Azure Integration
Connect your Azure subscriptions to Seenty for automated cloud security scanning.
Connect your Azure subscriptions to Seenty to automatically scan for security misconfigurations in RBAC, Storage, and Network Security Groups.
Azure cloud scanning requires an Ultra plan or higher. Upgrade from Workspace > Billing to enable this integration.
What it scans
Seenty scans three core Azure service areas for security misconfigurations:
RBAC (Role-Based Access Control)
| Finding | Severity | Description |
|---|---|---|
| Users without MFA | High | Azure AD users with access to resources but no multi-factor authentication configured. |
| Inactive users | Medium | Accounts that have not signed in for an extended period but still hold active role assignments. |
| Excessive role assignments | Medium | Users with Owner or Contributor roles at broad scopes (subscription or resource group level) when a more restricted role would suffice. |
| Guest users with privileged roles | High | External guest accounts with elevated permissions in your directory. |
Storage
| Finding | Severity | Description |
|---|---|---|
| Public blob access enabled | High | Storage accounts allowing anonymous public access to blob containers. |
| Encryption at rest disabled | Medium | Storage accounts without encryption at rest configured. |
| HTTP access allowed | Medium | Storage accounts that accept unencrypted HTTP connections instead of requiring HTTPS only. |
| Shared key access enabled | Low | Storage accounts allowing shared key authorization. Account keys grant full, non-auditable-per-user access to the whole account, so Azure AD authorization (which is identity-bound and supports RBAC) is preferred. |
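To see how these findings combine in practice, here is an evaluator written for this page (an added example, not Seenty's code) that applies the account-level and container-level settings together and honors Azure's defaults for unset values. The property names (allowBlobPublicAccess, supportsHttpsTrafficOnly, allowSharedKeyAccess, publicAccess) are Azure Resource Manager's; the two sample accounts and their containers are constructed. The encryption-at-rest row is not modelled because Azure Storage service-side encryption is always on and cannot be turned off; what varies between accounts is whether customer-managed keys or infrastructure (double) encryption are configured.

```python
"""Evaluate a storage account against the Storage findings above.

Added example for this page, not Seenty's own code. The account and container
dicts are constructed samples shaped like the Azure Resource Manager JSON for
Microsoft.Storage/storageAccounts and blobServices/containers; property names
are Azure's, values are made up.
"""

# How ARM interprets a missing (null) value. Older accounts often carry null
# rather than an explicit setting, so a naive `== False` check misses them.
DEFAULTS = {
    "allowBlobPublicAccess": True,     # default interpretation is true
    "supportsHttpsTrafficOnly": True,  # default true since API 2019-04-01
    "allowSharedKeyAccess": True,      # default true
}


def setting(account, name):
    """Effective value of an account property, applying the ARM default."""
    value = account.get("properties", {}).get(name)
    return DEFAULTS[name] if value is None else value


def public_containers(account, containers):
    """Containers reachable anonymously right now: the account-level switch
    must allow public access AND the container's publicAccess must be Blob or
    Container. Disabling the account switch closes every container at once."""
    if not setting(account, "allowBlobPublicAccess"):
        return []
    return [c["name"] for c in containers
            if c.get("properties", {}).get("publicAccess", "None") != "None"]


def storage_findings(account, containers):
    """(finding, severity, detail) tuples using the page's severities."""
    findings = []
    if setting(account, "allowBlobPublicAccess"):
        exposed = public_containers(account, containers)
        detail = (f"anonymous containers: {', '.join(exposed)}" if exposed
                  else "no container is public yet, but any can be made public")
        findings.append(("Public blob access enabled", "High", detail))
    if not setting(account, "supportsHttpsTrafficOnly"):
        findings.append(("HTTP access allowed", "Medium",
                         "supportsHttpsTrafficOnly is false"))
    if setting(account, "allowSharedKeyAccess"):
        findings.append(("Shared key access enabled", "Low",
                         "allowSharedKeyAccess is true or unset"))
    return findings


# Constructed samples: a legacy account with unset values, and a hardened one.
LEGACY_ACCOUNT = {"name": "stlegacy", "properties": {
    "supportsHttpsTrafficOnly": False}}      # the other two settings are unset
LEGACY_CONTAINERS = [
    {"name": "public-assets", "properties": {"publicAccess": "Blob"}},
    {"name": "backups", "properties": {"publicAccess": "None"}},
]
HARDENED_ACCOUNT = {"name": "sthardened", "properties": {
    "allowBlobPublicAccess": False, "supportsHttpsTrafficOnly": True,
    "allowSharedKeyAccess": False}}

if __name__ == "__main__":
    for acct, conts in ((LEGACY_ACCOUNT, LEGACY_CONTAINERS),
                        (HARDENED_ACCOUNT, LEGACY_CONTAINERS)):
        print(acct["name"], storage_findings(acct, conts) or "no findings")
```

The legacy account produces all three findings even though only one property is explicitly set, which is the point of modelling the defaults; the hardened account produces none, and its public-assets container is reported as closed because the account-level switch wins over the container setting.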
NSG (Network Security Groups)
| Finding | Severity | Description |
|---|---|---|
| SSH (22) open to any source | High | NSG rules allowing SSH access from any source: 0.0.0.0/0, *, or the Internet service tag. |
| RDP (3389) open to any source | High | NSG rules allowing Remote Desktop from any source address. |
| All ports open inbound | Critical | NSG rules allowing inbound traffic on all ports from any source. |
| Missing NSG on subnet | Medium | Subnets without any network security group attached, leaving all inbound traffic unfiltered. |
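NSG rules are evaluated in priority order (lowest number first) and the first match decides, so an "open to any source" check has to walk the rule set rather than grep for a single rule: an Allow from * at priority 120 is harmless if a Deny from 0.0.0.0/0 sits at priority 105. The following evaluator, written for this page as an added example and not Seenty's code, applies that logic for the three port-based findings above. The rule shape (securityRules, defaultSecurityRules, priority, sourceAddressPrefix, destinationPortRange) follows the Azure Resource Manager representation; the two sample NSGs are constructed.

```python
"""Evaluate an Azure NSG for the port-based findings above, honoring priority.

Added example, not Seenty's own code. The NSG dicts are constructed samples
shaped like the Azure Resource Manager JSON for
Microsoft.Network/networkSecurityGroups.
"""

ANY_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}   # "any source" spellings
ALL_PORTS = (0, 65535)


def port_ranges(props):
    """Normalise destinationPortRange / destinationPortRanges to (lo, hi)."""
    raw = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    out = []
    for r in raw:
        if r == "*":
            out.append(ALL_PORTS)
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def source_is_any(props):
    raw = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    return any(p.lower() in ANY_SOURCES for p in raw)


def covers_port(props, port):
    return any(lo <= port <= hi for lo, hi in port_ranges(props))


def covers_tcp(props):
    return props.get("protocol", "*").lower() in ("*", "tcp")


def inbound_rules(nsg):
    """Custom plus default rules, highest precedence (lowest number) first."""
    p = nsg["properties"]
    rules = p.get("securityRules", []) + p.get("defaultSecurityRules", [])
    return sorted((r for r in rules if r["properties"]["direction"] == "Inbound"),
                  key=lambda r: r["properties"]["priority"])


def internet_tcp_access(nsg, port):
    """Decision for a TCP packet from an arbitrary internet address to `port`:
    the first inbound rule matching any-source, the port and TCP wins. Returns
    (access, rule name). Prefix sets that only together span the internet
    (e.g. 0.0.0.0/1 plus 128.0.0.0/1) are not merged here."""
    for r in inbound_rules(nsg):
        p = r["properties"]
        if source_is_any(p) and covers_port(p, port) and covers_tcp(p):
            return p["access"], r["name"]
    return "Deny", None   # nothing matched: the platform default is deny


def all_ports_open(nsg):
    """Name of an Allow rule with any source, all ports and any protocol that
    no higher-precedence any-source Deny narrows; else None."""
    for r in inbound_rules(nsg):
        p = r["properties"]
        if not source_is_any(p):
            continue
        if p["access"] == "Deny":
            return None
        if p.get("protocol", "*") == "*" and ALL_PORTS in port_ranges(p):
            return r["name"]
    return None


def nsg_findings(nsg):
    """(finding, severity, offending rule) tuples using the page's severities."""
    findings = []
    rule = all_ports_open(nsg)
    if rule:
        findings.append(("All ports open inbound", "Critical", rule))
    for port, label in ((22, "SSH (22)"), (3389, "RDP (3389)")):
        access, rule = internet_tcp_access(nsg, port)
        if access == "Allow":
            findings.append((f"{label} open to any source", "High", rule))
    return findings


def _rule(name, priority, access, src, ports, proto="Tcp"):
    return {"name": name, "properties": {
        "priority": priority, "access": access, "direction": "Inbound",
        "protocol": proto, "sourceAddressPrefix": src, "destinationPortRange": ports}}


# Constructed samples. The Internet allow for SSH at 120 is shadowed by 105.
SAMPLE_NSG = {"name": "nsg-web", "properties": {
    "securityRules": [
        _rule("AllowSSHFromBastion", 100, "Allow", "10.0.1.0/24", "22"),
        _rule("DenySSHFromInternet", 105, "Deny", "0.0.0.0/0", "22"),
        _rule("AllowRDPAnywhere", 110, "Allow", "*", "3389"),
        _rule("AllowSSHInternet", 120, "Allow", "Internet", "22"),
        _rule("AllowWeb", 130, "Allow", "Internet", "443"),
    ],
    "defaultSecurityRules": [
        _rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
        _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ]}}
WIDE_OPEN_NSG = {"name": "nsg-test", "properties": {
    "securityRules": [_rule("AllowAll", 100, "Allow", "*", "*", "*")],
    "defaultSecurityRules": [_rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]}}

if __name__ == "__main__":
    for nsg in (SAMPLE_NSG, WIDE_OPEN_NSG):
        print(nsg["name"], nsg_findings(nsg) or "no findings")
```

For nsg-web only the RDP rule is reported: the SSH allow from Internet at priority 120 never takes effect because the Deny at 105 matches first. The "Missing NSG on subnet" row is a property of the subnet rather than of any rule set, so it is not modelled here.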
Setup
Create a Service Principal in Azure AD
Seenty requires read-only access to scan your Azure resources. Create a Service Principal (app registration) for this purpose:
- Sign in to the Azure Portal.
- Go to Azure Active Directory (now Microsoft Entra ID) > App registrations.
- Click New registration.
- Enter a name (e.g., "Seenty Scanner") and leave the redirect URI blank.
- Click Register.
- Note the Application (client) ID and Directory (tenant) ID from the overview page.
Create a client secret
- In the app registration, go to Certificates & secrets.
- Click New client secret.
- Enter a description (e.g., "Seenty") and choose an expiration period. The portal allows at most 24 months; a shorter lifetime limits how long a leaked secret stays usable.
- Click Add.
- Copy the Client Secret value immediately -- it is only displayed once.
The client secret value is only shown at creation time. If you navigate away without copying it, you will need to create a new secret.
Assign the Reader role
Grant the Service Principal read-only access to the resources you want to scan:
- Go to the Subscription you want Seenty to scan.
- Click Access control (IAM) > Add role assignment.
- Select the Reader role.
- In the Members tab, select User, group, or service principal and search for the app name you registered (e.g., "Seenty Scanner").
- Click Review + assign.
The Reader role provides read-only access to all resources in the subscription. Seenty cannot modify, create, or delete any resources. Reader is a control-plane role: it does not include data-plane rights such as listing storage account keys or reading blob contents. For tighter scoping, you can assign the Reader role at the resource group level instead, at the cost of coverage for resources outside those groups.
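Before pasting the credentials into Seenty, it is worth confirming from your own workstation that the service principal authenticates and that the role assignment landed where you intended. The script below is an added example written for this page, not Seenty's code; it uses only the Python standard library against the public Azure endpoints (login.microsoftonline.com and management.azure.com). It also lists Owner and Contributor assignments at broad scopes, which is the shape of the "Excessive role assignments" finding from the RBAC table. The tenant, client, secret and subscription values are command-line arguments; the role-assignment sample at the bottom is constructed so the evaluation logic can be exercised offline.

```python
"""Check that a service principal authenticates and holds Reader at the
subscription, using the Azure REST APIs directly.

Added example for this page, not Seenty's own code. Usage:
  python check_reader.py <tenant-id> <client-id> <client-secret> <subscription-id>
"""
import base64
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Built-in role definition GUIDs are identical in every Azure tenant.
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
ROLE_NAMES = {READER: "Reader", CONTRIBUTOR: "Contributor", OWNER: "Owner"}

# Root, management group, subscription or whole resource group: "broad" in the
# sense of the "Excessive role assignments" finding (individual resources are not).
BROAD_SCOPE = re.compile(
    r"^(/|/providers/microsoft\.management/managementgroups/[^/]+"
    r"|/subscriptions/[^/]+(/resourcegroups/[^/]+)?)$", re.I)


def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant scoped to Azure Resource Manager."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def token_object_id(access_token):
    """The 'oid' claim is the service principal's object ID, which is what role
    assignments reference (not the application/client ID). No signature check:
    the value only filters a listing we fetched ourselves."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["oid"]


def list_role_assignments(access_token, subscription_id):
    """All assignments applying within the subscription, inherited ones included."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def role_name(assignment):
    guid = assignment["properties"]["roleDefinitionId"].rsplit("/", 1)[-1].lower()
    return ROLE_NAMES.get(guid, "custom:" + guid)


def roles_for_principal(assignments, principal_oid):
    """Sorted role names the principal holds at any broad scope."""
    return sorted({role_name(a) for a in assignments
                   if a["properties"]["principalId"].lower() == principal_oid.lower()
                   and BROAD_SCOPE.match(a["properties"]["scope"])})


def excessive_assignments(assignments):
    """(principalId, role, scope) for Owner/Contributor at a broad scope."""
    return [(a["properties"]["principalId"], role_name(a), a["properties"]["scope"])
            for a in assignments
            if role_name(a) in ("Owner", "Contributor")
            and BROAD_SCOPE.match(a["properties"]["scope"])]


# Constructed sample response, trimmed to the fields the functions above read.
SUB = "00000000-0000-0000-0000-000000000001"
SCANNER_OID = "11111111-1111-1111-1111-111111111111"


def _assignment(principal_id, role_guid, scope):
    return {"properties": {"principalId": principal_id, "scope": scope,
            "roleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft."
                                f"Authorization/roleDefinitions/{role_guid}"}}


SAMPLE_ASSIGNMENTS = [
    _assignment(SCANNER_OID, READER, f"/subscriptions/{SUB}"),
    _assignment("22222222-2222-2222-2222-222222222222", CONTRIBUTOR, f"/subscriptions/{SUB}"),
    _assignment("33333333-3333-3333-3333-333333333333", OWNER,
                f"/subscriptions/{SUB}/resourceGroups/rg-sandbox"),
    _assignment("44444444-4444-4444-4444-444444444444", CONTRIBUTOR,
                f"/subscriptions/{SUB}/resourceGroups/rg-web/providers/Microsoft.Web/sites/api"),
]

if __name__ == "__main__":
    tenant, client, secret, subscription = sys.argv[1:5]
    token = get_token(tenant, client, secret)          # fails fast on a bad secret
    oid = token_object_id(token)
    try:
        assignments = list_role_assignments(token, subscription)
    except urllib.error.HTTPError as err:
        if err.code == 403:   # Reader granted only on a resource group cannot read subscription scope
            sys.exit("403: no role at subscription scope; re-check the assignment scope")
        raise
    roles = roles_for_principal(assignments, oid)
    print(f"service principal {oid} holds {roles or 'no role'} at a broad scope")
    if "Reader" not in roles:
        print("WARNING: Reader is not assigned at subscription or resource group scope")
    if set(roles) & {"Owner", "Contributor"}:
        print("WARNING: scanner is over-privileged; it needs only Reader")
    for principal, role, scope in excessive_assignments(assignments):
        print(f"broad {role} for {principal} at {scope}")
```

A successful run prints the principal's object ID with Reader in its role list; a 403 on the listing usually means the role was assigned at a resource group rather than the subscription, because Reader at a resource group cannot read role assignments at subscription scope. The fourth sample assignment (Contributor on a single web app) is deliberately not reported as excessive, since the finding in the table is about subscription and resource group scopes.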
Add the Azure account in Seenty
- Go to Assets > Cloud Accounts in the Seenty dashboard.
- Click Add Azure Account.
- Enter a friendly name for the account (e.g., "Production Azure").
- Enter the Tenant ID, Client ID, and Client Secret from the previous steps.
- Click Test Connection to verify that Seenty can authenticate with the provided credentials.
- Click Save.
Enable scanning
Once the account is added and the connection is verified, enable scanning. Seenty will run an initial scan immediately and schedule periodic scans going forward.
Managing scans
- Manual scan -- Trigger a scan at any time from the cloud account detail page by clicking Scan Now.
- Scheduled scans -- Seenty runs periodic scans automatically after the initial scan.
- Scan results -- Findings appear in Security Posture > Misconfigurations with the source labeled as Azure.
Credential security
Your Azure credentials are:
- Encrypted at rest -- The Tenant ID, Client ID, and Client Secret are encrypted before being stored.
- Never logged -- Credentials never appear in logs or error messages.
- Used only for scanning -- Seenty only performs read operations through the Reader role. No resources are modified.
Credential rotation
Azure client secrets have an expiration date. Before the secret expires:
- Create a new client secret in the Azure Portal (App registrations > Certificates & secrets).
- Update the Client Secret in Seenty from Assets > Cloud Accounts by editing the Azure account.
- Test the connection with the new secret.
- Delete the old client secret in the Azure Portal.
If your Azure client secret expires without being rotated, scans will fail. Set a calendar reminder to rotate the secret before its expiration date.
Troubleshooting
Connection test failing?
- Verify the Tenant ID, Client ID, and Client Secret are correct (no extra spaces or characters).
- Ensure the client secret has not expired.
- Check that the Service Principal has the Reader role assigned on the subscription or resource group you want to scan.
Missing findings?
- Seenty scans RBAC, Storage accounts, and NSG configurations. Other Azure services are not currently covered.
- Ensure the Reader role is assigned at the correct scope (subscription level for full coverage).
- The Reader role only covers Azure Resource Manager (subscriptions, role assignments, storage accounts, NSGs). Directory attributes such as MFA registration, sign-in activity, and guest status come from Microsoft Graph, which is governed by API permissions on the app registration (granted with admin consent), not by RBAC on the subscription. If only the user-centric RBAC findings are missing, verify that the app registration has the directory read permissions the scanner needs.
Scan showing stale results?
- Trigger a manual rescan from the cloud account page. Results reflect the state at the time of the most recent scan.
Permission errors during scan?
- Azure RBAC deny assignments (created by Azure Blueprints or managed applications, and listed under Access control (IAM) > Deny assignments) take precedence over the Reader role and can block specific read operations. Check the subscription for deny assignments or contact your Azure administrator.