Azure Integration Setup Guide


This guide walks you through setting up a Microsoft Azure integration using the Service Principal application authentication method.

Prerequisites

Before starting, ensure you have:

  • Azure account administrator access or appropriate Azure AD permissions

  • Access to Azure Portal or Azure CLI

  • Your Azure Subscription ID and Tenant ID

Step-by-Step Setup Process

Step 1: Access the Azure Integration Dialog

Navigate to Integrations in the Swise menu and locate the Microsoft Azure integration. Click Connect to open the "Connect Microsoft Azure" dialog.

Step 2: Enter Subscription Information

In the Subscription ID tab (the first tab), enter your information:

  • Subscription ID: Enter your Azure Subscription ID (e.g., 8asd823h-adsj22jnw-ad23ee-345ja6u...)

  • Provider alias: (Optional) Enter a friendly name to identify this Azure subscription (e.g., "Production Azure" or "Dev Environment")

Click Credentials → to proceed to the next step.

Step 3: Configure Service Principal Credentials

In the Credentials tab, you'll need to provide the Service Principal authentication details. Before proceeding, you must create a Service Principal in Azure with the proper permissions.

Creating the Azure Service Principal

You have two options to create the required Service Principal:

Option A: Using Azure Portal

  1. Access Microsoft Entra ID in the Azure Portal

  2. Navigate to App registrations in the left menu

  3. Click + New registration to register a new application

  4. Fill in the Name, select Supported account types, and click Register

  5. Once created, go to Certificates & secrets in the left menu

  6. Click + New client secret

  7. Fill in Description and Expires fields, then click Add

  8. Important: Copy the secret value immediately - this will be your Client Secret

Option B: Using Azure CLI

  1. Open a terminal and execute:

    az ad sp create-for-rbac --name "swise-service-principal"

  2. Save the values from the output:

    • appId → Client ID

    • password → Client Secret

    • tenant → Tenant ID

Entering Credentials

Once you have created the Service Principal, complete the credentials section:

  • Client ID: Enter the Application (client) ID from your Service Principal (e.g., 8asd823h-adsj22jnw-ad23ee-345ja6u...)

  • Client Secret: Enter the client secret value you copied (e.g., awe-3jss0dd-ad23ae-fwtdasa-sasf8ggs...)

  • Tenant ID: Enter your Azure Tenant ID (e.g., 328sjdd-shd64hsd-kds9833d-sd2kaift4...)

Click Compliance standards → to proceed.

Step 4: Assign Required Permissions

Before completing the integration, you must assign the proper permissions to your Service Principal. This involves two types of permissions:

Microsoft Entra ID Permissions

Assign the following Microsoft Graph API permissions to your Service Principal:

  • Directory.Read.All - Required for all identity-related checks

  • Policy.Read.All - Required for policy and configuration checks

  • UserAuthenticationMethod.Read.All - Required for MFA-related checks

To assign via Azure Portal:

  1. Navigate to your App registration → API permissions

  2. Click + Add a permission → Microsoft Graph

  3. Select Application permissions

  4. Search for and select the three permissions listed above

  5. Click Add permissions

  6. Important: Click Grant admin consent to activate the permissions

Azure Subscription Permissions

Assign the following RBAC roles to your Service Principal at the subscription level:

  • Reader - Built-in role for read access to resources

  • SwiseRole - Custom role with minimal required permissions

💡 Note: Some checks need additional read-only permissions that are not included in the built-in Reader role; for these checks we use a custom role. This role is defined in swise-azure-custom-role. Once the custom role is created, you can assign it in the same way as the Reader role.

Create SwiseRole from Azure Portal

  1. Download the swise-azure-custom-role file and set the assignableScopes field to the subscription where the role assignment is going to be made. The value should look something like /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

  2. Access your subscription.

  3. Select "Access control (IAM)".

  4. Click on "+ Add" and select "Add custom role".

  5. Under "Baseline permissions", select "Start from JSON" and upload the file you downloaded and modified in step 1.

  6. Click on "Review + create" to create the new role.
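A pre-upload check for the edited role file, added here as an example (it is not Swise's or Microsoft's code). It assumes the file uses the portal's "Start from JSON" layout (properties.assignableScopes and properties.permissions); the function name review_custom_role and the sample role are constructed for illustration and do not reproduce the real swise-azure-custom-role file.

```python
import json
import re

# Exactly one subscription scope: /subscriptions/<GUID>, nothing broader or deeper.
SUB_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample: placeholder scope left unedited, one key-listing action,
# and one wildcard. Not the contents of the real role file.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "SwiseRole",
    "assignableScopes": ["/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],
    "permissions": [{
        "actions": [
            "Microsoft.Web/sites/config/read",
            "Microsoft.Web/sites/host/listkeys/action",
            "Microsoft.Storage/*",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}})


def review_custom_role(role_json: str, expected_subscription_id: str) -> list[str]:
    """Return findings to review before upload; an empty list means none."""
    doc = json.loads(role_json)
    props = doc.get("properties", doc)  # tolerate files without the wrapper
    findings = []
    wanted = f"/subscriptions/{expected_subscription_id}".lower()
    scopes = props.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        trimmed = scope.rstrip("/")
        if not SUB_SCOPE.match(trimmed):
            findings.append(f"scope is not a single subscription: {scope}")
        elif trimmed.lower() != wanted:
            findings.append(f"scope targets a different subscription: {scope}")
    for perm in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            for action in perm.get(key, []):
                if "*" in action:
                    findings.append(f"wildcard in {key}: {action}")
                elif not action.lower().endswith("/read"):
                    findings.append(f"non-read operation in {key}: {action}")
    return findings


if __name__ == "__main__":
    for finding in review_custom_role(SAMPLE_ROLE, "11111111-2222-3333-4444-555555555555"):
        print(finding)
```

A finding on an /action operation is a prompt to confirm which check needs it, since such operations can return secrets even in a role described as read-only.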

Step 5: Select Compliance Standards

In the Compliance standards tab, choose which security frameworks to evaluate against:

Auto-selected Standards

Swise will pre-select compliance standards to match your organisation's Security Compliance project. For example, if your organisation's security compliance project is set to SOC 2, then SOC 2 will be auto-selected here.

SOC 2 ✅ (Auto-selected)

  • SOC 2 Standard is designed for organisations that require an international level of security practices

  • This standard is designed for Service organisations that work primarily in the FinTech Industry

Optional Standards

CIS Controls V8 (Optional)

  • Check this option if you'd like to also monitor the Azure resources from the perspective of the CIS Controls framework

  • CIS Controls V8 is a cybersecurity framework developed by the Centre for Internet Security that provides a prioritised set of 18 security controls designed to help organisations defend against the most common cyber attacks

Click Connect to finalise the setup.

Step 6: Swise will make the connection 🎉

After clicking Connect, the Swise system will:

  1. Authenticate with Azure using your Service Principal credentials

  2. Verify the assigned permissions

  3. Activate monitoring for your Azure subscription

Results from this monitoring will soon become available in the Cloud Security dashboard, which you can access by selecting Cloud Security from the Swise menu.

Troubleshooting

Common Issues

Authentication Failed

  • Verify your Client ID, Client Secret, and Tenant ID are correct

  • Ensure the client secret hasn't expired

  • Check that admin consent has been granted for API permissions

Insufficient Permissions

  • Confirm both Microsoft Graph API permissions and Azure RBAC roles are assigned

  • Verify the custom SwiseRole has been created and assigned

  • Check that the Service Principal has access to the target subscription

Connection Timeout

  • Ensure your Azure subscription is active and accessible

  • Verify network connectivity to Azure services

  • Check if any conditional access policies are blocking the Service Principal

© Copyright 2025 Swise Limited • All rights reserved.
