# Azure Cloud

The OX Azure connector connects OX Security to your Microsoft Azure environment and provides cloud-level visibility, asset context, and Kubernetes deployment enrichment across the platform.

The connector enables OX to collect metadata from your Azure subscriptions and correlate it with applications, workloads, container images, and security findings.

The Azure connector is also required when connecting Azure Kubernetes Service (AKS) clusters to OX.

#### What the Azure connector provides

| Capability                   | Description                                                                                                                                                                                                                   |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Cloud asset visibility       | Identifies assets deployed across your Azure subscriptions                                                                                                                                                                    |
| Kubernetes enrichment        | Adds deployment and runtime context for AKS workloads                                                                                                                                                                         |
| Internet exposure context    | Detects whether workloads are publicly reachable                                                                                                                                                                              |
| Cloud BOM generation         | Builds a cloud-based bill of materials (Cloud BOM)                                                                                                                                                                            |
| Runtime-aware prioritization | Enriches issues with severity context based on live deployment status                                                                                                                                                         |
| Attack path visibility       | Extends Attack Path analysis with cloud reachability information                                                                                                                                                              |
| Runtime-aware scanning       | Scans the specific container image versions actively running in your cloud environment, not only the latest versions available in the registry. This improves prioritization accuracy and reduces unnecessary scanning noise. |

#### Supported environments

The Azure connector supports:

* Microsoft Azure subscriptions
* Azure Kubernetes Service (AKS)

#### Enriched visibility across OX

After the connector is configured, cloud deployment context is reflected across multiple areas in OX.

| Area               | Enrichment                                                                         |
| ------------------ | ---------------------------------------------------------------------------------- |
| Applications       | Displays Kubernetes deployment details, Application Flow data, and deployment tags |
| Active Issues      | Adds Kubernetes reachability and runtime severity factors                          |
| Attack Path        | Displays cloud and Kubernetes reachability paths                                   |
| Artifact BOM       | Shows where artifacts are deployed across cloud environments and clusters          |
| Artifact integrity | Detects images running from untrusted or unknown sources                           |

### Prerequisites

* An Azure account with permission to register applications in Microsoft Entra ID
* **Owner** or **User Access Administrator** IAM role on the Azure subscription you want to connect
* **Global Administrator** or **Application Administrator** role in Microsoft Entra ID (required to grant admin consent for Microsoft Graph API permissions in Step 2)

### Step 1: Register an application and assign predefined and custom roles \[Azure]

1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Navigate to **App registrations** and select **New registration**.

3. Enter a name for the application. For example: `ox-security-connector`.
4. Under **Supported account types**, keep **Accounts in this organizational directory only (Single tenant)** selected.
5. Select **Register**.
6. On the application's **Overview** page, note the following values. You need them in Step 4.
   * **Application (client) ID**
   * **Directory (tenant) ID**
7. Navigate to **Subscriptions** and select the subscription you want to connect.

8. To assign predefined roles, select **Access control (IAM)**, then select **Add** > **Add role assignment**.

9. On the **Role** tab, select a role.
10. On the **Members** tab, select your application.
11. On the **Review + assign** tab, select **Review + assign**.

12. Repeat steps 9–11 for each of the following roles:
    * **Reader**
    * **Storage Blob Data Reader**
    * **Storage File Data Privileged Reader**

    **Note:** To connect to Azure Kubernetes Service (AKS), also assign the following roles at the subscription or cluster level:
    * **Azure Kubernetes Service RBAC Reader**
    * **Azure Kubernetes Service Cluster User Role**

13. To define a custom role, select **Access control (IAM)**, then select **Add** > **Add custom role**.

14. Add a custom role name, a description, and select **Next**.
15. Add the following actions:
    * `Microsoft.Web/sites/config/list/action`
    * `Microsoft.Network/bastionHosts/getShareableLinks/action`

16. Select **Next**. The new custom role details appear.

17. Select **Create**.
18. On the **Role assignments** tab, confirm that every role listed above (the built-in roles and the custom role) is assigned to your application.

19. Navigate to **Resource Manager** > **Management groups**.

20. Select the root management group.
21. Select **Access control (IAM)**, then select **Add** > **Add role assignment**.
22. Assign the **Management Group Reader** role to your application and select **Review + assign**.

### Step 2: Configure API permissions and create a client secret \[Azure]

1. Navigate to **App registrations** and select your application.
2. Select **API permissions**, then select **Add a permission**.
3. Select **Microsoft Graph**.

4. Select **Application permissions**.
5. Search for and enable `Directory.Read.All`.
6. Search for and enable `Policy.Read.All`.
7. Select **Add permissions**.
8. If required, select **Grant admin consent** and confirm.

9. Select **Certificates & secrets**, then select **New client secret**.

10. Enter a description for the secret.
11. Set the expiration period.
12. Select **Add**.
13. Copy the **Value** immediately. It is not shown again after you leave this page. **Note:** If the client secret expires, you must generate a new one and reconnect in the OX platform.
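The script below is an added example, not OX's own tooling, that carries out Steps 1 and 2 with the Azure CLI instead of the portal. It assumes an `az login` session held by an account with the roles listed under Prerequisites, the display name `ox-security-connector` from Step 1, and a custom role name of `OX Security Connector Reader` (the page prescribes no name, so that one is an assumption). The Graph permission IDs are resolved by name from the Microsoft Graph service principal rather than hardcoded, and the AKS roles are assigned at subscription scope; pass an AKS cluster resource ID as the scope instead if cluster-level assignment is all the connector needs.

```bash
#!/usr/bin/env bash
# Added example, not OX's own tooling: Steps 1 and 2 via the Azure CLI.
# Assumes an `az login` session with the Prerequisites roles. Nothing is
# applied unless OX_APPLY=1, so the file can be sourced for its helpers.
set -eu

APP_NAME="${APP_NAME:-ox-security-connector}"                          # display name from Step 1
CUSTOM_ROLE_NAME="${CUSTOM_ROLE_NAME:-OX Security Connector Reader}"   # assumed name; the page sets none
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"                    # well-known Microsoft Graph app ID

# Built-in roles from Step 1, step 12, one per line.
ox_subscription_roles() {
  printf '%s\n' "Reader" "Storage Blob Data Reader" "Storage File Data Privileged Reader"
}

# AKS roles from the note under step 12 (subscription or cluster scope).
ox_aks_roles() {
  printf '%s\n' "Azure Kubernetes Service RBAC Reader" "Azure Kubernetes Service Cluster User Role"
}

# Custom role from steps 13-17, in the JSON shape `az role definition create` expects.
# $1 = scope at which the role may be assigned, e.g. /subscriptions/<id>.
ox_custom_role_json() {
  cat <<EOF
{
  "Name": "$CUSTOM_ROLE_NAME",
  "IsCustom": true,
  "Description": "Read-only actions the OX Azure connector needs beyond the built-in Reader role",
  "Actions": [
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Network/bastionHosts/getShareableLinks/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["$1"]
}
EOF
}

# Assign each role read from stdin to the service principal object ID ($1) at scope ($2).
assign_roles() {
  while IFS= read -r role; do
    az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$2" -o none
  done
}

ox_apply() {
  sub_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  scope="/subscriptions/$sub_id"

  # Step 1, steps 2-6: single-tenant registration and its service principal. Run once;
  # a second run registers another app with the same display name.
  app_id=$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$app_id" -o none
  sp_id=$(az ad sp show --id "$app_id" --query id -o tsv)

  # Steps 8-12 plus the AKS note, both at subscription scope here.
  ox_subscription_roles | assign_roles "$sp_id" "$scope"
  ox_aks_roles | assign_roles "$sp_id" "$scope"

  # Steps 13-18: create the custom role from the JSON above, then assign it.
  tmp=$(mktemp)
  ox_custom_role_json "$scope" > "$tmp"
  az role definition create --role-definition "@$tmp" -o none
  rm -f "$tmp"
  printf '%s\n' "$CUSTOM_ROLE_NAME" | assign_roles "$sp_id" "$scope"

  # Steps 19-22: Management Group Reader on the tenant root management group (its ID is the tenant ID).
  printf '%s\n' "Management Group Reader" | assign_roles "$sp_id" "/providers/Microsoft.Management/managementGroups/$tenant_id"

  # Step 2, steps 2-8: Graph application permissions, resolved by name from the Graph
  # service principal's appRoles so no permission IDs are hardcoded, then admin consent.
  for perm in Directory.Read.All Policy.Read.All; do
    role_id=$(az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$perm'].id | [0]" -o tsv)
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions "$role_id=Role" -o none
  done
  az ad app permission admin-consent --id "$app_id" -o none

  # Step 2, steps 9-13: one-year client secret. Shown once; store it in a secret manager, not shell history.
  echo "TENANT_ID=$tenant_id"
  echo "CLIENT_ID=$app_id"
  echo "CLIENT_SECRET=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)"
}

if [ "${OX_APPLY:-0}" = "1" ]; then ox_apply; fi
```

Run it as `OX_APPLY=1 ./ox-azure-setup.sh` once per subscription; the three printed values map directly onto the Step 4 fields. The role definitions and assignments are kept in small functions so the same role list can be reviewed (or diffed against what `az role assignment list --assignee <client id>` reports) without running the apply step.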

### Step 3: Generate an Azure access token \[Azure]

You can generate an Azure access token to verify API access independently of the OX connector.

**To generate an Azure access token using the Azure CLI:**

1. Sign in to Azure:

```bash
az login
```

2. Run the following command to retrieve an access token:

```bash
az account get-access-token --resource https://management.azure.com --query accessToken -o tsv
```

**To generate an Azure access token using Azure Cloud Shell:**

1. Open [portal.azure.com](https://portal.azure.com/).
2. Select the **Cloud Shell** icon (`>_`) in the top bar.
3. Select **Bash**.
4. Run the following command:

```bash
az account get-access-token --query accessToken -o tsv
```

5. Copy the token.

**To generate an Azure access token using Graph Explorer (Microsoft Graph tokens only):**

1. Open [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
2. Sign in.
3. Select the profile icon and open the **Access token** tab.
4. Copy the token.
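The page leaves it to you to confirm what the token you generated is good for. The helper below is an added example, not part of the OX documentation: it decodes the JWT payload locally (no signature check, which is the resource server's job) and verifies the audience and expiry, so an Azure Resource Manager token is not confused with a Graph Explorer token, which carries a Microsoft Graph audience. The sample token is constructed inline with an all-zero app ID and a dummy signature.

```bash
#!/usr/bin/env bash
# Added example (not part of the OX documentation): inspect an Azure access token
# from Step 3 before relying on it. Decodes the payload only; signatures are
# verified by the resource server when the token is presented.

# Decode the second (payload) segment of a JWT: base64url -> base64, re-pad, decode.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract a top-level claim ($2) from a flat JSON payload ($1); handles string and numeric values.
jwt_claim() {
  printf '%s' "$1" | sed -n \
    -e "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" \
    -e "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Return 0 when the token's audience equals $2 (trailing slash ignored) and it has not
# expired; explain the problem on stderr and return 1 otherwise.
check_token() {
  payload=$(jwt_payload "$1")
  aud=$(jwt_claim "$payload" aud)
  exp=$(jwt_claim "$payload" exp)
  if [ "${aud%/}" != "${2%/}" ]; then
    echo "audience is '$aud', expected '$2' (a Graph Explorer token carries a Graph audience and is rejected by ARM)" >&2
    return 1
  fi
  if [ -z "$exp" ] || [ "$exp" -le "$(date +%s)" ]; then
    echo "token is expired or has no exp claim; generate a fresh one" >&2
    return 1
  fi
  echo "token for ${aud%/} is valid until epoch $exp"
}

# Constructed sample token (not a real Azure token): RS256 header, ARM audience,
# far-future expiry (2100-01-01), all-zero app ID, dummy signature.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' '{"aud":"https://management.azure.com","exp":4102444800,"appid":"00000000-0000-0000-0000-000000000000"}' | b64url).constructed-signature"

# Usage with a live token from Step 3:
#   check_token "$(az account get-access-token --resource https://management.azure.com --query accessToken -o tsv)" https://management.azure.com
if [ "${1:-}" = "--demo" ]; then check_token "$SAMPLE_TOKEN" https://management.azure.com; fi
```

Pass `https://graph.microsoft.com` as the expected audience when checking a Graph Explorer token, and `https://management.azure.com` for the tokens from the CLI and Cloud Shell commands above; a mismatch is the usual reason a freshly generated token returns 401 from the other API.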

### Step 4: Connect to Azure \[OX]

1. In the OX Security platform, go to **Connectors** and search for **Azure**.
2. Select **Azure** and enter the following credentials in the **Configure your Azure credentials** dialog.

| Field             | What to use                             |
| ----------------- | --------------------------------------- |
| **Tenant ID**     | Directory (tenant) ID noted in Step 1   |
| **Client ID**     | Application (client) ID noted in Step 1 |
| **Client Secret** | Secret value copied in Step 2           |

3. Select **CONNECT**. A success message appears.
