Configure Azure for a Compliance Audit

Register Application: Key

Create Application Client Secret

Click your registered application in Microsoft Entra ID > App Registrations.
Click Certificates and Secrets.
Click + New client secret.
Give the secret a name and click Add.

Tip Copy the secret somewhere safe for use in authenticating during a scan.

Assign the Application to the Reader Role

Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.
Add the Reader role to the application you previously created for scanning.
Select Reader from the Role drop-down menu.
Assign access to User, Group, or Service Principal.
In the Select field, type the name of your created application.
Select the application.
Click Save.

Create Microsoft Entra ID User Account

Create a new user to scan in the Microsoft Entra ID. See the Microsoft Azure documentation for steps to add a new user.

Assign User the Reader Role

Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.
Add the Reader role to the user account you created for scanning.

Register Application: Password

Click on Microsoft Entra ID > App registrations.
Click New Registrations application.
Give the application a name.
Choose the supported account types for your environment.
Click Register.
Click Authentication.
Choose Yes for Default Client Type/Treat application as a public client.

Register Application: Certificate

Generate a Certificate

Execute the following PowerShell commands, replacing the appropriate values:

$certname = "{certificateName}" ## Replace {certificateName}
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation

"Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

-KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-Certificate -Cert $cert -FilePath

"C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location

Add Certificate

Click your registered application in Microsoft Entra ID > App Registrations.
Click Certificates and Secrets.
Click Certificates.
Click Upload certificate.
Select the certificate file you exported.
Give the certificate a description and click Add.

Assign the Application to the Reader Role

Click Subscriptions > Your Subscription > Access Control (IAM) > Role Assignments > + Add.
Add the Reader role to the application you previously created for scanning.
Select Reader from the Role drop-down menu.
Assign access to User, Group, or Service Principal.
In the Select field, type the name of your created application..
Select the application.
Click Save.

Assign API Permissions

Click your registered application in Microsoft Entra ID > App Registrations > Your Application > API Permissions.
Select Microsoft Graph.

Note: If adding permissions for Key Authentication, then select Application permissions. If adding permissions for Password Authentication, then select Delegated permissions.
In the Configured permissions section, click Add a permission.
Add the following permissions:
- Azure Service Management — user_impersonation
- Microsoft Graph — Calendars.Read
- Microsoft Graph — DeviceManagementApps.Read.All
- Microsoft Graph — DeviceManagementConfiguration.Read.All
- Microsoft Graph — Directory.Read.All
- Microsoft Graph — Policy.Read.All
- Microsoft Graph — Reports.Read.All
- Microsoft Graph — User.Read.All
Scanning Microsoft 365 environment:
- Microsoft Graph — SecurityEvents.Read.All
Scanning Microsoft Intune:
- Microsoft Graph — DeviceManagementApps.Read.All
- Microsoft Graph — DeviceManagementManagedDevices.Read.All
Click Grant admin consent.
Click Add permissions.