Microsoft Azure app registration setup
A step-by-step walkthrough for producing the credentials AgentSOC needs to act on your Azure subscription — blocking attacker IPs with NSG deny rules, isolating Virtual Machines with a deny-all NSG rule, and powering VMs on and off.
Screenshots: image placeholders below point at docs/images/azure-*.png. Capture each screenshot and drop it in at that path — the captions describe exactly what to show.
How the connection works
AgentSOC authenticates to Azure as a Microsoft Entra app registration using a client secret, and acts on resources via an RBAC role assignment on your subscription. Four values go into the credential form:
| Value | What it is |
|---|---|
| Subscription ID | The subscription containing the VMs and networking resources |
| Tenant ID | Your Microsoft Entra (Azure AD) directory ID |
| Client ID | The app registration's Application (client) ID |
| Client Secret | A secret generated for that app registration |
By the end of this guide you will have all four and a validated credential in AgentSOC.
Step 1 — Create an app registration
- Open the Microsoft Entra admin center → Identity → Applications → App registrations.
- Click New registration, name it e.g. agentsoc-soar, and register it (no redirect URI is needed).

Step 2 — Copy the Client ID and Tenant ID
On the app registration's Overview page, copy:
- Application (client) ID → the Client ID field in AgentSOC.
- Directory (tenant) ID → the Tenant ID field in AgentSOC.

Step 3 — Create a client secret
- Go to Certificates & secrets → Client secrets → New client secret.
- Give it a description and an expiry, then Add.
- Copy the secret Value immediately.
Copy the Value, not the Secret ID. The value is shown only once — if you lose it, create a new secret. Track the expiry date and rotate the secret before it lapses.

Step 4 — Get the Subscription ID
In the Azure portal, open Subscriptions and copy the Subscription ID of the subscription that holds the VMs you want AgentSOC to manage.

Step 5 — Assign an RBAC role to the app
The app registration has no resource access until you grant it a role.
- Open the subscription → Access control (IAM) → Add → Add role assignment.
- Assign both built-in roles, selecting your app registration as the member each time:
  - Virtual Machine Contributor — read, start, stop, and deallocate VMs.
  - Network Contributor — create and delete the NSG rules used to block and isolate.

For least privilege, replace these with a custom role scoped to the `Microsoft.Compute/virtualMachines/*` and `Microsoft.Network/networkSecurityGroups/*` actions, assigned only on the resource groups you operate in.
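
To check that the role assignments from this step match the least-privilege note, the following added example (not part of AgentSOC) audits the output of `az role assignment list --assignee <client-id> --all -o json`, using its `scope` and `roleDefinitionName` fields. The sample data is constructed, and the subscription ID, the custom role name "AgentSOC Responder", and the resource group names are placeholders.

```python
import re

# Built-in roles far broader than VM power control and NSG rule edits.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
RG_SCOPE = re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+", re.I)

# Constructed sample; subscription ID, role name and group names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"roleDefinitionName": "Virtual Machine Contributor", "scope": SUB},
    {"roleDefinitionName": "Network Contributor", "scope": SUB + "/resourceGroups/rg-soc-lab"},
    {"roleDefinitionName": "AgentSOC Responder", "scope": SUB + "/resourceGroups/rg-prod-web"},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod-web"},
]


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    if re.fullmatch(r"/subscriptions/[^/]+", scope, re.I):
        return "subscription"
    if RG_SCOPE.fullmatch(scope):
        return "resource_group"
    if RG_SCOPE.match(scope):
        return "resource"
    return "broader"  # "/", management groups, anything unrecognised


def audit(assignments, allowed_resource_groups):
    """Return (scope, role, finding) for each assignment that exceeds the guidance."""
    allowed = {rg.lower() for rg in allowed_resource_groups}
    findings = []
    for a in assignments:
        scope, role = a["scope"].rstrip("/"), a["roleDefinitionName"]
        level = scope_level(scope)
        if role in BROAD_ROLES:
            findings.append((scope, role, "role broader than VM and NSG actions"))
        if level in ("subscription", "broader"):
            findings.append((scope, role, "assigned above resource-group scope"))
        elif scope.split("/")[4].lower() not in allowed:
            findings.append((scope, role, "resource group not in operating set"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ["rg-prod-web"]):
        print(finding)
```

An empty result means every assignment for the app sits at or below a resource group you listed and uses none of the broad built-in roles.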

Step 6 — Add the credential in AgentSOC and validate
- In AgentSOC, open AgentSOAR → Settings → Credentials (/agentsoar/settings/credentials).
- Add a Microsoft Azure credential and enter the Subscription ID, Tenant ID, Client ID, and Client Secret gathered above.
- Save. AgentSOC validates by acquiring a token and listing VMs.
- Once it shows Healthy, the Azure action capabilities are ready to use.

Troubleshooting
| Error | Likely cause and fix |
|---|---|
| AADSTS7000215 — invalid client secret | The Client Secret is wrong, expired, or you copied the Secret ID instead of the Value. Create a new secret (Step 3). |
| AADSTS700016 — application not found | The Client ID or Tenant ID is wrong. Re-copy both from the app registration Overview (Step 2). |
| AuthorizationFailed when running an action | The app has no role on the subscription, or the role is missing an action. Re-check Step 5. |
| SubscriptionNotFound | The Subscription ID is wrong, or the app's role is assigned on a different subscription. |
Reference: Microsoft — Register an app and create a client secret