Automatic Cloud Account Onboarding

Sysdig can automatically detect newly created Azure subscriptions that are in an active state and onboard them without manual intervention. This helps maintain continuous visibility of your Azure environment. This capability is enabled by default. You can enable and disable it via the Sysdig UI or Terraform.

Automatic Cloud Account Onboarding simplifies the onboarding of Azure subscriptions by:

  • Automatically detecting and onboarding newly created Azure subscriptions under a connected Azure tenant.
  • Allowing you to enable or disable this behavior via the Sysdig UI.
  • Providing visibility into newly discovered subscriptions and any additional configuration needed.
  • Automatically removing (offboarding) any deleted or disabled subscriptions from a connected Azure tenant.

This capability reduces the manual effort of maintaining visibility across a dynamic Azure environment.

When automatic onboarding and offboarding is enabled, newly created Azure subscriptions are automatically detected and onboarded within 24 hours.

Prerequisites

  • Sysdig Secure account with organization admin rights.
  • A connected Management Group or Subscription hierarchy in Azure.

Enable Automatic Onboarding and Offboarding

To enable automatic onboarding and offboarding for Azure:

  1. Log in to Sysdig Secure.

  2. Navigate to Integrations > Azure.

  3. Click Add Azure Account.

  4. Select Tenant.

  5. Under Terraform, when preparing for onboarding or offboarding, go to the step Subscriptions to Onboard.

    You will see Automatic Onboarding & Offboarding enabled by default.

    [Screenshot: Automatic Azure Subscription Onboarding]


When deploying via Terraform, ensure the variable enable_automatic_onboarding = true is present in your configuration.

Sysdig will periodically poll Azure Resource Graph to detect subscription changes in the configured Azure Management Group(s) or tenant, onboarding new subscriptions and offboarding deleted or disabled ones.

Validate Automatic Onboarding

Once one Azure subscription is successfully onboarded, you can create new subscriptions in your Azure tenant.

Sysdig will automatically detect and onboard them, assuming they meet the following conditions:

  • The subscription is in an active state.
  • The subscription is under a Management Group or tenant that Sysdig has visibility into.

To verify onboarding:

  1. Log in to Sysdig Secure.

  2. Go to Integrations > Cloud Accounts > Azure.

Newly discovered subscriptions will be listed with a status of Connected once onboarded successfully.

For example:

[Screenshot: Automatic Azure Onboarding Status]

Troubleshooting

Automatic Onboarding Fails for New Azure Subscriptions

Sysdig may detect the subscription but fail to onboard it if:

  • The subscription is not in an active state.

Workaround

  • Confirm that the subscription is fully active and visible via Azure Resource Graph.
  • Ensure the connected Management Group includes the new subscription.
  • Confirm that your Secure app has the required permissions at the tenant or management group level.
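
The Resource Graph check and the two onboarding conditions above can be scripted. The following is an added example, not Sysdig's code: it classifies rows from a Resource Graph subscription query against the subscription IDs listed in Sysdig. It assumes "active" corresponds to the Resource Graph state Enabled; the management group mg-prod, the subscription IDs, and the sample rows are constructed.

```python
import json

# KQL for Azure Resource Graph; assumed to be run as: az graph query -q "<QUERY>"
# (needs the resource-graph CLI extension). The rows come back under "data".
QUERY = """resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionId, name, state = tostring(properties.state),
          ancestors = properties.managementGroupAncestorsChain"""

# Constructed sample rows in the shape that query projects.
SAMPLE = json.loads("""[
 {"subscriptionId": "sub-0001", "name": "prod-app", "state": "Enabled",
  "ancestors": [{"name": "mg-prod"}, {"name": "mg-root"}]},
 {"subscriptionId": "sub-0002", "name": "prod-new", "state": "Enabled",
  "ancestors": [{"name": "mg-prod"}, {"name": "mg-root"}]},
 {"subscriptionId": "sub-0003", "name": "prod-old", "state": "Disabled",
  "ancestors": [{"name": "mg-prod"}, {"name": "mg-root"}]},
 {"subscriptionId": "sub-0004", "name": "sandbox", "state": "Enabled",
  "ancestors": [{"name": "mg-sandbox"}, {"name": "mg-root"}]}
]""")


def classify(rows, connected_mg, connected_ids):
    """Group subscription IDs by expected onboarding outcome."""
    report = {k: [] for k in
              ("connected", "pending", "not_active", "out_of_scope", "stale")}
    eligible = set()
    for row in rows:
        sub_id = row["subscriptionId"]
        ancestors = {a["name"] for a in row.get("ancestors") or []}
        if row.get("state") != "Enabled":       # assumed meaning of "active"
            report["not_active"].append(sub_id)
        elif connected_mg not in ancestors:     # outside the connected hierarchy
            report["out_of_scope"].append(sub_id)
        else:
            eligible.add(sub_id)
            key = "connected" if sub_id in connected_ids else "pending"
            report[key].append(sub_id)
    # Listed in Sysdig but no longer eligible: expect automatic offboarding.
    report["stale"] = sorted(set(connected_ids) - eligible)
    return report


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE, "mg-prod", {"sub-0001", "sub-0003"}), indent=2))
```

Subscriptions reported as pending should appear as Connected within 24 hours; anything under not_active or out_of_scope matches a failure cause listed in this section.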

Considerations

Foundational, CSPM, Basic CIEM & Workload scanning

These features operate at the Management Group level and inherit cloud resources accordingly. When new Azure subscriptions are created under an onboarded management group, they are automatically included, and no further action is required.

Advanced CIEM, CDR & Agentless Host Scanning

These features require subscription-level access to cloud resources. When new subscriptions are added under an onboarded tenant or management group, you must re-run terraform apply. This ensures that the necessary cloud resources are provisioned for the new subscriptions, allowing these features to function correctly.