Managing security across multiple cloud environments often leads to fragmented visibility and inconsistent protection. By onboarding Azure assets to Security Center, you can centralize asset inventory, run configuration risk checks (CSPM), and apply automated threat response across clouds—all from a single console. This solution uses Azure application credentials with read-only access to securely sync asset information and build a unified multi-cloud security view.
How it works
Register an application in Azure and create a service principal as its access credential.
Security Center uses this credential to access the specified subscription through Azure public APIs, enabling synchronization of assets and configuration information within the subscription scope.
Prerequisites
Before you begin, ensure that you have:
An active Azure subscription with Owner or User Access Administrator permissions.
Security Center (Enterprise edition or above) activated with sufficient quota.
Familiarity with the Azure features you plan to onboard, such as host assets, cloud configuration check (CSPM), or automated threat response.
Procedure
Step 1: Create an application credential in Azure
This step creates an application and its service principal in the Azure portal and generates a client secret for API authentication. You will need to obtain the following credentials: Application (client) ID, Directory (tenant) ID, and the Value of the client secret.
Create an application
Log on to the Azure console.
In the left-side navigation pane, select All services. In the Identity service category, click App registrations, or search for and go to App registrations in the top search bar.
On the App registrations page, click New registration.
On the application registration page, configure the following parameters and then click Register.
Name: Enter an easily recognizable name, such as
aliyun-sasc-connector, for easier search and management later.ImportantThis name will appear as the member name in the role assignment step later.
Supported account types: Configure the account scope that can access this application based on your permission requirements.
After the application is created, the overview page displays the application information. Copy and save the Application (client) ID and Directory (tenant) ID. You will use them in subsequent steps.
Create a client secret
On the application details page created in Step 1, click Manage in the left-side navigation pane, and then click Certificates & secrets.
On the Client secrets tab, click + New client secret and configure the following parameters.
Description: Enter a description for this client secret.
Expires: The validity period of the client secret. We recommend that you set it to 180 days.
ImportantCreate a credential rotation plan and update the secret before it expires to avoid service disruptions caused by credential expiration.
After you click Add, the Value of the client secret is displayed.
WarningThe Value of the client secret is visible only once at creation. After you leave this page, you cannot view it again. Copy and save it immediately before proceeding.
Step 2: Grant subscription access to the application credential
To ensure that Security Center can read asset information, you must assign read-only permissions for the Azure subscription to the application created in the previous step.
Go to the Role assignment page.
Log on to the Azure console.
In the left-side navigation pane, select All services. In the General service category, click Subscriptions, or search for and go to Subscriptions in the top search bar.
Click the name of the target subscription to go to the subscription details page. On the details page, click Access control (IAM).
NoteIf you have not activated a subscription, create one first and select the required services.
On the Access control (IAM) page, click Add in the upper-left corner and select Add role assignment.
Assign a role: On the role assignment page, select the corresponding role and click Next.
Feature
Role
Notes
Host
Reader
None
CSPM (CSPM)
Reader
None
Agentic SOC
Reader
Custom role: Requires
Microsoft.Networkpermissions. For creation steps, see Azure advanced configuration (Agentic SOC).
To enable automated threat response (for example, integrating with Azure Firewall through Response Rules), you must additionally grant
Microsoft.Networkpermissions. For more information, see Third-party cloud components (OpenAPI).ImportantYou must complete the assignment for each role separately. Azure allows only one role assignment at a time.
Agentless Detection
Reader
Disk Snapshot Contributor
None
On the Access control (IAM) page in the Azure portal, click Add role assignment, select the roles listed in the preceding table, and complete the assignment.
Add members: Go to the Members management page, click Select members, and select the application created in Step 1.
NoteYou can quickly search and locate the target application by application name.
For the selected role Reader, assign access to User, group, or service principal.
After confirming the members, click Review + assign in the lower-left corner to complete the authorization.
NoteThe authorization may take a moment. Please wait.
Step 3: Complete the onboarding configuration in Security Center
Go to the authorization page
Recommended path:
Log on to the Security Center console.
In the navigation pane on the left, select . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
On the tab, click Grant Permission, and then select Azure.
Alternative entry points:
On the following pages, in the Multi-cloud Service Access or Add Multi-cloud Asset section, find and click the Onboard or Authorize button below the
icon:
Configure access credentials
In the Add Assets Outside Cloud panel, select the features to onboard and click Next.
Host: Allows Security Center to automatically discover and synchronize Azure host assets.
CSPM: Use Cloud Security Posture Management to scan the configurations of Azure cloud products to discover and manage configuration risks.
Agentic SOC: Works with the Response Rules Script orchestration feature to automate the handling of security event threats. For more information, see Third-party cloud components (OpenAPI).
Host Protection Agentless Detection: Detects security risks on Azure virtual machines, including vulnerabilities, baseline risks, and malicious files, without installing a client by using snapshot scanning.
On the Submit AccessKey Pair page, enter the credential information that you created earlier.
Enter an AppID: Enter the Application (client) ID obtained from Azure app registration.
Enter a password: Enter the client secret obtained from Azure app registration.
tenant: Enter the Directory (tenant) ID obtained from Azure app registration.
Domain (Select Chinese Edition for China and International Edition for others): For 21Vianet users, select Chinese Edition.
Configure the synchronization policy
On the Policy Configuration page, configure the settings based on your management requirements:
Select region: Select the regions where the Azure assets to be onboarded are located.
