Microsoft Azure
Configuring the Veza integration for Microsoft Azure
Veza connects to Azure tenants using an App Registration granted read-only permissions for the Microsoft Graph API. You will need an app client ID, client secret, and the Azure tenant ID to enable the connection in Veza.
Adding an Azure tenant will parse all its services, including Azure AD as an Identity Provider (IdP), and Microsoft SharePoint Online as an additional data source.
See Notes & Supported Entities for more details and supported Microsoft services.
Integrating with Microsoft Azure

To integrate with Microsoft Azure, you will need to create an App Registration with read-only permissions for the services to discover. You will enter the App Registration's credentials when adding the Veza integration:
1. Register a new application for Veza
From your Azure tenant profile, navigate to App Registrations > New Registration.
Name the new application (for example, Veza Integration). Select Accounts in this organizational directory only (tenantname only - Single tenant), and click "Register" to save your changes.
For more information, see the full instructions from Microsoft.
2. Grant permissions for the new app
With the new app registration selected, choose Manage > API Permissions and click "Add a Permission".
Select Microsoft Graph. Click "Application Permissions" and add the permissions:
Application.Read.All
AuditLog.Read.All (Required to collect last login date for users)
CustomSecAttributeAssignment.Read.All (Required to gather custom security attributes)
DeviceManagementManagedDevices.Read.All (Required to collect Intune devices)
DeviceManagementRBAC.Read.All (Required to collect Intune roles)
Device.Read.All (Required to collect Entra ID devices)
Directory.Read.All
Files.Read.All
Group.Read.All
GroupMember.Read.All
IdentityRiskyUser.Read.All
InformationProtectionPolicy.Read.All (Required for sensitivity labels extraction)
Policy.Read.All (Used to evaluate Conditional Access policies)
PrivilegedAccess.Read.AzureAD (Required for PIM roles and groups)
Reports.Read.All (Required when connecting to SharePoint Online)
RoleManagement.Read.All (Required for PIM roles and groups)
Sites.Read.All
User.Read.All
Enable "Grant Admin Consent" on the API permissions screen.

The delegated User.Read permission should be granted automatically. If it isn't present, add the permission from Add a Permission > Microsoft Graph > Delegated Permissions.
3. Enable SharePoint integration (optional)
Additional API permissions are required if you plan to connect to SharePoint Online. To grant read-only access for Veza, choose SharePoint on the app registration "Add a Permission" screen, and grant the application permissions:

User.Read.All
Sites.Read.All
The app registration will also need the Reports.Read.All Microsoft Graph permission from the previous step.
For a complete overview and visual guide, see the official Azure documentation on configuring client application access.
Enable audit log parsing for activity-based extraction
Audit log extraction for SharePoint is provided as an Early Access feature. Please contact your support team to enable this configuration option.
When audit log extraction is enabled for an Azure tenant, Veza will gather audit logs using the Office 365 Management Activity API, and only connect to SharePoint Online for a full update when changes occur.
Enabling activity-based scheduling should help reduce lag between extractions, reducing the total time required to ingest large SharePoint environments. Please see below for the requirements and optional steps to enable:
Auditing must be enabled in the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in. Click Audit. If auditing isn't enabled, a banner will prompt to Start recording user and admin activity.
Click the banner to enable auditing, and wait for the changes to propagate.
Alternatively, use Exchange PowerShell:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
The Enterprise App used by Veza must have the ActivityFeed.Read permission on the Office 365 Management API. When adding permissions to Enable SharePoint integration (optional), add the additional permission for the app registration: API permissions → Office 365 Management APIs → Application permissions → ActivityFeed.Read
After you finish integrating the Azure tenant, enable audit log extraction under Veza Configuration → Cloud Providers. The audit log status column should update to show that extraction is enabled:

4. Generate a Client Secret
From Certificates & Secrets, click "New Client Secret" and select an expiration date. Click "Add" to generate a new client secret value and ID.
Copy the client secret Value, which you'll use to configure the integration within Veza.

5. Get the Application and Directory unique identifier
Open the Overview screen for the new application. Copy the Application (client) ID. Copy the value for Directory (tenant) ID.
You will need both values when adding the provider to Veza.

6. Assign the Reader role for the Veza app
For each Azure subscription to discover, you will need to add the new Veza app as a Reader. If you don't have any subscriptions (as will be the case if only integrating with Azure AD as an identity provider), this step is optional.

From the Azure Subscription, select Access control (IAM)
Click on "+ Add" -> "Add role assignment"
Select "Reader" as the role
Select "User, Group, or Service Principal" under Assign Access To
Select or search for the Veza app, and assign it the "Reader" role
(Optional) Assign the "Reader and Data Access" role to discover storage accounts and keys.
Save your changes
(Optional) Assign the Cosmos DB Account Reader role
To discover Azure CosmosDB resources, assign the Cosmos DB Account Reader role to the Veza app:
Navigate to your CosmosDB account in Azure Portal
Select Access control (IAM)
Click "+ Add" -> "Add role assignment"
Select "Cosmos DB Account Reader" as the role
Choose "User, Group, or Service Principal" under Assign access to
Search for and select the Veza app
Save the role assignment
This role provides the minimum required permissions to discover CosmosDB accounts, SQL role definitions, SQL role assignments, and databases. See Azure CosmosDB Support for more details.
7. Add Key Vault Permissions (Optional)
To connect to Azure Key Vault, a Key Vault access policy must grant the Veza app List permissions on Keys, Secrets, and Certificates. To create this policy:
On the Key Vaults services page, choose the vault Veza will discover.
Select Access policies.
Click + Create.
Select List under Key Permissions, Secret permissions, and Certificate permissions.
Click Next.
Search and select the Veza app as the Authorized Application.
Click Next, Next, and Create to save the policy.

8. Add the Azure tenant to Veza
After completing the steps above, you can add the credentials and enable discovery by navigating to Veza Integrations > Add Integration. Choose Azure as the Integration Type.
Insight Point: Leave default unless using an Insight Point
Name: Friendly name for the account
Tenant ID: Azure tenant ID to discover
Application ID: App UUID
Client Secret Value: App client secret value
Auth Certificate: Optional certificate for connecting to SharePoint
Auth certificate password: Password for SharePoint certificate (optional)
Subscription ID Allow List: Comma-separated list of subscription IDs; if present, discovery will be limited to the listed subscriptions (optional)
Subscription ID Deny List: Comma-separated list of subscription IDs; if present, listed subscriptions will be excluded from discovery (optional)
Limit Azure services extracted: Choose individual services to discover (see below)
Domains: Comma-separated list of domains to discover, ignoring any others
Dynamics 365 CRM Environments: Optional list of Dynamics 365 CRM environments to discover, e.g. https://org50e57fbd.crm.dynamics.com
Dynamics 365 ERP Environments: Optional list of Dynamics 365 ERP environments to discover, e.g. https://company.operations.dynamics.com
Azure Gov Cloud: Azure Government Cloud region where the tenant is located (currently supported: "None," "US")
Extract PIM Eligibility: Optionally discover temporary role assumptions based on Privileged Identity Management scheduling rules
Veza will gather metadata for all discovered Azure AD (Entra ID) domains for the tenant. Use the Domains list to only include the specified domains in the extraction.
Limit Services
Additional options when adding or editing an integration enable limits on the data sources and identities that are extracted. When configuring limited services, you can select specific Microsoft 365 services to enable, including:
Exchange Online - Email permissions and distribution groups (see Exchange Online setup)
SharePoint - Document and site permissions
Teams - Team channels and collaboration access
Intune - Device management
And other Azure services (SQL Server, Azure VM, CosmosDB, etc.)
Gather disabled users: Whether to include disabled users
Gather guest users: Whether to parse identity metadata for Azure AD Guest users
Gather personal sites: Whether to include personal SharePoint sites
Gather Group Extra Information: Whether to collect additional group attributes (allow_external_senders, hide_from_address_lists, hide_from_outlook_clients). Requires separate API calls that significantly increase extraction time. Unchecking improves performance but loses these group attributes.
Gather Group Owner Details: Whether to identify and collect group ownership information. Requires additional API calls that can delay extraction. Unchecking improves performance but loses group ownership visibility.
Data source allow/deny lists: Indicate resources to ignore by name or *
Custom Properties: Indicate custom security attributes to gather
Azure Subscription Filtering
You can control which Azure subscriptions are discovered by configuring subscription allow and deny lists. This is particularly useful for focusing extraction on production or specific environment subscriptions, excluding test, development, or deprecated subscriptions, and improving extraction performance by reducing API calls.
To configure subscription filtering:
When adding or editing an Azure integration, navigate to the Advanced Settings section
Use the following fields:
Subscription ID Allow List: Comma-separated list of subscription IDs to include (if specified, only these subscriptions will be extracted)
Subscription ID Deny List: Comma-separated list of subscription IDs to exclude
Examples:
To extract only production subscriptions: Add their IDs to the allow list
To exclude dev/test subscriptions: Add their IDs to the deny list
If both lists are provided, the allow list takes precedence
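The allow/deny rule above, as an added example that is not Veza's own code: it parses both comma-separated fields as they would be typed into the Advanced Settings, rejects entries that are not subscription GUIDs, and applies the precedence rule to a constructed set of discovered subscription IDs (the IDs are made up for the example).

```python
import re

# Azure subscription IDs are GUIDs; anything else in the field is a typo.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_id_list(text):
    """Parse a comma-separated subscription ID field into a set of IDs.

    Entries are trimmed and lower-cased; a non-GUID entry raises so a typo
    is caught instead of silently narrowing (or failing to narrow) discovery.
    """
    ids = set()
    for raw in text.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        if not GUID.match(item):
            raise ValueError(f"not a subscription ID: {raw.strip()!r}")
        ids.add(item)
    return ids


def select_subscriptions(discovered, allow_list="", deny_list=""):
    """Apply this page's allow/deny rule to the discovered subscription IDs.

    A non-empty allow list takes precedence: only its members are kept and
    the deny list has no effect. With an empty allow list, every discovered
    subscription that is not in the deny list is kept.
    """
    allow = parse_id_list(allow_list)
    deny = parse_id_list(deny_list)
    found = {s.lower() for s in discovered}
    return sorted(found & allow) if allow else sorted(found - deny)


# Constructed sample subscription IDs (not real subscriptions).
PROD = "11111111-1111-1111-1111-111111111111"
DEV = "22222222-2222-2222-2222-222222222222"
TEST = "33333333-3333-3333-3333-333333333333"
DISCOVERED = [PROD, DEV, TEST]
```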
Troubleshooting
If the initial connection fails with the status "Insufficient privileges to complete the operation," validate that the correct API Permissions are granted, and are granted with the type application and not delegated.
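A checklist for that validation, added here as an example rather than Veza's own tooling: it compiles the permissions from step 2 and the optional feature sections of this page (SharePoint, audit log, Intune, PIM, Exchange Online, Teams), and compares them with a constructed sample of what the app registration's API permissions screen shows, reporting both absent permissions and ones granted only as Delegated. The feature keys and the "core" grouping are labels chosen for this example; the permission names and resource APIs are the page's.

```python
GRAPH = "Microsoft Graph"

# Application permissions per feature as (resource API, permission) pairs,
# compiled from this page: "core" is the unannotated part of step 2, the
# other keys are the optional features (SharePoint, audit log, Intune, ...).
REQUIRED = {
    "core": {(GRAPH, p) for p in (
        "Application.Read.All", "Directory.Read.All", "Files.Read.All",
        "Group.Read.All", "GroupMember.Read.All", "IdentityRiskyUser.Read.All",
        "Sites.Read.All", "User.Read.All")},
    "sharepoint": {("SharePoint", "User.Read.All"),
                   ("SharePoint", "Sites.Read.All"), (GRAPH, "Reports.Read.All")},
    "audit_log": {("Office 365 Management APIs", "ActivityFeed.Read")},
    "intune": {(GRAPH, "DeviceManagementManagedDevices.Read.All"),
               (GRAPH, "DeviceManagementRBAC.Read.All")},
    "pim": {(GRAPH, "RoleManagement.Read.All"),
            (GRAPH, "PrivilegedAccess.Read.AzureAD"), (GRAPH, "Group.Read.All")},
    "exchange": {("Office 365 Exchange Online", "Exchange.ManageAsApp")},
    "teams": {(GRAPH, p) for p in (
        "Team.ReadBasic.All", "TeamMember.Read.All", "Channel.ReadBasic.All",
        "ChannelMember.Read.All", "User.Read.All")},
}


def check_permissions(granted, features=()):
    """Return {"missing": [...], "delegated_only": [...]} for core + features.

    `granted` holds (resource, permission, type) triples with type
    "Application" or "Delegated", as read off the API permissions screen.
    A permission present only as Delegated is reported separately because
    that is the usual cause of "Insufficient privileges to complete the
    operation" (see Troubleshooting above).
    """
    application = {(r, p) for r, p, t in granted if t == "Application"}
    delegated = {(r, p) for r, p, t in granted if t == "Delegated"}
    needed = set(REQUIRED["core"]).union(*(REQUIRED[f] for f in features))
    return {
        "missing": sorted(needed - application - delegated),
        "delegated_only": sorted((needed - application) & delegated),
    }


# Constructed sample export: Directory.Read.All was granted as Delegated by
# mistake and the Intune permissions were never added.
SAMPLE_GRANTED = [(GRAPH, p, "Application") for p in (
    "Application.Read.All", "Files.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "IdentityRiskyUser.Read.All", "Sites.Read.All",
    "User.Read.All")] + [(GRAPH, "Directory.Read.All", "Delegated"),
                          (GRAPH, "User.Read", "Delegated")]
```

Running `check_permissions(SAMPLE_GRANTED, ("intune",))` reports the two Intune permissions as missing and Directory.Read.All as delegated-only, which is exactly the condition the error message above points at.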
Connecting to SharePoint
You can connect to SharePoint Online by uploading a .PFX certificate generated for app-only access, and optionally providing a password for the certificate. For information about generating the certificate, please see the Microsoft documentation. You will also need to update the permissions granted to the Veza app to include User.Read.All and Sites.Read.All, as outlined in the SharePoint setup instructions.
Custom Security Attributes
Veza can optionally gather and show custom security attributes on Azure AD objects. The custom properties to discover must be identified by name and type in the Azure tenant configuration.
An Azure AD Premium P1 or P2 license is required to use Custom Attributes for Azure AD. The Enterprise Application used by Veza must have the CustomSecAttributeAssignment.Read.All Microsoft Graph permission.
To enable custom property extraction:
Add or edit a new Azure cloud provider configuration.
On the provider configuration modal, click + Add Custom Property.
Provide the type and name of the custom property. For Azure AD, the name is the attribute name of the custom security attribute. The data type is a property of the custom security attribute (Boolean, Integer, or String). For example: (EngineeringCertification, Boolean), (MarketingLevel, String). If the custom properties are part of an Attribute Set, include the attribute set name as a prefix, for example <AttributeSetName>_<AttributeName>.
Save the configuration. The custom attributes will be collected the next time the data source is parsed.
Enable Privileged Identity Management (PIM)
Veza supports Azure Privileged Identity Management (PIM) for both roles and groups. For more information about PIM support, see the Azure AD documentation.
To enable PIM extraction:
Ensure the required permissions are granted to the Veza app:
RoleManagement.Read.All
PrivilegedAccess.Read.AzureAD
Group.Read.All
When configuring the Azure integration, set the "Extract PIM Eligibility" option to "Yes"
Save the configuration. PIM assignments will be collected during the next extraction
Enable Dynamics 365
The Microsoft Azure integration includes optional support for Microsoft Dynamics 365. This integration allows Veza to discover connections between Azure AD Users, Groups, and Service Principals, and the permissions they can assume within Dynamics 365 environments.
Veza supports both Dynamics 365 CRM and Dynamics 365 ERP environments:
Dynamics 365 CRM - Customer relationship management environments (URLs such as https://orgXXXXXXX.crm.dynamics.com)
Dynamics 365 ERP - Enterprise resource planning environments (URLs such as https://xxx.operations.dynamics.com)
For full setup instructions and supported entities, see the specific integration guides.
Enable Microsoft Intune
The Microsoft Azure integration includes optional support for Intune, including Managed Devices and Role Definitions. Veza discovers and shows connections between Azure AD Users and Groups, and the Devices and Roles to which they are assigned in Intune.
In order to extract Intune, Veza requires the following Application Permissions for the Microsoft Graph API:
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.Read.All
Enable Exchange Online
The Microsoft Azure integration includes optional support for Exchange Online, providing visibility into email and collaboration permissions. This integration discovers mailbox permissions, distribution groups, folder-level access controls, and delegation rights.
Important: Many organizations using Microsoft 365 require both Azure AD and Exchange Online visibility for complete access governance.
To enable Exchange Online:
Add API Permission: Grant the Office 365 Exchange Online > Exchange.ManageAsApp permission to your Azure app registration
Assign Role: Add the Exchange Administrator role to your Azure app
Enable Service: In your Azure integration settings, go to Limit Services and select Exchange Online
For detailed setup instructions, see the Exchange Online integration guide.
Enable Microsoft Teams
To discover Microsoft Teams resources, including teams, channels, and relationships to external organization users, Veza requires the additional Graph API permissions:
Team.ReadBasic.All
TeamMember.Read.All
Channel.ReadBasic.All
ChannelMember.Read.All
User.Read.All