In your operating environment, it may not be desirable to allow Server & Workload Protection to access Azure resources with an account that holds both the Global Administrator role in Microsoft Entra ID and the Owner role on the Azure subscription. As a least-privilege alternative, you can create an Azure app for Server & Workload Protection that grants only read-only access to Azure resources.
Tip
If you have multiple Azure subscriptions, you can create a single Server & Workload Protection Azure app for all of them, as long as the subscriptions all belong to the same Active Directory (Microsoft Entra ID) tenant. Details are in the instructions below.
To create an Azure app, you will need to:

Procedure

  1. Assign the correct roles.
  2. Create the Azure app.
  3. Record the Azure app ID, Active Directory ID, and password.
  4. Record the Subscription ID(s).
  5. Assign the Azure app a role and connector.

Assign the correct roles

To create an Azure app, your account must have the User Administrator role for the Microsoft Entra ID and the User Access Administrator role for the Azure subscription. Assign these roles to your Azure account before proceeding.

Create the Azure app

Procedure

  1. In the Microsoft Entra ID blade, click App registrations.
  2. Click New registration.
  3. Enter a Name (for example, Server & Workload Protection Azure Connector).
  4. For the Supported account types, select Accounts in this organizational directory only.
  5. Click Register. The Azure app appears in the App registrations list with the Name you chose in Step 3 (above).

Record the Azure app ID, Active Directory ID, and password

Procedure

  1. In the App registrations list, click the Azure app.
    Note
    The Azure app will display with the Name you chose for it in Step 3 of the Create the Azure app procedure.
  2. Record the Application (client) ID.
  3. Record the Directory (tenant) ID.
  4. Click Certificates & secrets.
  5. Click New client secret.
  6. Enter a Description for the client secret.
  7. Select an appropriate Duration. The client secret expires after this time.
  8. Click Add. The client secret Value appears.
  9. Record the client secret Value. This will be used as the Application Password when registering the Azure app with Server & Workload Protection.

What to do next

WARNING
The client secret Value only appears once, so record it now. If you do not, you must regenerate it to obtain a new Value.
Note
If the client secret Value expires, you must regenerate it and update the Application Password in each Azure account that uses it in Server & Workload Protection.

Record the Subscription ID(s)

Procedure

  1. On the left, go to All Services and click Subscriptions.
    Note
    If Subscriptions does not appear on the left, use the search box at the top of the screen to find it.
    A list of subscriptions appears.
  2. Record the Subscription ID of each subscription you want to associate with the Azure app. You will need the ID(s) later, when adding the Azure account(s) to Server & Workload Protection.

Assign the Azure app a role and connector

Procedure

  1. Under All Services > Subscriptions, click a subscription that you want to associate with the Azure app.
    Note
    You can associate another subscription with the Azure app later if you want to.
  2. Click Access Control (IAM).
  3. In the main pane, click Add and then select Add Role Assignment from the drop-down menu.
  4. Under Role, enter Reader and then click the Reader role that appears.
  5. Under Assign access to, select User, user group, or service principal.
  6. Under Select members, enter the Azure app Name (for example, Server & Workload Protection Azure Connector). The Azure app appears with the Name you chose for it in Step 3 of the Create the Azure app procedure.
  7. Click Save.
  8. If you want to associate the Azure app to another subscription, repeat this procedure (Assign the Azure app a role and connector) for that subscription.
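The same result as the portal procedures above (create the app registration, generate a client secret, assign only the Reader role on each subscription) can be produced with the Azure CLI, which is also useful when you need to repeat it for many subscriptions. The following script is an added example, not Trend Micro's or Microsoft's own tooling; it assumes the `az` CLI is installed and signed in with an account holding the roles named under "Assign the correct roles", and the app name, secret lifetime and subscription IDs are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not part of the Server & Workload Protection product): creates the
# read-only Azure app with the Azure CLI instead of the portal.
# Assumptions: "az" is installed and logged in; APP_NAME and SECRET_YEARS are placeholders.

APP_NAME="Server & Workload Protection Azure Connector"   # same example name as the portal steps
SECRET_YEARS=1                                            # client secret lifetime ("Duration" in the portal)

# True when the argument looks like an Azure GUID (app, tenant and subscription IDs all are).
is_guid() {
    printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Build the ARM scope for a subscription-level role assignment; fails on a malformed ID
# so a typo cannot silently turn into an assignment at the wrong scope.
subscription_scope() {
    is_guid "$1" || { echo "not a subscription ID: $1" >&2; return 1; }
    printf '/subscriptions/%s\n' "$1"
}

# Succeeds only when the app holds exactly the Reader role at the subscription scope,
# which is the least-privilege outcome the portal procedure is meant to produce.
assert_reader_only() {   # $1 = Application (client) ID, $2 = Subscription ID
    roles=$(az role assignment list --assignee "$1" --scope "$(subscription_scope "$2")" \
            --query "[].roleDefinitionName" -o tsv | sort -u)
    [ "$roles" = "Reader" ]
}

# Steps 2 to 5 of the procedure. Prints the values the connector registration needs,
# including the client secret, which is shown only once (same caveat as the portal).
create_connector_app() {   # $@ = one or more Subscription IDs
    # "AzureADMyOrg" is the CLI name for "Accounts in this organizational directory only".
    app_id=$(az ad app create --display-name "$APP_NAME" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)
    # A service principal is what actually receives role assignments; the portal creates it implicitly.
    sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)
    tenant_id=$(az account show --query tenantId -o tsv)
    secret=$(az ad app credential reset --id "$app_id" --years "$SECRET_YEARS" \
             --query password -o tsv)

    for sub in "$@"; do
        scope=$(subscription_scope "$sub") || return 1
        # Assigning by object ID plus principal type avoids the directory replication delay
        # that makes a freshly created service principal "not found" for a short while.
        az role assignment create --role Reader --scope "$scope" \
            --assignee-object-id "$sp_object_id" --assignee-principal-type ServicePrincipal >/dev/null
        assert_reader_only "$app_id" "$sub" || { echo "unexpected roles on $sub" >&2; return 1; }
    done

    echo "Application (client) ID: $app_id"
    echo "Directory (tenant) ID:   $tenant_id"
    echo "Application Password:    $secret"      # record it now; it cannot be retrieved later
    echo "Subscription ID(s):      $*"
}

# Only call Azure when explicitly asked, so the helper functions can be sourced and checked offline.
if [ "${1:-}" = "--apply" ]; then
    shift
    create_connector_app "$@"
fi
```

Run it as `sh create-connector-app.sh --apply <subscription-id> [<subscription-id> ...]`; the printed Application (client) ID, Directory (tenant) ID and Application Password are the three values the next topic asks for. The single command `az ad sp create-for-rbac --role Reader --scopes /subscriptions/<id>` collapses the same work into one step, but the expanded form above mirrors the portal procedure step by step and ends with an explicit check that Reader is the only role the app holds on each subscription.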

What to do next

You can now configure Server & Workload Protection to add Azure virtual machines by following the instructions in Add a Microsoft Azure account to Server & Workload Protection.