Sysdig supports Microsoft Azure. Prepare your environment, then follow the wizard’s prompts to install agentless Cloud Security Posture Management (CSPM), Cloud Detection and Response (CDR) and Vulnerability Host Scanning on Azure. You can connect single subscriptions or tenants using Terraform. Azure coverage includes threat detection for Micosoft Entra ID.

Install using the Wizard

The installation options include:

  • Agentless CSPM and/or

  • Agentless CDR


  • Sysdig Secure SaaS with Admin permissions.

  • Terraform v. 1.3.1+ installed on the machine from which you will deploy the installation.

  • The Azure CLI installed on the same machine.

    For more information, see How to install the Azure CLI.

  • Azure requirements for roles, permissions, and environment, as described in Prepare Your Environment.

Review Azure Roles and Permissions

Review these concepts before preparing your environment and running the installation wizard.

User Types

There are two user types in the Azure onboarding:

  • “You:” The human user performing the installation is the primary type of user. Sometimes this “you” may encompass multiple people in an organization. The human user(s) need specific Entra ID and Azure role-based access control (RBAC) roles to perform the cloud account onboarding.
  • Service Principal: The onboarding process creates a “robot user” called a Service Principal. It has different, less permissive roles that are used by Sysdig.

Azure Role Types

Azure has two types of Roles that must be correctly assigned for you to onboard:

  • Entra ID roles that are applied to the entire Tenant and control what actions you can take in that tenant.

    For background information, see the Azure documentation on Entra ID (formerly Active Directory) roles.

  • Azure RBAC roles that are applied to the Subscription or Management Group and control what actions you can take on that subscription/management group.

    For background information, see the Azure documentation on Azure Role-Based Access Control and Assigning Azure Roles in the Azure Portal.

Permissions Required to Install

Entra ID

To perform the installation, you will need to authenticate as a user with the following Entra ID roles:

  • Application Administrator and Privileged Role Administrator
    • Application Administrator is required to create a Service Principal associated with a Sysdig-owned application.

    • Privileged Role Administrator is required to assign the Directory Reader Entra ID role to the created Service Principal.


Azure RBAC

Your user must have the following permission to assign Azure RBAC roles:

  • Microsoft.Authorization/roleAssignments/write
    • This permission is used to assign the Service Principal permission on the specified Subscriptions. The permissions assigned are documented below.

Common roles that contain this permission are:

  • User Access Administrator
  • Owner

Permissions Granted to Sysdig

The installation creates a Service Principal that Sysdig can access. This Service Principal is granted the following roles:

Entra ID:

  • Directory Readers - this role is used to allow Sysdig to list Users and Service Principals for CSPM.

Azure RBAC:

  • Reader - this role is used to allow Sysdig to list resources within your subscriptions for CSPM.
  • Custom Role - this is a custom role used to give Sysdig permissions to collect the AuthSettings object required for CSPM.

Prepare Your Environment

Preparation of your Azure environment, roles, and permissions is the key to a seamless connection between your Azure cloud accounts and Sysdig. When preparation is complete, the installation itself is a simple, wizard-guided process from the Sysdig Secure UI.

Follow each of the steps below to prepare for onboarding.

Step 1: Provide User with Appropriate Roles

Log into Azure and ensure that the user you log in with has all the necessary roles and permissions required to install.

You can:

  • Use an existing user who meets the permissions requirements
  • Create a new user and set up permissions
  • Add permissions to an existing user

To begin:

  1. Log in to Azure and check your Entra ID roles.

    • Navigate to the Entra ID console and select Roles and Administrators.

    • Click on Your Role.

      Entra ID is displayed with associated roles.

    • Add any missing Entra ID roles. (See Permissions Required to Install.)

  2. Check your Azure RBAC Roles.

    • For Single Subscriptions:

      • Navigate to Subscriptions.

      • Click the target subscription and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user. (See Permissions Required to Install.)

    • For Management Groups:

      • Navigate to Management Groups.

      • Click the target Management Group and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user.

      • Add any missing Azure RBAC Role assignments. (See Permissions Required to Install.)

