Connecting Microsoft Azure to WatchDog Security

This guide explains how to connect Microsoft Azure to WatchDog Security using OAuth authentication.

Once connected, WatchDog will begin monitoring your Azure environment for security posture risks, configuration issues, vulnerabilities, and asset inventory data across your Azure subscriptions and resources.

What WatchDog Monitors

WatchDog operates in read-only mode and does not modify configuration settings within your Microsoft Azure environment.

After the integration is connected, WatchDog may monitor the following services and configuration areas.

Scopes

Identity & Access Management

Azure Active Directory users

Service principals

Managed identities

Role assignments

Privileged role assignments

Compute & Infrastructure

Virtual Machines

Virtual Machine Scale Sets

App Services

Azure Kubernetes Service (AKS)

Networking

Virtual Networks

Network Security Groups

Public IP addresses

Load Balancers

Application Gateways

Storage

Storage Accounts

Blob Containers

File Shares

Databases

Azure SQL Databases

SQL Servers

Cosmos DB

Security & Encryption

Key Vault

Disk encryption settings

Managed keys

Encryption configurations

Monitoring & Logging

Azure Monitor

Activity Logs

Diagnostic settings

The exact information collected depends on the permissions granted during authorization.

Requirements

Before connecting the integration, ensure the following:

You have administrator access to the Azure tenant or subscription you want WatchDog to monitor

You're an Account Owner or Security Admin in the WatchDog Security portal

The Microsoft account used during authorization has access to the Azure subscriptions being monitored

Step 1 — Create an App Registration in Azure

Navigate to Microsoft Entra ID → App registrations → + New registration.

Enter a name, e.g. WatchDog CSPM Connector.

Under Supported account types, select Accounts in this organizational directory only.

Leave the Redirect URI field blank, then click Register.

Step 2 — Add API Permissions

Open the newly created app registration.

Go to API permissions → + Add a permission → Microsoft Graph → Application permissions.

Add the following permissions:

User.Read.All

Group.Read.All

Application.Read.All

Click Add permissions.

Under Grant admin consent, click Grant admin consent for Your Organization.

These permissions are required for WatchDog to inventory your Azure AD users, groups, and app registrations.

Step 3 — Create a Client Secret

Under Certificates & secrets, select + New client secret.

Provide a description (e.g. “WatchDog Integration”) and set an appropriate expiration period (recommendation: 180 days).

Click Add, then copy the Secret Value — this is your Client Secret.

⚠️ You won’t be able to view it again after leaving this page.

Step 4 — Collect Connection Details

You’ll need the following values to connect Azure to WatchDog:

Field	Description	Example
Tenant ID	Found under Microsoft Entra ID → Overview	`e4a3a23b-...`
Application (client) ID	From your App Registration → Overview	`b8df23f4-...`
Client Secret	From the step above	`Zxcv1234...`

Step 5 — Assign Reader Role to the App

In the Azure portal, navigate to Subscriptions.

Select the subscription(s) you want WatchDog to monitor.

Go to Access Control (IAM) → Add role assignment.

Choose the Reader role.

Under Members, select User, group, or service principal.

Search for your WatchDog app registration by name and assign it.

This grants WatchDog read-only access to your Azure environment for security posture monitoring

Step 6 — Connect Azure in WatchDog Security

Navigate to Management → Integrations

Locate the Microsoft Azure integration

Click Connect.

Enter the following fields:

Tenant ID

Client ID

Client Secret

Click Test Connection.

Initial Sync

After the integration is connected

WatchDog will begin collecting configuration and inventory data from Azure

The initial synchronization time depends on the size of your Azure environment

Large environments may take up to one hour

Data will appear within the following modules

Posture Management

Inventory

Vulnerabilities

Compliance Center

Revoking Access

To fully remove WatchDog Security's access to your Azure environment, revoke access both in WatchDog and in Microsoft Azure.

Step 1 — Disconnect the Integration in WatchDog

Log into the WatchDog Security Portal

Navigate to Management → Integrations

Locate the Microsoft Azure integration

Click Disconnect

Confirm the action

This removes the integration and deletes stored OAuth tokens.

Step 2 — Remove OAuth Access in Microsoft Entra ID

Navigate to Microsoft Entra ID → App registrations → + New registration.

Locate the App Registration Created in Step 1 (e.g. WatchDog CSPM Connector.)

Select the application

Click Delete

Troubleshooting

Integration Fails to Connect

Verify the following:

The Microsoft account used during setup has sufficient permissions

The Azure tenant allows OAuth application authorization

Authorization was completed successfully

No Data Appears

What WatchDog Monitors#

Requirements#

Step 1 — Create an App Registration in Azure#

Step 2 — Add API Permissions#

Step 3 — Create a Client Secret#

Step 4 — Collect Connection Details#

Step 5 — Assign Reader Role to the App#

Step 6 — Connect Azure in WatchDog Security#

Initial Sync#

Revoking Access#

Step 1 — Disconnect the Integration in WatchDog#

Step 2 — Remove OAuth Access in Microsoft Entra ID#

Troubleshooting#

What WatchDog Monitors

Requirements

Step 1 — Create an App Registration in Azure

Step 2 — Add API Permissions

Step 3 — Create a Client Secret

Step 4 — Collect Connection Details

Step 5 — Assign Reader Role to the App

Step 6 — Connect Azure in WatchDog Security

Initial Sync

Revoking Access

Step 1 — Disconnect the Integration in WatchDog

Step 2 — Remove OAuth Access in Microsoft Entra ID

Troubleshooting