Notes & Supported Entities

Supported entity types and more information about the Veza-Azure connector.

Veza integrates with Azure to parse service and resource metadata using Microsoft Graph APIs, connecting as an Enterprise Application granted read-only permissions. Veza creates entities in the data catalog to represent the discovered tenants, subscriptions, resources, and identities.

You can interact with the catalog using Veza's search interfaces, or get immediate insights using built-in reporting queries.

See the sections in this document for more information about the supported entity types for Microsoft Azure:

Azure RBAC

  • Azure Subscription

  • Azure Tenant

  • Azure Management Group

  • Azure Resource Group

  • Azure Managed Identity

  • Azure Role

  • Azure Classic Administrator

  • Azure Deny Assignment

  • Azure Role Assignment

  • Azure RBAC Effective Permission

  • Azure Key Vault

Azure Cloud Infrastructure

  • Azure Infrastructure Service

  • Azure Virtual Machine

  • Azure Virtual Network

  • Network Security Group

  • Network Interface Card

  • Azure Subnet

Azure AD

Azure AD entities appear on the left in Authorization Graph results, and can have federated access (cross-service connections) to external resources such as Snowflake tables or AWS S3 buckets.

If Veza cannot automatically detect your single sign-on configuration, you can add a custom identity mapping to correlate Azure AD users with local accounts in other integrations.

  • Azure AD Domain

  • Azure AD User

  • Azure AD Group

  • Azure AD Role

  • Azure AD Enterprise Application

  • Azure AD App Role

  • Azure AD Effective Permission

An Azure AD Premium P1/P2 license is required to gather Azure AD User last login dates. The Veza integration must also be granted the AuditLog.Read.All Microsoft Graph permission.

If your organization uses Azure AD as an identity provider but no other Azure services, you can configure limits to skip extracting resources that are not needed.

SharePoint Online

To enable optional discovery of SharePoint Online, you will need to upload a valid LDAP certificate and ensure the service account has the required API permissions. See SharePoint Online for more details.

  • SharePoint Online (service)

  • SharePoint User

  • SharePoint Group

  • SharePoint Site

  • SharePoint Library

  • SharePoint Folder

  • SharePoint Effective Permission

Storage

  • Azure Blob Service

  • Azure Blob Container

  • Datalake Filesystem

  • Datalake Directory

Azure Data Lake

No additional configuration is needed to discover Azure Data Lake Storage (ADLS). You can enable or disable ADLS as a data source under Select Services to Enable in the provider configuration menu for the Azure tenant.

  • ADLS Gen. 1 is not supported. The maximum directory extraction depth is 2 levels.

  • Storage accounts have new properties: allowBlobPublicAccess, allowSharedKeyAccess (a default value of null is treated as false), and is_adls_gen2_enabled.

  • Storage containers now indicate whether publicAccess is enabled.

  • If a filesystem or directory has an access control list, the full ACL string is shown as a property when viewing node details.

Azure SQL

To collect granular authorization for each Azure SQL database, you will need to create a local SQL user that Veza can use to execute read-only queries. See Azure SQL for instructions to create a SQL database user for Veza.

  • SQL Server Service

  • SQL Server Instance

  • SQL Server Login

  • SQL Server Role
