
Azure

Experienced with Azure? Here’s a quick summary to get started:

  1. Create App Registration
  2. Add Permissions for various services:
    • AuditLog: AuditLog.Read.All (Read all audit log data)
    • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
    • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
    • Directory: Directory.Read.All (Read Azure AD data)
    • Reports: Reports.Read.All (Read all usage reports)
    • AdvancedQuery: AdvancedQuery.Read.All (365 Defender)
    • Machine: Machine.Read.All (365 Defender)
  3. Grant Permissions to the subscriptions you want to inventory.

Detailed Setup Guide for Adding Azure RM to vScope

To inventory Azure Resource Manager (Azure RM), vScope needs read permissions for your subscriptions. This guide walks through creating an app in Azure, generating a key, and configuring Azure RM credentials in vScope.

Prerequisite: Ensure you have permissions to set up applications in Azure. Learn more about roles and permissions here.


Create an Application Registration

1.1 Log in to Azure Resource Manager, search for App registrations, and select it.


1.2 Click + New registration to create the vScope application.


1.3 Name the application (e.g., vScope), choose Accounts in this organizational directory only, and click Register.



Add API Permissions for Microsoft Graph

2.1 In the API Permissions section, click + Add a permission.


2.2 Under Microsoft APIs, select Microsoft Graph.


2.3 Select Application permissions.


2.4 Choose the following permissions and click Add permissions:

  • AuditLog: AuditLog.Read.All (Read all audit log data)
  • DeviceManagementConfiguration: DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configurations and policies)
  • DeviceManagementManagedDevices: DeviceManagementManagedDevices.Read.All (Read Microsoft Intune devices)
  • Directory: Directory.Read.All (Read Azure AD data)
  • Reports: Reports.Read.All (Read all usage reports)
  • AdvancedQuery: AdvancedQuery.Read.All (365 Defender)
  • Machine: Machine.Read.All (365 Defender)


2.5 Grant these permissions by clicking Grant admin consent.



Add API Permissions for Defender

3.1 Click + Add a permission again.


3.2 Select APIs my organization uses and search for WindowsDefenderATP.


3.3 Under Application permissions, enable AdvancedQuery.Read.All in the AdvancedQuery section and Machine.Read.All in the Machine section, then click Add permissions.


3.4 Click Grant admin consent to finalize permissions.



Grant Access to Subscriptions

4.1 If you have Azure resources to inventory, such as App Services or storage accounts, grant subscription access. Search for Subscriptions and click the key icon.


4.2 Select the subscription name.


4.3 In Access Control (IAM), click Add role assignment.


4.4 Under the Role tab, select Reader.


4.5 On the Members tab, confirm the Reader role, then click + Select members.


4.6 Enter the name of the application created in step 1, Create an Application Registration (e.g., vScope), in the search bar and click Select.


4.7 Click Review + assign to save.



Set Up the Azure RM Probe in vScope

5.1 In Azure’s Overview section, copy the Application (client) ID.


5.2 Open vScope, navigate to Discovery Manager, create an Azure RM probe (+ Credential), and paste the Application ID.


5.3 Go to Certificates & secrets in Azure, then click + New client secret.


5.4 Add a description (e.g., vScope), select an expiry date, and click Add.


5.5 Copy the client secret value immediately (it will only be shown once) and paste it into the Key field in vScope.


5.6 Click Test Credential in vScope. If it’s successful, the indicator should turn green.



Common Errors

| Error | What happened? | Suggested action |
| --- | --- | --- |
| Failed to retrieve… | vScope was not able to retrieve data using the specified API endpoint. | Confirm that the vScope Azure application has the correct API permissions. |
| SSLHandshakeException | An issue connecting to Azure. | Ensure the connection between vScope and Azure is properly configured. |
| java.lang.RunTimeException: Found Duplicate ID’s | Microsoft Graph API returns identical values. | May resolve itself, depending on what the Microsoft Graph API returns. |
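
One way to act on the "Failed to retrieve…" suggestion above is to inspect the roles claim of an access token issued to the app registration and compare it with the application permissions this guide lists, which also surfaces permissions broader than the guide needs. This is an added example, not vScope or Microsoft code; the function names and the sample token are constructed for illustration, and the token is decoded without signature verification, for inspection only.

```python
import base64
import json

# Application permissions the guide asks for, grouped by the API they belong to.
GRAPH_ROLES = {
    "AuditLog.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "Directory.Read.All",
    "Reports.Read.All",
}
DEFENDER_ROLES = {"AdvancedQuery.Read.All", "Machine.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_roles(token: str, expected: set) -> dict:
    """Compare the token's app-permission 'roles' claim with the expected set."""
    claims = token_claims(token)
    granted = set(claims.get("roles", []))  # claim is absent if nothing was consented
    return {
        "audience": claims.get("aud"),
        "missing": sorted(expected - granted),     # listed in the guide, not in the token
        "unexpected": sorted(granted - expected),  # granted beyond what the guide lists
    }


def make_sample_token(aud: str, roles: list) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud, "roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed case: Reports.Read.All never consented, one write role added.
    roles = sorted(GRAPH_ROLES - {"Reports.Read.All"}) + ["Directory.ReadWrite.All"]
    print(audit_roles(make_sample_token("https://graph.microsoft.com", roles), GRAPH_ROLES))
```

Run it once against a Microsoft Graph token and once against a Defender token, passing GRAPH_ROLES or DEFENDER_ROLES respectively, since each token carries only the roles of the API it was issued for.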