
Connect Azure to CYBRET.

CYBRET reads Entra ID, your subscriptions, and the application code that runs on them. App registrations with delegated Microsoft Graph permissions, AKS pods bound to managed identities, and Key Vault access policies are joined into one attack graph.

What CYBRET sees on Azure

Two control planes, joined.

Azure has two control planes that real attacks cross: Entra ID for identity and Azure Resource Manager for resources. CYBRET reads both and treats the join as first-class. App registrations and the resources they can reach via managed identity are the same path in the graph.

  • Entra ID: users, groups (including dynamic membership rules), app registrations and service principals, role assignments at directory and resource scope, conditional access policies, guest invitations, administrative units.
  • Azure RBAC: built-in and custom roles assigned at management group, subscription, resource group, and resource scopes, including ABAC conditions.
  • Compute and runtimes: AKS clusters with their pod identities and Workload Identity federations, App Service apps and their managed identities, Azure Functions, VMs, Container Apps.
  • Data and secrets: Storage Accounts with SAS / account-key configuration and access policies, Key Vault with access policies and RBAC mode, Cosmos DB account configuration, SQL servers and firewall rules, Service Bus, Event Hub.
  • Network: VNets, NSGs, Application Gateway and Front Door routes, Private Endpoints, Private DNS zones, Azure Firewall.
  • Telemetry: Activity Log, Microsoft Graph audit and sign-in logs, Defender for Cloud findings (optional).
Three real attack-path examples

What we find in the first week.

Azure paths cross identity and resource layers more than the other two hyperscalers. These three are common on first connect and rarely seen by tools that look at only one plane.

1. External guest with delegated app permission enumerates the org

Guest user invited months ago → consented to a third-party app with User.Read.All delegated → org-wide directory enumeration including job titles and reporting lines.

The third-party app was approved under a forgotten admin-consent policy. The guest still has an active session and the app still holds its delegated grant. A delegated grant never exceeds what the signed-in user could read on its own, so the blast radius also depends on the tenant's guest user access restrictions; CYBRET reads the consent grants per principal, joins them to the conditional access policies that don't apply to guests, and shows you the directory data the guest can actually read. Closing the path is a consent revoke and a CA policy change (and a tighter guest access restriction if guests should not read the directory at all).
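The check behind this path, as an added example that is not CYBRET's code: given Graph-shaped records for users, oauth2PermissionGrants and Conditional Access policies, list the guests who can exercise a directory-read delegated scope and are not covered by any enabled policy. The record field names follow the Microsoft Graph resources; the users, grants, policies, group membership and the service-principal id `sp-graph` are constructed. Cloud-app targeting and guest access restrictions are deliberately not modelled.

```python
"""Guest users holding a delegated Graph directory-read grant that no enabled
Conditional Access policy covers. Added example, not CYBRET code.
Field names follow the Microsoft Graph user, oauth2PermissionGrant and
conditionalAccessPolicy resources; every record below is constructed."""

GRAPH_SP_ID = "sp-graph"  # constructed object id of the Microsoft Graph service principal

# Constructed /users (userType distinguishes Member from Guest).
USERS = [
    {"id": "u-1", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u-2", "userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u-3", "userPrincipalName": "carol_vendor.example#EXT#@contoso.example", "userType": "Guest"},
]

# Constructed /oauth2PermissionGrants. consentType "AllPrincipals" is an admin
# consent that applies to every user, guests included; "Principal" is one user's own consent.
GRANTS = [
    {"clientId": "sp-reporting-app", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP_ID, "scope": "User.Read.All Directory.Read.All"},
    {"clientId": "sp-calendar-app", "consentType": "Principal", "principalId": "u-3",
     "resourceId": GRAPH_SP_ID, "scope": "Calendars.Read"},
]

# Constructed /identity/conditionalAccess/policies, trimmed to the user assignments.
POLICIES = [
    {"displayName": "MFA for employees", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["g-employees"],
                              "excludeUsers": [], "includeGuestsOrExternalUsers": None}}},
    {"displayName": "Block all guests", "state": "disabled",  # drafted, never turned on
     "conditions": {"users": {"includeUsers": [], "includeGroups": [], "excludeUsers": [],
                              "includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest"}}}},
    {"displayName": "MFA for vendor account", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["u-3"], "includeGroups": [], "excludeUsers": [],
                              "includeGuestsOrExternalUsers": None}}},
]
GROUP_MEMBERS = {"g-employees": {"u-1"}}  # constructed transitive group membership

# Delegated scopes that let the signed-in user enumerate the directory.
DIRECTORY_READ_SCOPES = {"User.Read.All", "User.ReadBasic.All", "Directory.Read.All", "Group.Read.All"}


def delegated_scopes_for(user_id, grants):
    """Delegated Graph scopes a user can exercise through any client app:
    tenant-wide (AllPrincipals) grants plus grants consented for that user."""
    scopes = set()
    for g in grants:
        if g["resourceId"] != GRAPH_SP_ID:
            continue
        if g["consentType"] == "AllPrincipals" or g.get("principalId") == user_id:
            scopes.update(g["scope"].split())
    return scopes


def policy_covers(policy, user, memberships):
    """Whether an enabled policy's user assignment includes this user.
    Cloud-app and condition targeting are ignored here for brevity."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    if user["id"] in users.get("excludeUsers", []):
        return False
    include = users.get("includeUsers", [])
    if "All" in include or user["id"] in include:
        return True
    if any(user["id"] in memberships.get(g, set()) for g in users.get("includeGroups", [])):
        return True
    if user["userType"] == "Guest":
        # The legacy "GuestsOrExternalUsers" token and the newer typed object both target guests.
        return "GuestsOrExternalUsers" in include or bool(users.get("includeGuestsOrExternalUsers"))
    return False


def uncovered_guest_readers(users, grants, policies, memberships):
    """Guests with a directory-read delegated scope and no enabled CA policy covering them.
    The effective read is further bounded by the tenant's guest access restrictions,
    which this check does not model."""
    findings = []
    for u in users:
        if u["userType"] != "Guest":
            continue
        scopes = delegated_scopes_for(u["id"], grants) & DIRECTORY_READ_SCOPES
        if scopes and not any(policy_covers(p, u, memberships) for p in policies):
            findings.append((u["userPrincipalName"], sorted(scopes)))
    return findings


if __name__ == "__main__":
    for upn, scopes in uncovered_guest_readers(USERS, GRANTS, POLICIES, GROUP_MEMBERS):
        print(f"{upn}: {' '.join(scopes)} with no Conditional Access coverage")
```

On the constructed data only `bob_partner` is reported: the tenant-wide admin consent gives every principal `User.Read.All` and `Directory.Read.All`, the employee MFA policy targets a group he is not in, the guest-block policy was never enabled, and the vendor account is covered by a policy that names it explicitly.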

2. AKS pod with managed identity reads a production Key Vault

AKS pod → user-assigned managed identity via Workload Identity → Key Vault Secrets User at subscription scope → production secrets readable by every pod whose service account is federated to that identity.

The role assignment was made at subscription scope instead of on the intended Key Vault. Any pod whose service account is federated to that identity can read every secret in every RBAC-mode Key Vault in the subscription (vaults still using access policies ignore the role). CYBRET resolves the federation chain from the azure.workload.identity/client-id annotation to the identity, then enumerates the effective dataActions against every resource. The fix is the right RBAC scope.
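The resolution described above, as an added example that is not CYBRET's code: walk from a Kubernetes service account to the federated credential that accepts it, to the managed identity's principal, to its role assignments, and then apply Azure RBAC scope inheritance and the vault's permission model to decide which vaults the pod can actually read secrets from. The two built-in role ids and their dataActions are real; the subscription id, OIDC issuer, identities, assignments and vaults are constructed.

```python
"""Resolve an AKS Workload Identity chain (service account -> federated
credential -> managed identity -> role assignments) and compute which Key
Vaults the pod can read secrets from. Added example, not CYBRET code.
Record shapes follow the Graph federatedIdentityCredential resource and the
ARM roleAssignments / roleDefinitions / vaults resources; all records are
constructed except the two built-in role ids and their dataActions."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
ISSUER = "https://oidc.prod-aks.example/"  # constructed AKS OIDC issuer URL
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # default audience for workload identity federation
GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"

# Built-in roles (real ids); roleDefinitionId below carries the GUID only.
KV_SECRETS_USER = "4633458b-17de-408a-b874-0445c86b69e6"
ROLE_DEFS = {
    KV_SECRETS_USER: {"roleName": "Key Vault Secrets User",
                      "dataActions": [GET_SECRET, "Microsoft.KeyVault/vaults/secrets/readMetadata/action"]},
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": {"roleName": "Reader", "dataActions": []},
}


def vault_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}"


# Constructed user-assigned identities; the federated credential subject is the
# Kubernetes service account the pod runs as (selected by azure.workload.identity/client-id).
IDENTITIES = [
    {"name": "id-payments", "principalId": "sp-payments", "federatedIdentityCredentials": [
        {"issuer": ISSUER, "subject": "system:serviceaccount:payments:payments-api",
         "audiences": [TOKEN_EXCHANGE_AUDIENCE]}]},
    {"name": "id-batch", "principalId": "sp-batch", "federatedIdentityCredentials": [
        {"issuer": ISSUER, "subject": "system:serviceaccount:batch:nightly",
         "audiences": [TOKEN_EXCHANGE_AUDIENCE]}]},
]

# Constructed role assignments; the payments one is the misconfiguration from the text.
ASSIGNMENTS = [
    {"principalId": "sp-payments", "roleDefinitionId": KV_SECRETS_USER, "scope": SUB},
    {"principalId": "sp-batch", "roleDefinitionId": KV_SECRETS_USER, "scope": vault_id("rg-batch", "kv-batch")},
]

# Constructed vaults; only RBAC-mode vaults honour Azure RBAC data roles.
VAULTS = [
    {"id": vault_id("rg-payments", "kv-payments"), "enableRbacAuthorization": True},
    {"id": vault_id("rg-batch", "kv-batch"), "enableRbacAuthorization": True},
    {"id": vault_id("rg-legacy", "kv-legacy"), "enableRbacAuthorization": False},
]


def identity_for_service_account(namespace, sa, issuer, identities):
    """The identity whose federated credential accepts this cluster's service account token."""
    subject = f"system:serviceaccount:{namespace}:{sa}"
    for ident in identities:
        for fic in ident["federatedIdentityCredentials"]:
            if (fic["issuer"] == issuer and fic["subject"] == subject
                    and TOKEN_EXCHANGE_AUDIENCE in fic["audiences"]):
                return ident
    return None


def scope_covers(scope, resource_id):
    """Azure RBAC inherits down the hierarchy: an assignment at scope S applies
    to S itself and to every resource whose id is nested under S."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")


def readable_vaults(principal_id, assignments, role_defs, vaults):
    """Vault names whose secrets this principal can read via Azure RBAC."""
    names = []
    for v in vaults:
        if not v["enableRbacAuthorization"]:
            continue  # access-policy vault: the role grants nothing here
        for a in assignments:
            if (a["principalId"] == principal_id and scope_covers(a["scope"], v["id"])
                    and GET_SECRET in role_defs[a["roleDefinitionId"]]["dataActions"]):
                names.append(v["id"].rsplit("/", 1)[-1])
                break
    return sorted(names)


def pod_secret_reach(namespace, sa):
    """Full chain for one pod's service account; empty if no identity is federated to it."""
    ident = identity_for_service_account(namespace, sa, ISSUER, IDENTITIES)
    return [] if ident is None else readable_vaults(ident["principalId"], ASSIGNMENTS, ROLE_DEFS, VAULTS)


def overscoped_keyvault_assignments(assignments, role_defs):
    """Key Vault data-role assignments whose scope is not a single vault."""
    return [a for a in assignments
            if any(act.startswith("Microsoft.KeyVault/") for act in role_defs[a["roleDefinitionId"]]["dataActions"])
            and "/providers/Microsoft.KeyVault/vaults/" not in a["scope"]]


if __name__ == "__main__":
    print("payments-api can read:", pod_secret_reach("payments", "payments-api"))
    for a in overscoped_keyvault_assignments(ASSIGNMENTS, ROLE_DEFS):
        print("over-scoped:", a["principalId"], "at", a["scope"])
```

With these records the payments pod reaches `kv-payments` and `kv-batch` but not `kv-legacy`, because that vault is still in access-policy mode; the nightly batch pod reaches only its own vault, and the subscription-scoped assignment is the one flagged as over-scoped.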

3. App Service Easy Auth bypassed by a forwarded host

App Service with Easy Auth on → framework reads X-Forwarded-Host for routing → /admin route reachable from internet without auth.

The app trusts X-Forwarded-Host for redirect-aware routes. Easy Auth covers the public hostname, not the alternate the framework now resolves. CYBRET combines the App Service configuration (Easy Auth scope) with the framework's code path (host header trust) to surface the bypass. Validation issues a confirming request through the front door.

How the integration works

One enterprise application. Reader at scope.

The integration uses an Entra ID enterprise application holding the built-in Reader role (or an equivalent read-only custom role) at the management group or subscription scope. Microsoft Graph access is read-only, scoped to the directory data we need to reason about identity paths.

  1. Open the CYBRET console and go to Integrations → Azure.
  2. Click Connect Azure. Copy the consent URL or the supplied az commands / Bicep template.
  3. Consent to the CYBRET enterprise application as a Global Administrator. The Microsoft Graph permissions are read-only (Directory.Read.All, Policy.Read.All, RoleManagement.Read.All, Application.Read.All).
  4. Assign Reader at the management-group or subscription scope where you want CYBRET to enumerate Azure resources.
  5. Configure federated credentials between CYBRET's tenant and the application. CYBRET never holds an Entra application client secret.
  6. Wait for the first build (typically ten to twenty minutes for a single subscription, longer for org-wide). Reachable paths land in Exposure Intelligence as the graph fills.

Disconnect by removing the role assignment or deleting the CYBRET enterprise application (service principal) from your tenant; CYBRET stops ingesting at the next poll.

Permissions and data scope

Reader, plus directory read. No agents.

The base scope is the built-in Reader role at the subscription or management-group level, plus a small set of read-only Microsoft Graph permissions: Directory.Read.All, Policy.Read.All, RoleManagement.Read.All, Application.Read.All. Nothing in this scope grants a write action on any Azure or Entra resource. There is no agent on AKS, App Service, or any VM. The integration uses federated credentials, so we never store an enterprise application client secret.
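A customer-side check of the setup steps above and of this permissions section, as an added example that is not CYBRET's code: read the integration's application, service principal, Microsoft Graph app role assignments and Azure role assignments, and report anything that exceeds what this page says the enterprise application should hold. The allowed Graph permission set and the Reader role are taken from the page; the Reader and Contributor role ids are the real built-in ids. The Graph app role ids (`r-dir` and so on), the vendor tenant id in `EXPECTED_ISSUER`, the service principal id `sp-cybret` and both postures are constructed, and the example assumes the Graph permissions are granted as application permissions (appRoleAssignments), which is how a federated service-to-service integration would hold them.

```python
"""Audit the integration's enterprise application against the posture this
page describes: federated credentials only, read-only Graph application
permissions, Reader-only Azure role assignments. Added example, not CYBRET
code; the allowed-permission set comes from this page and the records are
constructed. Record shapes follow the Graph application, servicePrincipal and
appRoleAssignment resources and the ARM roleAssignments resource."""

ALLOWED_GRAPH_PERMISSIONS = {"Directory.Read.All", "Policy.Read.All",
                             "RoleManagement.Read.All", "Application.Read.All"}
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"        # built-in Reader (real id)
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"   # built-in Contributor (real id)
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# Constructed: the vendor tenant whose tokens the federated credential should trust.
EXPECTED_ISSUER = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"

# Constructed Microsoft Graph service principal with the app roles the check needs
# (these role ids are made up; real ones come from the tenant's Graph service principal).
GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": "r-dir", "value": "Directory.Read.All"},
    {"id": "r-pol", "value": "Policy.Read.All"},
    {"id": "r-role", "value": "RoleManagement.Read.All"},
    {"id": "r-app", "value": "Application.Read.All"},
    {"id": "r-dirw", "value": "Directory.ReadWrite.All"},
]}


def audit_integration(app, sp, app_role_assignments, role_assignments, graph_sp=GRAPH_SP):
    """Return a list of findings; an empty list means the posture matches the page."""
    findings = []

    # 1. Credentials: no secrets or certificates, and at least one federated
    #    credential issued by the expected tenant with the token-exchange audience.
    if app.get("passwordCredentials"):
        findings.append("application has a client secret")
    if app.get("keyCredentials"):
        findings.append("application has a certificate credential")
    fics = app.get("federatedIdentityCredentials", [])
    if not fics:
        findings.append("no federated identity credential")
    for f in fics:
        if f["issuer"] != EXPECTED_ISSUER or TOKEN_EXCHANGE_AUDIENCE not in f["audiences"]:
            findings.append(f"federated credential {f['name']} trusts unexpected issuer/audience")

    # 2. Graph application permissions: resolve appRoleId -> value, compare to the allowed set.
    role_values = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted = {role_values.get(a["appRoleId"], a["appRoleId"]) for a in app_role_assignments
               if a["principalId"] == sp["id"] and a["resourceId"] == graph_sp["id"]}
    for extra in sorted(granted - ALLOWED_GRAPH_PERMISSIONS):
        findings.append(f"unexpected Graph permission {extra}")

    # 3. Azure RBAC: every assignment to this service principal must be Reader.
    for ra in role_assignments:
        if ra["principalId"] != sp["id"]:
            continue
        if ra["roleDefinitionId"].rsplit("/", 1)[-1] != READER_ROLE_ID:
            findings.append(f"non-Reader role at {ra['scope']}")
    return findings


# Constructed: the posture the page describes.
GOOD_APP = {"passwordCredentials": [], "keyCredentials": [], "federatedIdentityCredentials": [
    {"name": "vendor-tenant", "issuer": EXPECTED_ISSUER,
     "subject": "22222222-2222-2222-2222-222222222222", "audiences": [TOKEN_EXCHANGE_AUDIENCE]}]}
SP = {"id": "sp-cybret"}
GOOD_GRANTS = [{"principalId": "sp-cybret", "resourceId": "sp-graph", "appRoleId": r}
               for r in ("r-dir", "r-pol", "r-role", "r-app")]
GOOD_RBAC = [{"principalId": "sp-cybret", "scope": "/providers/Microsoft.Management/managementGroups/contoso",
              "roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{READER_ROLE_ID}"}]

# Constructed: a drifted posture with a secret added, a write permission and Contributor.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
BAD_APP = dict(GOOD_APP, passwordCredentials=[{"displayName": "temp", "keyId": "k-1"}])
BAD_GRANTS = GOOD_GRANTS + [{"principalId": "sp-cybret", "resourceId": "sp-graph", "appRoleId": "r-dirw"}]
BAD_RBAC = GOOD_RBAC + [{"principalId": "sp-cybret", "scope": SUB,
                         "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR_ROLE_ID}"}]

if __name__ == "__main__":
    print("documented posture:", audit_integration(GOOD_APP, SP, GOOD_GRANTS, GOOD_RBAC))
    print("drifted posture:", audit_integration(BAD_APP, SP, BAD_GRANTS, BAD_RBAC))
```

Run it periodically against the live tenant: the documented posture returns no findings, and the drifted one reports the secret, the `Directory.ReadWrite.All` grant and the Contributor assignment, which is exactly the drift a reviewer would want to catch before the vendor does.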

For runtime detection, an optional Event Hub is provisioned in the customer tenancy, and diagnostic settings for the Activity Log and the Entra ID audit and sign-in logs stream to it (exporting Entra sign-in logs requires an Entra ID P1 or P2 license). The CYBRET runtime collector reads from that Event Hub. Customers who run CYBRET in a self-managed configuration can use a service principal with the same Reader scope without consenting to the gallery application.

How Azure maps to the three CYBRET products

Where Azure data shows up in the platform.

Exposure Intelligence is the product that benefits most from an Azure connect. The reachable-path engine resolves Entra ID role assignments, Azure RBAC including ABAC conditions, and Workload Identity federations into a single graph. App-registration paths (delegated Graph permissions on guest accounts, old admin consents) are some of the highest-impact findings on first connect.

Validation uses Azure context to generate proof-of-exploit. When CYBRET claims an App Service auth bypass is reachable, Validation issues the request from the public front door and confirms with a non-destructive read. Where validation would mutate state, we run against a non-prod copy that the integration enumerates.

Runtime Detection consumes the Activity Log and Microsoft Graph audit stream via Event Hub. A reachable path becomes a runtime alert when its underlying role assignment is exercised by a non-employee principal. Azure-only telemetry is one signal; pairing the application Runtime collector gives the strongest coverage.

FAQ

Questions security engineers actually ask.

How does authentication work?

A CYBRET enterprise application registered in your Entra tenant, plus federated credentials between your tenant and ours. We do not store client secrets. The role assignment is yours to revoke at any time.

Where does the Azure data live?

Inside the CYBRET deployment in your VPC / VNet. EU customers run an EU-resident control plane; US customers run a US one. We do not copy Azure metadata to a multi-tenant SaaS backend.

Is it really agentless?

Yes. The base integration calls Azure Resource Manager and Microsoft Graph only. No DaemonSet on AKS, no extension on App Service, no VM extension. Runtime Detection on Azure also runs agentlessly via Activity Log and Event Hub.

How do you handle Microsoft Graph throttling?

We use delta queries where Microsoft Graph offers them for Entra objects (users, groups, applications, service principals), so after the first build we pull only changes, and we honour the Retry-After header on 429 responses instead of retrying blind. Large tenants with many app registrations and conditional access policies complete the first build inside the standard 24-hour window.
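The two mechanics named in that answer, as an added example that is not CYBRET's code: a delta-query loop that follows `@odata.nextLink` pages, keeps the final `@odata.deltaLink` for the next incremental sync, separates `@removed` objects from changed ones, and on a 429 sleeps for the server's Retry-After before retrying the same URL. The response shapes follow Graph's `/users/delta` responses; the `FakeGraph` transport, its scripted responses and the skip/delta tokens are constructed so the block runs offline.

```python
"""Walk a Microsoft Graph delta query to completion: follow @odata.nextLink
pages, keep the final @odata.deltaLink for the next incremental sync, and back
off on HTTP 429 by honouring Retry-After. Added example, not CYBRET code.
The transport is a constructed in-memory fake so the block runs offline; the
response shapes follow Graph's delta responses for /users/delta."""

import time

DELTA_URL = "https://graph.microsoft.com/v1.0/users/delta"
PAGE2_URL = DELTA_URL + "?$skiptoken=page2"        # constructed continuation
NEXT_SYNC_URL = DELTA_URL + "?$deltatoken=abc"     # constructed delta token


class FakeGraph:
    """Scripted responses, constructed: the first request is throttled, the
    retry returns page 1 with a nextLink, page 2 ends with a deltaLink."""

    def __init__(self):
        self.calls = []
        self.script = {
            DELTA_URL: [
                (429, {"Retry-After": "2"}, {"error": {"code": "TooManyRequests"}}),
                (200, {}, {"value": [{"id": "u-1", "userType": "Member"}],
                           "@odata.nextLink": PAGE2_URL}),
            ],
            PAGE2_URL: [
                (200, {}, {"value": [{"id": "u-2", "userType": "Guest"},
                                     {"id": "u-3", "@removed": {"reason": "deleted"}}],
                           "@odata.deltaLink": NEXT_SYNC_URL}),
            ],
        }

    def get(self, url):
        """Return (status, headers, json body); the last scripted response repeats."""
        self.calls.append(url)
        queue = self.script[url]
        return queue.pop(0) if len(queue) > 1 else queue[0]


def walk_delta(url, transport, sleep=time.sleep, max_retries=5):
    """Drain one delta round. Returns (changed, removed, delta_link).
    A 429 is retried against the same URL after Retry-After seconds; the
    retry budget resets after every successful page."""
    changed, removed = [], []
    retries = 0
    while True:
        status, headers, body = transport.get(url)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"still throttled after {max_retries} retries on {url}")
            sleep(float(headers.get("Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}: {body}")
        retries = 0
        for obj in body.get("value", []):
            # Deleted or out-of-scope objects arrive with an @removed marker.
            (removed if "@removed" in obj else changed).append(obj)
        if "@odata.nextLink" in body:
            url = body["@odata.nextLink"]
            continue
        return changed, removed, body["@odata.deltaLink"]


if __name__ == "__main__":
    graph = FakeGraph()
    changed, removed, delta_link = walk_delta(DELTA_URL, graph)
    print(len(changed), "changed,", len(removed), "removed; next sync from", delta_link)
```

The `sleep` parameter is injected so a test can record the back-off instead of waiting; in production it is left as `time.sleep`, and the returned `delta_link` is what gets persisted and passed back as `url` on the next poll so only changes since this round are fetched.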

Multi-tenant and Microsoft Cloud for Sovereignty?

Multi-tenant Entra topologies are supported with one CYBRET-side connection per tenant. Microsoft Cloud for Sovereignty deployments run in a regional CYBRET tenant; we operate Germany, UK, and US Government variants.

On-prem Active Directory and ADFS?

CYBRET reads the Entra ID side of the hybrid. For on-prem Active Directory specifics, customers typically pair CYBRET with an existing AD security tool (BloodHound, Tenable AD) and we ingest its findings.

Next step

Connect Azure →

One enterprise application, one Reader assignment, federated credentials. First reachable paths usually resolve inside the first hour.
