Connect Azure to Vanta so the cloud resources, identities, security configurations, and vulnerability findings your team manages in Azure automatically power compliance tests, access reviews, and evidence collection.
⚠️ Note: This guide covers the standard Azure connection using Cloud Shell (the recommended method). For the manual Azure Portal path, SCIM provisioning, or advanced configuration, see Azure: Integration Guide.
⚠️ Terminology note: Microsoft Entra ID and Azure Active Directory (Azure AD) are the same product. Microsoft rebranded Azure AD to Entra ID in 2023. Vanta documentation uses Entra ID.
What you'll do (~10 minutes)
Confirm prerequisites and choose your connection type (~2 min)
Run the Cloud Shell script to register the Vanta app in Azure (~5 min)
Complete setup in Vanta and verify the connection (~3 min)
Before you begin
Confirm all of the following before starting:
You have Admin access in Vanta.
You have the Global Administrator or Privileged Role Administrator role in Microsoft Entra ID. Owner or Contributor roles on a subscription are not sufficient. The script requires the ability to grant admin consent to the app registration, which is a directory-level permission, not a subscription-level one.
You have a calendar reminder ready. The client secret the script creates expires in 1 year. An expired secret is the most common cause of the integration showing as broken or disconnected.
You know which connection type you need (see below).
Choose your connection type before starting
| Type | Use when |
|---|---|
| Subscription | You have one subscription, or a small number of subscriptions to connect individually. |
| Tenant | You have many subscriptions under a single tenant and want to connect them all at once. |
💡 Tip: If you're unsure, start with Subscription. You can reconnect later.
⚠️ Note on License requirements: A basic Azure connection does not require an Entra license. However, a Microsoft Entra ID P1 license (included with M365 Business Premium, E3, E5, or available as a standalone add-on) is required to use group-based scoping and Conditional Access MFA detection with Vanta. M365 Business Standard does not include Entra P1 and will not support these features. Entra P2 is not required unless your organization uses risk-based Conditional Access policies.
Setup guide
Follow these steps to connect the integration.
Step 1: Start the connection flow in Vanta
To connect, go to the Integrations page and search for Azure. For help navigating the Integrations page, see Integrations Page.
Click Connect.
Step 2: Choose your connection type
Select either:
Subscription: Use this option if you have one or only a few subscriptions; each subscription is linked individually.
Tenant: Use this option if you have many subscriptions under one tenant.
When prompted to choose a setup method, select Cloud Shell. This is the default recommended option.
Click Next.
Step 3: Select products
You’ll see toggles for products that extend what Vanta monitors in your Azure environment:
Azure Kubernetes Monitoring: Provides automated scanning and configuration checks for your Azure Kubernetes Service (AKS) clusters to detect vulnerabilities and strengthen container security.
Microsoft Defender for Cloud: Enables continuous assessment of your Azure resources against Microsoft’s built-in security recommendations and compliance benchmarks.
Microsoft Azure: Monitors your Azure infrastructure for continuous evidence collection and compliance tracking. Enable this for all Azure connections.
Azure Key Vault: Monitors your key vaults for access controls and configuration. Enable this option if you use the Azure Key Vault service to manage keys and secrets. (Note: enabling this requires one more manual step after setup — see Key Vault requires an additional role assignment below).
Enable any products relevant to your environment, then click Next.
Step 4: Enter your Azure identifiers
If connecting a subscription:
Enter your Subscription ID.
Select your environment: Global, US Government, or US Government DoD IL5.
If connecting a tenant:
Enter your Tenant ID (Directory ID).
Enter a Tenant Name (this is the display name used in Vanta).
Click Next.
Step 5: Download the Vanta setup script
Vanta provides a setup script and generates a customized command with the right flags based on your selections.
Click Copy or open the collapsible section titled View script contents and download the script.
Keep this Vanta browser tab open because you’ll return to it shortly to enter credentials.
Step 6: Open Azure Cloud Shell in Bash mode
In a new browser tab, open the Azure Portal.
Click the Cloud Shell icon in the top navigation bar.
If prompted to set up Cloud Shell storage, follow the Azure prompts to complete that setup.
Once Cloud Shell is open, confirm it’s set to Bash mode. If it shows PowerShell, click the dropdown at the top-left of the Cloud Shell pane and switch to Bash.
Step 7: Upload and run the script
Drag and drop the downloaded vanta-azure-connection-script.sh file directly into the Cloud Shell window. Azure uploads it automatically.
