1. Introduction
Microsoft Azure is one of the most widely used cloud platforms, powering critical business operations across industries. By integrating Azure with Cye Platform, organizations gain continuous visibility into their cloud configuration and security posture.
Once connected, Cye Platform automatically assesses your Azure environment to identify vulnerabilities and misconfigurations that could put business assets at risk. These assessments run daily with negligible performance impact, ensuring you always have an up-to-date view of your security status.
What you get with the Azure integration
Continuous findings: Cye Platform generates findings directly from Azure assessments.
Automatic status updates: When an issue is remediated in Azure, its finding is closed in Cye Platform on the next assessment run, without manual intervention.
Configurable notifications: Set up alerts for new findings so nothing slips through the cracks.
Scalable coverage: Supports multiple tenants and subscriptions within a single integration.
Clear visibility: Assessment status is always available on the relevant engagement page.
Focused scope: SIEM integration is not part of this integration.
2. Prerequisites
Before you begin, make sure the following requirements are met:
Integration per tenant – You’ll need to define a separate Cye Platform integration for each Azure tenant you want to assess.
Configured Cloud Shell – Azure Cloud Shell must be set up and ready to run commands.
Dedicated role – Access to Azure resources is granted through a custom, read-only Azure RBAC role that a Cye Platform-provided script creates and assigns to the CYE application. The script is PowerShell and calls the Azure CLI (az), so it is run from Azure Cloud Shell.
Management groups in use – Subscriptions should be organized under management groups for streamlined access.
Note: The PowerShell script (last updated September 2024) must be executed against the tenant root management group. A role assignment at that scope is inherited by all current and future subscriptions, so Cye Platform gains access to new subscriptions automatically.
Important: Creating the Azure integration alone is not enough. You must also create an Azure engagement in Cye Platform — only then will findings from Azure assessments be generated.
Required IP Addresses
For the integration to work, you may need to allow traffic from Cye Platform's servers in your firewall or network configuration. For an Azure assessment this matters when Conditional Access policies for workload identities, named-location restrictions or resource firewalls limit access by source IP: the assessment is performed through the Azure management and Microsoft Graph APIs from the addresses below, and a block there shows up as a failed or partial assessment rather than a clear error.
Depending on your region and the type of scan, allow the following IP addresses:
General IPs:
Europe → 18.198.79.197
America → 52.1.10.176, 35.171.70.87
IPs for Azure and AWS Scans:
Europe → 18.158.77.90
America → 34.206.252.13
In most cases, you only need to add the IPs relevant to your region and use case.
Cye Platform's Group Management and Integrations
If your organization includes multiple subsidiaries, Cye Platform supports a Group Management structure for viewing and managing risk across business units.
Where supported, integrations should be created at the subsidiary level, using credentials relevant to each subsidiary’s data.
In some integrations (such as Azure), certain findings exist only at the tenant level — in these cases, a dedicated “parent” company may be needed to connect to the root tenant.
Findings stay within each subsidiary, while the parent company sees aggregated metrics.
In that case, create one Cye Platform company per subsidiary plus one Cye Platform company for the global (tenant-level) parent, and connect all subsidiary companies to that parent.
For full details, see the Group Management Guide.
Integration Process
Integrating Azure with Cye Platform follows a simple three-part flow. Understanding the framework upfront will make the step-by-step setup much easier:
Provide tenant details
Begin by entering your integration name and the Azure tenant ID (available in your Azure portal).
Choose an authentication method:
OAuth Authentication - a tenant-level integration that gives the Cye Platform instance access to the entire Azure tenant, so it can assess tenant-level items such as users and access privileges. Findings about users and access privileges are only available through tenant-level (OAuth) authentication.
Client ID and Secret Authentication - This type of authentication allows more flexibility and is more useful when you have different business units configured as subscriptions on your Azure tenant, and you want to manage findings for each business unit on a separate Cye Platform account.
With this method, findings are limited to subscription-level findings; tenant-level findings are excluded from the scan. If you host multiple business units on the same Azure tenant, consider creating:
A cross business unit Cye Platform company that authenticates to the entire tenant through OAuth.
Company accounts per business unit, that authenticate through Client ID and Secret, mimicking your business structure using the Cye Platform Group Management setup.
For additional guidance on integrating Cye Platform with Azure, you may reach out to your TCSM or Cye Platform support.
Create an Azure engagement
Once authentication is complete, you must create an Azure engagement in Cye Platform. Only then will findings from Azure assessments start appearing in the platform.
Understanding Azure Application Permissions
Before diving into the setup, note that Cye Platform's Azure integration relies on a fixed set of application (app-only) permissions on the Microsoft Graph API, which are granted to the CYE enterprise application when an administrator consents. These define what directory and security data Cye Platform can read. All of them are read-only, but together they expose tenant-wide identity, device, mailbox-settings, SharePoint-site and security-alert data, so the application's credentials deserve the same protection as any other tenant-wide reader. Full permissions list:
Policy.Read.ConditionalAccess
AppCatalog.Read.All
CustomSecAttributeDefinition.Read.All
ExternalConnection.Read.All
ServicePrincipalEndpoint.Read.All
CloudPC.Read.All
DeviceManagementManagedDevices.Read.All
Device.Read.All
DelegatedAdminRelationship.Read.All
UserAuthenticationMethod.Read.All
Policy.Read.PermissionGrant
SharePointTenantSettings.Read.All
SecurityEvents.Read.All
IdentityRiskyServicePrincipal.Read.All
PrivilegedAccess.Read.AzureAD
RoleManagement.Read.Directory
SecurityAlert.Read.All
Group.Read.All
AdministrativeUnit.Read.All
MailboxSettings.Read
CrossTenantInformation.ReadBasic.All
Sites.Read.All
DeviceManagementServiceConfig.Read.All
DirectoryRecommendations.Read.All
EntitlementManagement.Read.All
IdentityUserFlow.Read.All
Directory.Read.All
ConsentRequest.Read.All
RoleManagement.Read.All
PrivilegedAccess.Read.AzureResources
User.Read.All
Domain.Read.All
SecurityIncident.Read.All
GroupMember.Read.All
DeviceManagementRBAC.Read.All
RoleManagement.Read.CloudPC
CustomSecAttributeAssignment.Read.All
DeviceManagementConfiguration.Read.All
APIConnectors.Read.All
ExternalItem.Read.All
SecurityActions.Read.All
ThreatAssessment.Read.All
IdentityProvider.Read.All
IdentityRiskyUser.Read.All
AccessReview.Read.All
PrivilegedAccess.Read.AzureADGroup
InformationProtectionPolicy.Read.All
Organization.Read.All
IdentityRiskEvent.Read.All
AuditLog.Read.All
Policy.Read.All
Member.Read.Hidden
Application.Read.All
ProgramControl.Read.All
DeviceManagementApps.Read.All
ThreatIndicators.Read.All
Reports.Read.All
ThreatHunting.Read.All
Microsoft Threat Protection
AdvancedHunting.Read.All
Policy.Read.All
Directory.Read.All
Application.Read.All
Member.Read.Hidden
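The list above is what the integration asks for; what a tenant actually granted can drift (a second consent, a permission added later, a different app used for the Client ID and Secret method). The following script is an added example, not part of the page or of Cye's own tooling: run in Azure Cloud Shell (PowerShell), it reads the application permissions consented to the integration's service principal, resolves each appRoleId to its permission name through the resource API's own appRoles, and flags anything that is not read-only. $appId is the CYE application ID from the vendor script; for the Client ID and Secret method, set it to your own app registration's Application (client) ID. The read-only test (a name containing ".Read" and no write-capable verb) is a heuristic of this example, not an Azure rule.

```powershell
# Added audit example (not from the page or from Cye). Run in Azure Cloud Shell (PowerShell).
# Lists the granted *application* permissions of one service principal and flags non-read-only ones.
$appId = "aaa423c9-336c-4489-aa00-b58f7d46361f"   # CYE app (OAuth method); use your own app ID for Method 2

$sp = az ad sp show --id $appId -o json | ConvertFrom-Json
if (-not $sp) { throw "No service principal for app $appId in this tenant (consent not granted yet?)" }

# appRoleAssignments are the consented application permissions. Each one names the resource API
# (Microsoft Graph, Microsoft Threat Protection, ...) by object ID and the permission by appRoleId;
# the human-readable value lives in the resource service principal's appRoles list.
$url    = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.id)/appRoleAssignments"
$grants = az rest --method GET --url $url -o json | ConvertFrom-Json

$resources = @{}   # resourceId -> @{ Name = display name; Roles = appRoleId -> permission value }
$flagged   = @()
foreach ($g in @($grants.value)) {
    if (-not $resources.ContainsKey($g.resourceId)) {
        $rsp = az ad sp show --id $g.resourceId -o json | ConvertFrom-Json
        $map = @{}
        foreach ($role in $rsp.appRoles) { $map[$role.id] = $role.value }
        $resources[$g.resourceId] = @{ Name = $rsp.displayName; Roles = $map }
    }
    $res  = $resources[$g.resourceId]
    $perm = $res.Roles[$g.appRoleId]
    if (-not $perm) { $perm = "<unknown appRoleId $($g.appRoleId)>" }

    # Heuristic of this example: read-only permissions contain ".Read" and no write-capable verb.
    $writeCapable = ($perm -notmatch '\.Read') -or
                    ($perm -match 'ReadWrite|\.Write|\.Manage|\.Create|\.Delete|\.Send|\.Invite')
    $state = if ($writeCapable) { "REVIEW" } else { "ok" }
    if ($writeCapable) { $flagged += "$($res.Name): $perm" }
    Write-Host ("{0,-8} {1,-30} {2}" -f $state, $res.Name, $perm)
}

Write-Host "`n$(@($grants.value).Count) application permission(s) granted; $($flagged.Count) need review."
$flagged | ForEach-Object { Write-Warning $_ }
```

Compare the printed names against the list on this page. Anything marked REVIEW, or any permission that is not on the list, was not requested by the integration and should be explained or revoked in Enterprise applications → Permissions.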
3. Configuring on the Azure Side
Provide tenant details
To begin setting up the Azure integration:
Open the Integrations page
Click the gear icon (⚙ Settings) in the top-right corner of Cye Platform.
In the left-hand sidebar, select Integrations and Workflows.
Add the Azure integration
Scroll down until you find the Azure integration card.
Click Add:
Enter tenant information
In the first step of the setup page, provide:
Integration name – any label that will help you recognize this integration in Cye Platform.
Tenant ID – the unique identifier of your Azure tenant:
Once these details are filled in, you’re ready to move on to the next stage: authentication, where you’ll choose between the two methods (OAuth or Client ID and Secret).
Choose an Authentication Method
At this stage, you’ll select how Cye Platform will authenticate with your Azure tenant. Two authentication options are available:
OAuth Authentication
Client ID and Secret Authentication
We’ll walk through each method step by step.
Method 1: OAuth Authentication
Tenant level authentication.
Check the box that appears, and then click Authenticate:
Subscription setup
If your tenant has no subscriptions, simply click Save.
If subscriptions exist, enable My Azure environment includes subscriptions and provide the CYE application with permission to access them.
Run the Cloud Shell script:
In Cye Platform, you’ll see a script provided for execution.
Copy the script (reproduced below) and run it in Azure Cloud Shell, using the PowerShell option of the Cloud Shell console in the Azure portal. The script calls the Azure CLI (az), so sign in to Cloud Shell as a user who holds Owner or User Access Administrator at the tenant root group; a Global Administrator obtains this by elevating access (Microsoft Entra ID → Properties → Access management for Azure resources). Without it, az reports an authorization error and no role assignment is created.
# Custom role that will be created, and the CYE application it is assigned to (do not change $appId)
$roleName = "CYE Azure Integration Reader"
$roleDescription = "Allows CYE to view resources within the Azure Tenant."
# Control-plane read on every resource type, plus the one action needed to evaluate effective NSG rules
$actions = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)
$appId = "aaa423c9-336c-4489-aa00-b58f7d46361f"
# If any management group is visible, the tenant root group exists; its name is the tenant ID
$mgList = az account management-group list --query "[].id" -o tsv
$rootMgName = az account show --query tenantId -o tsv
if ($mgList) {
    $rootMgId = az account management-group show --name $rootMgName --query "id" -o tsv
    if ($rootMgId) {
        # Create the role definition JSON, assignable only at the tenant root group
        $roleDefinition = @{
            "Name" = $roleName
            "Description" = $roleDescription
            "Actions" = $actions
            "AssignableScopes" = @($rootMgId)
        }
        $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
        az role definition create --role-definition $roleDefinitionJson
        # One assignment at the root group is inherited by every current and future subscription
        az role assignment create --role $roleName --assignee $appId --scope $rootMgId
    }
} else {
    # No management groups: create and assign one role per subscription, skipping the
    # tenant-level pseudo account that az lists for accounts without subscriptions
    $subs = az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv
    if ($subs) {
        foreach ($subId in $subs) {
            $roleDefinition = @{
                "Name" = "$roleName $subId"
                "Description" = $roleDescription
                "Actions" = $actions
                "AssignableScopes" = @("/subscriptions/$subId")
            }
            $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
            az role definition create --role-definition $roleDefinitionJson
            az role assignment create --role "$roleName $subId" --assignee $appId --scope "/subscriptions/$subId"
        }
    }
}
Important notes about the script:
You may change the value of $roleName to match your integration (optional). The role name is what you will search for when auditing or removing the integration later, so record it.
When management groups exist, the script assigns the role at the tenant root group, so read access is inherited by all current and future subscriptions.
If you are not using management groups, the script creates and assigns one role per existing subscription, and you must rerun it whenever a new subscription is added.
The role grants control-plane read access only: */read covers the configuration of every resource type but not data-plane operations or secret-listing operations such as listKeys, which are POST actions rather than reads. The single extra action lets Cye Platform evaluate effective network security group rules on network interfaces.
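Once the script has run, it is worth confirming that it did what the notes above describe and nothing more, since a failed az call is easy to miss in Cloud Shell output. The following verification script is an added example, not part of the page or of Cye's own tooling: run in Azure Cloud Shell (PowerShell), it checks that every custom role created by the vendor script grants exactly the two expected actions and no data actions, and that the CYE application holds the role either at the tenant root group or, when management groups are not in use, on every subscription. $roleName must match the value used when the vendor script was run; the expected action list is the one from the script itself.

```powershell
# Added verification example (not from the page or from Cye). Run in Azure Cloud Shell (PowerShell)
# after the vendor script has finished, with an account that can read RBAC at the root group.
$appId        = "aaa423c9-336c-4489-aa00-b58f7d46361f"
$roleName     = "CYE Azure Integration Reader"          # must match the vendor script
$expectedActs = @("*/read", "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action")

$tenantId  = az account show --query tenantId -o tsv
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"
$subIds    = @(az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv)
$problems  = 0

# 1. Role definitions: every role named after $roleName must grant exactly $expectedActs.
#    Definitions are listed per scope because a subscription-scoped role is invisible from the root group.
$scopes  = @($rootScope) + @($subIds | ForEach-Object { "/subscriptions/$_" })
$checked = @{}
foreach ($scope in $scopes) {
    $roles = az role definition list --custom-role-only true --scope $scope -o json 2>$null | ConvertFrom-Json
    foreach ($r in @($roles | Where-Object { $_.roleName -like "$roleName*" -and -not $checked.ContainsKey($_.id) })) {
        $checked[$r.id] = $true
        $perm  = $r.permissions[0]
        $extra = @($perm.actions | Where-Object { $_ -notin $expectedActs })
        if ($extra.Count -gt 0 -or @($perm.dataActions).Count -gt 0) {
            Write-Warning "Role '$($r.roleName)' grants more than expected: $(@($extra + $perm.dataActions) -join ', ')"
            $problems++
        } else {
            Write-Host "ok  role '$($r.roleName)' is control-plane read-only, assignable at $($r.assignableScopes -join ', ')"
        }
    }
}
if ($checked.Count -eq 0) { throw "No custom role named like '$roleName' found; the vendor script did not complete." }

# 2. Assignments: a root-group assignment covers every subscription; otherwise each needs its own.
$rootAssign  = az role assignment list --assignee $appId --scope $rootScope -o json 2>$null | ConvertFrom-Json
$rootCovered = @($rootAssign | Where-Object { $_.roleDefinitionName -eq $roleName }).Count -gt 0
if ($rootCovered) {
    Write-Host "ok  '$roleName' is assigned to $appId at the tenant root group ($rootScope)"
} else {
    foreach ($id in $subIds) {
        $a = az role assignment list --assignee $appId --scope "/subscriptions/$id" -o json | ConvertFrom-Json
        if (@($a | Where-Object { $_.roleDefinitionName -like "$roleName*" }).Count -eq 0) {
            Write-Warning "Subscription $id has no CYE role assignment; rerun the vendor script."
            $problems++
        } else {
            Write-Host "ok  subscription $id has a CYE role assignment"
        }
    }
}
Write-Host "`nVerification finished with $problems problem(s)."
```

Any subscription reported without an assignment will be missing from the assessment even though the integration saves successfully in Cye Platform; the limited-access warning mentioned later on this page is the symptom on the platform side.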
Complete the configuration
Wait for the script to finish running.
Back in Cye Platform, click Save at the bottom right to finalize the integration.
A confirmation message will appear once the integration has been successfully created.
Method 2: Client ID and Secret Authentication
Subscription level authentication.
Check the box of "Client ID and Secret Authentication":
Create application credentials in Azure
Open the Azure portal, navigate to App registrations and open the registration that Cye Platform will use (create one if it does not exist yet).
Copy the Application (client) ID – this will be your Client ID:
Generate a client secret
Under your app registration, go to Manage → Certificates & secrets.
Click New client secret:
A new pane opens on the right, where you enter a description and choose the secret's expiration. Once the secret expires, the integration stops authenticating until you create a new secret and update it in Cye Platform, so pick the shortest validity period your rotation process can sustain and record the expiry date. Azure shows the secret value only once, immediately after creation:
Click Add. Copy the secret's Value (not its Secret ID) from the Client secrets list and paste it into the corresponding field in Cye Platform:
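The same credential can be created from Azure Cloud Shell, which makes it easier to enforce a bounded lifetime and to see when rotation is due. The following script is an added example, not part of the page or of Cye's own tooling: it creates (or reuses) a single-tenant app registration, adds a client secret that expires after a fixed number of days without invalidating any existing secret, prints the Client ID and the one-time secret value for entry into Cye Platform, and then reports the days remaining on every secret of the app. The display name cye-platform-reader and the 90-day lifetime are placeholders chosen for this example. Granting the registration the Azure RBAC access it needs for subscription-level findings is a separate step not covered by the script.

```powershell
# Added example (not from the page or from Cye). Run in Azure Cloud Shell (PowerShell).
$appDisplayName = "cye-platform-reader"   # placeholder name for your own app registration
$secretDays     = 90                      # assumption: quarterly rotation; shorten if policy requires

# Reuse an existing registration with this name, otherwise create a single-tenant one.
$app = az ad app list --display-name $appDisplayName --query "[0]" -o json | ConvertFrom-Json
if (-not $app) {
    $app = az ad app create --display-name $appDisplayName --sign-in-audience AzureADMyOrg -o json | ConvertFrom-Json
    az ad sp create --id $app.appId -o none   # the service principal is what later receives role assignments
}
Write-Host "Client ID (paste into Cye Platform): $($app.appId)"

# Add a new secret with --append so an existing one keeps working until Cye Platform is updated,
# and bound its lifetime with --end-date (the secret name records the expiry for later reports).
$endDate = (Get-Date).ToUniversalTime().AddDays($secretDays).ToString("yyyy-MM-dd")
$cred = az ad app credential reset --id $app.appId --append --display-name "cye-$endDate" --end-date $endDate -o json |
        ConvertFrom-Json
Write-Host "Client secret (shown once; paste into Cye Platform now): $($cred.password)"
Remove-Variable cred   # do not leave the secret value in the session

# Expiry report for every secret on the app: plan the next rotation from this, not from memory.
$now = (Get-Date).ToUniversalTime()
foreach ($c in @(az ad app credential list --id $app.appId -o json | ConvertFrom-Json)) {
    $end      = [datetime]::Parse($c.endDateTime).ToUniversalTime()
    $daysLeft = [int]($end - $now).TotalDays
    $state    = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -le 14) { "EXPIRING" } else { "ok" }
    Write-Host ("{0,-9} {1,-30} expires {2:u} ({3} days)" -f $state, $c.displayName, $end, $daysLeft)
}
```

After Cye Platform has validated the new secret, remove the old one from Certificates & secrets so only the credential in use remains valid.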
4. Configuring in Cye Platform
On the Cye Platform side, your next steps are to enter the credentials and then create an engagement, which is required for the integration to run. We’ll now walk through both steps in detail:
Enter credentials in Cye Platform
Paste the Client ID and Client Secret into the corresponding fields in Cye Platform.
Click Validate. If successful, you’ll see a green confirmation message:
Finally, click Save in the lower-right corner.
Once authentication is complete — either via OAuth or Client ID and Secret — you’re ready to move on to Step 3: Creating the engagement and activation.
Create an Azure Engagement
An engagement defines the scope and context of the Azure assessment in Cye Platform. Without an engagement, no findings will be generated — even if the integration is already configured.
Engagement Overview
An engagement specifies:
Type of assessment – in this case, Azure
Scope – the integration to be assessed
Start and end dates
Frequency – set to Continuous for ongoing assessments
How to Create an Engagement in Cye Platform
In Cye Platform, go to Engagements.
Click + New Engagement.
Fill in the engagement details:
Engagement Name
Type: select Azure
Start/End Dates
Optional: add a description or restrictions if needed
Under Assessment Scope, select the Azure integration you created earlier.
Click Create.
Assign members and groups to define who has access.
5. Viewing Results
Viewing Azure Assessments
To review assessment results:
Navigate to Engagements.
Click the relevant engagement card.
Open the Assessments tab:
Note: If subscriptions are not defined, a limited access warning will appear.
6. Types of Fetched Entities
Findings in Azure Engagements
Once the engagement is active, Cye Platform begins generating findings:
Vulnerability Findings – created automatically and continuously updated.
Potential Findings – require customer verification before being confirmed.
Automatic Remediation Verification – fixed issues are updated in Cye Platform without manual intervention.
7. Deleting the Integration
You can remove an Azure integration at any time. Keep in mind that deletion is a two-sided process: the integration must be deleted both in Cye Platform and in the Azure portal.
From Cye Platform
Go to Settings → Integrations.
Locate the Azure integration.
Click Delete.
Deletion is only available if the integration is not in use (i.e., not linked to an active engagement).
From the Azure Portal
Log in to the Azure portal with appropriate permissions.
Navigate to Enterprise applications.
Search for and select the CYE application.
Go to View properties → Delete to remove the application from Azure.
Once both actions are completed, the integration is fully removed and Cye Platform no longer has access to your Azure environment. Note that deleting the enterprise application does not remove the custom role definition and role assignments created by the Cloud Shell script; the assignments remain as orphaned entries (shown as "Identity not found" in the portal) until you delete them in Azure RBAC as well.
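The Azure-side removal can be done from Cloud Shell in the order that avoids orphaned RBAC entries: assignments first, then the custom role definitions, then the service principal. The following script is an added example, not part of the page or of Cye's own tooling. It looks for roles named after $roleName at the tenant root group and on every subscription (covering both branches of the vendor script), deletes their assignments to the CYE application and the definitions themselves, and finally deletes the enterprise application. $roleName must match the value used when the vendor script was run; the Cye Platform side of the deletion is unchanged.

```powershell
# Added cleanup example (not from the page or from Cye). Run in Azure Cloud Shell (PowerShell)
# BEFORE deleting the enterprise application, so that az can still resolve the assignee.
$appId    = "aaa423c9-336c-4489-aa00-b58f7d46361f"
$roleName = "CYE Azure Integration Reader"   # must match the vendor script

$tenantId = az account show --query tenantId -o tsv
$scopes   = @("/providers/Microsoft.Management/managementGroups/$tenantId") +
            @(az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv | ForEach-Object { "/subscriptions/$_" })

# 1. Custom roles created by the script: one at the root group, or one per subscription.
$seen = @{}
foreach ($scope in $scopes) {
    $roles = az role definition list --custom-role-only true --scope $scope -o json 2>$null | ConvertFrom-Json
    foreach ($r in @($roles | Where-Object { $_.roleName -like "$roleName*" -and -not $seen.ContainsKey($_.id) })) {
        $seen[$r.id] = $true
        # 2. Remove the assignment at each scope the role is assignable to, then the definition.
        foreach ($s in $r.assignableScopes) {
            az role assignment delete --assignee $appId --role $r.roleName --scope $s
            Write-Host "Removed assignment of '$($r.roleName)' at $s"
        }
        az role definition delete --name $r.roleName
        Write-Host "Deleted custom role '$($r.roleName)'"
    }
}
if ($seen.Count -eq 0) { Write-Warning "No custom role named like '$roleName' found; nothing to clean up in RBAC." }

# 3. Remove the enterprise application; this also revokes the Microsoft Graph consent.
$sp = az ad sp show --id $appId -o json 2>$null | ConvertFrom-Json
if ($sp) {
    az ad sp delete --id $sp.id
    Write-Host "Deleted service principal '$($sp.displayName)' ($($sp.id))"
} else {
    Write-Host "No service principal for app $appId in this tenant; nothing to delete."
}
```

Deleting the service principal requires Cloud-Application-Administrator-level rights in Microsoft Entra ID in addition to the RBAC rights at the root group; if the CYE integration is still linked to an active engagement in Cye Platform, delete the engagement first so that the platform-side deletion is possible.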
Wrap-up
In this article, we explored how to connect Microsoft Azure with Cye Platform to strengthen cloud security visibility. We reviewed the prerequisites, tenant setup, and the two available authentication methods (OAuth or Client ID and Secret). We then walked through creating an Azure engagement to generate findings, and learned how Cye Platform automatically updates remediation status. Finally, we covered how to delete the integration from both Cye Platform and the Azure portal. Together, these steps ensure a secure, complete, and maintainable Azure integration.