In your operating environment, it may not be desirable to allow Workload Security
to access Azure resources with an account that has both the Global Administrator role
for the Microsoft Entra ID and the Subscription Owner role for the Azure subscription.
As an alternative, you can create an Azure application for Workload Security that
provides read-only access to Azure resources.
If you have multiple Azure subscriptions, you can create a single Workload Security
Azure application for all of them, as long as the subscriptions all connect to the
same Microsoft Entra ID.
To create an Azure application:
Procedure
Assign the correct roles
To create an Azure application, your account must have the User Administrator
role for the Microsoft Entra ID and the User Access Administrator role for the
Azure subscription. Assign these roles to your Azure account before
proceeding.
Create the Azure application
Procedure
- In the Microsoft Entra ID blade, click App registrations.
- Click New registration.
- Enter a Name (for example, Workload Security Azure Connector).
- For the Supported account types, select Accounts in this organizational directory only.
- Click Register. The Azure app appears in the App registrations list with the Name you chose in Step 3.
Record the Azure application ID, Microsoft Entra ID, and password
Procedure
- In the App registrations list, select the Azure application.
Note
The Azure application displays with the Name you chose for it in Step 3 of the Create the Azure app procedure.
- Record the Application (client) ID.
- Record the Directory (tenant) ID.
- Click Certificates & secrets.
- Click New client secret.
- Enter a Description for the client secret.
- Select an appropriate Duration. The client secret expires after this time.
- Click Add. The client secret Value appears.
- Record the client secret Value. This will be used as the
Application Password when registering the Azure app with Workload
Security.
WARNING
The client secret Value only appears once, so record it now. If you do not, you will have to regenerate it to obtain a new Value. If the client secret Value expires, you must regenerate it and update it in the associated Azure accounts.
Record the Subscription IDs
Procedure
- On the left, go to All Services and click Subscriptions.
Note
If Subscriptions does not appear on the left, use the search box at the top to find it. A list of subscriptions appears.
- Record the Subscription ID of each subscription you want to associate with the Azure application. You will need the IDs later, when adding the Azure accounts to Workload Security.
What to do next
Assign the Azure application a role and connector
Procedure
- Under All Services > Subscriptions, click a subscription that you want to associate with the Azure application.
Note
You can associate another subscription with the Azure application later if you want to.
- Click Access Control (IAM).
- In the main pane, click Add and then select Add Role Assignment from the menu.
- Under Role, enter Reader and then click the Reader role that appears.
- Under Assign access to, select User, user group, or service principal.
- Under Select members, enter the Azure app Name (for example, Workload Security Azure Connector). The Azure application appears with the Name you chose for it in Step 3 of the Create the Azure app procedure.
- Click Save.
- If you want to associate the Azure application with another subscription, repeat this procedure (Assign the Azure app a role and connector) for that subscription.
You can now configure Workload Security to add Azure virtual machines by following the instructions in Add a Microsoft Azure account to Workload Security.