
Azure

Experienced with Azure? Here’s a quick summary to get started:

  1. Create App Registration
  2. Add Permissions for various services:
    • AuditLog: AuditLog.Read.All (Read all audit log data)
    • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
    • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
    • Directory: Directory.Read.All (Read Azure AD data)
    • Reports: Reports.Read.All (Read all usage reports)
    • AdvancedQuery: AdvancedQuery.Read.All (365 Defender)
    • Machine: Machine.Read.All (365 Defender)
  3. Grant Permissions to the subscriptions you want to inventory.

Set up App registration in Azure

To inventory Azure Resource Manager (Azure RM), vScope needs read permissions for your subscriptions. This guide walks through creating an app in Azure and generating a key.

Create an App registration

Log in to Azure Resource Manager, search for App registrations, and select it.

Azure finding all App registrations

Click + New registration to create the vScope application.

Screenshot of Azure Portal

Name the application (e.g., vScope), choose Accounts in this organizational directory only, and click Register.

Register a new application in Azure

Add API Permissions for Microsoft Graph

In the API Permissions section, click + Add a permission.

Azure adding a new API permission

Under Microsoft APIs, select Microsoft Graph.

Azure Request API permission to Microsoft Graph

Select Application permissions.

Azure request API permission for application

Choose the following permissions and click Add permissions:

  • AuditLog: AuditLog.Read.All (Read all audit log data)
  • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
  • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
  • Directory: Directory.Read.All (Read Azure AD data)
  • Reports: Reports.Read.All (Read all usage reports)

Screenshots: adding AuditLog.Read.All; selecting the remaining API permissions for the App registration; selecting Reports.Read.All.

Grant these permissions by clicking Grant admin consent.

Grant Admin Consent for Default Directory in Azure

Add API Permissions for Defender

Click + Add a permission again.

Azure adding a permission for app registration

Select APIs my organization uses and search for WindowsDefenderATP.

Azure adding permission for app registration for Windows Defender

Under Application permissions, enable AdvancedQuery.Read.All in the AdvancedQuery section and Machine.Read.All in the Machine section, then click Add permissions.

Request API permissions Azure Portal

Click Grant admin consent to finalize permissions.

Azure API permissions grant admin consent

Grant Access to Subscriptions

If you have Azure resources to inventory, such as App Services or storage accounts, grant subscription access. Search for Subscriptions and click the key icon.

Finding assets from Azure by building a table

Select the subscription name.

Selecting subscription for vScope to access

In Access Control (IAM), click Add role assignment.

Azure add role assignment in Azure Access Control (IAM)

Under the Role tab, select Reader.

Adding role assignment reader for Azure app registration

On the Members tab, confirm the Reader role, then click + Select members.

Azure add role assignment for app registration

Enter the application name you chose in Create an App registration (e.g., vScope) in the search bar and click Select.

Select vScope as member for Azure Portal

Click Review + assign to save.

Review and assign permissions in Azure

Set up the Azure RM Probe in vScope

In Azure’s Overview section, copy the Application (client) ID.

Azure finding application ID

Open vScope, navigate to Discovery Manager, create an Azure RM probe (+ Credential), and paste the Application ID.

Finding application ID in vScope for Azure

Go to Certificates & secrets in Azure, then click + New client secret.

Azure managing certificates and secrets

Add a description (e.g., vScope), select an expiry date, and click Add.

Azure adding a client secret

Copy the client secret value immediately (it will only be shown once) and paste it into the Key field in vScope.

Azure copy the client secret value

Click Test Credential in vScope. If it’s successful, the indicator should turn green.

Creating a connection to Azure RM in vScope Discovery

Good job! You are now ready to inventory Azure Resource Manager.
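Once the steps above are done, it is worth confirming that the registration holds exactly the read-only permissions this guide lists (and nothing broader) and that the client secret is not about to expire. The following is an added example, not vScope's or Microsoft's code; the input shapes mirror Microsoft Graph's appRoleAssignment, appRole and passwordCredential objects, but every ID and date in the sample is a constructed placeholder, and in a real audit the appRoleId values are resolved through the resource service principal's appRoles.

```python
"""Audit a vScope app registration against the permissions listed on this page."""
from datetime import datetime, timezone

# Expected application permissions, per resource, exactly as this guide lists them.
EXPECTED = {
    "Microsoft Graph": {
        "AuditLog.Read.All", "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All", "Directory.Read.All", "Reports.Read.All",
    },
    "WindowsDefenderATP": {"AdvancedQuery.Read.All", "Machine.Read.All"},
}

def audit_permissions(assignments, app_roles_by_resource):
    """Return (missing, extra): role names per resource relative to EXPECTED.

    assignments: appRoleAssignment-like dicts with resourceDisplayName and appRoleId.
    app_roles_by_resource: resourceDisplayName -> list of appRole dicts with id and value.
    Unknown appRoleIds are reported verbatim so they show up as 'extra' rather than vanish.
    """
    granted = {}
    for a in assignments:
        roles = {r["id"]: r["value"] for r in app_roles_by_resource.get(a["resourceDisplayName"], [])}
        granted.setdefault(a["resourceDisplayName"], set()).add(roles.get(a["appRoleId"], a["appRoleId"]))
    missing = {res: sorted(roles - granted.get(res, set())) for res, roles in EXPECTED.items()}
    extra = {res: sorted(roles - EXPECTED.get(res, set())) for res, roles in granted.items()}
    return ({k: v for k, v in missing.items() if v}, {k: v for k, v in extra.items() if v})

def secret_status(password_credentials, now=None, warn_days=30):
    """Classify each client secret as expired / expiring (within warn_days) / ok."""
    now = now or datetime.now(timezone.utc)
    status = {}
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        status[cred["displayName"]] = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return status

# Constructed sample with placeholder IDs (not real Microsoft role IDs): the app holds the
# five Graph roles plus an unexpected write role, and lacks Machine.Read.All on Defender.
SAMPLE_ROLES = {
    "Microsoft Graph": [{"id": f"g-{i}", "value": v}
                        for i, v in enumerate(sorted(EXPECTED["Microsoft Graph"]) + ["Directory.ReadWrite.All"])],
    "WindowsDefenderATP": [{"id": "d-0", "value": "AdvancedQuery.Read.All"},
                           {"id": "d-1", "value": "Machine.Read.All"}],
}
SAMPLE_ASSIGNMENTS = ([{"resourceDisplayName": "Microsoft Graph", "appRoleId": f"g-{i}"} for i in range(6)]
                      + [{"resourceDisplayName": "WindowsDefenderATP", "appRoleId": "d-0"}])

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES))
```

In practice the two inputs come from the app's service principal (its appRoleAssignments) and the Microsoft Graph and WindowsDefenderATP service principals (their appRoles), and the secrets from the registration's passwordCredentials.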

Matching Local and Azure Domains

After discovering Azure Resource Manager, we recommend checking out Suggestions under Discovery > Suggestions. Here, you can enhance vScope’s data quality by defining rules that improve how assets are identified.

For Azure, it is common to have different domain names in the local Active Directory compared to Azure and Microsoft Entra ID. To help vScope interpret this correctly, you should create a Custom suggestion.

Creating a domain matching rule in vScope's Discovery suggestions

  • From the dropdown, select the domains that you consider equivalent (e.g., infrasightlabs.com and isl.com).
  • Click Apply to save.
  • Rerun a Discovery.

Once applied, and after the next discovery has run, vScope will treat these domains as the same, improving its ability to identify unique and duplicate assets accurately.

Common Errors

Error: Failed to retrieve…
What happened? vScope was not able to retrieve data using the specified API endpoint.
Suggested action: Confirm that the vScope Azure application has the correct API permissions.

Error: SSLHandshakeException
What happened? An issue connecting to Azure.
Suggested action: Ensure the connection between vScope and Azure is properly configured.

Error: java.lang.RunTimeException: Found Duplicate ID’s
What happened? The Microsoft Graph API returns identical values.
Suggested action: May resolve by itself, depending on what the Microsoft Graph API returns.