NoteAsset data is automatically stored in the data center corresponding to the region selected in the upper-left corner of the Security Center console.
Chinese Mainland: Data center in Chinese Mainland.
Outside Chinese Mainland: Data center in Singapore (Singapore).
Region Management: We recommend that you select this option. After you select this option, assets in new regions added to this Azure account in the future will be automatically synchronized without manual configuration.
Host Asset Synchronization Frequency: Set the interval for automatically synchronizing Azure host assets. If you do not need synchronization, you can set it to Off.
NoteThis parameter is required only when the onboarded features include Host.
Cloud Service Synchronization Frequency: Set the interval for automatically synchronizing Azure cloud product configurations. If you do not need synchronization, you can set it to Off.
NoteThis parameter is required only when the onboarded features include Cloud Security Posture Management.
AK Service Status Check: Set the interval for Security Center to automatically check the validity of the Azure account credentials. You can select Off to disable the check.
After the configuration is complete, click Synchronize Assets. The system automatically synchronizes data from the Azure account to Security Center.
Step 4: Verify that Azure assets are onboarded
After completing the onboarding configuration, verify that Azure assets appear in Security Center:
Wait for the initial data synchronization to complete. This may take a few minutes.
Go to and filter by Azure to confirm that Azure host assets appear.
If you onboarded CSPM, go to and filter by Azure to confirm that Azure cloud resources appear.
Azure advanced configuration (Agentic SOC)
For more information, see the official Azure documentation: Azure permissions for networking and Create custom roles in Azure.
Go to the custom role creation page
Log on to the Azure console.
In the left-side navigation pane, select All services. In the General service category, click Subscriptions.
NoteAlternatively, search for Subscriptions in the top search bar and click to go directly.
Click the name of the target subscription to go to the subscription details page. On the details page, click Access control (IAM).
On the Access control (IAM) page, click Add and select Add custom role.
Enter basic information
Custom role name: Enter an easily recognizable name, such as
aliyun-agentic-soc-role, for easier search and management later.Baseline: Select Start from scratch.
Assign permissions
On the Permissions tab, click Add permissions.
Search for the
Microsoft.Networkpermission at the top and click the permission name.On the permissions page, select all permissions under Actions and click Add.
After configuring the permissions, click Review + create. Confirm the information and click Create.
Manage onboarded assets
Host
Go to the page. In the Add Multi-cloud Asset section, click the
icon to view the onboarded Azure hosts. You can follow the steps below to apply in-depth protection and management to the onboarded hosts.
For more information, see Manage servers.
Install the agent: Install the Security Center agent on the Azure hosts. When you run the installation command, select Azure for Service Provider. For detailed steps, see Install the agent.
Upgrade to obtain full protection: The default Free edition provides only basic security detection. To obtain full security protection capabilities (such as anti-virus, vulnerability fixing, and intrusion prevention), bind a paid edition (Anti-virus or higher) to the Azure hosts. For detailed steps, see Manage host and container security quotas.
CSPM
Go to the page. In the All Alibaba Cloud Services navigation pane on the left, click Azure to view the onboarded Azure assets. For onboarded Azure assets, you can use the following CSPM features:
For more information, see View cloud service information.
Run configuration risk checks: Check for configuration risks in Azure products. For detailed steps, see Set up and run cloud platform configuration risk check policies.
Handle risk items: View and fix failed risk check items based on the check results to improve the compliance and security of cloud assets. For detailed steps, see View and handle failed cloud platform configuration risk checks.
Agentic SOC
Go to . When you create a custom playbook, you can select the Azure component from Third-party cloud components (OpenAPI) to automate the handling of detected Azure asset security events.
Host Protection Agentless Detection
Go to . On the Server Check, Server Check, or Custom Image Check tab, in the Add Multi-cloud Asset section, click the
icon to view the scanned risk items. The following operations are available:
Run detection tasks: Perform multi-dimensional security detection on Azure servers for vulnerabilities, malicious software, configuration baselines, sensitive files, and other security dimensions to discover potential security risks.
Analyze and handle risks:
Vulnerability risks: Supports Add to Whitelist.
WarningAgentless detection does not support fixing vulnerabilities.
Baseline check risks: Supports Add to Whitelist.
Malicious sample risks and sensitive file risks: Supports Add to Whitelist, Manually Handled, Mark as False Positive, and Ignore.
Costs and risks
Costs: The default Free edition of Security Center provides only basic security detection. To obtain full security protection capabilities, such as anti-virus, vulnerability fixing, and intrusion prevention, you must bind a paid edition (Anti-virus or higher) license to the onboarded Azure hosts.
Risks:
The client secret is a critical credential for connecting Azure and Security Center. If leaked, it may lead to unauthorized access to asset data.
If the client secret expires, asset synchronization and security detection will be interrupted. Safeguard the credential and create a regular rotation plan.
FAQ
Why can't I see some onboarded Azure resources in Security Center?
Region not selected: In the onboarding configuration of Security Center, check whether you have selected the Azure region where the resource is located.
Synchronization delay: After initial onboarding or configuration changes, asset synchronization may be delayed. Wait for the synchronization to complete.
What should I do if automatic credential and permission validation fails after entering the credentials?
Permission issue: The client secret of the Azure application has expired. Refer to Create a client secret to create and save a new client secret, then update it in Security Center.
Region issue: The currently selected region is unavailable. Switch to another available region or the corresponding domain, and then submit again.