Connect Azure to Vanta so that your infrastructure configuration, user access, and security settings are automatically monitored for compliance with no manual evidence uploads required. The Cloud Shell method is the fastest and preferred way to connect: a script handles the setup in about 5 minutes.
If you prefer to connect manually through the Azure Portal instead, refer to Connecting Vanta & Azure.
When to use this method
Use the Cloud Shell method if:
You want the fastest path to connecting Azure (~5 minutes)
You prefer a script-based setup over manual Azure Portal steps
You are connecting either a single subscription or an entire tenant
Prerequisites
Before starting, confirm the following:
You have admin access in Vanta.
Your Azure account has tenant-level admin permissions: specifically, it can create app registrations and grant admin consent for Microsoft Graph API permissions in Microsoft Entra ID, and it can assign Azure RBAC roles at the scope you are connecting (Owner or User Access Administrator on the subscription or on the Tenant Root Group; an Entra directory role alone does not grant this).
You have access to Azure Cloud Shell in the Azure Portal (Cloud Shell requires a storage account; Azure will prompt you to create one on first use if not already configured).
You know which connection type you need:
Subscription: connects a single Azure subscription (you’ll need your Subscription ID).
Tenant: connects all subscriptions under your Azure tenant (you’ll need your Tenant ID/Directory ID and a display name for the tenant).
You know your Azure environment type: Global, US Government, or US Government DoD IL5.
Setup guide
Step 1: Start the connection flow in Vanta
In Vanta, go to Integrations.
Search for Microsoft Azure and click View Details.
Click Connect.
Step 2: Choose your connection type
Select either:
Subscription: Use this option if you have one or a few subscriptions. Each subscription is linked individually, so repeat this flow once per subscription.
Tenant: Use this option if you have many subscriptions under one tenant.
When prompted to choose a setup method, select Cloud Shell. This is the default recommended option.
Click Next.
Step 3: Select products
You’ll see toggles for products that extend what Vanta monitors in your Azure environment:
Azure Kubernetes Monitoring: Provides automated scanning and configuration checks for your Azure Kubernetes Service (AKS) clusters to detect vulnerabilities and strengthen container security.
Microsoft Defender for Cloud: Enables continuous assessment of your Azure resources against Microsoft’s built-in security recommendations and compliance benchmarks.
Microsoft Azure: Monitors your Azure infrastructure for continuous evidence collection and compliance tracking. Enable this for all Azure connections.
Azure Key Vault: Monitors your key vaults for access controls and configuration. Enable this option if you use the Azure Key Vault service to manage keys and secrets. (Note: enabling this requires one more manual step after setup — see Key Vault requires an additional role assignment below).
Enable any products relevant to your environment, then click Next.
Step 4: Enter your Azure identifiers
If connecting a subscription:
Enter your Subscription ID.
Select your environment: Global, US Government, or US Government DoD IL5.
If connecting a tenant:
Enter your Tenant ID (Directory ID).
Enter a Tenant Name (this is the display name used in Vanta).
Click Next.
Step 5: Download the Vanta setup script
Vanta generates the setup script and a run command whose flags match the selections you made in the previous steps.
Download the script: click Copy, or expand the collapsible section titled View script contents and download it from there.
Keep this Vanta browser tab open because you’ll return to it shortly to enter credentials.
Step 6: Open Azure Cloud Shell in Bash mode
In a new browser tab, open the Azure Portal.
Click the Cloud Shell icon in the top navigation bar.
If prompted to set up Cloud Shell storage, follow the Azure prompts to complete that setup.
Once Cloud Shell is open, confirm it’s set to Bash mode. If it shows PowerShell, click the dropdown at the top-left of the Cloud Shell pane and switch to Bash.
Step 7: Upload and run the script
Drag and drop the downloaded vanta-azure-connection-script.sh file directly into the Cloud Shell window. Azure uploads it automatically into your Cloud Shell home directory, which is the working directory the command in the next step expects (./vanta-azure-connection-script.sh).
Return to Vanta and copy the command shown on screen. It will look like one of the following:
Subscription connection: bash ./vanta-azure-connection-script.sh --type subscription --id YOUR_SUBSCRIPTION_ID
Tenant connection: bash ./vanta-azure-connection-script.sh --type tenant --id YOUR_TENANT_ID
If you selected Azure US Government, the command includes --cloud gov.
If you selected Azure US Government DoD IL5, it includes --cloud gov-dod-il5.
If you enabled Azure Key Vault, the command includes --key-vault.
What to expect while the script runs:
The script creates the vanta-scanner app registration in your Microsoft Entra ID.
It pauses briefly after creating the app. This is expected: the new registration must replicate across Entra ID before the permission grants and role assignments that reference it can succeed.
It assigns the required Microsoft Graph permissions and the Azure Reader RBAC role scoped to your subscription or management group.
Total runtime is typically 2–4 minutes.
Important: If the script encounters an error, it automatically removes any partially created app registration. You can safely re-run the script after resolving the issue.
Note: The script will prompt you to log in to Azure in your browser. Complete the login and return to Cloud Shell.
Step 8: Copy the output credentials
When the script completes successfully, it displays three values in the Cloud Shell output:
APP ID (Application / Client ID)
APP SECRET (Client Secret)
TENANT ID (shown for subscription connections)
Copy all three values immediately.
⚠️ Warning: Copy the APP SECRET before closing Cloud Shell. It is displayed only once. If you close Cloud Shell without copying it, you must re-run the script to generate a new one.
Step 9: Enter credentials in Vanta
Return to the Vanta browser tab.
Paste the APP ID, APP SECRET, and TENANT ID into the corresponding fields.
Click Connect.
Vanta validates the credentials by confirming access to your Azure directory and resource groups. If validation succeeds, you’ll see a confirmation screen. If validation fails, check the following:
Confirm you copied all three values (APP ID, APP SECRET, TENANT ID) without extra spaces or line breaks.
Confirm the APP SECRET was copied before closing Cloud Shell. If not, re-run the script to generate a new one.
Review the Troubleshooting section below for additional help.
If the error persists, contact Vanta Support.
Note: The client secret expires in 1 year. Set a calendar reminder to renew it before it expires. See Credential expiry (annual renewal required) below.
Initial data collection begins automatically and may take up to a few hours to fully populate in Vanta.
Key Vault requires an additional role assignment
If you enabled the Azure Key Vault product during setup, one more step is required. The standard setup script does not assign the Key Vault Reader RBAC role.
The starting point depends on your connection type:
Subscription connection: In the Azure Portal, go to the Subscription page for the subscription you are connecting.
Tenant connection: In the Azure Portal, go to the Tenant Root Group.
To assign the Key Vault Reader role:
Go to Access Control (IAM).
Click Add role assignment.
On the Role tab, search for Key Vault Reader (if you browse the list instead of searching, it is under the Security category). Select the role and click Next.
On the Members tab, under Assign access to, select User, group, or service principal.
Click + Select members and search for vanta-scanner. Select the application and click Select.
Click Review + assign to complete the assignment.
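The same assignment from Bash Cloud Shell, as an added example rather than Vanta's own script: it derives the RBAC scope from the connection type, looks up the vanta-scanner service principal, and skips the assignment if it already exists so the script is safe to re-run. It assumes the Azure CLI is logged in, the app registration is named vanta-scanner, and, for a tenant connection, that the Tenant Root Group's management-group ID is your Tenant ID (Azure names it that way). The az commands and flags used (az ad sp list --display-name, az role assignment list/create with --assignee-object-id and --assignee-principal-type) are standard Azure CLI.

```shell
#!/usr/bin/env bash
# Added example (not Vanta's setup script): grant Key Vault Reader to the
# vanta-scanner service principal at the connection's scope, idempotently.
# Assumes: az login already done in Bash Cloud Shell; app named vanta-scanner.
set -eu

APP_NAME="${APP_NAME:-vanta-scanner}"
ROLE="Key Vault Reader"

# scope_for_connection TYPE ID: map the Vanta connection type to an RBAC scope.
#   subscription <subscriptionId> -> /subscriptions/<subscriptionId>
#   tenant       <tenantId>       -> /providers/Microsoft.Management/managementGroups/<tenantId>
#                                    (the Tenant Root Group's ID is the tenant ID)
scope_for_connection() {
  case "$1" in
    subscription) printf '/subscriptions/%s\n' "$2" ;;
    tenant)       printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    *) echo "unknown connection type: $1 (expected subscription|tenant)" >&2; return 1 ;;
  esac
}

assign_key_vault_reader() {
  scope=$(scope_for_connection "$1" "$2")
  # 'id' is the service principal object id in current Azure CLI (objectId in old versions)
  sp_id=$(az ad sp list --display-name "$APP_NAME" --query "[0].id" -o tsv)
  if [ -z "$sp_id" ]; then
    echo "no service principal named $APP_NAME; run the Vanta setup script first" >&2
    return 1
  fi
  # Skip when the role is already assigned at this exact scope, so re-runs are harmless.
  existing=$(az role assignment list --assignee "$sp_id" --scope "$scope" \
      --role "$ROLE" --query "length(@)" -o tsv)
  if [ "${existing:-0}" -gt 0 ]; then
    echo "$ROLE already assigned to $APP_NAME at $scope"
    return 0
  fi
  # Object id + principal type lets Azure skip the directory lookup that can
  # lag behind a freshly created principal (the propagation pause the Vanta script makes).
  az role assignment create --assignee-object-id "$sp_id" \
      --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$scope" \
      --query "[roleDefinitionName, scope]" -o tsv
}

# Usage: bash assign-key-vault-reader.sh subscription <subscriptionId>
#        bash assign-key-vault-reader.sh tenant <tenantId>
if [ "$#" -eq 2 ] && command -v az >/dev/null 2>&1; then
  assign_key_vault_reader "$1" "$2"
fi
```

For a subscription connection with several subscriptions, run it once per Subscription ID; for a tenant connection a single run at the Tenant Root Group covers every subscription beneath it.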
Credential expiry (annual renewal required)
The client secret created by the script is valid for 1 year. When it expires, Vanta will lose access to your Azure environment and the integration will stop syncing.
Renew the secret before it expires:
In the Azure Portal, go to Microsoft Entra ID > App Registrations > vanta-scanner > Certificates & secrets.
Create a new client secret and copy the value.
In Vanta, go to the Azure integration settings and update the credentials with the new secret.
Troubleshooting
The script fails immediately
Likely cause: Cloud Shell is in PowerShell mode, or the Azure account does not have tenant-level admin permissions.
Fix:
Confirm Cloud Shell is set to Bash mode before running the script.
Confirm your Azure account has the Global Administrator or Privileged Role Administrator role. If not, ask an Azure tenant admin to run the script. Note that these Entra directory roles cover the app registration and Graph consent only; assigning the Reader role additionally requires Owner or User Access Administrator on the subscription or Tenant Root Group being connected.
Azure users and groups are not appearing in Vanta
Likely cause: The Directory.Read.All Microsoft Graph permission was not granted, or the initial sync has not finished.
How to confirm: In the Azure Portal, go to Microsoft Entra ID > App Registrations > vanta-scanner > API Permissions. Confirm Directory.Read.All (Application type) is listed with admin consent granted.
Fix: If the permission is missing, re-run the setup script. If it’s correctly assigned, allow up to a few hours for the initial sync to complete.
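A command-line version of the checks in this section and in "What to expect while the script runs", added here as an example and not part of Vanta's script: it confirms the vanta-scanner app and service principal exist, that Directory.Read.All was granted as an application permission with admin consent (granted permissions appear as appRoleAssignments on the service principal; az ad app permission list only shows what was requested), that Reader is assigned at the expected scope and nothing beyond it, and when the client secret expires. It assumes the Azure CLI is logged in, the app registration is named vanta-scanner, and that you pass the scope the connection should have (/subscriptions/<id> or /providers/Microsoft.Management/managementGroups/<tenantId>). The well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is used to resolve the Directory.Read.All role id instead of hard-coding it.

```shell
#!/usr/bin/env bash
# Added example (not Vanta's setup script): audit what the Cloud Shell setup
# created, from Bash Cloud Shell with az already logged in.
# Assumes the app registration is named vanta-scanner (APP_NAME).
set -eu

APP_NAME="${APP_NAME:-vanta-scanner}"
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph's fixed appId

# is_guid VALUE: succeed when VALUE has the 8-4-4-4-12 hex shape of an Azure id
# (catches values pasted with stray spaces or a missing segment).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# has_role_assignment TSV ROLE SCOPE: TSV holds "roleDefinitionName<TAB>scope"
# lines; succeed only on an exact role and scope match.
has_role_assignment() {
  printf '%s\n' "$1" | awk -F '\t' -v role="$2" -v scope="$3" \
    '$1 == role && $2 == scope { found = 1; exit } END { exit !found }'
}

# unexpected_roles TSV ALLOWED: print assignments whose role is not in the
# '|'-separated ALLOWED list, so a hand-added Contributor or Owner stands out.
unexpected_roles() {
  printf '%s\n' "$1" | awk -F '\t' -v allowed="|$2|" \
    'NF >= 2 && index(allowed, "|" $1 "|") == 0 { print $1 "\t" $2 }'
}

verify_vanta_scanner() {
  expected_scope=$1
  allowed_roles=${2:-Reader}      # pass "Reader|Key Vault Reader" if Key Vault is enabled

  app_id=$(az ad app list --display-name "$APP_NAME" --query "[0].appId" -o tsv)
  if ! is_guid "${app_id:-}"; then
    echo "FAIL no app registration named $APP_NAME; re-run the Vanta script" >&2; return 1
  fi
  # 'id' is the service principal object id in current Azure CLI (objectId in old versions)
  sp_id=$(az ad sp list --display-name "$APP_NAME" --query "[0].id" -o tsv)
  echo "app registration  $app_id"
  echo "service principal $sp_id"

  # Resolve Directory.Read.All's app role id from Graph's own service principal,
  # then check it appears among the grants made to vanta-scanner.
  dir_read_id=$(az ad sp show --id "$GRAPH_APP_ID" \
      --query "appRoles[?value=='Directory.Read.All'].id | [0]" -o tsv)
  granted=$(az rest --method GET \
      --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_id/appRoleAssignments" \
      --query "value[].appRoleId" -o tsv)
  if printf '%s\n' "$granted" | grep -qxF "$dir_read_id"; then
    echo "OK   Directory.Read.All granted with admin consent"
  else
    echo "FAIL Directory.Read.All not granted: users and groups will not sync" >&2; return 1
  fi

  assignments=$(az role assignment list --assignee "$sp_id" --all \
      --query "[].[roleDefinitionName, scope]" -o tsv)
  if has_role_assignment "$assignments" "Reader" "$expected_scope"; then
    echo "OK   Reader at $expected_scope"
  else
    echo "FAIL Reader missing at $expected_scope; current assignments:" >&2
    printf '%s\n' "$assignments" >&2; return 1
  fi
  extra=$(unexpected_roles "$assignments" "$allowed_roles")
  if [ -n "$extra" ]; then
    echo "WARN roles beyond [$allowed_roles] (least privilege is Reader only):"
    printf '%s\n' "$extra"
  else
    echo "OK   no roles beyond [$allowed_roles]"
  fi

  echo "secrets (displayName, endDateTime); the script's secret is valid for 1 year:"
  az ad app credential list --id "$app_id" --query "[].[displayName, endDateTime]" -o tsv
}

# Usage: bash verify-vanta-scanner.sh <expected-scope> ["Reader|Key Vault Reader"]
if [ "$#" -ge 1 ] && command -v az >/dev/null 2>&1; then
  verify_vanta_scanner "$@"
fi
```

A FAIL on the Graph check is the Directory.Read.All case above; a FAIL on the Reader check usually means the script was run without Owner or User Access Administrator on that scope. A WARN listing roles beyond Reader means someone widened the app's access by hand and it should be trimmed back.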
Cloud Shell was closed before copying the credentials
Fix: Re-run the script to create a new app registration. Delete the old vanta-scanner app registration first (Microsoft Entra ID > App Registrations) so you do not end up with two registrations of the same name; a stale registration keeps its Graph permissions and Reader role until it is removed.
