Selective Cloud Account Onboarding

Selective Cloud Account Onboarding lets you control which Azure subscriptions or Management Groups are onboarded using the Include/Exclude option. Excluded subscriptions and resources can be added later as needed. This provides the flexibility to onboard only the Azure subscriptions or Management Groups relevant to your organization’s needs.

To perform selective cloud account onboarding for Azure:

  1. Log in to Sysdig Secure as an Admin.

  2. Navigate to Integrations > Connective Environments > Azure.

  3. Follow the steps to Configure Installation Permissions and Enter your Subscription Details.

  4. At the step Subscriptions to Onboard, review the Account Selection Options.



Account Selection Options

By default, when you onboard an Azure account, all Management Groups are onboarded. You can configure Azure onboarding using the following methods:

All

This is the default option, which selects all subscriptions within the connected Azure tenant or Management Group.

  • All existing and newly created active subscriptions will be onboarded.
  • Use this option if your organization wants full coverage across its Azure environment.

Include Management Groups

This option lets you explicitly include one or more Management Groups during onboarding.

Management Groups to Include

  • All subscriptions under these Management Groups will be considered for onboarding.
  • You can list one or more Management Groups to include during onboarding. If you are using Terraform, set them using include_management_groups.

Exclude Subscriptions (optional)

  • These subscriptions will not be onboarded, even though their parent Management Group is included.
  • You can exclude certain subscriptions within included Management Groups. If you are using Terraform, set them using exclude_subscriptions.

Include Extra Subscriptions (optional)

  • These subscriptions will be onboarded even though their parent Management Groups are not included.
  • You can include specific subscriptions from Management Groups that are not listed in include_management_groups by explicitly adding them to include_subscriptions.

Exclude Management Groups

This option lets you exclude one or more Management Groups from onboarding.

Management Groups to Exclude

  • All subscriptions under these Management Groups will be skipped unless explicitly included.
  • You can exclude one or more Management Groups from the onboarding process. If you are using Terraform, set them using exclude_management_groups.

Include Subscriptions (optional)

  • These subscriptions will be onboarded even if their parent Management Groups are excluded.
  • You can include specific subscriptions from excluded Management Groups by adding their subscription IDs, ensuring they are still onboarded. If you are using Terraform, set them using include_subscriptions.

Exclude Extra Subscriptions (optional)

  • These subscriptions will not be onboarded even though their parent Management Groups are included.
  • You can exclude specific subscriptions within included Management Groups by explicitly listing them.

For both include and exclude inputs (for Management Groups and Subscriptions), always use the Azure resource IDs (for example, /providers/Microsoft.Management/managementGroups/abc-group or /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) and not display names.

Terraform Configuration

You can also perform selective cloud account onboarding via Terraform, using the following variables:

Terraform Variable           Purpose
include_management_groups    Only subscriptions under these Management Groups are considered for onboarding.
exclude_management_groups    Any Management Groups listed here will be skipped.
include_subscriptions        Explicitly include these subscription IDs, even if they fall outside Management Groups.
exclude_subscriptions        Exclude these subscriptions, even if they’re under included Management Groups.
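
Before applying a selective configuration, it helps to preview which subscriptions will be left without coverage. The following pre-flight check is an added example, not Sysdig's own code: it rejects display names in the four variables and resolves the include/exclude rules described above against a constructed tenant. It assumes a flat hierarchy (one parent Management Group per subscription) and that an explicit exclusion wins if a subscription appears in both subscription lists; the helper names and sample IDs are hypothetical.

```python
import re

# Resource-ID shapes taken from the page's examples; display names must not match.
MG_ID = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/\s]+$")
SUB_ID = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def invalid_ids(cfg):
    """Return (variable, value) pairs that are not Azure resource IDs."""
    bad = []
    for var, values in cfg.items():
        pattern = MG_ID if var.endswith("management_groups") else SUB_ID
        bad += [(var, v) for v in values if not pattern.match(v)]
    return bad

def onboarded(tenant, cfg):
    """tenant: {subscription ID: parent Management Group ID} (flat hierarchy, assumed)."""
    inc_mg = set(cfg.get("include_management_groups", []))
    exc_mg = set(cfg.get("exclude_management_groups", []))
    inc_sub = set(cfg.get("include_subscriptions", []))
    exc_sub = set(cfg.get("exclude_subscriptions", []))
    selected = set()
    for sub_id, parent in tenant.items():
        if sub_id in exc_sub:        # assumption: an explicit exclusion always wins
            continue
        if sub_id in inc_sub:        # explicit inclusion overrides the parent group
            selected.add(sub_id)
        elif parent not in exc_mg and (not inc_mg or parent in inc_mg):
            selected.add(sub_id)
    return selected

def mg(name):   # constructed Management Group resource ID
    return f"/providers/Microsoft.Management/managementGroups/{name}"

def sub(n):     # constructed subscription resource ID, e.g. 11111111-1111-...
    return "/subscriptions/" + "-".join(str(n) * k for k in (8, 4, 4, 4, 12))

# Constructed tenant: two prod subscriptions, one dev, one sandbox.
TENANT = {sub(1): mg("prod"), sub(2): mg("prod"), sub(3): mg("dev"), sub(4): mg("sandbox")}
INCLUDE_MODE = {"include_management_groups": [mg("prod")],
                "exclude_subscriptions": [sub(2)], "include_subscriptions": [sub(4)]}
EXCLUDE_MODE = {"exclude_management_groups": [mg("sandbox")],
                "include_subscriptions": [sub(4)], "exclude_subscriptions": [sub(3)]}

if __name__ == "__main__":
    for name, cfg in (("include", INCLUDE_MODE), ("exclude", EXCLUDE_MODE)):
        chosen = onboarded(TENANT, cfg)
        print(name, "invalid IDs:", invalid_ids(cfg))
        print(name, "onboarded:", sorted(chosen))
        print(name, "not monitored:", sorted(set(TENANT) - chosen))
```

The "not monitored" list is the coverage gap to review: every subscription in it is outside the onboarded scope until it is added later.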