Microsoft Azure Logo
Integration Guide

Built for Microsoft Azure

TENET provides native integration with Azure, delivering comprehensive visibility across your environment.

14-day free trial · 2 min setup · No credit card required

TENET — Azure IntegrationConnected ✓
Tenants (4 connected)
Production
a1b2-****-prod
148 resources
Development
c3d4-****-dev
62 resources
Shared Services
e5f6-****-ss
34 resources
Staging
g7h8-****-stg
21 resources
Managing multiple Azure tenants?

Each Azure tenant requires a separate integration. Repeat the setup steps below for each tenant you want to connect to TENET.

Integration Setup Guide

Connect your Azure environment to TENET using the automated wizard or the manual steps below.

TENET Setup Wizard (Recommended)

The fastest way to connect TENET to your Azure environment is with the TENET Setup Wizard. It guides you through the entire process automatically — creating the app registration, configuring API permissions, and assigning the required roles — in just a few clicks. Watch the video below to see how it works.

Manual Setup

Follow these steps to manually configure the Azure app registration and permissions required by TENET.

Step 1: Creating an app registration in the Azure Portal

A. Log into your Azure Portal
B. Search for App Registrations in the top search bar.
Search for App registrations in Azure Portal
C. Click on + New registration
Click New registration button in Azure Portal
D. Fill in the details:
  • Name: TENET
  • Redirect URI: Select a platform: Single-page application (SPA)
  • URL: https://tenet-portal.com
  • Click Register
Fill in app registration details - Name: TENET, Redirect URI: Single-page application

Step 2: Configure API Permissions

A. In the top toolbar, search for TENET (or the name you used for the app registration)
Copy Application (client) ID and Directory (tenant) ID from Azure Portal
B. Navigate to Manage → API permissions
Navigate to API permissions menu
C. Select + Add a permission → Microsoft Graph → Application permissions.
Add Microsoft Graph permissions

Ensure you select Application Permissions, not Delegated. This is required for the integration to work correctly.

D. Search for and select AuditLog.Read.All, Directory.Read.All, Reports.Read.All, and SecurityEvents.Read.All

  • Click add permissions
Add Microsoft Graph permissions
E. Grant admin consent
  • Then click on Grant admin consent for [Your Tenant] and confirm selection
Grant admin consent for permissions
F. Ensure all permissions have a green check in the Status column.
Permissions status with green checkmarks
G. Add Office 365 Management Activity API permission
  • Click + Add a permission → APIs my organization uses
  • Search for Office 365 Management Activity API and select it
  • Select Application permissionsActivityFeed.Read
  • Click Add permissions, then Grant admin consent
H. Add Microsoft Defender for Endpoint API permissions
  • Click + Add a permission → APIs my organization uses
  • Search for WindowsDefenderATP and select it
  • Select Application permissions: Machine.Read.All, Vulnerability.Read.All, Alert.Read.All
  • Click Add permissions, then Grant admin consent

These permissions are non-fatal if your tenant has no Microsoft Defender for Endpoint licence. TENET will skip Defender data for unlicensed tenants.

I. Add Application Insights API permission
  • Click + Add a permission → APIs my organization uses
  • Search for Application Insights API and select it
  • Select Delegated permissionsData.Read
  • Click Add permissions, then Grant admin consent (tenant-wide)

Step 3: Assign RBAC roles

The following steps grant TENET read access to all subscriptions within the management group. To limit access to specific subscriptions only, follow the same steps but search for individual subscription names instead of Management Groups.

A. In the top toolbar, search for Management Groups
Navigate to subscription IAM
B. Select your root management group (usually Tenant Root Group).
Navigate to subscription IAM

Global Administrator but can't access Management Groups? Follow Microsoft's guide to elevate your access.

C. Click on Access control (IAM) → Role assignments
Navigate to subscription IAM
D. Select Reader role.

Repeat this step five more times to also assign Monitoring Reader, Security Reader, Cognitive Services Usages Reader, Billing Reader, and Power Platform reader. All six roles are required.

Add role assignment
  • Click on the Members tab, and then + Select members.
Click Members tab and Select members
  • In the + Select Members panel, search for the name of the app registration that you created earlier, then click on it
  • Click Select at the bottom
Search for app registration in Select Members panel

All six roles (Reader, Monitoring Reader, Security Reader, Cognitive Services Usages Reader, Billing Reader, Power Platform reader) are required. If not using management groups, ensure each role is assigned per individual subscription.

