Azure
Experienced with Azure? Here’s a quick summary to get started:
- Create an App registration (single tenant).
- Add Application permissions (not Delegated) for the following APIs and grant admin consent:
  - Microsoft Graph:
    - AuditLog.Read.All (Read all audit log data)
    - DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
    - DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
    - Directory.Read.All (Read Azure AD data)
    - Reports.Read.All (Read all usage reports)
    - Sites.Read.All (Read SharePoint data)
    - Team.ReadBasic.All (Read Teams data)
  - WindowsDefenderATP (Microsoft 365 Defender):
    - AdvancedQuery.Read.All
    - Machine.Read.All
- Grant the Reader role to the application on the subscriptions you want to inventory.
Set up App registration in Azure
To inventory Azure Resource Manager (Azure RM), vScope needs read access to your subscriptions and read-only application permissions on Microsoft Graph (and, optionally, Defender). This guide walks through creating an app registration in Microsoft Entra ID, granting it those permissions, and generating a client secret.
Create an App registration
Log in to the Azure portal, search for App registrations, and select it.
Click + New registration to create the vScope application.
Name the application (e.g., vScope), choose Accounts in this organizational directory only, and click Register.
Add API Permissions for Microsoft Graph
In the API Permissions section, click + Add a permission.
Under Microsoft APIs, select Microsoft Graph.
Select Application permissions.
Choose the following permissions (the same set as in the quick summary above) and click Add permissions:
- AuditLog.Read.All (Read all audit log data)
- DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
- DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
- Directory.Read.All (Read Azure AD data)
- Reports.Read.All (Read all usage reports)
- Sites.Read.All (Read SharePoint data)
- Team.ReadBasic.All (Read Teams data)
Grant these permissions by clicking Grant admin consent. Until consent is granted the permissions only appear as "configured" on the app registration and are not present in the tokens vScope obtains. Application permissions apply tenant-wide (Directory.Read.All, for example, reads every user, group and device), so treat the app's client secret as a privileged credential.
Add API Permissions for Defender
Click + Add a permission again.
Select APIs my organization uses and search for WindowsDefenderATP.
Under Application permissions, enable AdvancedQuery.Read.All in the AdvancedQuery section and Machine.Read.All in the Machine section, then click Add permissions.
Click Grant admin consent to finalize permissions.
Grant Access to Subscriptions
If you have Azure resources to inventory, such as App Services or storage accounts, grant subscription access. Search for Subscriptions and select the subscription you want to inventory.
In Access Control (IAM), click Add role assignment.
Under the Role tab, select Reader.
On the Members tab, confirm the Reader role, then click + Select members.
Enter the application name created in Create an App registration (e.g., vScope) in the search bar and click Select. Reader is sufficient; do not assign Contributor or Owner to an inventory tool.
Click Review + assign to save.
Automated set up with PowerShell
This script creates a single-tenant app registration for vScope, grants the required Microsoft Graph and Defender application permissions, admin-consents them, and optionally assigns the Azure RBAC Reader role at a scope you supply.
Requirements:
- PowerShell 7+
- An account holding Global Administrator or Privileged Role Administrator. Cloud Application Administrator can create the app registration but cannot grant admin consent for Microsoft Graph application permissions, so the permission step fails with that role.
- Modules:
  Install-Module Microsoft.Graph -Scope CurrentUser
  Install-Module Az.Accounts,Az.Resources -Scope CurrentUser   # only if using -RbacScope (RBAC auto-assign)
Step-by-step instructions:
- Make sure you are signed in with an account holding one of the Microsoft Entra ID roles listed above.
- Open PowerShell 7 on your computer.
- Install the required modules if they aren’t already installed.
- Copy the provided script and save it as a .ps1 file on your computer (e.g., myscript.ps1).
- From the PowerShell terminal, navigate to the folder where you saved the script.
- Run the script using the usage example below. The -RbacScope parameter is optional; without it no subscription access is assigned and you can do that later in the portal.
Usage example:
.\myscript.ps1 -DisplayName "vScope App Registration" -GenerateClientSecret
Optional parameter: -RbacScope "/subscriptions/subscription-id"
PowerShell script:
#Requires -Version 7.0
param(
    [Parameter(Mandatory = $true)]
    [string]$DisplayName,
    [switch]$GenerateClientSecret,
    [string]$RbacScope = $null,
    [string]$AzRoleDefinitionName = "Reader"
)

# --------------------------------------------------------
# 📋 Step 1: Define Required Permission Sets
# --------------------------------------------------------
$GraphAppPermissions = @(
    "AuditLog.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "Directory.Read.All",
    "Reports.Read.All",
    "Sites.Read.All"
)
$DefenderAppPermissions = @(
    "AdvancedQuery.Read.All",
    "Machine.Read.All"
)

# --------------------------------------------------------
# 🎯 Step 2: Connect to Microsoft Graph
# --------------------------------------------------------
# Delegated scopes for the signed-in admin: create the app and grant app roles to it.
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
$scopes = @(
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes | Out-Null

# --------------------------------------------------------
# 🛠️ Step 3: Create the Application and Service Principal
# --------------------------------------------------------
Write-Host "Creating application '$DisplayName'..." -ForegroundColor Cyan
# New-MgApplication defaults to a single-tenant (AzureADMyOrg) sign-in audience.
$app = New-MgApplication -DisplayName $DisplayName
# The service principal is the tenant-local identity that receives app roles and RBAC.
$sp = New-MgServicePrincipal -AppId $app.AppId
Write-Host "App created. AppId: $($app.AppId)" -ForegroundColor Green

# --------------------------------------------------------
# 🔑 Step 4: Optionally Create a Client Secret
# --------------------------------------------------------
$secretValue = $null
if ($GenerateClientSecret.IsPresent) {
    Write-Host "Creating client secret (shown once)..." -ForegroundColor Yellow
    # Add endDateTime to the hashtable to set a shorter lifetime than the service default.
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ displayName = "ApplicationSecret" }
    $secretValue = $cred.SecretText   # only returned at creation time
}

# --------------------------------------------------------
# ⚙️ Step 5: Resolve Resource Service Principals
# --------------------------------------------------------
function Get-ResourceSp {
    param([string]$WellKnownAppId, [string]$FallbackDisplayName)
    $spn = $null
    if ($WellKnownAppId) {
        $spn = Get-MgServicePrincipal -Filter "appId eq '$WellKnownAppId'" | Select-Object -First 1
    }
    if (-not $spn -and $FallbackDisplayName) {
        $spn = Get-MgServicePrincipal -Filter "displayName eq '$FallbackDisplayName'" | Select-Object -First 1
    }
    return $spn
}

$graphSp = Get-ResourceSp -WellKnownAppId "00000003-0000-0000-c000-000000000000" -FallbackDisplayName "Microsoft Graph"
if (-not $graphSp) { throw "Could not find Microsoft Graph service principal in this tenant." }

$defenderSp = Get-ResourceSp -WellKnownAppId $null -FallbackDisplayName "WindowsDefenderATP"
if (-not $defenderSp) {
    Write-Warning "WindowsDefenderATP service principal not found. The Defender permissions step will be skipped."
    $DefenderAppPermissions = @()
}

# --------------------------------------------------------
# 🛡️ Step 6: Grant Application Permissions
# --------------------------------------------------------
# An appRoleAssignment on the client SP is what "Grant admin consent" creates in the
# portal for an application permission; that is why AppRoleAssignment.ReadWrite.All is needed.
function Grant-AppRole {
    param($ResourceSp, [string]$RoleValue)
    $role = $ResourceSp.AppRoles | Where-Object {
        $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains "Application" -and $_.IsEnabled
    }
    if (-not $role) { throw "App role '$RoleValue' not found on resource '$($ResourceSp.DisplayName)'." }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $ResourceSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted application permission '$RoleValue' on '$($ResourceSp.DisplayName)'." -ForegroundColor Green
}

Write-Host "Granting Microsoft Graph application permissions..." -ForegroundColor Cyan
foreach ($perm in $GraphAppPermissions) { Grant-AppRole -ResourceSp $graphSp -RoleValue $perm }

if ($DefenderAppPermissions.Count -gt 0) {
    Write-Host "Granting Defender for Endpoint application permissions..." -ForegroundColor Cyan
    foreach ($perm in $DefenderAppPermissions) { Grant-AppRole -ResourceSp $defenderSp -RoleValue $perm }
}

# --------------------------------------------------------
# 🌐 Step 7: Optional Azure RBAC Assignment
# --------------------------------------------------------
if ($RbacScope) {
    Write-Host "Assigning Azure RBAC role '$AzRoleDefinitionName' at scope $RbacScope ..." -ForegroundColor Cyan
    try {
        # Get-AzContext returns $null rather than throwing when there is no session.
        if (-not (Get-AzContext -ErrorAction SilentlyContinue)) { Connect-AzAccount | Out-Null }
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $AzRoleDefinitionName -Scope $RbacScope | Out-Null
        Write-Host "Azure RBAC role assigned." -ForegroundColor Green
    } catch {
        # A freshly created SP can take a moment to replicate to Azure RM; rerun or assign in the Portal.
        Write-Warning "Failed to assign Azure RBAC role. Assign later in Portal > Access control (IAM). Error: $($_.Exception.Message)"
    }
}

# --------------------------------------------------------
# 📋 Step 8: Output Configuration Summary
# --------------------------------------------------------
# ClientSecret is printed in clear text: copy it into vScope (or a vault) and clear the console afterwards.
$summary = [pscustomobject]@{
    TenantId           = (Get-MgContext).TenantId
    ApplicationName    = $app.DisplayName
    ApplicationId      = $app.AppId
    ServicePrincipalId = $sp.Id
    ClientSecret       = $secretValue
    NextSteps          = "Use TenantId, ApplicationId (ClientId) and ClientSecret (or cert) in vScope's Azure RM credential."
}
$summary | Format-List
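An added check, not part of this page's procedure or of vScope's own tooling: after running the script (or the manual steps), the PowerShell below audits what the service principal was actually granted, compares it with the permission set listed on this page, reports how long each secret or certificate is still valid, and, when -RbacScope is given, confirms that nothing beyond Reader was assigned. It assumes the Microsoft.Graph and Az modules from the requirements list, an existing Connect-MgGraph session with at least Application.Read.All, and that the resource service principals carry the display names "Microsoft Graph" and "WindowsDefenderATP" as this page uses them; the parameter names and the $Expected table are its own.

```powershell
# Added example (not the page's script): audit an existing vScope app registration.
param(
    [Parameter(Mandatory = $true)][string]$AppId,   # Application (client) ID of the vScope app
    [string]$RbacScope                              # optional, e.g. "/subscriptions/<subscription-id>"
)

# Expected permission set as listed on this page, keyed by the resource SP's displayName.
$Expected = @{
    "Microsoft Graph"    = @("AuditLog.Read.All", "DeviceManagementConfiguration.Read.All",
                             "DeviceManagementManagedDevices.Read.All", "Directory.Read.All",
                             "Reports.Read.All", "Sites.Read.All")
    "WindowsDefenderATP" = @("AdvancedQuery.Read.All", "Machine.Read.All")
}

$app = Get-MgApplication -Filter "appId eq '$AppId'" | Select-Object -First 1
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'" | Select-Object -First 1
if (-not $app -or -not $sp) { throw "No application / service principal with appId $AppId in this tenant." }

# 1. Application permissions actually granted: these are appRoleAssignments on the client SP.
#    Each references a resource SP and an appRoleId; map the id back to its Value.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
}
$granted | Format-Table -AutoSize

foreach ($resourceName in $Expected.Keys) {
    $have    = @($granted | Where-Object Resource -eq $resourceName | Select-Object -ExpandProperty Permission)
    $missing = @($Expected[$resourceName] | Where-Object { $_ -notin $have })
    $extra   = @($have | Where-Object { $_ -notin $Expected[$resourceName] })
    if ($missing) { Write-Warning "$resourceName is missing: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "$resourceName has permissions beyond what vScope needs: $($extra -join ', ')" }
}

# 2. Credential hygiene: every secret and certificate on the app, with days until expiry.
$creds = @($app.PasswordCredentials | ForEach-Object {
              [pscustomobject]@{ Type = "secret";      Name = $_.DisplayName; Expires = $_.EndDateTime } }) +
         @($app.KeyCredentials      | ForEach-Object {
              [pscustomobject]@{ Type = "certificate"; Name = $_.DisplayName; Expires = $_.EndDateTime } })
foreach ($c in $creds) {
    $days = [int]($c.Expires - (Get-Date).ToUniversalTime()).TotalDays
    $msg  = "$($c.Type) '$($c.Name)' expires $($c.Expires.ToString('u')) ($days days left)"
    if ($days -le 30) { Write-Warning $msg } else { Write-Host $msg }
}

# 3. Azure RBAC: the inventory identity should hold Reader and nothing more at the given scope.
if ($RbacScope) {
    if (-not (Get-AzContext -ErrorAction SilentlyContinue)) { Connect-AzAccount | Out-Null }
    $assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $RbacScope)
    if (-not $assignments) { Write-Warning "No role assignment for the service principal at $RbacScope" }
    foreach ($ra in $assignments) {
        $msg = "$($ra.RoleDefinitionName) at $($ra.Scope)"
        if ($ra.RoleDefinitionName -ne "Reader") { Write-Warning "More than read access: $msg" }
        else { Write-Host "RBAC: $msg" -ForegroundColor Green }
    }
}
```

Run it periodically (or from a pipeline) rather than once: the two findings that matter in practice are a secret that is about to expire, which silently stops the next discovery, and a permission or role someone added later that the inventory tool does not need.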
Set up the Azure RM Probe in vScope
In the app registration’s Overview page in Azure, copy the Application (client) ID.
Open vScope, navigate to Discovery Manager, create an Azure RM probe (+ Credential), and paste the Application ID.
Go to Certificates & secrets in Azure, then click + New client secret.
Add a description (e.g., vScope), select an expiry date, and click Add. Record the expiry date somewhere you will see it: when the secret expires, vScope’s Azure RM discovery stops working until a new secret is created and entered.
Copy the client secret value immediately (it is only shown once) and paste it into the Key field in vScope. If you navigate away before copying it, delete the secret and create a new one.
Click Test Credential in vScope. If it’s successful, the indicator should turn green.
Good job! You are now ready to inventory Azure Resource Manager.
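Before pasting the secret into vScope, or when Test Credential fails or a later discovery reports "Failed to retrieve…", it helps to exercise the credential outside vScope. The PowerShell below is an added example, not part of the page or of vScope: it performs the same app-only (client-credentials) token request that any application using this app registration performs, decodes the token's roles claim to show which application permissions were actually consented, and makes one read-only call against Microsoft Graph or the Defender for Endpoint API. It needs no modules, only Invoke-RestMethod. The parameter names, the two probe URLs and the helper function names are its own.

```powershell
# Added example (not vScope code): validate an app registration's credential and consented permissions.
param(
    [Parameter(Mandatory = $true)][string]$TenantId,
    [Parameter(Mandatory = $true)][string]$ClientId,       # Application (client) ID
    [Parameter(Mandatory = $true)][string]$ClientSecret,   # value copied from Certificates & secrets
    # Resource to test: Microsoft Graph by default, or the Defender for Endpoint API.
    [ValidateSet("https://graph.microsoft.com", "https://api.securitycenter.microsoft.com")]
    [string]$Resource = "https://graph.microsoft.com"
)

# Client-credentials grant: the app authenticates as itself, no user is involved.
function Get-ClientCredentialToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$Resource)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$Resource/.default"   # .default = every app permission consented for this resource
        grant_type    = "client_credentials"
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

# Decode the JWT payload (middle segment, base64url) without verifying the signature.
# That is acceptable here only because we read the roles claim for diagnostics, not for authorization.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-ClientCredentialToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret -Resource $Resource
$claims = ConvertFrom-JwtPayload -Jwt $token
Write-Host "Token for appid $($claims.appid) in tenant $($claims.tid), audience $($claims.aud)"
Write-Host "Application permissions in token (roles claim): $($claims.roles -join ', ')"
if (-not $claims.roles) {
    # A token with no roles claim is the usual cause of "Failed to retrieve..." errors:
    # the permissions were added to the app registration but admin consent was never granted.
    Write-Warning "No roles claim: admin consent is missing or has not propagated yet."
}

# Exercise one read-only endpoint behind the granted permissions.
$headers = @{ Authorization = "Bearer $token" }
$probe = if ($Resource -eq "https://graph.microsoft.com") {
    "https://graph.microsoft.com/v1.0/organization"                  # needs Directory.Read.All
} else {
    "https://api.securitycenter.microsoft.com/api/machines?`$top=1"  # needs Machine.Read.All
}
try {
    $result = Invoke-RestMethod -Uri $probe -Headers $headers
    Write-Host "Read test against $probe succeeded ($(@($result.value).Count) object(s) returned)." -ForegroundColor Green
} catch {
    Write-Warning "Read test against $probe failed: $($_.Exception.Message)"
}
```

A successful token request with an empty roles claim, followed by a 401 or 403 on the read test, points at consent rather than at the secret; a failure on the token request itself (invalid_client, unauthorized_client) points at the tenant ID, client ID or secret. Run it once per resource, since a token is scoped to a single audience and the Defender permissions never show up in a Graph token.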
Matching Local and Azure Domains
After discovering Azure Resource Manager, we recommend checking out Suggestions under Discovery > Suggestions. Here, you can enhance vScope’s data quality by defining rules that improve how assets are identified.
For Azure, it is common to have different domain names in the local Active Directory compared to Azure and Microsoft Entra ID. To help vScope interpret this correctly, you should create a Custom suggestion.
- From the dropdown, select the domains that you consider equivalent (e.g., infrasightlabs.com and isl.com).
- Click Apply to save.
- Rerun a Discovery.
Once the rule is applied and the next discovery has run, vScope treats these domains as the same, which improves its ability to identify unique and duplicate assets accurately.
Common Errors
| Error | What happened? | Suggested action |
|---|---|---|
| Failed to retrieve… | vScope was not able to retrieve data from the specified API endpoint. | Confirm that the vScope Azure application has the correct API permissions and that admin consent has been granted; a permission that is only added, not consented, produces this error. |
| SSLHandshakeException | The TLS connection from vScope to Azure could not be established. | Ensure the connection between vScope and Azure is properly configured (proxy, outbound firewall rules, and the trust store used by vScope). |
| java.lang.RuntimeException: Found Duplicate ID’s | The Microsoft Graph API returned identical values for objects that should be unique. | May resolve itself on a later discovery, depending on what the Microsoft Graph API returns. |