Notes & Supported Entities
Supported entity types and more information about the Veza-Azure connector.
Veza integrates with Azure to parse service and resource metadata using Microsoft Graph APIs, connecting as an Enterprise Application granted read-only permissions. Veza creates entities in the data catalog to represent the discovered tenants, subscriptions, resources, and identities.
You can interact with the catalog using Veza's search interfaces, or get immediate insights using built-in reporting queries.
See the sections in this document for more information about the supported entity types for Microsoft Azure:
Azure RBAC
Azure Subscription
Azure Tenant
Azure Management Group
Azure Resource Group
Azure Managed Identity
Azure Role
Azure Classic Administrator
Azure Deny Assignment
Azure Role Assignment
Azure RBAC Effective Permission
Azure Key Vault
Azure Cloud Infrastructure
Azure Infrastructure Service
Azure Virtual Machine
Azure Virtual Network
Network Security Group
Network Interface Card
Azure Subnet
Azure AD
Azure AD entities appear on the left in Authorization Graph results, and can have federated access (cross-service connections) to external resources such as Snowflake tables or AWS S3 buckets.
If Veza cannot automatically detect your single sign-on configuration, you can add a custom identity mapping to correlate Azure AD users with local accounts in other integrations.
Azure AD Domain
Azure AD User
Azure AD Group
Azure AD Role
Azure AD Enterprise Application
Azure AD App Role
Azure AD Effective Permission
An Azure AD Premium P1/P2 license is required to gather Azure AD User last login dates. The Veza integration must also have the AuditLog.Read.All Graph permission.
If your organization uses Azure AD as an identity provider, but no other services, you might want to set limits to skip extracting unnecessary resources.
SharePoint Online
To enable optional discovery of SharePoint Online, you will need to upload a valid LDAP certificate and ensure the service account has the required API permissions. See SharePoint Online for more details.
SharePoint Online (service)
SharePoint User
SharePoint Group
SharePoint Site
SharePoint Library
SharePoint Folder
SharePoint Effective Permission
Storage
Azure Blob Service
Azure Blob Container
Datalake Filesystem
Datalake Directory
Azure Data Lake
No additional configuration is needed to discover Azure Data Lake Storage (ADLS). You can enable or disable ADLS as a data source using the Select Services to Enable option in the provider configuration menu for the Azure tenant.
ADLS Gen 1 is not supported. The maximum directory extraction depth is 2 levels.
Storage accounts have new properties: allowBlobPublicAccess, allowSharedKeyAccess (a default value of null is equivalent to false), and is_adls_gen2_enabled.
Storage containers now indicate whether publicAccess is enabled.
If a filesystem or directory has an access control list, the full ACL string is shown as a property when viewing node details.
Azure SQL
To collect granular authorization for each Azure SQL database, you will need to create a local SQL user that Veza can use to execute read-only queries. See Azure SQL for instructions to create a SQL database user for Veza.
SQL Server Service
SQL Server Instance
SQL Server Login
SQL Server Role