Azure Cloud

The OX Azure connector connects OX Security to your Microsoft Azure environment and provides cloud-level visibility, asset context, and Kubernetes deployment enrichment across the platform.

The connector enables OX to collect metadata from your Azure subscriptions and correlate it with applications, workloads, container images, and security findings.

The Azure connector is also required when connecting Azure Kubernetes Service (AKS) clusters to OX.

What the Azure connector provides

  • Cloud asset visibility: Identifies assets deployed across your Azure subscriptions

  • Kubernetes enrichment: Adds deployment and runtime context for AKS workloads

  • Internet exposure context: Detects whether workloads are publicly reachable

  • Cloud BOM generation: Builds a cloud-based bill of materials (Cloud BOM)

  • Runtime-aware prioritization: Enriches issues with severity context based on live deployment status

  • Attack path visibility: Extends Attack Path analysis with cloud reachability information

  • Runtime-aware scanning: Scans the specific container image versions actively running in your cloud environment, not only the latest versions available in the registry. This improves prioritization accuracy and reduces unnecessary scanning noise.

Supported environments

The Azure connector supports:

  • Microsoft Azure subscriptions

  • Azure Kubernetes Service (AKS)

Enriched visibility across OX

After the connector is configured, cloud deployment context is reflected across multiple areas in OX.

  • Applications: Displays Kubernetes deployment details, Application Flow data, and deployment tags

  • Active Issues: Adds Kubernetes reachability and runtime severity factors

  • Attack Path: Displays cloud and Kubernetes reachability paths

  • Artifact BOM: Shows where artifacts are deployed across cloud environments and clusters

  • Artifact integrity: Detects images running from untrusted or unknown sources

Prerequisites

  • An Azure account with permission to register applications in Microsoft Entra ID

  • Owner or User Access Administrator IAM role on the Azure subscription you want to connect

  • Global Administrator or Application Administrator role in Microsoft Entra ID (required to grant admin consent for Microsoft Graph API permissions in Step 2)

Step 1: Register an application and assign predefined and custom roles [Azure]

  1. Sign in to the Azure portal.

  2. Navigate to App registrations and select New registration.

  3. Enter a name for the application. For example: ox-security-connector.

  4. Under Supported account types, keep Accounts in this organizational directory only (Single tenant) selected.

  5. Select Register.

  6. On the application's Overview page, note the following values. You need them in Step 4.

    • Application (client) ID

    • Directory (tenant) ID

  7. Navigate to Subscriptions and select the subscription you want to connect.

  8. To assign predefined roles, select Access control (IAM), then select Add > Add role assignment.

  9. On the Role tab, select a role.

  10. On the Members tab, select your application.

  11. On the Review + assign tab, select Review + assign.

  12. Repeat steps 9–11 for each of the following roles:

  • Reader

  • Storage Blob Data Reader

  • Storage File Data Privileged Reader

Note: To connect to Azure Kubernetes Service (AKS), assign the following roles at the subscription or cluster level:

  • Azure Kubernetes Service RBAC Reader

  • Azure Kubernetes Service Cluster User Role

  13. To define a custom role, select Access control (IAM), then select Add > Add custom role.

  14. Add a custom role name and a description, then select Next.

  15. Add the following actions:

  • Microsoft.Web/sites/config/list/action

  • Microsoft.Network/bastionHosts/getShareableLinks/action

  16. Select Next. The new custom role details appear.

  17. Select Create.

  18. On the Role assignments tab, confirm that all the roles you have created are assigned to your application.

  19. Navigate to Resource Manager > Management groups.

  20. Select the root management group.

  21. Select Access control (IAM), then select Add > Add role assignment.

  22. Assign the Management Group Reader role to your application and select Review + assign.
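To confirm that Step 1 left the connector's service principal with exactly the roles listed above and nothing broader, here is an added Python check (not OX code) that reads the JSON printed by `az role assignment list --assignee <client-id> --all -o json`; the sample assignments, the custom role name and the subscription and management group ids are constructed placeholders.

```python
"""Offline check that the connector app's Azure role assignments match the set
this guide asks for. Added example, not OX code. Input is assumed to be the JSON
printed by `az role assignment list --assignee <client-id> --all -o json`."""
import json

# Roles the guide assigns on the subscription (Step 1).
SUBSCRIPTION_ROLES = {"Reader", "Storage Blob Data Reader",
                      "Storage File Data Privileged Reader"}
# Role the guide assigns on the root management group (Step 1).
MANAGEMENT_GROUP_ROLES = {"Management Group Reader"}
# Only needed when AKS clusters will be connected.
AKS_ROLES = {"Azure Kubernetes Service RBAC Reader",
             "Azure Kubernetes Service Cluster User Role"}

# Constructed sample in the shape of `az role assignment list` output; ids are placeholders.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Management Group Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-placeholder"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def check_assignments(assignments_json, custom_role_name, connect_aks=False):
    """Return (missing, excess): roles the guide requires that are not assigned, and
    assigned roles the guide never asks for (a least-privilege signal). Cluster-scoped
    AKS assignments sit under /subscriptions/ and are counted as subscription scope."""
    sub_roles, mg_roles = set(), set()
    for item in json.loads(assignments_json):
        target = mg_roles if "/managementGroups/" in item["scope"] else sub_roles
        target.add(item["roleDefinitionName"])
    required_sub = SUBSCRIPTION_ROLES | {custom_role_name}
    if connect_aks:
        required_sub = required_sub | AKS_ROLES
    missing = sorted(required_sub - sub_roles) + sorted(MANAGEMENT_GROUP_ROLES - mg_roles)
    allowed = SUBSCRIPTION_ROLES | MANAGEMENT_GROUP_ROLES | AKS_ROLES | {custom_role_name}
    excess = sorted((sub_roles | mg_roles) - allowed)
    return missing, excess


if __name__ == "__main__":
    missing, excess = check_assignments(SAMPLE_ASSIGNMENTS, "ox-connector-custom")
    print("missing:", missing)  # required roles still to assign
    print("excess:", excess)    # roles beyond what the connector needs
```

Anything reported as excess (Contributor in the sample) is a role the connector does not need and is worth removing before connecting.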

Step 2: Configure API permissions and create a client secret [Azure]

  1. Navigate to App registrations and select your application.

  2. Select API permissions, then select Add a permission.

  3. Select Microsoft Graph.

  4. Select Application permissions.

  5. Search for and enable Directory.Read.All.

  6. Search for and enable Policy.Read.All.

  7. Select Add permissions.

  8. If required, select Grant admin consent and confirm.

  9. Select Certificates & secrets, then select New client secret.

  10. Enter a description for the secret.

  11. Set the expiration period.

  12. Select Add.

  13. Copy the Value immediately. It is not shown again after you leave this page.

Note: If the client secret expires, you must generate a new one and reconnect in the OX platform.

Step 3: Generate an Azure access token [Azure]

You can generate an Azure access token to verify API access independently of the OX connector.

To generate an Azure access token using the Azure CLI:

  1. Sign in to Azure:

  2. Run the following command to retrieve an access token:

To generate an Azure access token using Azure Cloud Shell:

  1. Select the Cloud Shell icon (>_) in the top bar.

  2. Select Bash.

  3. Run the following command:

  4. Copy the token.

To generate an Azure access token using Graph Explorer (Microsoft Graph tokens only):

  1. Sign in.

  2. Select the profile icon and open the Access token tab.

  3. Copy the token.
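As an added example (not OX code), the following Python inspects a token obtained by any of the methods above, for instance the accessToken value that `az account get-access-token` prints, so you can confirm it was issued to the connector app in your tenant and for the API you intend to call before using it; the tenant id, client id and token are constructed placeholders.

```python
"""Inspect an access token from Step 3 before using it to check API access.
Added example, not OX code. It decodes the JWT payload only and does not verify
the signature, so it confirms audience, tenant, app and expiry, nothing more."""
import base64
import json
import time


def decode_jwt_payload(token):
    """Return the claims of a JWT as a dict (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token, expected_tenant, expected_client, now=None):
    """Report whether a token was issued for the connector app and which API it targets.
    v1.0 tokens carry the app id in `appid`, v2.0 tokens in `azp`."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    app = claims.get("appid") or claims.get("azp")
    return {
        "audience": claims.get("aud"),
        "tenant_matches": claims.get("tid") == expected_tenant,
        "client_matches": app == expected_client,
        "seconds_left": int(claims.get("exp", 0) - now),
        "expired": claims.get("exp", 0) <= now,
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(claims):
    """Construct an unsigned sample token so the example runs offline; real tokens
    from `az account get-access-token` are signed by Microsoft Entra ID."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed claims; the ids are placeholders for the values noted in Step 1.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKEN = build_sample_token({"aud": "https://management.azure.com/",
                                   "tid": TENANT_ID, "appid": CLIENT_ID,
                                   "exp": 1_700_003_600})
```

A token whose audience is Microsoft Graph (such as one from Graph Explorer) will not be accepted by the Azure Resource Manager API, and vice versa, which is the first thing to check when an access test fails.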

Step 4: Connect to Azure [OX]

  1. In the OX Security platform, go to Connectors and search for Azure.

  2. Select Azure and enter the following credentials in the Configure your Azure credentials dialog.

  • Tenant ID: Directory (tenant) ID noted in Step 1

  • Client ID: Application (client) ID noted in Step 1

  • Client Secret: Secret value copied in Step 2

  3. Select CONNECT. A success message appears.
