Azure Configuration Guide
© 2026 Sonrai Security. All rights reserved.
Overview
Learn how to onboard your Microsoft Azure tenant so that Cloud Permissions Firewall (CPF) can analyze and govern access across your cloud.
CPF onboards at the tenant level — the entire Microsoft Entra ID (formerly Azure Active Directory) tenant — and discovers every role assignment for every identity across your management groups, subscriptions, and resource groups. Once the tenant is onboarded, you can enforce controls at any level of the hierarchy, starting as granularly as a single subscription or resource group and expanding over time.
How Azure Differs From AWS and GCP
Azure support shares the same goals as AWS and GCP CPF — least privilege with minimal friction — but the controls work differently:
- CPF manages Azure role-based access control (RBAC) role assignments directly, rather than applying Privileged Permission controls as it does in AWS and GCP.
- Access changes are user-initiated. CPF does not automatically grant Just-In-Time (JIT) Access for Azure.
- After onboarding, you govern access from the Azure Role-Based Controls page.
- Every governed change is reviewed on the Pending Changes page before it is deployed to your cloud.
Pre-Deployment Prerequisites
Required
Review and implement the required prerequisites before proceeding to account configuration:
Adding Accounts — Onboarding Your Azure Tenant
How do I onboard an Azure tenant in the Accounts section of the Cloud Permissions Firewall?
In the left-hand navigation menu, click Manage > Accounts. The Your Cloud page lists the cloud organizations and tenants you have already onboarded.
![[AI GENERATED] The Cloud Permissions Firewall Manage > Accounts page listing onboarded cloud organizations, including a Microsoft Azure tenant card showing verified subscriptions, management groups, and resource groups.](/cpf-public/img/cpf-interface/manage/accounts/azure/azure-guide/azure-accounts-overview-light.png)
Click , then select the Microsoft Azure tab to begin onboarding. Work through each step of the onboarding wizard in order.
![[AI GENERATED] The Cloud Permissions Firewall Azure onboarding wizard showing the Azure Login, Grant Admin Consent, and Mode steps, including the command to retrieve the Tenant ID and the Monitor and Firewall mode options.](/cpf-public/img/cpf-interface/manage/accounts/azure/azure-guide/azure-onboarding-consent.png)
Azure Login — Log in to your Azure tenant using the link provided.
Grant Admin Consent — Before CPF can set up accounts for your tenant, you must trust the Sonrai application, which CPF uses to collect data about your cloud. Retrieve your Tenant ID by running the command shown in the wizard (this requires an existing `az login` session):

```shell
az account show | jq '.tenantId'
```

Note that `jq` prints the value wrapped in double quotes; paste only the GUID itself. `jq -r '.tenantId'` or `az account show --query tenantId -o tsv` prints it without the quotes.
Paste your Tenant ID into the field, then click . You are taken to the Azure Portal to authorize the application.
Mode — Choose how CPF operates in this tenant:
- Monitor provides read-only visibility into the tenant.
- Firewall grants the additional permissions required to deploy controls.
You can upgrade from Monitor to Firewall mode later, but the change is one-way.
Generate Script — Enter the Azure Subscription ID that CPF will use, then click . Sonrai recommends creating a new subscription specifically for this purpose.
![[AI GENERATED] The Cloud Permissions Firewall Azure onboarding wizard showing the Generate Script, Run Script, and Verify steps, including the download link and CLI commands to run the customized onboarding script and the Validate Permissions and Resources button.](/cpf-public/img/cpf-interface/manage/accounts/azure/azure-guide/azure-onboarding-runscript.png)
Run Script — The generated script creates a service principal with all required permissions, sets up the necessary logging, and lets CPF securely access your Azure environment. It runs with the privileges of your current `az login` session, so review its contents before executing it, whichever way you run it. You have two ways to run it:
- Download the script and run it manually in your Azure CLI, or
- Copy the CLI command shown in the wizard to fetch and run it directly in your terminal.
To run the script once it is downloaded, use:

```shell
bash ./sonrai_onboarding.sh
```
Verify — Click to confirm that the script has run and your tenant is configured correctly.
Click to complete setup and begin discovery for your tenant.
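The wizard steps above take two values typed by hand, a Tenant ID and a Subscription ID, and then run a script under your current CLI session. The pre-flight script below is an added example, not Sonrai's onboarding script or part of the wizard: it extracts the Tenant ID from `az account show` output, checks that both IDs are well-formed GUIDs, confirms that the active subscription is the one you intend CPF to use and that it is enabled, and only then runs `sonrai_onboarding.sh`. The sample JSON is constructed, not captured from a real tenant; the `top_field` parser assumes the pretty-printed layout `az` emits (top-level keys indented by at most two spaces), which is how it skips the nested `tenantId` entries under `managedByTenants`. The function and variable names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Sonrai's script): pre-flight checks before pasting IDs
# into the CPF Azure wizard and running the downloaded onboarding script.
set -eu

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# is_guid ID -> exit 0 if ID has the shape of an Azure tenant/subscription GUID
is_guid() { printf '%s' "$1" | grep -Eq "$GUID_RE"; }

# top_field JSON KEY -> value of a top-level string field in `az account show`
# output. Assumption: pretty-printed JSON with top-level keys indented by at
# most two spaces, so nested keys (e.g. managedByTenants[].tenantId) are ignored.
# On a live box `az account show --query KEY -o tsv` gives the same answer.
top_field() {
  printf '%s\n' "$1" | sed -n "s/^ \{0,2\}\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# preflight JSON SUBSCRIPTION_ID -> prints the Tenant ID to paste into the
# wizard and returns 0, or explains the problem on stderr and returns 1.
preflight() {
  json="$1"; want_sub="$2"
  tenant=$(top_field "$json" tenantId)
  sub=$(top_field "$json" id)
  state=$(top_field "$json" state)
  if ! is_guid "$tenant"; then echo "no tenantId in az output; run 'az login' first" >&2; return 1; fi
  if ! is_guid "$want_sub"; then echo "subscription ID '$want_sub' is not a GUID" >&2; return 1; fi
  if [ "$sub" != "$want_sub" ]; then
    echo "active subscription $sub != $want_sub; run: az account set --subscription $want_sub" >&2
    return 1
  fi
  if [ "$state" != "Enabled" ]; then echo "subscription state is '$state', not Enabled" >&2; return 1; fi
  printf '%s\n' "$tenant"
}

# run_onboarding SUBSCRIPTION_ID [SCRIPT] -> pre-flight against the live CLI,
# then run the script downloaded from the wizard (default ./sonrai_onboarding.sh).
run_onboarding() {
  script="${2:-./sonrai_onboarding.sh}"
  live_json=$(az account show)          # needs an existing `az login` session
  preflight "$live_json" "$1" >/dev/null || return 1
  [ -r "$script" ] || { echo "$script not found; download it from the wizard" >&2; return 1; }
  bash "$script"
}

# Constructed sample of `az account show` output (not from a real tenant).
SAMPLE_JSON='{
  "environmentName": "AzureCloud",
  "homeTenantId": "11111111-1111-1111-1111-111111111111",
  "id": "22222222-2222-2222-2222-222222222222",
  "isDefault": true,
  "managedByTenants": [
    {
      "tenantId": "33333333-3333-3333-3333-333333333333"
    }
  ],
  "name": "cpf-onboarding",
  "state": "Enabled",
  "tenantId": "11111111-1111-1111-1111-111111111111",
  "user": { "name": "admin@example.onmicrosoft.com", "type": "user" }
}'

# Usage: bash preflight.sh <subscription-id>   (no argument: only define functions)
if [ -n "${1:-}" ]; then run_onboarding "$1"; fi
```

Run it as `bash preflight.sh <subscription-id>` from the directory holding the downloaded script; the subscription check matters because the script creates a service principal in whatever subscription the CLI is currently pointed at, which is not necessarily the dedicated one you entered in the Generate Script step.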
Post-Deployment
After onboarding, CPF begins discovery — reading your tenant's role assignments and identity activity. Discovery can take time to complete depending on the size of your tenant and the number of subscriptions.
Once discovery is complete, manage access from the Azure Role-Based Controls page, where you can review each role, right-size over-privileged assignments, remove unused assignments, and protect roles across your tenant.