• 6 Minutes to read
  • PDF


  • PDF


SAFE allows you to onboard and assess your Azure subscription in SAFE. SAFE admins can configure the organization's Azure Tenant account from the Safe Hooks page. Once the Azure is configured, SAFE fetches the misconfiguration issues identified by Microsoft Defender for Cloud-based on the Azure Security Center Default policy assignment, which relies on Azure Security Benchmark and uses it for cloud risk quantification.

  • After successfully configuring and confirming subscriptions from the unconfirmed tab, SAFE scans the added Azure subscriptions and automatically onboards the assets under the "Cloud-Azure" vertical.
  • SAFE Admins can trigger the on-demand sync of the onboarded subscriptions and their recommendations. While onboarding a subscription, users can also set the Auto Scan Frequency (number of days) for Azure subscriptions on the Safe Hooks configuration page.

Integration Architecture

SAFE uses REST APIs provided by Microsoft to consume recommendations data from Microsoft Defender for Cloud. These REST APIs are available on* endpoints. 

SAFE fetches recommendations for all confirmed subscriptions and marks respective controls for supported asset types (see Cloud Azure section under this link) as Qualified, Failed, or Not Applicable. 

If a supported asset type has no recommendations available on Microsoft Defender for Cloud, SAFE will onboard that asset and mark all controls as Not Applicable.

Azure ArchitectureAzure Integration Architecture



The following user permissions must be configured as documented in order for the Azure integration to function.
  • Admin user role in SAFE.
  • Privileges in Azure portal to:
    •   Access Cloud Shell of your Azure subscription to run the PowerShell script downloaded from SAFE.
    • Access to create a Service Principal account.
    • Access to assign the Service Principal account a reader role to subscriptions.

Configure Azure

Azure configuration in SAFE is a 4 step process:

  1.  Confirm that you have correctly met the prerequisites
  2. Generate Connector Details (Tenant ID, Client ID, and Client Secret)
  3. Add Azure Subscription in SAFE
  4. Confirm Subscription

1. Confirm Prerequisites

Review the prerequisites for this document and ensure that you have a Service Principal account with a reader role to subscriptions for use with this integration.

2. Generate Connector Details

SAFE admin can add an Azure subscription from the SAFE Hooks.

To add an Azure subscription:

  1. Navigate to the Administration > SAFE Hooks.
  2. Click the Configure button available on the Azure card. You will be redirected to the Azure configuration page.
  3. Click the Step 1 section to expand it and click the Download File button. The system downloads a PowerShell script on your system.

    Note: You can manually generate (without running the PowerShell script discussed above) the Tenant ID, Client ID, and Client Secret. Refer to the Alternate method for generating credentials for Azure configuration. If you are manually generating the credentials, jump to step 2 to configure the Azure in SAFE.

    Azure 4(1)
  4. Login to your Azure portal and navigate to the Cloud Shell PowerShell terminal.
  5. Run the Connect-AzureAD command in the PowerShell terminal to use Active Directory cmdlet requests.
  6. Upload the PowerShell script (azureSafeOnboardingScript.ps1), which was downloaded in step 3.
    Azure 4(4)
  7. Execute the PowerShell script to create a Service Principal account and assign the Reader access to subscriptions as follows:
    1. Approach A: To provide Reader access to all subscriptions that your current user has privileged access to, run the script as below,
      PS /home/user1> ./azureSafeOnboardingScript.ps1
    2. Approach B: To provide Reader access to only selected subscriptions from which your current user has privileged access, run the script with the command-line argument as below,
      PS /home/user1> ./azureSafeOnboardingScript.ps1 "MySubscription1" "MySubscription2"
  8. Once the PowerShell execution completes, the system creates a Service Principal account with the name SAFE-Azure-App, which has Reader access to all subscriptions.
  9. The system displays the Tenant ID, Client ID, and Client Secret. Copy and save these values to use them in the coming steps.

3. Add Azure Subscription

Follow the below steps to add an Azure subscription in SAFE.

