Azure portal, launch Cloud Shell.
    2. Select PowerShell from the shell environment drop-down.
    3. Paste and run the resulting script into the shell environment. Once complete, the tenant ID, directory name, client ID, and client secret display for use in the following step.

  8. In Insights, copy the tenant ID, directory name, client ID, and client secret from the script into the appropriate fields.

  9. In the Microsoft Azure Portal:

    1. Navigate to Azure Services > Microsoft Entra ID.
    2. Select App Registrations in the left menu.
    3. Select the BT-SP-Connector application.
    4. In the API permissions section, select Grant admin consent.
    5. Confirm your selection.

  10. In Insights, if you:

    1. have less than 100,000 users or are not subscribed to Azure Event Hub, select No from the Use Azure Event Hub drop-down.
    2. have 100,000 users or more and access to Azure Event Hub, select Yes from the Use Azure Event Hub drop-down.

  11. Set up Azure Event Hub:

    ℹ️

    Note

    If you selected No in the previous section, skip these instructions.

    1. In Insights, copy the Insights-generated Azure Event Hub script.
    2. In the shell environment, paste and run the Insights-generated Azure Event Hub script.
    3. Once complete, copy the Fully Qualified Hub Namespace, Blob Container Url, and Hub Name in a secure location for use in the following step.
    4. Follow Microsoft's procedure to stream logs to an event hub.
    5. Within the Azure Diagnostics settings, select the following log Categories to stream:
      • SignInLogs
      • NonInteractiveUserSignInLogs
      • ServicePrincipalSignInLogs
      • ManagedIdentitySignInLogs
    6. Within Azure's Destination details section, select Stream to an event hub, and select the Fully Qualified Hub Namespace and Hub Name you saved in step iii, above.
    7. In Insights, enter the Fully Qualified Hub Namespace, Blob Container Url, and Hub Name in the appropriate fields.

  12. Click Create Connector.
    The connector is created and displays in your Configured tab on the Connector page.

Register the app

After running the script and entering the values into Identity Security Insights, complete these steps:

  1. In the Microsoft Azure Portal, go to Microsoft Entra ID in Azure Services.
  2. Select App registrations from the left menu.
  3. Choose the BT-SP-Connector application.
  4. Under API permissions for the selected App registration, click Grant admin consent, and confirm.
  5. Navigate to Properties, and toggle Access management for Azure resources to No.

Update the Microsoft Azure Connector Client Secret

Microsoft Azure steps

  1. In Microsoft Azure, use the search box to search for Microsoft Entra ID and select it from the results.
  2. Under the Manage section in the left menu, select App registrations.
  3. Locate and select the BT-SP-Connector application under All applications. Note the Application (client) ID for reference.
  4. Under the Manage section, select Certificates & Secrets.
  5. Select + New client secret, provide a description and set an expiry date according to your company's guidelines, then click Add.
  6. Copy the Secret Value and store it in a secure location.

Insights steps

  1. From the top left of any page in Insights, click icon > Insights > Connectors. The Connectors page will display.
  2. Locate and select the Microsoft Azure connector in the Configured Connectors list that requires attention.
  3. Navigate to the Settings tab, confirm the Client ID matches the one from the Azure steps, and paste in the Secret Value.
  4. Select Save Changes.

ℹ️

Note:

Ensure the connector is turned on. You can verify and enable it on the Overview page of the connector.

Updated 18 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.