Connect Azure
Create a service principal with the required roles and connect your Azure subscription to VikingCloud.
This guide shows you how to create an Azure service principal with the roles VikingCloud needs to scan your subscription. Choose either the Portal (GUI) method or the CLI method below.
Required Roles
| Role | Scope | Purpose |
|---|---|---|
| Reader | Subscription | Resource discovery — enumerate all resources |
| AcrPull | Subscription | Container scanning — pull images from Azure Container Registry |
| Disk Snapshot Contributor | Subscription | VM scanning — create and delete disk snapshots |
| Virtual Machine Contributor | Subscription | VM scanning — create and delete ephemeral scanner VMs |
Method 1: Azure Portal (GUI)
Step 1: Register an Application
- Sign in to the Azure Portal
- Navigate to Microsoft Entra ID > App registrations > New registration
- Enter:
  - Name: vikingcloud-platform-sp
  - Supported account types: Accounts in this organizational directory only
- Click Register
- Note the Application (client) ID and Directory (tenant) ID from the overview page
Step 2: Create a Client Secret
- In the app registration, go to Certificates & secrets > Client secrets > New client secret
- Enter a description (e.g., VikingCloud Scanner)
- Select an expiration (recommended: 12 months)
- Click Add
- Copy the Value immediately — it will not be shown again
Step 3: Assign Roles
- Navigate to Subscriptions and select your subscription
- Go to Access control (IAM) > Add role assignment
- Add each of the following roles, assigning them to the vikingcloud-platform-sp application:
  - Reader
  - AcrPull
  - Disk Snapshot Contributor
  - Virtual Machine Contributor
- For each role: search for the role name, click Next, select User, group, or service principal, click Select members, search for vikingcloud-platform-sp, select it, and click Review + assign
Step 4: Enter Credentials in VikingCloud
- In VikingCloud, go to Settings > Connections
- Click Add Connection and select Azure
- Enter the following:
| Field | Value |
|---|---|
| Tenant ID | Directory (tenant) ID from Step 1 |
| Client ID | Application (client) ID from Step 1 |
| Client Secret | The secret value from Step 2 |
| Subscription ID | Your Azure subscription ID (found in Subscriptions) |
- Click Save
Method 2: Azure CLI
Prerequisites
- Azure CLI installed and signed in (az login)
Step 1: Create the Service Principal and Assign Roles
```bash
# Get your subscription ID
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Create service principal with Reader role
az ad sp create-for-rbac \
  --name vikingcloud-platform-sp \
  --role Reader \
  --scopes /subscriptions/${SUBSCRIPTION_ID}

# Output will include:
# {
#   "appId": "...",      ← Client ID
#   "password": "...",   ← Client Secret
#   "tenant": "..."      ← Tenant ID
# }
# Save these values — you will need them for VikingCloud.

# Get the service principal's App ID (the JMESPath query is quoted so the shell
# does not treat "[0]" as a glob pattern)
SP_APP_ID=$(az ad sp list --display-name vikingcloud-platform-sp --query "[0].appId" -o tsv)

# Add AcrPull role (container scanning)
az role assignment create \
  --assignee ${SP_APP_ID} \
  --role AcrPull \
  --scope /subscriptions/${SUBSCRIPTION_ID}

# Add Disk Snapshot Contributor (VM scanning — snapshots)
az role assignment create \
  --assignee ${SP_APP_ID} \
  --role "Disk Snapshot Contributor" \
  --scope /subscriptions/${SUBSCRIPTION_ID}

# Add Virtual Machine Contributor (VM scanning — scanner VMs)
az role assignment create \
  --assignee ${SP_APP_ID} \
  --role "Virtual Machine Contributor" \
  --scope /subscriptions/${SUBSCRIPTION_ID}
```
Step 2: Enter Credentials in VikingCloud
Use the appId, password, and tenant from the service principal creation output. Enter them in VikingCloud under Settings > Connections > Add Connection > Azure.
Verification
Verify all roles are assigned:
```bash
az role assignment list \
  --assignee $(az ad sp list --display-name vikingcloud-platform-sp --query "[0].appId" -o tsv) \
  --output table
```
Expected roles: Reader, AcrPull, Disk Snapshot Contributor, Virtual Machine Contributor.
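To check that listing without reading the table by eye, here is an added example (not VikingCloud's own tooling) that parses the JSON form of the same command, `az role assignment list --assignee <appId> --output json`, and reports required roles missing at subscription scope as well as assignments that exceed the documented set. It assumes the `roleDefinitionName` and `scope` fields of the CLI output and runs on a constructed sample rather than calling `az`.

```python
import json

# The four roles the guide assigns, all at subscription scope.
REQUIRED_ROLES = {
    "Reader",
    "AcrPull",
    "Disk Snapshot Contributor",
    "Virtual Machine Contributor",
}

def check_role_assignments(assignments_json: str, subscription_id: str) -> dict:
    """Compare the JSON from `az role assignment list --assignee <appId> -o json`
    against REQUIRED_ROLES. Reports roles present at subscription scope, roles
    missing there, and assignments outside the documented set (extra roles, or
    required roles granted at a different scope, which also count as missing)."""
    scope = f"/subscriptions/{subscription_id}".lower()
    present, unexpected = set(), []
    for a in json.loads(assignments_json):
        role = a.get("roleDefinitionName")
        # Case-insensitive scope match: pasted subscription IDs vary in casing.
        if role in REQUIRED_ROLES and a.get("scope", "").lower() == scope:
            present.add(role)
        else:
            unexpected.append({"role": role, "scope": a.get("scope")})
    return {
        "present": sorted(present),
        "missing": sorted(REQUIRED_ROLES - present),
        "unexpected": unexpected,
    }

# Constructed sample in the shape of `az role assignment list` output (not real
# tenant data): AcrPull was never assigned, and Contributor was added, which is
# far broader than anything the scanner needs.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_SCOPE = f"/subscriptions/{SAMPLE_SUBSCRIPTION}"
SAMPLE_OUTPUT = json.dumps([
    {"principalName": "vikingcloud-platform-sp", "roleDefinitionName": "Reader", "scope": SAMPLE_SCOPE},
    {"principalName": "vikingcloud-platform-sp", "roleDefinitionName": "Disk Snapshot Contributor", "scope": SAMPLE_SCOPE},
    {"principalName": "vikingcloud-platform-sp", "roleDefinitionName": "Virtual Machine Contributor", "scope": SAMPLE_SCOPE},
    {"principalName": "vikingcloud-platform-sp", "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
])

if __name__ == "__main__":
    print(json.dumps(check_role_assignments(SAMPLE_OUTPUT, SAMPLE_SUBSCRIPTION), indent=2))
```

Anything listed under "unexpected" is worth reviewing: a missing required role breaks scanning, while an extra role such as Contributor gives the scanner more than the guide calls for.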
Troubleshooting
Permission Denied Errors
List all role assignments for the service principal (at every scope within the subscription):
```bash
az role assignment list --all \
  --assignee $(az ad sp list --display-name vikingcloud-platform-sp --query "[0].appId" -o tsv) \
  --output table
```
Client Secret Expired
Create a new client secret in Microsoft Entra ID > App registrations > vikingcloud-platform-sp > Certificates & secrets, then update the credential in VikingCloud.
Security Notes
- Scoped by tags: All VikingCloud-created resources are tagged with owner=vikingcloud
- Ephemeral resources: Scanner VMs and snapshots exist only during scans, typically under 10 minutes
- Read-only data access: VikingCloud reads disk data via snapshots but never modifies your VMs
- Resource group isolation: Scanner VMs are created in a dedicated resource group
- Rotate secrets every 12 months as recommended by Microsoft