
About the Azure integration

Comp AI connects to Microsoft Azure to pull security posture, identity, network, and compliance data from Microsoft Defender for Cloud and related services. All access is read-only. The recommended connection method is Microsoft OAuth: you sign in with a Microsoft Entra ID (formerly Azure AD) account that holds the required roles on the target subscription, and Comp AI auto-detects the subscriptions that account can reach. A service principal flow is also supported for customers who prefer to provision a dedicated, non-human identity.
Comp AI only issues read (GET/list) calls against the Azure APIs. It does not create, modify, or delete Azure resources, even when the connected identity holds write permissions. Treat that read-only behaviour as a product guarantee rather than a substitute for least privilege: assign only the three reader roles listed below, so that Azure RBAC itself would reject a write call regardless of what the client does.

How access works

  • Primary flow: OAuth 2.0 against login.microsoftonline.com, requesting the user_impersonation scope of the Azure Resource Manager API (https://management.azure.com/user_impersonation). Comp AI acts on behalf of the signed-in user, so its effective permissions are the intersection of that delegated scope and the user's Azure RBAC assignments; the scope by itself grants nothing the user cannot already read.
  • Alternative flow: a Microsoft Entra ID app registration (service principal) authenticating with a client secret (OAuth 2.0 client credentials), assigned the required roles on the subscription.
  • Scope: one Azure subscription per connection. Connect additional subscriptions by adding more connections; a connection never reads outside the subscription it was created for.

Prerequisites

Before connecting Azure, make sure you have:
  1. An Azure subscription you want to monitor
  2. A user (or service principal) with the following roles on that subscription:
    • Reader: read resource metadata across the subscription
    • Security Reader: read Microsoft Defender for Cloud recommendations (assessments) and alerts
    • Monitoring Reader: read Azure Monitor data such as activity logs, alerts, metrics, and diagnostic settings
  3. Microsoft Defender for Cloud enabled on the subscription (the free tier, foundational CSPM, is sufficient for most checks; some services need paid Defender plans, see Troubleshooting)
  4. Admin access to your Comp AI workspace

Connect with Microsoft OAuth (recommended)

1. Start the connection

In Comp AI, go to Cloud Tests → Azure → Connect. Click Sign in with Microsoft.

2. Consent to the requested scopes

Sign in with an Azure AD account that has the roles listed above on the target subscription. Approve the consent screen.

3. Verify the detected subscription

Comp AI automatically detects the subscriptions your account can access. The setup guide then runs checks for:
  • Subscription detected
  • Required role assignments
  • Defender for Cloud enabled
Any blocking issue is shown with a link to the exact Azure portal blade to fix it.

4. Run your first scan

When all required steps pass, the first scan starts automatically. You can re-run it any time from the connection’s page.
Microsoft OAuth inherits the RBAC roles of the signed-in account. Reader + Security Reader + Monitoring Reader is sufficient; Contributor or Owner is neither required nor recommended, since it widens the blast radius of the account without enabling any additional check.

Connect with a service principal (alternative)

Use this flow if you want a dedicated non-human identity or your tenant restricts user OAuth consent.

1. Register an app in Microsoft Entra ID

In the Azure portal, go to Microsoft Entra ID → App registrations → New registration. Name it something like comp-security-audit, keep the default of "Accounts in this organizational directory only" (single tenant), and register. No redirect URI is needed: the client-credentials flow used by a service principal does not redirect a browser.

2. Create a client secret

In the app, open Certificates & secrets → New client secret. Choose an expiry you can track (the portal offers fixed terms from 90 days up to 24 months) and record the date: once the secret lapses, Comp AI can no longer authenticate until you create a new secret and update the connection. Copy the secret value immediately, as it is only shown once.

3. Assign the three required roles

Open your target subscription, go to Access control (IAM) → Add role assignment, and assign each of these roles to the app registration at subscription scope (not on an individual resource group, or parts of the subscription will be invisible to the scan):
  • Reader
  • Security Reader
  • Monitoring Reader
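Whether you went through the OAuth or the service principal flow, the prerequisite is the same: the identity must hold exactly Reader, Security Reader and Monitoring Reader at subscription (or broader) scope. The following added example, which is not Comp AI's own code, checks that against the JSON emitted by the Azure CLI command `az role assignment list --assignee <objectId-or-appId> --scope /subscriptions/<subscriptionId> --include-inherited -o json`. It goes a little beyond the page by also treating a management-group or root-scope assignment as sufficient, rejecting an assignment that only covers a resource group, and flagging Owner/Contributor as over-privileged. The embedded sample output is constructed, not captured from a real tenant.

```python
"""Check that an identity holds the three reader roles Comp AI needs on a subscription.

Added example, not Comp AI's own code. Feed it the JSON produced by:

    az role assignment list --assignee <objectId-or-appId> \
        --scope /subscriptions/<subscriptionId> --include-inherited -o json

Usage:  python3 check_roles.py <subscriptionId> < assignments.json
With no arguments it runs against the constructed sample below.
"""
import json
import sys

REQUIRED_ROLES = {"Reader", "Security Reader", "Monitoring Reader"}
# Roles that imply read access but far exceed what a read-only integration needs.
OVERPRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def scope_covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment at `scope` applies to the whole subscription.

    The subscription itself, the tenant root ("/") and any management group
    count, because RBAC inherits downwards. A resource-group or resource
    scope does not: it would leave the rest of the subscription unreadable.
    """
    scope = scope.rstrip("/") or "/"
    if scope == "/" or scope.startswith(MG_PREFIX):
        return True
    return scope.lower() == f"/subscriptions/{subscription_id}".lower()


def check_role_assignments(assignments_json: str, subscription_id: str) -> dict:
    """Report present/missing required roles and any over-privileged roles."""
    present, excess = set(), set()
    for a in json.loads(assignments_json):
        role = a.get("roleDefinitionName", "")
        if not scope_covers_subscription(a.get("scope", ""), subscription_id):
            continue  # e.g. Reader on a single resource group: not good enough
        if role in REQUIRED_ROLES:
            present.add(role)
        elif role in OVERPRIVILEGED_ROLES:
            excess.add(role)
    return {
        "present": sorted(present),
        "missing": sorted(REQUIRED_ROLES - present),
        "overprivileged": sorted(excess),
        "ok": present == REQUIRED_ROLES and not excess,
    }


# Constructed sample: a hypothetical subscription and a plausible
# `az role assignment list` result for the comp-security-audit principal.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Security Reader",          # inherited from a management group
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Monitoring Reader",        # too narrow: one resource group only
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-logs",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Contributor",              # not needed for a read-only scan
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "principalType": "ServicePrincipal"},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_role_assignments(sys.stdin.read(), sys.argv[1])
    else:
        result = check_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

On the sample the script reports Monitoring Reader as missing (its only assignment is on a resource group) and Contributor as over-privileged, which is exactly the combination the setup checks in step 3 would refuse and the one you should fix before saving the connection.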

4. Collect the four IDs

From the Azure portal, copy:
  • Tenant ID — Microsoft Entra ID → Overview (also shown as "Directory (tenant) ID" on the app registration's Overview)
  • Client ID — App registration → Overview, labelled "Application (client) ID"
  • Client Secret — the value from the previous step
  • Subscription ID — Subscriptions → your subscription

5. Paste into Comp AI

In the Azure connection form, switch to the service principal option and paste the four values. Click Save and Connect.

What gets scanned

The Azure integration evaluates findings across the following areas and services:
  • Posture: Microsoft Defender for Cloud (assessments + alerts)
  • Identity: Microsoft Entra ID
  • Governance: Azure Policy
  • Data security: Key Vault, Storage Accounts, SQL Database, Cosmos DB
  • Compute: Virtual Machines, App Service, AKS, Container Registry
  • Network: Network Watcher (NSGs, flow logs)
  • Observability: Azure Monitor (activity logs, diagnostic settings)
The Services tab inside the connection lets you enable or disable specific checks.

Compliance frameworks

Findings are mapped to the controls used by:
  • Microsoft Cloud Security Benchmark
  • SOC 2
  • ISO 27001
  • PCI DSS
  • HIPAA (where applicable)

Security model

  • Read-only — Comp AI makes no write calls, regardless of the roles you assign
  • Scoped to one subscription per connection — a connection cannot read data outside the subscription it was created for
  • Secrets stay encrypted — client secrets and refresh tokens are stored in an encrypted vault and never returned to the UI
  • Revocable at any time — remove the role assignments in the Azure portal, or delete the connection in Comp AI

Troubleshooting

No Defender data yet: Defender for Cloud must be enabled on the subscription. Open the Microsoft Defender for Cloud blade, select the subscription, and confirm at least the free tier is turned on. Initial data can take up to 24 hours to appear.
Authentication or permission errors: for OAuth, make sure your account still has the three required roles on the subscription; the user_impersonation scope alone is not enough, because it only delegates what the user can already read. For a service principal, confirm the client secret has not expired and the service principal has not been disabled.
Subscription not detected: Comp AI only sees subscriptions your signed-in account has access to. If you manage multiple subscriptions, sign in with an account that has Reader on the one you want to monitor, or use the service principal flow to target it explicitly.
A service shows no findings: check that the service is enabled under the Services tab for this connection. Some services also require Defender plans beyond the free tier, for example Defender for Servers, Defender for SQL, or Defender for Containers.
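The two service principal failure modes above, an expired client secret and a disabled principal, are both visible from the Azure CLI before they surface as a failed scan. The following added example, which is not Comp AI's own code, reads the JSON from `az ad app credential list --id <clientId> -o json` (password credentials with their `endDateTime`) and `az ad sp show --id <clientId> -o json` (the `accountEnabled` flag) and produces a short list of problems, warning about secrets that expire within the next 30 days so they can be rotated in Comp AI in time. The embedded credential and service principal records, the `comp-ai-...` secret names and the fixed "now" are constructed for the demonstration.

```python
"""Diagnose a Comp AI service principal: expired/expiring secrets, disabled account.

Added example, not Comp AI's own code. Inputs mirror the JSON returned by:

    az ad app credential list --id <clientId> -o json   # password credentials
    az ad sp show --id <clientId> -o json               # includes accountEnabled

Usage: python3 sp_health.py creds.json sp.json   (or no arguments for the sample)
"""
import json
import sys
from datetime import datetime, timedelta, timezone

WARN_WITHIN = timedelta(days=30)  # assumption: rotate secrets with a 30-day lead


def _parse_graph_time(value: str) -> datetime:
    # Microsoft Graph emits e.g. "2026-01-31T10:15:00Z"; pre-3.11 Pythons
    # reject the trailing 'Z', so normalise it to an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_status(credentials_json: str, now: datetime = None) -> dict:
    """Bucket each password credential as valid, expiring (within WARN_WITHIN) or expired."""
    now = now or datetime.now(timezone.utc)
    report = {"valid": [], "expiring": [], "expired": []}
    for cred in json.loads(credentials_json):
        end = _parse_graph_time(cred["endDateTime"])
        label = cred.get("displayName") or cred.get("keyId", "?")
        if end <= now:
            report["expired"].append(label)
        elif end - now <= WARN_WITHIN:
            report["expiring"].append(label)
        else:
            report["valid"].append(label)
    return report


def sp_enabled(sp_json: str) -> bool:
    """A disabled principal cannot obtain tokens even with a valid secret."""
    return bool(json.loads(sp_json).get("accountEnabled", False))


def diagnose(credentials_json: str, sp_json: str, now: datetime = None) -> list:
    """Return human-readable problems; an empty list means the principal looks healthy."""
    problems = []
    if not sp_enabled(sp_json):
        problems.append("service principal is disabled (accountEnabled=false)")
    status = credential_status(credentials_json, now)
    if not status["valid"] and not status["expiring"]:
        problems.append("no unexpired client secret: create one and update the connection")
    for name in status["expiring"]:
        problems.append(f"secret '{name}' expires within 30 days: rotate it in Comp AI")
    return problems


# Constructed sample data and a fixed clock so the result is reproducible.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "comp-ai-2024", "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    {"displayName": "comp-ai-2025", "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2024-12-12T00:00:00Z", "endDateTime": "2025-06-11T00:00:00Z"},
])
SAMPLE_SP_ENABLED = json.dumps({"appDisplayName": "comp-security-audit", "accountEnabled": True})
SAMPLE_SP_DISABLED = json.dumps({"appDisplayName": "comp-security-audit", "accountEnabled": False})

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_creds, open(sys.argv[2]) as f_sp:
            problems = diagnose(f_creds.read(), f_sp.read())
    else:
        problems = diagnose(SAMPLE_CREDENTIALS, SAMPLE_SP_ENABLED, FIXED_NOW)
    print("\n".join(problems) if problems else "service principal looks healthy")
    sys.exit(1 if problems else 0)
```

On the sample, the 2024 secret is already expired and the 2025 secret has ten days left, so the only finding is a rotation warning; swapping in the disabled principal record adds the `accountEnabled=false` problem ahead of it, which is the case to check first when a previously working connection suddenly fails to authenticate.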

Support

  1. Email support@trycomp.ai
  2. Join our Discord community