Step 2: Configure Your Subscriptions

Register the resource provider Microsoft.ManagedService in each subscription to be onboarded.

For further guidance, see Azure’s registration instructions.

Step 3: Authenticate and Configure Terraform

Configure your environment from your local machine, preparing to apply Terraform.

  1. Ensure the prerequisites are met:

    • Terraform v.1.3.1+ installed
    • Terraform CLI installed
  2. Authenticate your user and configure Terraform to use these credentials.

    A common way to do this is:

    1. Ensure you are logged in to the correct Tenant.

      Log in using the Azure CLI:

      az login --tenant "TENANT_ID_OR_DOMAIN"

      You will be presented with a web page to select your user account. Be sure to log in as the user you configured in Step 1.

    2. Confirm you are logged in as the correct user, by running:

      az ad signed-in-user show

      (For alternative ways to authenticate Terraform, see the Terraform documentation: Authenticating to Azure Active Directory and Authenticating to Azure.)

Install using Wizard

To install agentless CSPM and/or CDR, follow the Wizard Quick Start.

  1. Log in and authenticate in Azure, per the Preparation steps above.

  2. Log in to Sysdig Secure as admin, select Integrations > Cloud Accounts | Azure, and click +Add Azure Account.

  3. It is possible to install agentless CDR only.

  4. In all other cases, all agentless Azure installations include CSPM.
    All features are included by default. Deselect individual features if desired:

    • Cloud Detection and Response (CDR)

    • Vulnerability Host Scanning

    and click Next.

  5. Select which installation method matches your enterprise and click Next.

    • Tenant Multi-Subscription: Configure Azure for a tenant.
    • Single Subscription: Configure Azure for a single subscription.
  6. The Installation screen appears.As prompted by the wizard screen, specify the following:

    • Subscription ID: The ID of the Azure subscription where Sysdig resources will be created.
    • Tenant ID: The ID of the Azure Active Directory Tenant you want to connect.
    • Management Groups: To onboard your entire Tenant, enter your Root Management Group ID. To onboard a subset, enter the Management Group IDs in a comma separated list. Check your groups using the wizard link, if needed.

    The wizard will auto-populate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.

  7. Create a file called

  8. Copy the code snippet from the Wizard into the file and run terraform init && terraform apply.

  9. Return to the wizard and click Complete.

  10. After deploying, validate the services are working.


Log in to Sysdig Secure and check that each module you deployed is functioning. Events may take 10 minutes or so to collect and display. To validate the successful connection of each of the chosen features:

  1. In Sysdig Secure, select Integrations > Cloud Accounts > Azure.
  2. The Status column shows the overall connection status (Connected/Partial Error/Error/Unknown).

See also: Cloud Accounts | Azure.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and filter for subscription =. Check for your Azure cloud account in the drop-down.

Features and Resources on Azure

Agentless CSPM

Resources Created

  • azuread_service_principal
  • azuread_directory_role_assignment
  • azurerm_role_assignment
  • azurerm_role_definition

Agentless Cloud Detection and Response (CDR)

This feature performs threat detection using Falco rules and policies on platform logs. Agentless CDR relies on the following Azure features; see the linked Azure docs for details:

Resources Created

  • azuread_service_principal
  • azurerm_role_assignment
  • azurerm_resource_group
  • azurerm_eventhub_namespace
  • azurerm_eventhub
  • azurerm_eventhub_consumer_group
  • azurerm_eventhub_namespace_authorization_rule
  • azurerm_monitor_diagnostic_setting

Disable CDR for Microsoft Entra ID

Cloud Detection & Response (CDR) coverage of Azure includes threat detection for Microsoft Entra ID. Entra logs are monitored with dedicated policies and rule types through a dedicated Falco plugin.

Threat detection for Entra ID is enabled by default. To disable the ingestion of Entra ID logs, set the enable_entra parameter on Terraform to false.

Advanced: Tuning Event Hub

Sysdig provides a default configuration for Event Hub that relies on a standard tier Event Hub with four partitions and throughput unit autoscaling enabled, starting from 1 TU and capped at 20 maximum TUs.