E. Once all permissions have been added, click Review + assign (twice) to complete
Review and assign role
F. Assign the Global Reader directory role in Microsoft Entra ID
  • Navigate to the Microsoft Entra admin center
  • Go to Roles & administrators → Global Reader
  • Click + Add assignments, search for your TENET app registration, and assign

Global Reader grants read access to Conditional Access policies, Identity Protection, and Intune device compliance — scoped to Entra ID rather than Azure subscriptions.

Step 4: Create Client Secret

A. Return to App registrations and open your registered app

Please take note of the Application (client) ID and Directory (tenant) ID from this page. You will need to copy these across to the TENET Platform later.

Application overview showing Client ID and Tenant ID
B. Navigate to Manage → Certificates & secrets → Client secrets
Navigate to Certificates & secrets
C. Click + New client secret, provide a name and expiry, and then click Add
Copy the client secret value
D. Please take note of the Value of the secret - this is the final data point you will need to copy across to the TENET Platform.
Copy the client secret value

Step 5: Add Credentials to TENET

A. Log in to TENET and navigate to Settings (tenet-portal.com/settings)

Enter a friendly Tenant Name and previously noted Tenant ID, Client ID & Client Secret then click on Start Assessment

TENET settings page - Azure Credentials

Wait for validation and initial data fetch to be completed (about 45 seconds) and you can start reviewing TENET's insights.

You're done! 🎉

Managing and Monitoring Assessments

Once connected, TENET continuously monitors your Azure environment. Here's what to expect.

Automatic assessments

Full assessments run every 12 hours. Anomaly detection refreshes every hour. A manual refresh is also available in the Directories tab.

Permission errors

If missing permissions or invalid credentials are detected, TENET surfaces error messages in the platform. Adjust your Azure role assignments accordingly.

Plan Limits

Azure integration is available on all plans. The number of tenants you can connect depends on your plan.

TRIAL — 14 DAYS

Full access to all Scale plan features. Explore every capability with no restrictions during your trial.

SCALE PLAN

Automated and on-demand assessments for a single Azure tenant with up to 5 platform users.

PRO PLAN

Automated and on-demand assessments for multiple tenants simultaneously with a custom number of users.

Supported Services

Azure service integrations, out of the box

No agents, deployments or configurations required.

Compute
Virtual Machines
Virtual Machines
VM Scale Sets
VM Scale Sets
Managed Disks
Managed Disks
App Platform
App Service (Web Apps)
App Service (Web Apps)
Function Apps
Function Apps
App Service Plans
App Service Plans
Static Web Apps
Static Web Apps
Container Apps
Container Apps
AKS Managed Clusters
AKS Managed Clusters
Data & Storage
Storage Accounts
Storage Accounts
SQL Databases
SQL Databases
Cosmos DB / DocumentDB
Cosmos DB / DocumentDB
Cosmos DB for MongoDB
Cosmos DB for MongoDB
PostgreSQL Servers
PostgreSQL Servers
MySQL Servers
MySQL Servers
Redis Cache
Redis Cache
Redis Enterprise
Redis Enterprise
Networking
Application Gateway
Application Gateway
Load Balancer
Load Balancer
Virtual Network Gateway
Virtual Network Gateway
Front Door / CDN
Front Door / CDN
NAT Gateway
NAT Gateway
API Management
API Management
Integration & Security
Service Bus
Service Bus
Event Hubs
Event Hubs
Key Vault
Key Vault
Recovery Services Vaults
Recovery Services Vaults
Entra ID
Entra ID
Microsoft Teams
Microsoft Teams
Security & Monitoring
Microsoft Defender for Cloud
Microsoft Defender for Cloud
Microsoft Sentinel
Microsoft Sentinel
Application Insights
Application Insights
Azure Monitor
Azure Monitor
Activity Logs
Activity Logs
Resource Health
Resource Health
Azure Policy
Azure Policy
Network Security Groups
Network Security Groups
Azure RBAC
Azure RBAC
AI & Machine Learning
Azure OpenAI
Azure OpenAI
Cognitive Services
Cognitive Services
Azure AI Search
Azure AI Search
Azure Bot Service
Azure Bot Service
Azure Machine Learning
Azure Machine Learning
AI Foundry
AI Foundry
Management
Cost Management
Cost Management
Log Analytics Workspaces
Log Analytics Workspaces
Featured Resources

Want to learn more?
Dig into more resources.

Also connect Microsoft 365

TENET extends beyond Azure to give you unified audit logging, identity risk events, device compliance, and data sharing audit across your Microsoft 365 tenant.

View Microsoft 365 integration

Ready to integrate your Azure environment?

Get up and running in minutes with TENET's native Azure integration

14-day free trial · 2 min setup · No credit card required