
Security Center: Onboard Azure assets

Last Updated:Jan 30, 2026

Onboard your Azure cloud assets to Security Center to unify asset inventory across clouds, scan for configuration risks (CSPM), and enable automated security responses. This solution uses Azure application credentials to securely read and synchronize asset information, building a unified multicloud security view.

How it works

  1. Register an application in Azure and create a service principal as the access credential.

  2. Security Center uses this credential to call Azure public APIs, gain permissions to your specified subscription, and synchronize asset and configuration data within that subscription.

Onboarding steps

Step 1: Create an application credential in Azure

This step creates an application and its service principal in the Azure portal and generates a client secret for API authentication. Obtain the following credentials: Application (client) ID, Directory (tenant) ID, and the client secret value.

  1. Create an application

    1. Log on to the Azure console.

    2. In the navigation pane on the left, select All services. Under Identity, click App registrations, or search for and open App registrations in the top search bar.

    3. On the App registrations page, click New registration.

    4. On the registration page, complete the following settings, then click Register.

      • Name: Enter a recognizable name, such as aliyun-sasc-connector, to simplify future searches and management.

        Important

        This name will appear as the member name in the later "Role assignment" step.

      • Supported account types: Configure the account scope based on your actual permission requirements.

    5. After successful creation, the overview page displays your application details. Copy and securely store the Application (Client) ID and Directory (Tenant) ID—you will need them in later steps.


  2. Download certificate and secret

    1. On the details page of the application created in Step 1, click Manage > Certificates & secrets in the left navigation pane.

    2. On the Client secrets tab, click + New client secret and configure as follows:

      • Description: Describe the purpose of this secret.

      • Expires: Set the client secret expiration period. We recommend 180 days.

        Important

        Create a credential rotation plan and update before expiration to avoid service interruption due to credential failure.

    3. After clicking Add, the client secret value appears.

      Warning

      The client secret Value is visible only once during creation. You cannot view it again after leaving this page. Immediately copy and securely store it before proceeding.


Step 2: Grant subscription access permissions to the application credential

To let Security Center read your asset information, assign read-only permissions on your Azure subscription to the application created in the previous step.

  1. Go to the Role assignments page

    1. Log on to the Azure console.

    2. In the navigation pane on the left, select All services. Under the System Settings section, click Subscriptions, or search for and open Subscriptions in the top search bar.

    3. Click your target subscription name to open its details page. Then click Access control (IAM).

      Note

      If you do not have a subscription yet, create one and choose products based on your business needs.

    4. On the Access control page, click Add role assignment under the Add button in the upper-left corner.

  2. Assign roles: On the role assignment page, select the role required by the feature you are onboarding, then click Next.

    Feature             | Role                                                                                              | Notes
    --------------------|---------------------------------------------------------------------------------------------------|------
    Host                | Reader                                                                                            | None
    CSPM                | Reader                                                                                            | None
    Agentic SOC         | Additional Microsoft.Network permissions (see Azure advanced configuration (Agentic SOC) below)    | Required to enable automated threat response, such as integrating with Cloud Firewall through SOAR. For more information, see External components (OpenAPI).
    Agentless Detection | Reader and Disk Snapshot Contributor                                                              | None

    Important

    You must assign each role separately because Azure allows only one role per assignment. Repeat the Add role assignment steps once per role.


  3. Add members: On the Members tab, click Select members and select the application created in Step 1.

    Note

    You can quickly locate the target application by application name.


  4. After confirming the member, click Review + assign in the lower-left corner to complete authorization.

    Note

    Authorization may take some time. Please wait patiently.

Step 3: Complete onboarding configuration in Security Center

  1. Go to the authorization page

    1. Recommended path:

      1. Log on to the Security Center console.

      2. In the navigation pane on the left, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your protected assets are located: Chinese Mainland or Outside Chinese Mainland.

      3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, then select Azure.

    2. Other entry points:

      On the following pages, find and click the Onboard or Authorize button below the Azure icon in the Multi-cloud Service Access or Add Multi-cloud Asset sections:

      • Assets > Host

      • Risk Governance > CSPM > Cloud Service Configuration Risk

      • Protection Configuration > Host Protection > Agentless Detection

  2. Configure onboarding credentials

    1. On the Add Assets Outside Cloud panel, select the features you want to onboard, then click Next:

      • Host: Lets Security Center automatically discover and sync Azure host assets.

      • CSPM: Uses CSPM to scan Azure cloud product configurations and manage configuration risks.

      • Agentic SOC: Works with SOAR and Script to automate security incident response. For more information, see External components (OpenAPI).

      • Host Protection > Agentless Detection: Uses snapshot scanning to detect security risks on Azure virtual machines—including vulnerabilities, baseline deviations, and malicious files—without installing a client.

    2. On the Submit AccessKey Pair page, accurately enter the credential information created earlier:

      • Enter an AppID: The Application (client) ID from your Azure app registration.

      • Enter a password: The client secret from your Azure app registration.

      • tenant: The Directory (tenant) ID from your Azure app registration.

      • Domain: Select International Edition for the global Azure cloud. Select Chinese Edition if your subscription is in Azure China (operated by 21Vianet), which uses separate login and management endpoints.

  3. Configure synchronization policy

    On the Policy Configuration page, set the following based on your management needs:

    • Select region: Choose the Azure region where your assets reside.

      Note

      Asset data will automatically be stored in the data center corresponding to the region selected in the upper-left corner of the Security Center console.

      • Chinese Mainland: Data center in the Chinese mainland.

      • Outside Chinese Mainland: Singapore data center.

    • Region Management: We recommend selecting this option. When selected, assets in new regions that are later added to this Azure subscription are synchronized automatically.

    • Host Asset Synchronization Frequency: Set how often Azure host assets sync automatically. Set to "Off" if you do not need syncing.

      Note

      Configure this parameter only if you selected Host during onboarding.

    • Cloud Service Synchronization Frequency: Set how often Azure cloud product configurations sync automatically. Set to "Off" if you do not need syncing.

      Note

      Configure this parameter only if you selected CSPM during onboarding.

    • AK Service Status Check: Set how often Security Center checks the validity of your Azure credentials. Select "Off" to disable this check.

  4. After completing the configuration, click Synchronize Assets. The system will automatically sync data from your Azure account to Security Center.
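Before submitting the credential, it is worth checking it the way Security Center's own validation and the AK Service Status Check do: the tenant ID, application (client) ID and client secret must obtain an Azure Resource Manager token, and the service principal must hold the roles listed in Step 2 on the subscription. The following Python is an added example and is not code from Security Center or Azure. The role list comes from the Step 2 table and the login and management endpoints are the documented ones for the global cloud and Azure China; the preflight function, its configuration keys and the environment variable names in the usage block are this example's own.

```python
"""Pre-flight check for the Azure credential handed to Security Center.

Added example, not Security Center or Azure code. Verifies that the
AppID/password/tenant triple obtains an ARM token (client-credentials flow)
and that the service principal holds the roles required by the features
selected during onboarding.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoints differ by "Domain": International Edition is the global cloud,
# Chinese Edition is Azure China (operated by 21Vianet).
CLOUDS = {
    "International Edition": {"login": "https://login.microsoftonline.com",
                              "arm": "https://management.azure.com"},
    "Chinese Edition": {"login": "https://login.chinacloudapi.cn",
                        "arm": "https://management.chinacloudapi.cn"},
}

# Built-in roles each feature needs, from the Step 2 role table.
REQUIRED_ROLES = {
    "Host": {"Reader"},
    "CSPM": {"Reader"},
    "Agentless Detection": {"Reader", "Disk Snapshot Contributor"},
}


def _http(method, url, data=None, headers=None):
    """Minimal JSON HTTP call; replaced by a stub in offline tests."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        # Entra ID returns the reason as JSON, e.g. "invalid_client" with an
        # AADSTS7000222 description when the client secret has expired.
        raise RuntimeError(f"{method} {url}: HTTP {e.code}: "
                           f"{e.read().decode(errors='replace')}") from None


def get_arm_token(tenant_id, client_id, client_secret,
                  domain="International Edition", http=_http):
    """OAuth2 client-credentials flow; proves the credential triple works."""
    cloud = CLOUDS[domain]
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": cloud["arm"] + "/.default",
    }).encode()
    resp = http("POST", f"{cloud['login']}/{tenant_id}/oauth2/v2.0/token", data=body,
                headers={"Content-Type": "application/x-www-form-urlencoded"})
    return resp["access_token"]


def assigned_role_names(token, subscription_id, principal_object_id,
                        domain="International Edition", http=_http):
    """Role names assigned to the service principal and visible at subscription scope.

    principal_object_id is the service principal's object ID (Enterprise
    applications blade), not the application (client) ID used to log in.
    """
    cloud = CLOUDS[domain]
    hdr = {"Authorization": "Bearer " + token}
    base = f"{cloud['arm']}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
    flt = urllib.parse.quote(f"principalId eq '{principal_object_id}'")
    listing = http("GET", f"{base}/roleAssignments?api-version=2022-04-01&$filter={flt}",
                   headers=hdr)
    names = set()
    for assignment in listing.get("value", []):
        # roleDefinitionId is a full ARM resource ID; resolve it to roleName
        # rather than hard-coding built-in role GUIDs.
        rd_url = f"{cloud['arm']}{assignment['properties']['roleDefinitionId']}?api-version=2022-04-01"
        definition = http("GET", rd_url, headers=hdr)
        names.add(definition["properties"]["roleName"])
    return names


def missing_roles(features, assigned):
    """Roles still to be assigned for the selected onboarding features."""
    needed = set().union(*(REQUIRED_ROLES[f] for f in features))
    return needed - set(assigned)


def preflight(cfg, http=_http):
    """cfg keys: tenant_id, client_id, client_secret, subscription_id,
    principal_object_id, domain, features. Returns assigned and missing roles."""
    token = get_arm_token(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"],
                          cfg["domain"], http)
    assigned = assigned_role_names(token, cfg["subscription_id"],
                                   cfg["principal_object_id"], cfg["domain"], http)
    return {"assigned": assigned, "missing": missing_roles(cfg["features"], assigned)}


if __name__ == "__main__":
    import os
    # Environment variable names are this example's own choice.
    print(preflight({
        "tenant_id": os.environ["AZURE_TENANT_ID"],
        "client_id": os.environ["AZURE_CLIENT_ID"],
        "client_secret": os.environ["AZURE_CLIENT_SECRET"],
        "subscription_id": os.environ["AZURE_SUBSCRIPTION_ID"],
        "principal_object_id": os.environ["AZURE_SP_OBJECT_ID"],
        "domain": os.environ.get("SC_DOMAIN", "International Edition"),
        "features": ["Host", "CSPM"],
    }))
```

A token failure points at the credential (wrong tenant, wrong Domain, or an expired secret); an empty or incomplete role set points at Step 2, including the propagation delay noted there. The assignment lookup filters by the service principal's object ID, which is a common source of confusion because the console asks for the application (client) ID instead.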

Azure advanced configuration (Agentic SOC)

Note

For more information, see the Azure documentation: Azure permissions for networking, Create custom roles.

  1. Go to the role creation page

    1. Log on to the Azure console.

    2. In the navigation pane on the left, select All services. Under the System Settings section, click Subscriptions.

      Note

      Alternatively, search for Subscriptions in the top search bar and click to open it directly.

    3. Click your target subscription name to open its details page. Then click Access control (IAM).

    4. On the Access control page, click Add custom role under the Add button in the upper-left corner.

  2. Enter basic information

    1. Custom role name: Enter a recognizable name, such as aliyun-agentic-soc-role, to simplify future searches and management.

    2. Baseline permissions: Select Start from scratch.

  3. Assign permissions

    1. On the Permissions tab, click Add permissions.

    2. Search for Microsoft.Network at the top, then click the permission name.

    3. On the permissions list page, select all permissions under Actions, then click Add. This grants every Microsoft.Network action within the assignable scope; if your policy requires least privilege, narrow the selection to the actions your playbooks actually call once they are known.

  4. After configuring permissions, click Review + create. Confirm the information, then click Create.
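The portal steps above produce a role definition that can also be written through the Azure Resource Manager REST API, which makes it visible exactly what is being granted. The following Python is an added example, not Security Center's or Azure's own code: build_custom_role emits the definition body that "Start from scratch" plus all Microsoft.Network actions expands to, and put_custom_role writes it with an ARM token (obtained via the client-credentials flow or az account get-access-token). The role name, description, subscription ID and the actions list are placeholders to replace with your own.

```python
"""Create the Agentic SOC custom role through the ARM REST API.

Added example, not Security Center or Azure code. Mirrors the portal flow:
a custom role scoped to one subscription with all Microsoft.Network actions.
"""
import json
import urllib.request
import uuid

# "Select all permissions under Actions" for Microsoft.Network expands to this wildcard.
ALL_NETWORK_ACTIONS = ["Microsoft.Network/*"]


def build_custom_role(role_name, subscription_id, actions=ALL_NETWORK_ACTIONS,
                      description="Network actions for Security Center Agentic SOC playbooks"):
    """Role definition body in the shape the roleDefinitions API expects.

    Pass a narrower actions list (e.g. only the read/write actions your
    playbooks call) to apply least privilege instead of the wildcard.
    """
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            "type": "CustomRole",
            "permissions": [{
                "actions": list(actions),
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
            # The role can only be assigned inside this subscription.
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
        }
    }


def role_grants_wildcard(body):
    """True if any action in the definition ends in '/*' (broad grant)."""
    return any(a.endswith("/*")
               for p in body["properties"]["permissions"] for a in p["actions"])


def put_custom_role(token, subscription_id, body, role_definition_id=None,
                    arm="https://management.azure.com"):
    """PUT the definition. Azure keys custom roles by a GUID the caller chooses;
    reusing the same GUID updates the role in place. Use
    https://management.chinacloudapi.cn as arm for Azure China."""
    role_definition_id = role_definition_id or str(uuid.uuid4())
    url = (f"{arm}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
           f"/roleDefinitions/{role_definition_id}?api-version=2022-04-01")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder subscription ID; print the body that would be sent.
    role = build_custom_role("aliyun-agentic-soc-role", "00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    print("wildcard grant:", role_grants_wildcard(role))
```

After the PUT succeeds, the new role appears in the Role list of Add role assignment and is assigned to the application exactly like the built-in roles in Step 2, in its own assignment.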

Manage onboarded assets

Host

Go to Assets > Host. In the Add Multi-cloud Asset section, click the Azure icon to view your onboarded Azure hosts. Follow these steps to apply advanced protection and management:

Note

For more information, see Manage servers.

  1. Install the client: Install the Security Center client on your Azure hosts. When running the installation command, select Service Provider as the service provider. For detailed steps, see Install the client.

  2. Upgrade for full protection: The default Free Edition provides only basic security detection. To get full protection capabilities (such as antivirus, vulnerability remediation, and intrusion prevention), bind a paid edition (Anti-virus Edition or higher) to your Azure hosts. For details, see Manage host and container security licenses.

CSPM

Go to the Assets > Cloud Product page. In the left-side navigation under All Alibaba Cloud Services, click Azure to view the integrated Azure assets. The integrated Azure assets can use the following CSPM features:

Note

For more information, see View cloud product information.

  1. Run configuration risk checks: Check for configuration risks in your Azure products. For details, see Set up and run cloud platform configuration risk check policies.

  2. Address risks: Review and fix failed risk checks to improve compliance and security of your cloud assets. For details, see View and address failed cloud platform configuration risk checks.

Agentic SOC

In Agentic SOC > SOAR, when creating a custom playbook, select the Azure component from External components (OpenAPI) to automate responses to detected Azure asset security events.

Host Protection > Agentless Detection

Go to Protection Configuration > Host Protection > Agentless Detection. On the Server Check or Custom Image Check tab, in the Add Multi-cloud Asset area, click the Azure icon to view the threats detected by the scan. The steps are as follows:

  1. Run detection jobs: Perform multidimensional security checks on your Azure servers for vulnerabilities, malware, baseline deviations, sensitive files, and other potential security risks.

  2. Analyze and address risks:

    1. Vulnerability risks: Support Add to Whitelist.

      Warning

      Agentless detection does not support vulnerability remediation.

    2. Baseline check risks: Support Add to Whitelist.

    3. Malware and sensitive file risks: Support Add to Whitelist, Manually Handled, Mark as False Positive, and Ignore.

Cost and risk considerations

  • Cost considerations: Security Center's default Free Edition provides only basic security detection. To get full protection capabilities—such as antivirus, vulnerability remediation, and intrusion prevention—you must bind a paid edition (Anti-virus Edition or higher) license to your onboarded Azure hosts.

  • Risk considerations:

    • The client secret is a critical credential linking Azure and Security Center. It carries every role assigned to the application in Step 2: at minimum Reader on the whole subscription, and for Agentless Detection also Disk Snapshot Contributor. If leaked, it could allow unauthorized access to your asset and configuration data, and with the snapshot role, to disk contents.

    • If the secret expires, asset synchronization and security checks will stop. Store it securely, implement a regular rotation plan, and update the credential in Security Center before the old secret expires.

FAQ

  • Why can't I see some onboarded Azure resources in Security Center?

    • Region not selected: In Security Center's onboarding configuration, verify that you selected the Azure region where the resource resides.

    • Synchronization latency: After initial onboarding or configuration changes, asset synchronization may take time. Wait for the sync to complete.

  • What should I do if automatic credential and permission validation fails after entering the AK?

    • Permission issue: The client secret for your Azure application may have expired, or the role assignment from Step 2 may be missing or not yet propagated. Refer to Download certificate and secret, recreate and save the client secret, then update it in Security Center's multi-cloud configuration. Also confirm on the subscription's Access control (IAM) page that the application holds the roles required for the selected features.

    • Region issue: The currently selected region is unavailable. Switch to another available region or the corresponding Domain, then resubmit.