To customize this, you can adapt the arguments of the threat detection Terraform module (source = sysdiglabs/secure/azurerm//modules/services/event-hub-data-source). Review the module specifications here.

Vulnerability Management Agentless Host Scanning

This feature performs vulnerability host scanning using disk Snapshots and Lighthouse to provide highly accurate views of vulnerability risk, access to public exploits, and risk management. Vulnerability Host Scanning relies on the following Azure features; see the linked Azure docs for details:

  • Azure LightHouse to manage the relationship between the Sysdig Service Principal and the target subscription(s)
  • Snapshot to share disks with Sysdig

Resources Created

  • azurerm_lighthouse_definition
  • azurerm_lighthouse_assignment

The Lighthouse Definition and Assignment are created in the target subscription(s) to allow Sysdig to access the disks for scanning. The role assigned to the Sysdig Service Principal is VM scanner operator to allow Sysdig to read the disks and create snapshots. The detailed list of permissions is:

  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/beginGetAccess/action
  • Microsoft.Compute/disks/diskEncryptionSets/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read

This role has the minimal permission set to create snapshots.

How to Exclude/Include Resources from Vulnerability Scanning in Azure

When you connect your Azure subscription with Vulnerability Host Scanning, by default all Resource Groups and Virtual Machines with root disks in the subscription are included in the scan.

If you need to exclude specific Resource Groups or Virtual Machines from being scanned, you can do so using tags.

How to exclude Resource Groups or Hosts:. To exclude certain Resource Groups or Virtual Machines from being scanned, you must assign specific tags to them in the Azure Console or via Azure APIs.

It is recommended to set these tags before initiating the scanning process. You can add tags after onboarding, but note that the exclusion will only take effect in subsequent scans.

How to include Data Disks in Scans:. By default, only root disks of Virtual Machines are scanned.

To also include data disks in scans, you need to use the specific tags declared below.

Tagging Semantics

You can use the following tags at the Disk, Virtual Machine, or Resource Group level. Tagging can be added at any time, for example, if you want to exclude/include something that was or was not scanned.

Keys: sysdig:secure:scan, sysdig:secure:data-volumes:scan.

Values: true, false

Usage Examples

  • “sysdig:secure:scan": "false” on a Resource Group excludes all resources within that group from scanning;
  • "sysdig:secure:scan": "false" on a Virtual Machine excludes the VM and all its disks from scanning;
  • “sysdig:secure:scan” : “true” on a data-disk of a VM includes such disk for scanning;
  • “sysdig:secure:data-volumes:scan” : “true” on a Resource Group has the same effect as applying the “sysdig:secure:scan” : “true” tag to all the data-disks of all the VMs in it;
  • “sysdig:secure:data-volumes:scan” : “true” on a VM has the same effect as applying the “sysdig:secure:scan” : “true” tag to all its data-disks;
  • “sysdig:secure:data-volumes:scan” : “true” on a Resource Group, while “sysdig:secure:data-volumes:scan” : “false” on a VM of the same Resource Group, has the same effect as applying the “sysdig:secure:scan” : “true” tag to all data-disks of all the VMs within the Resource Group but the one explicitly excluded via the tag.

The following tags are redundant; using them will have the same effect as not having them. This is either because Sysdig scans them by default or because the values have been overridden by a tag at a higher level (such as a Resource Group or a Virtual Machine).

  • “sysdig:secure:scan” : “true” on a Resource Group;
  • “sysdig:secure:scan” : “true” on a VM;
  • “sysdig:secure:scan” : “true” on a root disk of a VM;
  • “sysdig:secure:scan” : “false” on any data-disks of a VM;
  • “sysdig:secure:scan” : “false” on the root disk of a VM has no effect. The root disk is always scanned as part of the VM scan;
  • “sysdig:secure:data-volumes:scan” : “false” on a Resource Group;
  • “sysdig:secure:data-volumes:scan” : “false” on a VM;
  • “sysdig:secure:data-volumes:scan” : “false” on any data-disks of a VM.