Skip to main content

Overview

Connect your Azure subscriptions so Backline can securely analyze your cloud environment for richer risk analysis and smarter remediation. By integrating with Azure, Backline gains visibility into your runtime environment — including AKS clusters, App Services, Container Apps, VMs, and network configurations — to determine whether a vulnerability is actually exploitable in your specific infrastructure. This moves security prioritization from theoretical severity (CVSS scores) to contextual exploitability.

What You Can Do

With the Azure Cloud integration, Backline can:
  • Assess whether vulnerabilities are actually exploitable in your Azure environment
  • Analyze AKS clusters, App Services, Container Apps, and VMs for runtime security context
  • Evaluate network exposure and access controls to determine reachability
  • Provide evidence-backed exploitability verdicts with cloud context (e.g., “Service is in a private VNet with no public endpoint”)
  • Support multiple Azure subscriptions and tenants from a single Backline workspace

Prerequisites

Before connecting Azure Cloud, ensure you have:
  • Azure CLI installed and logged in (az login)
  • An Azure account with permissions to create service principals and assign roles
  • Your Azure Tenant ID (GUID)
  • One or more Azure Subscription IDs where you want Backline to analyze resources

Connecting Azure Cloud

Backline provides an automated installation script to set up the required service principal and permissions.
1

Run the Installation Script

Clone the azure-integration repository and run the installation script with your subscription IDs:
./scripts/azure/install_azure_integration.sh --cloud-sub <subscription-id>
You can specify multiple subscriptions by repeating the --cloud-sub flag:
./scripts/azure/install_azure_integration.sh \
  --cloud-sub 00000000-0000-0000-0000-000000000001 \
  --cloud-sub 00000000-0000-0000-0000-000000000002
The script creates a service principal for Backline and assigns Reader role on the specified subscriptions.
The script is idempotent and safe to run multiple times. Use --dry-run to preview changes before applying them.
2

Copy Your Tenant ID

After running the script, it will output your Tenant ID. Save this value — you’ll need it for the Backline UI.
3

Go to Integration Hub

Navigate to Integrations from the main menu in Backline.
4

Select Azure Cloud

Find and click on the Azure Cloud integration card under the Cloud category.
5

Enter Connection Details

In Backline, enter:
  • Tenant ID: Your Azure Active Directory Tenant ID (GUID format)
  • Subscription IDs: Comma-separated list of Azure Subscription IDs you want Backline to analyze
6

Connect

Click Connect to validate and save the connection. Backline will verify it can authenticate to your Azure tenant and access the specified subscriptions.
If you prefer not to use the installation script, you can grant Backline access through Azure’s admin consent flow.
1

Grant Admin Consent

An Azure AD administrator navigates to the admin consent URL for the Backline application and approves the requested permissions. This creates the service principal in your tenant automatically.
2

Assign Reader Role

After the service principal is created, assign the Reader role on each subscription you want Backline to analyze:
az role assignment create \
  --assignee 3fc75f55-e53f-4950-9127-665106cded58 \
  --role Reader \
  --scope /subscriptions/<subscription-id>
Replace <subscription-id> with each subscription’s GUID.
3

Complete Integration in Backline

Return to the Enter Connection Details step above and enter your Tenant ID and Subscription IDs.

Required Permissions

The Azure Cloud integration requires:
PermissionScopePurpose
ReaderSubscriptionRead-only access to Azure resources for runtime exploitability analysis
Backline follows the principle of least privilege. The Reader role grants read-only access and cannot modify any resources in your Azure environment.

After Connection

Once connected, Backline begins collecting cloud context from your Azure environment, including:
  • AKS clusters: Pod deployments, services, and network policies
  • App Services and Container Apps: Configuration, networking, and runtime state
  • Virtual Machines: Running state, network interfaces, and security groups
  • Network topology: VNets, subnets, NSGs, and public IP exposure
This context is used to evaluate exploitability for every vulnerability detected in your environment, producing evidence-backed verdicts such as:
“This vulnerability is not exploitable because the affected service runs in an AKS cluster with no public load balancer or ingress. The pod is only accessible within the cluster’s private VNet.”

Connecting Multiple Azure Tenants

Azure Cloud supports multiple connections, allowing you to monitor several Azure tenants or subscription sets from a single Backline workspace.
1

Open Integration Details

Go to the Azure Cloud integration card in the Integration Hub and click Configure to open the integration details.
2

Add Connection

At the bottom of the integration details, click the Add Connection button.
3

Enter New Tenant Details

Provide the Tenant ID and Subscription IDs for the additional Azure tenant.
4

Save

Click Save to add the new connection. It will appear in the connections list alongside your existing tenants.
All connected Azure tenants are displayed in the integration details page, identified by their Tenant ID.

Managing the Integration

Removing Subscription Access

To remove Backline’s access from specific subscriptions, use the cleanup script: 
./scripts/azure/cleanup_azure_integration.sh --cloud-sub <subscription-id>

Disconnecting

To remove the Azure Cloud integration:
  1. Go to the Integration Hub
  2. Click on the Azure Cloud integration
  3. Select Disconnect
  4. Confirm your choice
Disconnecting will stop cloud-aware exploitability analysis for your Azure environment. Existing vulnerability data will remain but won’t include Azure runtime context.

Troubleshooting

Symptom: Test connection fails with “unauthorized” or “consent required” error. Cause: The Backline service principal has not been created in your Azure AD tenant. This happens when neither the installation script nor the admin consent flow has been completed. Resolution:

Role Assignment Error (403)

Symptom: Test connection fails with “forbidden” or “authorization failed” error. Cause: The service principal exists in your tenant but does not have Reader role on the specified subscriptions. Resolution: Assign the Reader role on each subscription: 
az role assignment create \
  --assignee 3fc75f55-e53f-4950-9127-665106cded58 \
  --role Reader \
  --scope /subscriptions/<subscription-id>

Invalid Tenant ID or Subscription ID

Symptom: Validation error when entering connection details. Cause: Tenant ID and Subscription IDs must be valid GUIDs in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Resolution:
  • Find your Tenant ID: az account show --query tenantId -o tsv
  • List your Subscription IDs: az account list --query "[].id" -o tsv