Microsoft Azure
Connect a Service Principal with at least Reader on the subscriptions you want VinTekh to see. Read-only — VinTekh never writes.
Connect with Service Principal
Auth mode: ServicePrincipal
What you'll need
Tenant ID — Microsoft Entra ID directory id.
Client ID — App Registration Application (client) ID.
Client Secret — secret value (not its ID).
Reader role on each subscription you want to scan.
One-line bootstrap
Run once in Cloud Shell. The command prints appId, password and tenant; copy the password immediately, it is shown only once:

```bash
SUB=$(az account show --query id -o tsv)
az ad sp create-for-rbac \
  --display-name VinTekh-Reader \
  --role Reader \
  --scopes /subscriptions/$SUB
```
Step-by-step: connect Azure with one read-only Service Principal
One subscription-scoped SP powers inventory, dependencies, change events and RBAC. Add Security Reader for Defender findings. VinTekh is strictly read-only — never Owner, Contributor, or any data-plane role.
| Collector | Minimum role | Note |
|---|---|---|
| Inventory & dependencies (Resource Graph) | Reader | Resource Graph + resource properties → NSG/NIC/VM/Private-Endpoint/peering edges. |
| Change events (Activity Log) | Reader | Reader grants */read, which includes Microsoft.Insights/eventtypes/values/read (Activity-Log reads). |
| Identity & RBAC (role assignments) | Reader | Reader includes Microsoft.Authorization/*/read — assignments + definition names. |
| Defender for Cloud findings | Security Reader | Needs Microsoft.Security/*/read; Defender for Cloud must be enabled on the subscription. |
| Subscription discovery | Reader (per subscription) | The SP only lists subscriptions where it holds at least Reader. |
Where to get each value
- Tenant ID — Microsoft Entra ID → Overview → Tenant ID (or `az account show --query tenantId -o tsv`).
- Application (client) ID — App registrations → your app → Overview. The appId, not the Object ID.
- Client secret — App → Certificates & secrets → New client secret → copy the Value (shown once).
Azure Portal — click-through
- Microsoft Entra ID → App registrations → New registration. Name it (e.g. vintekh-reader), single tenant, no redirect URI, Register.
- On the app Overview, copy the Application (client) ID and the Directory (tenant) ID.
- Certificates & secrets → Client secrets → New client secret. Set an expiry, Add, then copy the VALUE column immediately (not the Secret ID — the Value is shown only once).
- Subscriptions → [your subscription] → Access control (IAM) → Add role assignment → Reader → select your app → Review + assign.
- (For Defender findings) Repeat the role assignment with Security Reader on the same subscription.
- Repeat the role assignments on every other subscription you want VinTekh to read.
- Back in VinTekh: paste Tenant ID, Application (client) ID, and the secret Value, pick your collectors, Save & start discovery.
Azure CLI / Cloud Shell

```bash
SUB=$(az account show --query id -o tsv)

# Create the SP and assign Reader at subscription scope.
# Prints appId, password and tenant; copy the password now, it is shown once.
az ad sp create-for-rbac --display-name vintekh-reader --role Reader \
  --scopes /subscriptions/$SUB --years 2
APP_ID=<appId-from-output>

# Add Security Reader for Defender findings.
az role assignment create --assignee $APP_ID --role "Security Reader" \
  --scope /subscriptions/$SUB

# Tenant ID (the third value VinTekh needs):
az account show --query tenantId -o tsv

# Lost the secret? Reset it (the old secret stops working):
az ad sp credential reset --id $APP_ID --years 2 --query password -o tsv
```
PowerShell (Az module)

```powershell
$sub = (Get-AzContext).Subscription.Id
$sp = New-AzADServicePrincipal -DisplayName 'vintekh-reader' -Role 'Reader' -Scope "/subscriptions/$sub"

$sp.PasswordCredentials.SecretText   # the Client secret — paste into VinTekh
$sp.AppId                            # the Application (client) ID

New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Security Reader' -Scope "/subscriptions/$sub"

(Get-AzContext).Tenant.Id            # the Tenant ID
```
What works with Reader only vs needs more
Reader only
- All resource inventory across the subscription (Resource Graph).
- Dependency / topology edges (NSG↔subnet, NIC↔subnet, VM↔NIC, Private-Endpoint↔target, VNet peering).
- Activity-Log change events (who changed what, recent administrative actions).
- RBAC role assignments at subscription scope and below, privileged roles flagged.
- Subscription discovery for every subscription where the SP holds Reader.
Requires more than Reader
- Defender for Cloud findings → add Security Reader (subscription scope) + Defender for Cloud enabled.
- Multiple subscriptions → assign Reader (and Security Reader) on each; one assignment does not span subscriptions.
- Management-group-wide reach → assign Reader at the management group scope instead of per subscription.
- Log Analytics / Microsoft Sentinel data → NOT this SP; those are workspace-scoped, configured as separate connectors (Log Analytics Reader / Sentinel Reader on the workspace).
- Entra ID directory objects (users/groups/app registrations beyond RBAC principals) → needs Microsoft Graph permissions; out of scope for this connector.
- Data-plane content (blob bytes, SQL rows, Key Vault secret values) → never read by VinTekh; intentionally not requested.
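As an added example (not VinTekh's or Microsoft's own code), the following Python audits the role assignments the connector SP actually holds against the rules above: only Reader and Security Reader, only at subscription or management-group scope, and Security Reader never without Reader. It is written to consume the JSON that `az role assignment list --assignee <appId> --all -o json` prints (only the `roleDefinitionName` and `scope` fields are used); the sample embedded below is constructed to look like that output, with made-up subscription IDs. Inheritance from a management-group assignment down to subscriptions is not resolved here, so a Reader at management-group scope plus Security Reader at subscription scope would be reported as NOREADER; treat that as an assumption of this script, not of Azure RBAC.

```python
import json
import re

# Roles the connector is allowed to hold (see the collector table above).
ALLOWED_ROLES = {"Reader", "Security Reader"}

# Scopes at which an assignment lets the SP see a whole subscription:
# the subscription itself, or a management group above it (inherited).
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
MANAGEMENT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)

# Constructed sample shaped like `az role assignment list --assignee <appId> --all -o json`
# (only the fields used here). The subscription IDs are made up.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/33333333-3333-3333-3333-333333333333",
   "principalType": "ServicePrincipal"}
]
""")


def audit_assignments(assignments):
    """Check role assignments against the connector's least-privilege rules.

    Returns (findings, inventory_scopes, defender_scopes). findings is a list of
    (kind, role, scope) tuples:
      EXCESS   - a role other than Reader / Security Reader (write or data-plane risk)
      SCOPE    - an allowed role assigned below subscription scope (0 subscriptions found)
      NOREADER - Security Reader at a scope that has no Reader (findings but no inventory)
    inventory_scopes are scopes where Reader is held; defender_scopes where both are.
    """
    findings = []
    reader_scopes, security_scopes = set(), set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in ALLOWED_ROLES:
            findings.append(("EXCESS", role, scope))
            continue
        if not (SUBSCRIPTION_SCOPE.match(scope) or MANAGEMENT_GROUP_SCOPE.match(scope)):
            findings.append(("SCOPE", role, scope))
            continue
        (reader_scopes if role == "Reader" else security_scopes).add(scope.lower())
    # Management-group inheritance is not resolved (assumption of this script).
    for scope in sorted(security_scopes - reader_scopes):
        findings.append(("NOREADER", "Security Reader", scope))
    return findings, sorted(reader_scopes), sorted(reader_scopes & security_scopes)


def main():
    findings, inventory, defender = audit_assignments(SAMPLE_ASSIGNMENTS)
    for kind, role, scope in findings:
        print(f"{kind:8} {role} @ {scope}")
    print("inventory + RBAC + change events on:", inventory)
    print("Defender findings on:", defender)


if __name__ == "__main__":
    main()
```

On the sample, the resource-group assignment is reported as SCOPE (the SP will discover zero subscriptions there) and the Contributor assignment as EXCESS (it must be removed; VinTekh never needs it); only the first subscription is fully covered.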
Troubleshooting
- Auth fails immediately / AADSTS7000215 'Invalid client secret': you pasted the secret's ID, not its Value. Create a New client secret and copy the VALUE column (shown only once).
- Defender findings empty / 'insufficientPrivileges' on Microsoft.Security: the SP is missing Security Reader. Assign it at subscription scope and confirm Defender for Cloud is enabled.
- 0 subscriptions / 0 resources discovered: the SP has no role at subscription scope (or it was assigned on a resource group). Assign Reader on the subscription itself; new assignments can take a few minutes to propagate.
- AADSTS700016 / AADSTS90002 (app or tenant not found): wrong Tenant ID, or the app is in a different directory. Copy the Directory (tenant) ID from the same app's Overview; all three values must come from one tenant.
- Used the wrong client identifier: VinTekh needs the Application (client) ID (appId) from the app Overview, not the app Object ID and not the SP object id.
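Most of the failures above are paste mistakes that can be caught before the first sign-in attempt. As an added example (not part of the VinTekh connector), this Python pre-flight check applies the troubleshooting rules to the three values: tenant and client IDs must be GUIDs and must differ from each other, and the secret must be its Value, not its Secret ID (Entra shows the Secret ID as a GUID, while the Value is a long random string). A shape check cannot tell the Application (client) ID from the app Object ID, since both are GUIDs; that mix-up only surfaces at sign-in as AADSTS700016. The sample values are made up, and the minimum secret length is an assumption of this script, not an Entra rule.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Assumed threshold: Entra-issued secret Values are long random strings, so anything
# much shorter is almost certainly a truncated paste.
MIN_SECRET_LEN = 20


def check_credentials(tenant_id, client_id, client_secret):
    """Return a list of problems with the connector's three values.

    An empty list means the values at least have the right shape; it does not
    prove they are valid (that still needs a sign-in).
    """
    problems = []
    tenant_id, client_id, client_secret = (v.strip() for v in (tenant_id, client_id, client_secret))

    if not GUID.match(tenant_id):
        problems.append("Tenant ID is not a GUID; copy the Directory (tenant) ID from the app Overview")
    if not GUID.match(client_id):
        problems.append("Application (client) ID is not a GUID; copy the appId from the app Overview")
    if GUID.match(tenant_id) and tenant_id.lower() == client_id.lower():
        problems.append("Tenant ID and Application (client) ID are the same value; one of them was pasted twice")

    if GUID.match(client_secret):
        # Secret IDs are GUIDs; Values are not. This is the AADSTS7000215 case.
        problems.append("Client secret is a GUID, i.e. the Secret ID, not its Value "
                        "(sign-in would fail with AADSTS7000215); create a new secret and copy the Value")
    elif re.search(r"\s", client_secret):
        problems.append("Client secret contains whitespace; it was probably pasted across a line break")
    elif len(client_secret) < MIN_SECRET_LEN:
        problems.append("Client secret is too short to be a Value; the Value is shown once at creation")
    return problems


def main():
    # Made-up sample values: a tenant, an app, and a secret Value vs. a secret ID.
    tenant = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    app = "11111111-2222-3333-4444-555555555555"
    secret_value = "Abc~8Q~example.secret_value-1234567890xyz"
    secret_id = "99999999-8888-7777-6666-555555555555"
    for label, triple in (("value", (tenant, app, secret_value)),
                          ("secret id", (tenant, app, secret_id)),
                          ("tenant twice", (tenant, tenant, secret_value))):
        print(label, "->", check_credentials(*triple) or "ok")


if __name__ == "__main__":
    main()
```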