Enable Cloudgeni to scan your Azure infrastructure by connecting it to Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender). The integration imports Defender's security findings, recommendations and compliance data for the resources in the subscriptions you connect.

Prerequisites

  • Azure subscription on which you can create role assignments (Owner or User Access Administrator), plus permission to register applications in Microsoft Entra ID
  • Microsoft Defender for Cloud enabled on your subscription
  • Cloudgeni account (free trial available)
  • Time estimate: 10-15 minutes

Step 1: Enable Microsoft Defender for Cloud

  1. Log into your Azure Portal
  2. Navigate to Microsoft Defender for Cloud service
  3. Go to “Environment settings” > Select your subscription
  4. Turn on Defender plans for comprehensive coverage:
    • Servers - VM and server protection
    • App Service - Web application protection
    • Databases - SQL database protection
    • Storage - Storage account protection
    • Key Vault - Key vault protection
    • Resource Manager - Control-plane protection (monitors Azure Resource Manager operations across the subscription)
    • DNS - DNS layer protection (no longer sold as a standalone plan for new subscriptions; its detections are included in Defender for Servers Plan 2)
  5. Click “Save” to enable the plans
Microsoft Defender for Cloud's free tier (foundational CSPM) provides security recommendations and secure score. The Defender plans above are paid and add threat detection and vulnerability assessment for the corresponding resource types, so findings in those areas only appear once the matching plan is on.

Step 2: Create Service Principal for Cloudgeni

Cloudgeni needs read-only access: Security Reader for Defender for Cloud findings and Reader for resource metadata. Don't grant Contributor or Owner; a scanner never needs write access.

Option A: Using Azure CLI

# Subscription Cloudgeni will scan
SUBSCRIPTION_ID="<your-subscription-id>"

# Create the service principal with Security Reader at subscription scope.
# The output (appId, password, tenant) is the only time the secret is shown:
# store it in a secrets manager, not in shell history or a ticket. The secret
# is valid for one year by default (--years changes this); record the expiry.
az ad sp create-for-rbac --name "CloudgeniDefenderReader" \
  --role "Security Reader" \
  --scopes "/subscriptions/${SUBSCRIPTION_ID}"

# Look up the appId (this is the Client ID Cloudgeni asks for)
APP_ID=$(az ad sp list --display-name "CloudgeniDefenderReader" --query "[0].appId" -o tsv)

# Add Reader so Cloudgeni can enumerate resources and compliance data
az role assignment create \
  --assignee "$APP_ID" \
  --role "Reader" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}"

Option B: Using Azure Portal

  1. Go to Microsoft Entra ID (formerly Azure Active Directory) > App registrations > New registration
  2. Name: CloudgeniDefenderReader
  3. Click “Register”
  4. Go to Certificates & secrets > New client secret and set an expiry (shorter is better; note the date so you can rotate before it lapses)
  5. Copy the client secret value immediately (it is shown only once)
  6. Note down Application (client) ID and Directory (tenant) ID
  7. Go to Subscriptions > Your subscription > Access control (IAM)
  8. Click “Add role assignment”
  9. Assign these roles to your service principal:
    • Security Reader - Access to security findings
    • Reader - Access to resource metadata
Required Information:
  • Tenant ID: Directory (tenant) ID
  • Client ID: Application (client) ID
  • Client Secret: The secret you created
  • Subscription ID: Your Azure subscription ID

Step 3: Configure Cloudgeni Integration

  1. Log into your Cloudgeni dashboard
  2. Navigate to “Integrations” > “Add Integration”
  3. Select “Azure Defender for Cloud”
  4. Enter your configuration:
    • Integration Name: Azure Production (or your environment name)
    • Subscription ID: Your Azure subscription ID
    • Tenant ID: Microsoft Entra (Azure AD) tenant ID
    • Client ID: Service principal application ID
    • Client Secret: Service principal secret
    • Resource Groups: Select specific resource groups (optional)
  5. Click “Test Connection” to verify
  6. Click “Save Integration”
Start with one resource group to test, then expand to full subscription once confirmed working.

Step 4: Verify Integration and Run First Scan

  1. In Cloudgeni, go to “Cloud Infrastructure” > “Azure”
  2. Click “Scan Now” to trigger initial scan
  3. Wait 2-5 minutes for scan completion
  4. Review the results:
    • Security findings from Defender for Cloud
    • Compliance status by standard
    • Resource inventory by service
    • Risk prioritization by severity
Expected Results:
  • Virtual machines with security configurations
  • Storage accounts with access control findings
  • Network security groups with rule violations
  • Key vaults with access policy issues
  • SQL databases with security recommendations

Sample Findings

  • VM vulnerability assessment - Missing security updates
  • Storage account - Allow Blob public access is enabled
  • Network security group - Unrestricted inbound SSH access
  • SQL Database - Transparent data encryption disabled
  • Key Vault - No diagnostic logs enabled

Multi-Subscription Setup

For comprehensive coverage across multiple subscriptions:
Centralized Approach:
  1. Create one service principal (an app registration lives in the tenant, not in any single subscription)
  2. Grant it Security Reader and Reader on every subscription Cloudgeni should scan:
    # For each additional subscription, repeat for both
    # "Security Reader" and "Reader"
    az role assignment create \
      --assignee {service-principal-id} \
      --role "Security Reader" \
      --scope "/subscriptions/{other-subscription-id}"

    # Or assign once at management group scope and let every
    # subscription under it inherit the roles
    az role assignment create \
      --assignee {service-principal-id} \
      --role "Security Reader" \
      --scope "/providers/Microsoft.Management/managementGroups/{management-group-id}"
  3. Add each subscription to your Cloudgeni integration
Distributed Approach:
  1. Create separate integrations for each subscription
  2. Use subscription-specific service principals
  3. Manage access controls per subscription requirements
Consider using Azure Lighthouse when the subscriptions live in other tenants (for example, managed customer tenants); role assignments within a single tenant don't need it.

Troubleshooting

Connection Test Fails:
  • Verify service principal credentials are correct
  • Check tenant ID and subscription ID are accurate
  • Ensure service principal has required role assignments
  • Confirm client secret hasn’t expired
No Findings Returned:
  • Wait 24-48 hours for Defender for Cloud to populate findings
  • Check that Defender plans are enabled for your resources
  • Verify you have resources in the scanned subscription
  • Ensure the Defender for Cloud default policy initiative (Microsoft cloud security benchmark) is assigned to the subscription; recommendations are generated from it
Permission Errors:
  • Ensure Security Reader role is assigned
  • Verify Reader role for resource metadata access
  • Check role assignments at correct scope level
  • Confirm the service principal (Enterprise application) is still enabled and hasn't been deleted
Integration Shows “Disconnected”:
  • Re-test connection in Cloudgeni dashboard
  • Check the Microsoft Entra sign-in logs (service principal sign-ins) for authentication failures; the Azure Activity Log records resource operations, not sign-ins
  • Verify service principal hasn’t been disabled
  • Ensure client secret is still valid
Specific Resource Types Missing:
  • Enable corresponding Defender plans (Storage, SQL, etc.)
  • Check resource group filtering in integration settings
  • Verify resources exist in scanned subscription
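Before clicking “Test Connection”, or when the items above point at permissions or an expired secret, it helps to verify the service principal from the Azure side rather than guessing. The following Python script is an added example, not Cloudgeni's code or part of the original page: it shells out to the Azure CLI (`az role assignment list --include-inherited` and `az ad app credential list`), then checks that Security Reader and Reader are granted at a scope that actually covers the subscription (a Reader assignment on a single resource group is the classic mistake) and classifies each client secret as expired, expiring or ok. The `az` commands are real; the sample assignments and credentials embedded in the script are constructed, and the identifiers in them are placeholders.

```python
"""Preflight check for the Cloudgeni service principal (added example).

Verifies what the troubleshooting section asks for: that the service
principal holds Security Reader and Reader at a scope covering the target
subscription, and that it has a client secret that has not expired. The
checking functions take parsed az CLI JSON, so they also run offline
against the constructed sample data below.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

REQUIRED_ROLES = frozenset({"Security Reader", "Reader"})
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def scope_covers(assignment_scope: str, subscription_id: str) -> bool:
    """True if an assignment at `assignment_scope` applies to the subscription.

    RBAC inherits downward only: the tenant root group ("/"), an ancestor
    management group, or the subscription itself cover it; a resource group
    or single resource does not. Assignments are expected from
    `az role assignment list --scope /subscriptions/<id> --include-inherited`,
    so any management group in the list is an ancestor of the subscription.
    """
    scope = assignment_scope.rstrip("/").lower()
    if scope == "" or scope.startswith(MG_PREFIX):
        return True
    return scope == f"/subscriptions/{subscription_id}".lower()

def missing_roles(assignments, subscription_id, required=REQUIRED_ROLES):
    """Return the required roles not granted at a scope covering the subscription."""
    granted = {a["roleDefinitionName"] for a in assignments
               if scope_covers(a["scope"], subscription_id)}
    return sorted(set(required) - granted)

def parse_graph_time(value: str) -> datetime:
    """Parse `endDateTime` as printed by `az ad app credential list`, e.g.
    '2025-06-30T12:00:00.1234567Z': the 7-digit fraction is cut to the 6
    digits datetime accepts and the value is treated as UTC."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def secret_status(credentials, now=None, warn_days=30):
    """Map each client secret keyId to 'expired', 'expiring' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    status = {}
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status[cred["keyId"]] = "expired"
        elif (end - now).days < warn_days:
            status[cred["keyId"]] = "expiring"
        else:
            status[cred["keyId"]] = "ok"
    return status

def az_json(*args):
    """Run an az CLI command and return its parsed JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

# Constructed sample data in the shape az returns; identifiers are placeholders.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Security Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    # Reader on one resource group only: does not cover the subscription
    {"roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-app"},
]
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"keyId": "key-old", "endDateTime": "2024-12-31T00:00:00.0000000Z"},
    {"keyId": "key-soon", "endDateTime": "2025-02-01T00:00:00Z"},
    {"keyId": "key-good", "endDateTime": "2026-01-15T00:00:00Z"},
]

def main(app_id: str, subscription_id: str) -> int:
    """Run both checks against Azure; a non-zero exit means Cloudgeni will fail too."""
    assignments = az_json("role", "assignment", "list", "--assignee", app_id,
                          "--scope", f"/subscriptions/{subscription_id}",
                          "--include-inherited")
    missing = missing_roles(assignments, subscription_id)
    statuses = secret_status(az_json("ad", "app", "credential", "list", "--id", app_id))
    for role in missing:
        print(f"MISSING: {role} is not assigned at a scope covering the subscription")
    for key_id, state in statuses.items():
        print(f"SECRET {key_id}: {state}")
    # Cloudgeni needs at least one secret that is still valid.
    usable = any(state != "expired" for state in statuses.values())
    return 1 if missing or not usable else 0

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <client-id> <subscription-id>")
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as `python preflight.py <client-id> <subscription-id>` from a shell already logged in with `az login` as an identity that can read role assignments and the app registration (the Owner who created the service principal is enough). On the constructed sample the script reports Reader as missing, because it was granted on a resource group rather than the subscription; that is exactly the case the “Check role assignments at correct scope level” item describes.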

Security Standards and Compliance

Configure compliance standards in Defender for Cloud:
  1. Go to Regulatory compliance in Defender for Cloud
  2. Add relevant standards (names and versions offered in the portal change over time; the list below is indicative):
    • Microsoft cloud security benchmark (formerly Azure Security Benchmark; assigned by default)
    • CIS Microsoft Azure Foundations Benchmark
    • PCI DSS (3.2.1 and v4.0)
    • SOC 2 (listed as SOC TSP in older portal versions)
    • NIST SP 800-53 (R4 and R5)
    • ISO 27001
  3. Review compliance scores and recommendations
  4. Cloudgeni will import these compliance mappings automatically
Adding standards beyond the default benchmark may require paid Defender for Cloud plans.