  1. Go to the Azure configuration page in SAFE and click the Step 2 section to expand it. 
  2. Enter the Tenant ID, Client ID, and Client Secret generated in step 1.
  3. Enter a value for the Auto-Sync Frequency. This controls how often SAFE will synchronize with Azure for the most recent data. We recommend setting sync frequency to 1 day for a better view of the current risk posture.
    Azure config(1)
  4. Click the Get Subscriptions button. The system discovers the subscription details for your Azure account and pulls them into SAFE.
  5. The added subscriptions will be available under the Unconfirmed Subscriptions tab. You need to confirm these subscriptions to be able to assess them.

4. Confirm Subscription

Follow the below steps to confirm the added subscriptions in SAFE.

  1. In step 3 on the azure configuration page, click the Unconfirmed Subscriptions tab. 
  2. Select any subscriptions that have been discovered that you wish SAFE to assess and click the Confirm button.
  3. The system then moves them to the Confirmed Subscriptions tab.
    Azure 2(2)

Sync assessment data for confirmed Azure subscriptions

You can manually trigger the sync of assessment data from the confirmed Azure subscriptions. You can click the Sync-now icon available above the confirmed subscription list to start the synchronization of the assessment data in SAFE.

Azure 6(2)

SAFE will auto-sync during the next sync cycle, which initiates at 02:00 UTC as per the defined auto-sync frequency of the corresponding SAFE instance.

View assessment results of the onboarded Azure Subscriptions

SAFE assesses the added Azure subscriptions and automatically onboards the assets under the "Cloud-Azure" vertical.

To view the assessment result of the onboarded Azure subscriptions:

  1. Navigate to the Technology > Inside-out assessment dashboard.
  2. Click the Cloud-Azure vertical from the Technology Score Trend section.
  3. The system opens the Azure details page. Users can view the assessment result for all the assets under this vertical.

Remove Subscription

To remove a subscription:

  1. Navigate to the Administration > SAFE Hooks.
  2. Click the Configure button available on the Azure card. You will be redirected to the Azure configuration page. 
  3. Click the Delete icon available against the confirmed subscriptions.
  4. On the confirmation page, click the Yes, Delete button. Those subscriptions will then be retired. This means that if you want to re-add them, the historical scan data is preserved.
    Subscriptions left in a retired state will be deleted from the system as per the global Auto Asset Off-boarding settings. At such time the assessment history will be wiped for those subscriptions.
    Remove subscription

Import Azure Tags in SAFE 

Refer to Import Tags from Azure Subscriptions into SAFE.



1. How can I add a new Azure subscription that was created after the onboarding process?

You can either manually provide the "Reader" privileges to these new subscriptions to SAFE-Azure-App Service Principal through your Azure Portal or re-run the PowerShell script. Any new subscriptions will then be visible under the Unconfirmed Subscriptions tab upon the next sync or by clicking on the Get Subscriptions button.

2. What happens when an existing confirmed subscription is deleted from Azure or the Reader privileges of SAFE-Azure-App is removed for this subscription?

If a subscription is deleted or permission for the subscription is revoked, then the system highlights these subscriptions with an exclamation mark and a tooltip message on the Azure configuration page. The system auto-retires the assets belonging to these subscriptions, and it will then re-activate them should they show up again in future sync.

3. What happens when an existing confirmed subscription is deleted from SAFE?

When we delete a subscription from SAFE, then the system auto-retires all the assets of this subscription from SAFE. SAFE will no longer display these assets under Technology > Inside-out > Cloud - Azure.

On the next sync with Azure, if SAFE finds these subscriptions again, they will be added to the Unconfirmed Subscriptions section, just like any newly discovered subscription.

4. What is the significance of the "Azure is Enabled" toggle switch available at the top-right of the Azure Safe Hooks page?

If the Azure toggle switch available at the top-right of the Azure Safe Hooks page is disabled, then the system pauses the SAFE - Azure integration. In this case, SAFE will not perform periodic auto-sync with Azure, and you can not trigger the manual sync of Azure to SAFE.

5. Why are there certain resources with all controls marked as Not Assessed?

For all asset types that SAFE supports but doesn’t have any recommendations available on Microsoft Defender for Cloud, they will be onboarded by SAFE, and the controls are marked as Not Assessed.

6. Is there a way to onboard multiple Azure Tenant accounts on SAFE?

Currently, SAFE supports the onboarding of only one Azure Tenant account. Supporting multiple tenant accounts is in the future roadmap.

Was this article helpful?

What's Next