Overview

LowerPlane connects to Azure using an App Registration (service principal) with read-only permissions across your subscription and Entra ID tenant.

Services Monitored

Azure Service          What LowerPlane Collects
Defender for Cloud     Security recommendations and secure score
Entra ID (Azure AD)    Users, groups, MFA status, conditional access policies
Activity Log           Administrative and security event audit trails
Network Watcher        Network security group rules and flow logs
Key Vault              Key and secret management configuration
Storage                Storage account encryption and access settings
Policy                 Azure Policy compliance state

Step 1: Open Azure Portal

Go to https://portal.azure.com/ and sign in with a Global Administrator or Application Administrator account.

Step 2: Create App Registration

  1. Navigate to Microsoft Entra ID
  2. Select App registrations
  3. Click New registration
Configuration:
  • Name: LowerPlane Read-Only
  • Supported account types: Single tenant (this organization only)
  • Redirect URI: Leave blank
Click Register.

Step 3: Create Client Secret

  1. In the app registration, go to Certificates & secrets
  2. Click New client secret
Configuration:
  • Description: lowerplane-integration
  • Expiry: 24 months (recommended)
Click Add. Important: Copy the Value immediately. Azure will not show it again after you leave this page.

Step 4: Note Application IDs

From the app registration Overview page, copy:
  • Application (client) ID — used as Client ID in LowerPlane
  • Directory (tenant) ID — used as Tenant ID in LowerPlane

Step 5: Assign Subscription Reader Role

  1. Navigate to your Subscription
  2. Select Access control (IAM)
  3. Click Add role assignment
Configuration:
  • Role: Reader
  • Assign access to: User, group, or service principal
  • Select: Search for LowerPlane Read-Only (the app registration)
Click Save.

Step 6: Add Entra ID API Permissions

  1. Go back to the App Registration
  2. Select API permissions
  3. Click Add a permission
  4. Select Microsoft Graph
  5. Select Application permissions
  6. Add the following permissions:
Permission                Purpose
Directory.Read.All        Read users, groups, and directory data
SecurityEvents.Read.All   Read security findings and alerts
AuditLog.Read.All         Read audit log entries
  7. Click Grant admin consent for [your organization]

Step 7: Connect in LowerPlane

  1. Go to Integrations in LowerPlane
  2. Find Azure and click Connect
  3. Enter:
    • Tenant ID
    • Client ID
    • Client Secret
  4. Click Connect
LowerPlane will validate the service principal and begin syncing.
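The portal clicks in Steps 2 through 6 map onto a handful of Azure CLI calls. The script below is an added example, not LowerPlane's own tooling: it registers the single-tenant app, creates a 24-month secret, assigns Reader at subscription scope only, adds the three Graph application permissions by name (looking their ids up from the Microsoft Graph service principal rather than hard-coding them) and grants admin consent, then prints the three values the Connect dialog asks for. It assumes `az` is installed and logged in as an account allowed to create app registrations, assign roles and grant consent; the function names, the `LOWERPLANE_APPLY` guard and the GUID check are this example's own.

```shell
#!/bin/sh
# Added example (not LowerPlane's own tooling): provisions the read-only
# service principal from Steps 2-6 with the Azure CLI instead of the portal.
# Assumes `az` is installed and logged in with sufficient rights. The names,
# helper functions and the LOWERPLANE_APPLY guard are this example's own.
set -eu

APP_NAME="LowerPlane Read-Only"
SECRET_DESC="lowerplane-integration"
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph, well-known app id
GRAPH_ROLES="Directory.Read.All SecurityEvents.Read.All AuditLog.Read.All"

# Returns 0 when the argument is shaped like an Azure GUID (tenant, client and
# subscription ids all are), so a mis-pasted value is caught before it is used.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Builds the ARM scope for a subscription-level role assignment.
subscription_scope() {
  is_guid "$1" || { echo "invalid subscription id: $1" >&2; return 1; }
  printf '/subscriptions/%s' "$1"
}

# Formats a Graph app-role id as the "<id>=Role" token that
# `az ad app permission add --api-permissions` expects (Role = application permission).
role_arg() {
  printf '%s=Role' "$1"
}

# Resolves a Graph application permission name to its app-role id at run time,
# so no permission ids are hard-coded in the script.
graph_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

provision() {
  sub_id=$1
  scope=$(subscription_scope "$sub_id")

  # Step 2: single-tenant registration, no redirect URI
  app_id=$(az ad app create --display-name "$APP_NAME" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Step 3: client secret with a 24-month expiry; the value is shown only once
  secret=$(az ad app credential reset --id "$app_id" --display-name "$SECRET_DESC" \
             --years 2 --append --query password -o tsv)

  # Step 5: Reader at subscription scope, nothing broader
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal --role Reader --scope "$scope" >/dev/null

  # Step 6: the three Graph application permissions, then admin consent
  for role in $GRAPH_ROLES; do
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
      --api-permissions "$(role_arg "$(graph_role_id "$role")")"
  done
  az ad app permission admin-consent --id "$app_id"

  # Step 4 values, named as the LowerPlane Connect dialog expects them
  printf 'Tenant ID: %s\n' "$(az account show --query tenantId -o tsv)"
  printf 'Client ID: %s\n' "$app_id"
  printf 'Client Secret: %s\n' "$secret"
}

# Only touches Azure when asked explicitly:
#   LOWERPLANE_APPLY=1 sh setup-lowerplane.sh <subscription-id>
if [ "${LOWERPLANE_APPLY:-0}" = "1" ]; then
  provision "${1:?usage: LOWERPLANE_APPLY=1 sh setup-lowerplane.sh <subscription-id>}"
fi
```

Keeping the scope to a single subscription and the Graph permissions to the three listed above is the whole point of the read-only design; if you later need a second subscription, add another Reader assignment rather than moving the scope up to a management group.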

Important Notes

  • Set a reminder to rotate the client secret before it expires (Azure does not auto-renew)
  • If your organization uses both Azure AD for identity and Azure for infrastructure, you may need two separate connections
  • The Reader role provides read-only access. LowerPlane never modifies resources in your Azure subscription
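Because Azure never renews a client secret, the reminder in the first note is worth automating. The script below is an added example, not part of LowerPlane: it lists every secret on the app registration with the number of days left and flags those inside a warning window, so it can run from cron or a CI job. It assumes `az` is installed and logged in; the day arithmetic is done in plain shell so it behaves the same on GNU and BSD systems, and the `WARN_DAYS` and `LOWERPLANE_APP_ID` variables are this example's own.

```shell
#!/bin/sh
# Added example (not LowerPlane's own tooling): reports days remaining on each
# client secret of an app registration. Assumes `az` is installed and logged in.
# WARN_DAYS, LOWERPLANE_APP_ID and the helper functions are this example's own.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"

# Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil),
# in shell arithmetic so no GNU/BSD `date -d` differences matter.
days_from_civil() {
  y=$1; m=$2; d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400))
  yoe=$((y - era * 400))
  mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Converts "YYYY-MM-DD" or the "YYYY-MM-DDThh:mm:ssZ" form Azure returns in
# endDateTime to a day number. Leading zeros are stripped so "08" is not read as octal.
date_to_days() {
  ymd=${1%%T*}
  y=${ymd%%-*}
  rest=${ymd#*-}
  m=${rest%%-*}
  d=${rest#*-}
  days_from_civil "$y" "${m#0}" "${d#0}"
}

# Whole days from $2 (today) until $1 (expiry); negative once expired.
days_until() {
  echo $(( $(date_to_days "$1") - $(date_to_days "$2") ))
}

# Verdict for a given number of remaining days.
verdict_for() {
  if [ "$1" -lt 0 ]; then echo "EXPIRED"
  elif [ "$1" -le "$WARN_DAYS" ]; then echo "ROTATE SOON"
  else echo "ok"
  fi
}

# Lists every secret on the app registration with days remaining and a verdict.
check_secrets() {
  app_id=$1
  today=$(date -u +%Y-%m-%d)
  az ad app credential list --id "$app_id" \
      --query "[].[displayName,endDateTime]" -o tsv |
  while IFS="$(printf '\t')" read -r name expires; do
    [ -n "$expires" ] || continue
    left=$(days_until "$expires" "$today")
    printf '%-30s %s  %5s days  %s\n' "$name" "$expires" "$left" "$(verdict_for "$left")"
  done
}

# Live path only when an app id is supplied:
#   LOWERPLANE_APP_ID=<client id> sh check-secret-expiry.sh
if [ -n "${LOWERPLANE_APP_ID:-}" ]; then
  check_secrets "$LOWERPLANE_APP_ID"
fi
```

When rotating, add the new secret first, update the LowerPlane connection, confirm a successful sync, and only then delete the old secret, so the integration never runs with no valid credential.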

Automated Tests

When Azure is connected, LowerPlane automatically creates and runs tests including:
  • MFA is enforced for all users
  • Conditional access policies are configured
  • Network security groups do not allow unrestricted inbound access
  • Storage account encryption is enabled
  • Diagnostic logging is configured
  • Azure Policy compliance is monitored