---
title: "Azure Connection Scanning Configuration Using Custom Roles"
slug: "fortanix-key-insight-azure-configuration-for-scanning-using-custom-roles"
updated: 2026-04-06T08:41:33Z
published: 2026-04-06T08:58:03Z
---


# Azure Connection Scanning Configuration Using Custom Roles

## 1.0 Introduction

This article describes the least-privilege permissions required by Fortanix Key Insight to use an Azure custom role through an Azure CLI script.

## 2.0 Configure Azure Access Using Custom Roles

Use the Azure Command-Line Interface (CLI) script to configure Azure access using a custom role that follows the principle of least privilege.

*For a comprehensive list of permissions required for the Azure custom role, refer to [Azure Connection Permissions](https://support.fortanix.com/docs/fortanix-key-insight-azure-connection-permissions).*

The Azure script helps you to:

- Create an Azure service principal.
- Create a custom role with specific permissions.
- Assign the custom role to the service principal within the scope of the subscription or management group.

> [!NOTE]
> - Run the script in a Bash-compatible shell (for example, Azure Cloud Shell or a Linux/macOS terminal).
> - You must have the following permissions at the appropriate levels:
>   - The **Application Administrator** or **Cloud Application Administrator** role at the Azure tenant level. These roles allow app registration and service principal creation in Microsoft Entra ID.
>   - The **Owner**, **User Access Administrator**, or **Role Based Access Control Administrator** role at the Subscription or Management Group level to create and assign a custom role.

Perform the following steps to configure an Azure cloud using the Azure script with Subscription or Management Group scopes:

1. Download the following script (`.sh`) file:

   [fortanix_key_insight_azure_cloud_onboarding.sh](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix_key_insight_azure_cloud_onboarding(7).sh) (37.71 KB)
2. Run the following command to make the script executable:

   ```bash
   chmod +x fortanix_key_insight_azure_cloud_onboarding.sh
   ```
3. Use one of the following options to run the script at the required scope:
   - **Subscription** scope:

     ```bash
     ./fortanix_key_insight_azure_cloud_onboarding.sh -s <subscription-id>
     ```
   - **Management Group** scope:

     ```bash
     ./fortanix_key_insight_azure_cloud_onboarding.sh -m <management-group-name-or-id>
     ```

     > [!NOTE]
     > You can specify either a subscription ID **or** a management group ID as the scope, but **not both**.
   - Use the following command to list **all the available options**:

     ```bash
     ./fortanix_key_insight_azure_cloud_onboarding.sh -h
     ```
4. After the script runs successfully, it outputs the following values:
   - **Subscription ID** or **Management Group ID**
   - **Client ID**
   - **Client secret**
   - **Tenant ID**

   You must use these values to set up the Azure cloud connection in Fortanix Key Insight. *Refer to [Getting Started with Cloud Connection](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection) for guidance on establishing a connection to Azure within Fortanix Key Insight.*
5. After you complete the configuration and scan your Azure resources, you can view the discovery and assessment results in the Fortanix Key Insight dashboard. The dashboard provides a detailed overview of your scanned key vaults and the keys in those vaults, along with the use of these keys in services. You will see an assessment of the keys with a risk score, highlighting any violations, expired keys, disabled key rotation, vulnerable keys, and instances where the same key is used across multiple resources.

*For more information on the Azure dashboard, refer to [Azure Connection - User Interface Components](/v1/docs/fortanix-key-insight-user-interface-components-azure).*
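The three actions the onboarding script performs (service principal, custom role, scoped assignment), as an added example written for this article and not the Fortanix script itself. It assumes the Azure CLI is installed and already logged in; the `-s`/`-m` options follow the article, while the `build_scope`, `role_definition` and `onboard` helper names, the role name and the two Key Vault read actions are placeholders, because the real permission list is in Azure Connection Permissions.

```bash
#!/usr/bin/env bash
# Added example (not the Fortanix onboarding script): the three onboarding steps
# done with the Azure CLI. Role actions are placeholders; use the documented list.
set -eu

# Turn "-s <subscription-id>" or "-m <management-group-id>" into an ARM scope.
# Exactly one of the two must be given, the rule the onboarding script enforces.
build_scope() {
  sub="" mg=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      -s) sub="$2"; shift 2 ;;
      -m) mg="$2"; shift 2 ;;
      *) echo "unknown option: $1" >&2; return 2 ;;
    esac
  done
  if [ -n "$sub" ] && [ -n "$mg" ]; then
    echo "specify -s or -m, not both" >&2; return 1
  elif [ -n "$sub" ]; then
    printf '/subscriptions/%s\n' "$sub"
  elif [ -n "$mg" ]; then
    printf '/providers/Microsoft.Management/managementGroups/%s\n' "$mg"
  else
    echo "one of -s or -m is required" >&2; return 1
  fi
}

# Custom role JSON whose AssignableScopes is limited to the chosen scope. The two
# read-only Key Vault actions are illustrative placeholders, not the documented set.
role_definition() {
  printf '{"Name":"%s","Description":"Read-only scanning role (example)",' "$1"
  printf '"Actions":["Microsoft.KeyVault/vaults/read","Microsoft.KeyVault/vaults/keys/read"],'
  printf '"NotActions":[],"DataActions":[],"AssignableScopes":["%s"]}\n' "$2"
}

# Service principal -> custom role -> assignment at that scope only, then print the
# values Key Insight asks for. Assumes "az login" has already been done.
onboard() {
  scope=$(build_scope "$@")
  role="Fortanix Key Insight Scanner (example)"
  # Without --role, create-for-rbac creates the app and SP with no role assignment.
  sp=$(az ad sp create-for-rbac --name "$role" --query '[appId,password,tenant]' -o tsv)
  client_id=$(printf '%s' "$sp" | cut -f1)
  az role definition create --role-definition "$(role_definition "$role" "$scope")" >/dev/null
  az role assignment create --assignee "$client_id" --role "$role" --scope "$scope" >/dev/null
  printf 'Scope: %s\nClient ID: %s\nClient secret: %s\nTenant ID: %s\n' "$scope" \
    "$client_id" "$(printf '%s' "$sp" | cut -f2)" "$(printf '%s' "$sp" | cut -f3)"
}
if [ "$#" -gt 0 ]; then onboard "$@"; fi
```

A freshly created service principal can take a few seconds to become visible to `az role assignment create`, so the last step may need a retry.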

## 3.0 Additional References

- *For Fortanix Key Insight and Azure terminologies, refer to [All Connections Concepts](/v1/docs/fortanix-key-insight-concepts) and [Azure Connection Concepts](/v1/docs/fortanix-key-insight-for-azure-concepts).*
- *To onboard an Azure cloud in Fortanix Key Insight using Azure built-in roles, refer to [Azure Connection Scanning Configuration Using Built-In Roles](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles).*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

## Related

- [Azure Connection Scanning Configuration Using Built-In Roles](/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles.md)
- [AWS Connection Scanning Configuration](/fortanix-key-insight-aws-configuration-for-scanning.md)
- [Command-Line Interface (CLI) for Fortanix DSM (sdkms-cli)](/fortanix-dsm-clients-command-line-interface-cli.md)
