Azure Integration Setup Guide
This guide walks you through setting up a Microsoft Azure integration using the Service Principal application authentication method.
Prerequisites
Before starting, ensure you have:
Azure account administrator access or appropriate Azure AD permissions
Access to Azure Portal or Azure CLI
Your Azure Subscription ID and Tenant ID
Step-by-Step Setup Process
Step 1: Access the Azure Integration Dialog

Navigate to Integrations in the Swise menu and locate the Microsoft Azure integration. Click Connect to open the "Connect Microsoft Azure" dialog.
Step 2: Enter Subscription Information
In the Subscription ID tab (the first tab), enter your information:
Subscription ID: Enter your Azure Subscription ID (e.g., 8asd823h-adsj22jnw-ad23ee-345ja6u...)
Provider alias: (Optional) Enter a friendly name to identify this Azure subscription (e.g., "Production Azure" or "Dev Environment")
Click Credentials → to proceed to the next step.
Step 3: Configure Service Principal Credentials

In the Credentials tab, you'll need to provide the Service Principal authentication details. Before proceeding, you must create a Service Principal in Azure with the proper permissions.
Creating the Azure Service Principal
You have two options to create the required Service Principal:
Option A: Using Azure Portal
Access Microsoft Entra ID in the Azure Portal
Navigate to App registrations in the left menu
Click + New registration to register a new application
Fill in the Name, select Supported account types, and click Register
Once created, go to Certificates & secrets in the left menu
Click + New client secret
Fill in Description and Expires fields, then click Add
Important: Copy the secret value immediately - this will be your Client Secret
Option B: Using Azure CLI
Open a terminal and execute:
```bash
az ad sp create-for-rbac --name "swise-service-principal"
```
Save the values from the output:
appId → Client ID
password → Client Secret
tenant → Tenant ID
Entering Credentials
Once you have created the Service Principal, complete the credentials section:
Client ID: Enter the Application (client) ID from your Service Principal (e.g., 8asd823h-adsj22jnw-ad23ee-345ja6u...)
Client Secret: Enter the client secret value you copied (e.g., awe-3jss0dd-ad23ae-fwtdasa-sasf8ggs...)
Tenant ID: Enter your Azure Tenant ID (e.g., 328sjdd-shd64hsd-kds9833d-sd2kaift4...)
Click Compliance standards → to proceed.
Step 4: Assign Required Permissions
Before completing the integration, you must assign the proper permissions to your Service Principal. This involves two types of permissions:
Microsoft Entra ID Permissions
Assign the following Microsoft Graph API permissions to your Service Principal:
Directory.Read.All - Required for all identity-related checks
Policy.Read.All - Required for policy and configuration checks
UserAuthenticationMethod.Read.All - Required for MFA-related checks
To assign via Azure Portal:
Navigate to your App registration → API permissions
Click + Add a permission → Microsoft Graph
Select Application permissions
Search for and select the three permissions listed above
Click Add permissions
Important: Click Grant admin consent to activate the permissions
Azure Subscription Permissions
Assign the following RBAC roles to your Service Principal at the subscription level:
Reader - Built-in role for read access to resources
SwiseRole - Custom role with minimal required permissions
💡 Note: Some checks need additional read-only permissions that are not included in the built-in Reader role; for these checks we use a custom role. This role is defined in swise-azure-custom-role. Once the custom role is created, you can assign it in the same way as the Reader role.
Create SwiseRole from Azure Portal
Download the swise-azure-custom-role file and modify the assignableScopes field to be the subscription ID where the role assignment is going to be made; it should be something like /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
Access your subscription.
Select "Access control (IAM)".
Click on "+ Add" and select "Add custom role".
In "Baseline permissions", select "Start from JSON" and upload the file downloaded and modified in step 1.
Click on "Review + create" to create the new role.
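Before uploading a role definition supplied by a third party, it is worth confirming that it is assignable only in the intended subscription and grants only read operations. The following is an added example, not part of the Swise guide or the swise-azure-custom-role file: it assumes the portal's "Start from JSON" layout (properties.assignableScopes and properties.permissions[].actions), and the sample role and the audit_role helper are constructed for illustration.

```python
import json
import re

# Constructed sample in the portal's "Start from JSON" layout. The real
# swise-azure-custom-role file is not reproduced here; its actions may differ.
SAMPLE_ROLE = json.loads("""
{
  "properties": {
    "roleName": "SwiseRole",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["Microsoft.Web/sites/config/list/action",
                  "Microsoft.Storage/storageAccounts/*/read"],
      "notActions": [], "dataActions": [], "notDataActions": []
    }]
  }
}
""")

# Azure operations whose last segment is "read" do not modify resources.
READ_ONLY = re.compile(r"/read$", re.IGNORECASE)


def audit_role(role, subscription_id):
    """Return a list of findings; an empty list means nothing needs review."""
    props = role.get("properties", role)  # tolerate a file without the wrapper
    findings = []

    # The role should be assignable in exactly one place: the target subscription.
    expected = f"/subscriptions/{subscription_id}".lower()
    scopes = props.get("assignableScopes", [])
    if [s.lower() for s in scopes] != [expected]:
        findings.append(f"assignableScopes is {scopes}, expected only {expected}")

    # Anything that is not a plain read (wildcards, write, delete, and POST-style
    # ".../action" operations such as key listing) is flagged for manual review.
    for perm in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            for action in perm.get(key, []):
                if not READ_ONLY.search(action):
                    findings.append(f"{key}: '{action}' is not a read operation")
    return findings


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, "00000000-0000-0000-0000-000000000000"):
        print("REVIEW:", finding)
```

A flagged ".../action" entry is not necessarily wrong, since some list operations are exposed that way, but each one should be checked against what it can return before the role is created.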
Step 5: Select Compliance Standards

In the Compliance standards tab, choose which security frameworks to evaluate against:
Auto-selected Standards
Swise will pre-select compliance standards to match your organisation's Security Compliance project. For example, if your organisation's security compliance project is set to SOC 2, then SOC 2 will be auto-selected here.
SOC 2 ✅ (Auto-selected)
SOC 2 Standard is designed for organisations that require an international level of security practices
This standard is designed for Service organisations that work primarily in the FinTech Industry
Optional Standards
CIS Controls V8 (Optional)
Check this option if you'd like to also monitor the Azure resources from the perspective of the CIS Controls framework
CIS Controls V8 is a cybersecurity framework developed by the Center for Internet Security that provides a prioritised set of 18 security controls designed to help organisations defend against the most common cyber attacks.
Click Connect to finalise the setup.
Step 6: Swise will make the connection 🎉
After clicking Connect, the Swise system will:
Authenticate with Azure using your Service Principal credentials
Verify the assigned permissions
Activate monitoring for your Azure subscription
Results from this monitoring will soon become available in the Cloud Security dashboard, which you can access by selecting Cloud Security from the Swise menu.
Troubleshooting
Common Issues
Authentication Failed
Verify your Client ID, Client Secret, and Tenant ID are correct
Ensure the client secret hasn't expired
Check that admin consent has been granted for API permissions
Insufficient Permissions
Confirm both Microsoft Graph API permissions and Azure RBAC roles are assigned
Verify the custom SwiseRole has been created and assigned
Check that the Service Principal has access to the target subscription
Connection Timeout
Ensure your Azure subscription is active and accessible
Verify network connectivity to Azure services
Check if any conditional access policies are blocking the Service Principal