Microsoft Azure integration

Integrate Identity Security Posture Management (ISPM) with Microsoft Azure by assigning the built-in Reader role to the ISPM app registration. Reader is a read-only Azure role, so the integration lets ISPM analyze who has access to your Microsoft Azure cloud resources without being able to change them.

Complete the steps in Microsoft Entra ID integration to integrate ISPM with Microsoft Entra ID first. That integration creates the app registration that you assign the Reader role to here, so it is required before you can integrate ISPM with Microsoft Azure.

Select the assignment scope

You can assign the role at a subscription, a management group, or the Tenant Root Group. Whichever scope you choose, Identity Security Posture Management gets the same read-only level of access to the Azure resources under that scope; the scopes differ only in how many subscriptions they cover and whether subscriptions added later are picked up automatically.

Assign the role to a subscription

Complete these steps if your org uses five or fewer subscriptions.

  1. In the Azure portal, go to the Subscriptions panel.
  2. Select the subscription that you want to associate with the Identity Security Posture Management app.
  3. Click Access control (IAM).
  4. Complete the steps listed in the Assign the reader role section.
  5. Repeat steps 1–4 for each additional subscription that you want to collect data from.

Assign the role to a management group

Complete these steps if your org uses more than five subscriptions, or if you plan to add or remove subscriptions over time. A role assigned to a management group is inherited by every subscription under it, including subscriptions that you move there later.

Avoid creating management groups and moving subscriptions under them without careful consideration. Role assignments and Azure Policy assignments are inherited down the management group hierarchy, so moving a subscription changes the access and policies that apply to it.

  1. In the Azure portal, go to the Management groups panel.
  2. Select the management group that you want to assign the role to.
  3. Click Access control (IAM).
  4. Complete the steps listed in the Assign the reader role section.
  5. Repeat steps 1–4 for each additional management group that you want to collect data from.

Assign a role to the tenant root group

This method requires a Global Administrator to temporarily elevate their access to User Access Administrator at the root scope (/), which grants rights to manage access in every subscription and management group in the tenant. To avoid this, ISPM recommends that you assign the role to a subscription, or create a management group and assign the role to it.

  1. In the Azure portal, go to the Microsoft Entra ID panel.
  2. Select Manage > Properties.
  3. Toggle on Access management for Azure resources.
  4. Click Save.
  5. Refresh the browser for the changes to take effect.
  6. In the Azure portal, go to the Management groups panel.
  7. Click Tenant Root Group.
  8. Click Access control (IAM).
  9. Complete the steps listed in the Assign the reader role section.

Assign the reader role

  1. In Access control (IAM), click Add, and then select Add role assignment.
  2. Select the Reader role.
  3. In Select members, search for and select the ISPM app registration that you created in the Microsoft Entra ID integration.
  4. Click Review + assign.
  5. Review the details, and then click Review + assign again to create the role assignment.

If you assigned the role to the Tenant Root Group, go to Microsoft Entra ID > Manage > Properties, toggle off Access management for Azure resources, and click Save. This removes the User Access Administrator assignment at the root scope from your account, so you don't keep elevated access after the one-time setup.

After you've assigned the Reader role to the ISPM app registration, enable the integration in the Identity Security Posture Management console.
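The same procedure from the command line, as an added example that is not part of the Okta documentation. It uses the Azure CLI and assumes `az` is installed and you have run `az login` as a user who can create role assignments at the chosen scope. The Tenant Root Group is the management group whose name is your tenant ID, and `az rest` against the `elevateAccess` endpoint is the API equivalent of the Access management for Azure resources toggle. The script name, the `ispm_` function names, and the example IDs are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Okta's code): assign the Reader role to the ISPM app registration
# at a subscription, management group, or Tenant Root Group scope with the Azure CLI,
# verify the assignment, and (for the Tenant Root Group only) elevate and revoke access.
# Assumes: 'az' installed, 'az login' done as a user allowed to assign roles at the scope.
set -euo pipefail

# Build the ARM scope string for a scope kind. Pure function, no Azure calls.
#   subscription    <subscriptionId>  -> /subscriptions/<id>
#   managementgroup <groupName>       -> /providers/Microsoft.Management/managementGroups/<name>
#   tenantroot      <tenantId>        -> same form; the Tenant Root Group's name is the tenant ID
ispm_scope() {
  case "$1" in
    subscription)    printf '/subscriptions/%s\n' "$2" ;;
    managementgroup) printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    tenantroot)      printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    *) echo "unknown scope kind: $1 (use subscription, managementgroup, or tenantroot)" >&2; return 1 ;;
  esac
}

# Resolve the service principal object ID from the app (client) ID of the ISPM app registration.
ispm_sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Assign Reader to the ISPM service principal at one scope. Passing the principal type
# avoids a lookup race when the service principal was created moments ago.
ispm_assign_reader() {
  local sp_object_id="$1" scope="$2"
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role Reader \
    --scope "$scope" \
    --output none
}

# Verify: number of Reader assignments for the principal at exactly this scope (expect 1).
ispm_verify_reader() {
  local sp_object_id="$1" scope="$2"
  az role assignment list --assignee "$sp_object_id" --role Reader --scope "$scope" \
    --query "length([?scope=='$scope'])" -o tsv
}

# Tenant Root Group only: elevate the signed-in Global Administrator to User Access
# Administrator at the root scope "/", and revoke it again once the Reader role is assigned.
ispm_elevate_access() {
  az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
}
ispm_revoke_elevated_access() {
  local me
  me=$(az ad signed-in-user show --query id -o tsv)
  az role assignment delete --assignee "$me" --role "User Access Administrator" --scope "/"
}

# Usage: ./ispm-azure-reader.sh <appId> <subscription|managementgroup|tenantroot> <id> [<id> ...]
# Nothing below runs unless arguments are supplied, so the functions can be sourced on their own.
if [ -n "${1:-}" ]; then
  app_id="$1"; kind="$2"; shift 2
  sp_object_id=$(ispm_sp_object_id "$app_id")
  [ "$kind" = "tenantroot" ] && ispm_elevate_access
  for target in "$@"; do
    scope=$(ispm_scope "$kind" "$target")
    ispm_assign_reader "$sp_object_id" "$scope"
    if [ "$(ispm_verify_reader "$sp_object_id" "$scope")" = "1" ]; then
      echo "Reader assigned to ISPM at $scope"
    else
      echo "Reader assignment not found at $scope" >&2; exit 1
    fi
  done
  [ "$kind" = "tenantroot" ] && ispm_revoke_elevated_access
fi
```

Run it as `./ispm-azure-reader.sh <appId> subscription <sub1> <sub2>` for the subscription path, `managementgroup <groupName>` for a management group, or `tenantroot <tenantId>` for the Tenant Root Group; in the last case the script elevates access before the assignment and revokes the root-scope User Access Administrator assignment afterwards, which is what toggling Access management for Azure resources off does in the portal. The verification step filters on the exact scope so that an assignment inherited from a parent management group is not mistaken for one made at the chosen scope.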