---
title: "Azure Connection Scanning Configuration Using Built-In Roles"
slug: "fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles"
updated: 2026-04-06T08:42:08Z
published: 2026-04-06T08:58:03Z
canonical: "support.fortanix.com/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles"
---

# Azure Connection Scanning Configuration Using Built-In Roles

## 1.0 Introduction

This article describes the minimum access privileges required for Fortanix Key Insight to scan the Azure cloud subscription(s) or management groups using Azure built-in roles.

Fortanix Key Insight scans Azure resources to discover encryption keys, key usage, and encryption configurations across supported services. To enable this functionality, an Azure service principal must be created and granted appropriate Role-Based Access Control (RBAC) permissions.

## 2.0 Configure Azure Cloud in Fortanix Key Insight

This section outlines the necessary steps to securely integrate an Azure cloud with Fortanix Key Insight, which enables streamlined monitoring, management, and optimization of key resources. The integration leverages Azure's Role-Based Access Control (RBAC) for granular permission management.

*For more information on Azure built-in role permissions required to onboard an Azure connection, refer to [Azure Connection Permissions](https://support.fortanix.com/docs/fortanix-key-insight-azure-connection-permissions).*

### 2.1 Prerequisites

The following are the prerequisites to configure an Azure cloud in Fortanix Key Insight:

- The supported Azure agreement types: Enterprise Agreement, Microsoft Customer Agreement, and Pay-as-you-go.
- Access to your Azure subscription: You should be a **Global Administrator** with elevated access to set up Azure integration in Fortanix Key Insight as shown in the following diagram. *For more information, refer to the [Microsoft official documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal#elevate-access-for-a-global-administrator).*

![image-20240313-143554.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25957421505300.png)

**Figure 1: Global administrator with elevated access**
- A registered Fortanix Key Insight Account. *For detailed steps to get started with Fortanix Key Insight, refer to [Getting Started with Cloud Connection](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection).*

### 2.2 Create a Service Principal in Microsoft Entra ID (Azure Active Directory)

Perform the following steps to create a service principal in Microsoft Entra ID:

1. Navigate to the [*Azure portal*](https://portal.azure.com/) and search for **Microsoft Entra ID**.
2. Select **App registrations** under **Manage** in the left navigation panel on the **Microsoft Entra ID** page.

> [!NOTE]
> You can also search for **App registrations** in the Microsoft Azure search bar.
3. Click **New registration**.
4. On the **Register an application** page:
  - **Name**: Enter a display name for this application. For example, **key-insight-app**.
  - **Supported account types**: Select **Accounts in this organizational directory only (<your organization name> only - Single tenant)**.
  - **Redirect URI** (optional): Enter a redirect URI.
5. Click **Register** to register an application. The new application will be registered in Microsoft Azure.

> [!NOTE]
> Copy and save the **Directory (tenant) ID** and **Application (client) ID** values. They are required when onboarding the Azure cloud connection in Fortanix Key Insight.
6. Create a new client secret:
  1. Navigate to **Certificates & secrets** from the left navigation panel.
  2. Click **New client secret**.
  3. On the **Add a client secret** panel:
    - **Description**: Enter a description for this secret. For example, **key-insight-app-client-secret**.
    - **Expires**: Select an expiration period that aligns with your organization’s security policy (for example, 6–12 months).
  4. Click **Add**.

![image-20240313-181210.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25958198048916.png)

**Figure 2: Add a new client secret**

> [!NOTE]
> The **Client secret** value is shown only once, immediately after creation. Copy and save it before leaving the page; it is required when onboarding the Azure cloud connection in Fortanix Key Insight.

### 2.3 Choose the Scope

You can choose **Management Groups** or **Subscription** scope during Azure cloud setup in Fortanix Key Insight.

- If you select **Management groups**, you must enter your **Management Group ID**. *Refer to [Section 2.3.1: Obtain a Management Group ID](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#231-obtain-a-management-group-id) for information on how to get a management group ID.*
- If you select **Subscription**, you must enter your **Subscription ID**. *Refer to [Section 2.3.2: Obtain a Subscription ID](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#232-obtain-a-subscription-id) for information on how to get a subscription ID.*

#### 2.3.1 Obtain a Management Group ID

Perform the following steps to obtain a management group ID:

1. Navigate to **Management groups** on Microsoft Azure.
2. Copy the value from the column **ID** in your Azure **Management groups**. For example, **engineering-management-group** from the **ID** column as shown below:

![image-20240317-230149.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25958657241876.png)

**Figure 3: Get a management group ID**

#### 2.3.2 Obtain a Subscription ID

Perform the following steps to obtain a subscription ID:

1. Navigate to **Subscriptions** on Microsoft Azure.
2. Select your subscription.
3. Copy the **Subscription ID** from your Azure subscription. For example, the **Subscription ID** is copied from the **Fortanix-Internal** subscription as shown below:

![image-20240318-002646.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25958611558804.png)

**Figure 4: Get a subscription ID**

### 2.4 Assign Built-In Roles to the Azure Service Principal

You must assign the following built-in roles to your Azure service principal at the management group or subscription level so that Fortanix Key Insight can scan the required Azure keys and services:

- **Reader**: Allows discovery of Azure resources and configurations.
- **Key Vault Reader**: Allows reading metadata of keys, secrets, and certificates in Azure Key Vault.
- **Storage Blob Data Reader**: Allows read access to blob metadata used for encryption analysis.

#### 2.4.1 Assign Roles at the Management Group Level

Perform the following steps to provide access to the built-in roles at the Management group level:

1. Navigate to **Access control (IAM)** in the selected management group.
2. Click **Add role assignment**.
3. Perform *Steps 3 to 6* of [*Section 2.4.2: Assign Roles at the Subscriptions Level*](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#242-assign-roles-at-the-subscriptions-level) to assign the following roles to the selected management group:
  - Reader
  - Key Vault Reader
  - Storage Blob Data Reader

These permissions are inherited by all subscriptions under the management group, so Fortanix Key Insight can scan resources across every subscription in the group without roles being assigned to each subscription individually.

#### 2.4.2 Assign Roles at the Subscriptions Level

Perform the following steps to provide access to the built-in roles at the subscription level:

1. Select your subscription.
2. Navigate to **Access control (IAM)**.
3. Click **Add role assignment**.
4. Provide access to each of the following roles:
  - **Reader**

    ![image-20240318-010728.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25960395671444.png)

    **Figure 5: Add a Reader role**

    1. On the **Role** tab, select the **Reader** role and click **Next**.
    2. Perform the following steps to select members:
      1. Click **Select members** on the **Members** tab.
      2. Add your app (for example, **key-insight-app**), as created in [*Section 2.2: Create a Service Principal in Microsoft Entra ID*](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#22-create-a-service-principal-in-microsoft-entra-id-azure-active-directory).
      3. Click **Select**.
      4. After adding the members, click **Review + assign**.
  - **Key Vault Reader**

    ![image-20240318-023856.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25960418152724.png)

    **Figure 6: Add a Key Vault Reader role**

    1. On the **Role** tab, select the **Key Vault Reader** role and click **Next**.
    2. Perform the following steps to select members:
      1. Click **Select members** on the **Members** tab.
      2. Add your app (for example, **key-insight-app**), as created in [*Section 2.2: Create a Service Principal in Microsoft Entra ID*](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#22-create-a-service-principal-in-microsoft-entra-id-azure-active-directory).
      3. Click **Select**.
      4. After adding the members, click **Review + assign**.
  - **Storage Blob Data Reader**

    ![KI_Azure Blob Reader Role.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Azure Blob Reader Role.png)

    **Figure 7: Add a Storage Blob Data Reader role**

    1. On the **Role** tab, select the **Storage Blob Data Reader** role and click **Next**.
    2. Perform the following steps to select members:
      1. Click **Select members** on the **Members** tab.
      2. Add your app (for example, **key-insight-app**), as created in [*Section 2.2: Create a Service Principal in Microsoft Entra ID*](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles#22-create-a-service-principal-in-microsoft-entra-id-azure-active-directory).
      3. Click **Select**.
      4. After adding the members, click **Review + assign**.

After assigning the required roles at either the management group level or the subscription level, Fortanix Key Insight will have the necessary permissions to scan Azure resources and encryption configurations.
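As an added check that is not part of the Fortanix documentation, the following Python script audits a service principal's role assignments against the three built-in roles above and models the management-group inheritance described in Section 2.4.1, reporting both missing roles and any roles beyond the minimum set. The input mirrors the JSON shape of `az role assignment list`; the management group name, subscription ID and parent hierarchy are constructed placeholders.

```python
"""Audit a service principal's Azure role assignments against the
Key Insight minimum role set (added example, not Fortanix or Microsoft code).

The input mirrors `az role assignment list --assignee <app-id> --all -o json`;
the sample data and every ID below are constructed placeholders."""
import json

REQUIRED_ROLES = {"Reader", "Key Vault Reader", "Storage Blob Data Reader"}

MG = "/providers/Microsoft.Management/managementGroups/engineering-management-group"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed hierarchy: the subscription sits under the management group.
# For real data, take this from the management-group tree in the portal.
PARENT_SCOPE = {SUB: MG}

# Constructed output in the shape of `az role assignment list`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": MG, "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Key Vault Reader", "scope": MG, "principalType": "ServicePrincipal"},
    # Not part of the minimum set: flagged as excess privilege below.
    {"roleDefinitionName": "Contributor", "scope": SUB, "principalType": "ServicePrincipal"},
])


def scope_chain(scope, parents):
    """Yield the scope and each ancestor, since Azure RBAC inherits downward."""
    while scope:
        yield scope
        scope = parents.get(scope)


def effective_roles(assignments, scope, parents):
    """Role names that apply at `scope`, assigned directly or inherited."""
    chain = set(scope_chain(scope, parents))
    return {a["roleDefinitionName"] for a in assignments if a["scope"] in chain}


def audit(assignments_json, scope, parents=PARENT_SCOPE):
    """Return what is missing from, and what exceeds, the minimum role set."""
    roles = effective_roles(json.loads(assignments_json), scope, parents)
    return {"missing": sorted(REQUIRED_ROLES - roles),
            "extra": sorted(roles - REQUIRED_ROLES)}


if __name__ == "__main__":
    # At the subscription: Reader and Key Vault Reader are inherited from the
    # management group, Storage Blob Data Reader is missing, Contributor is extra.
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS, SUB), indent=2))
```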

## 3.0 Help and Support

- If there are any issues with the configuration or permissions, you may need to review and adjust them accordingly. *For information on establishing a connection to Azure within Fortanix Key Insight, refer to [Getting Started with Cloud Connection](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection).*
- *For Fortanix Key Insight and Azure terminologies, refer to [All Connections Concepts](https://support.fortanix.com/docs/fortanix-key-insight-concepts-for-all-connections) and [Azure Connection Concepts](/v1/docs/fortanix-key-insight-for-azure-concepts).*
- If you need further assistance, contact Fortanix Support.

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

