This guide explains how to connect Microsoft Azure to WatchDog Security using OAuth authentication.Once connected, WatchDog will begin monitoring your Azure environment for security posture risks, configuration issues, vulnerabilities, and asset inventory data across your Azure subscriptions and resources.
What WatchDog Monitors#
WatchDog operates in read-only mode and does not modify configuration settings within your Microsoft Azure environment.
Identity & Access ManagementAzure Active Directory users
Privileged role assignments
Virtual Machine Scale Sets
Azure Kubernetes Service (AKS)
Encryption configurations
Requirements#
Before connecting the integration, ensure the following:You have administrator access to the Azure tenant or subscription you want WatchDog to monitor
You're an Account Owner or Security Admin in the WatchDog Security portal
The Microsoft account used during authorization has access to the Azure subscriptions being monitored
Step 1 — Create an App Registration in Azure#
2.
Navigate to Microsoft Entra ID → App registrations → + New registration.
3.
Enter a name, e.g. WatchDog CSPM Connector.
4.
Under Supported account types, select Accounts in this organizational directory only.
5.
Leave the Redirect URI field blank, then click Register.
Step 2 — Add API Permissions#
1.
Open the newly created app registration.
2.
Go to API permissions → + Add a permission → Microsoft Graph → Application permissions.
3.
Add the following permissions: 5.
Under Grant admin consent, click Grant admin consent for Your Organization.
Step 3 — Create a Client Secret#
1.
Under Certificates & secrets, select + New client secret.
2.
Provide a description (e.g. “WatchDog Integration”) and set an appropriate expiration period (recommendation: 180 days).
3.
Click Add, then copy the Secret Value — this is your Client Secret.⚠️ You won’t be able to view it again after leaving this page.
Step 4 — Collect Connection Details#
You’ll need the following values to connect Azure to WatchDog:| Field | Description | Example |
|---|
| Tenant ID | Found under Microsoft Entra ID → Overview | e4a3a23b-... |
| Application (client) ID | From your App Registration → Overview | b8df23f4-... |
| Client Secret | From the step above | Zxcv1234... |
Step 5 — Assign Reader Role to the App#
1.
In the Azure portal, navigate to Subscriptions.
2.
Select the subscription(s) you want WatchDog to monitor.
3.
Go to Access Control (IAM) → Add role assignment.
5.
Under Members, select User, group, or service principal.
6.
Search for your WatchDog app registration by name and assign it.
Step 6 — Connect Azure in WatchDog Security#
2.
Navigate to Management → Integrations
3.
Locate the Microsoft Azure integration
5.
Enter the following fields:
Initial Sync#
WatchDog will begin collecting configuration and inventory data from Azure
The initial synchronization time depends on the size of your Azure environment
Large environments may take up to one hour
Revoking Access#
To fully remove WatchDog Security's access to your Azure environment, revoke access both in WatchDog and in Microsoft Azure.Step 1 — Disconnect the Integration in WatchDog#
1.
Log into the WatchDog Security Portal
2.
Navigate to Management → Integrations
3.
Locate the Microsoft Azure integration
Step 2 — Remove OAuth Access in Microsoft Entra ID#
2.
Navigate to Microsoft Entra ID → App registrations → + New registration.
3.
Locate the App Registration Created in Step 1 (e.g. WatchDog CSPM Connector.)
Troubleshooting#
Verify the following:
The Microsoft account used during setup has sufficient permissions
The Azure tenant allows OAuth application authorization
Authorization was completed successfully