Return to Vanta and copy the command shown on screen. It will look like one of the following:
Subscription connection: bash ./vanta-azure-connection-script.sh --type subscription --id YOUR_SUBSCRIPTION_ID
Tenant connection: bash ./vanta-azure-connection-script.sh --type tenant --id YOUR_TENANT_ID
If you selected Azure US Government, the command includes --cloud gov.
If you selected Azure US Government DoD IL5, it includes --cloud gov-dod-il5.
If you enabled Azure Key Vault, the command includes --key-vault.
What to expect while the script runs:
The script creates the vanta-scanner app registration in your Microsoft Entra ID.
It pauses briefly after creating the app — this is expected and allows Azure to propagate the new registration across its servers.
It assigns the required Microsoft Graph permissions and the Azure Reader RBAC role scoped to your subscription or management group.
Total runtime is typically 2–4 minutes.
ℹ️ Note: If the script encounters an error, it automatically removes any partially created app registration. You can safely re-run the script after resolving the issue.
ℹ️ Note: The script will prompt you to log in to Azure in your browser. Complete the login and return to Cloud Shell.
Step 8: Copy the output credentials
When the script completes successfully, it displays three values in the Cloud Shell output:
APP ID (Application / Client ID)
APP SECRET (Client Secret)
TENANT ID (shown for subscription connections)
Copy all three values immediately.
⚠️ Note: Copy the APP SECRET before closing Cloud Shell. It is displayed only once. If you close Cloud Shell without copying it, you must re-run the script to generate a new one.
Step 9: Enter credentials in Vanta
Return to the Vanta browser tab.
Paste the APP ID, APP SECRET, and TENANT ID into the corresponding fields.
Click Connect.
Vanta validates the credentials by confirming access to your Azure directory and resource groups. If validation succeeds, you’ll see a confirmation screen. If validation fails, check the following:
Confirm you copied all three values (APP ID, APP SECRET, TENANT ID) without extra spaces or line breaks.
Confirm the APP SECRET was copied before closing Cloud Shell. If not, re-run the script to generate a new one.
Review the Troubleshooting section below for additional help.
If the error persists, contact Vanta Support.
💡 Tip: The client secret expires in 1 year. Set a calendar reminder to renew it before it expires. See Credential expiry (annual renewal required) below.
Initial data collection begins automatically and may take up to a few hours to fully populate in Vanta.
Key Vault requires an additional role assignment
If you enabled the Azure Key Vault product during setup, one more step is required. The standard setup script does not assign the Key Vault Reader RBAC role.
The starting point depends on your connection type:
Subscription connection: In the Azure Portal, go to the Subscription page for the subscription you are connecting.
Tenant connection: In the Azure Portal, go to the Tenant Root Group.
To assign the Key Vault Reader role:
Go to Access Control (IAM).
Click Add role assignment.
On the Role tab, search for Key Vault Reader. If you browse by page instead of searching, the role is listed under the Security category. Select the role and click Next.
On the Members tab, under Assign access to, select User, group, or service principal.
Click + Select members and search for vanta-scanner. Select the application and click Select.
Click Review + assign to complete the assignment.
Optional products
Enable additional monitoring during setup or at any time from Integrations > Azure > Configure.
Azure Kubernetes Monitoring
Enables node-level security tests for AKS clusters. Required for AKS-related controls in SOC 2, CIS v8, and other frameworks.
ℹ️ Note: Private clusters are not supported for node-level scanning. Vanta will still list private clusters in your inventory, but node security tests will not apply to them.
Microsoft Defender for Cloud
Required for container and server vulnerability data to appear in Vanta. Without this enabled and configured in Azure, the Vanta Vulnerabilities page will show "No vulnerability data received."
To use Defender for Cloud with Vanta:
Toggle Defender for Cloud on in Vanta integration settings.
Enable the appropriate Defender plan in Azure (Defender for Containers or Defender for Servers).
Set monitoring coverage to Full in Azure.
Allow time for a scan to complete before expecting data in Vanta.
If you see "No vulnerability data received" after setup, see No vulnerability data received (Azure).
Azure Key Vault
Enables monitoring of Key Vault secrets and access policies.
⚠️ Note: After the setup script runs, you must manually assign the Key Vault Reader role to the Vanta app registration on each Key Vault you want monitored. This step is not automated by the script.
Verify your connection
After connecting, Vanta will run an initial sync. Allow a few hours for data to fully populate.
Azure should appear as Connected on your Integrations page.
Cloud resources will appear under Inventory.
Users and groups that the Azure integration reads from Entra ID will appear in the People section.
Compliance tests powered by Azure data will populate under Tests.
If Defender for Cloud is enabled, vulnerability data will appear under Vulnerabilities after the first scan completes.
Troubleshooting
The script fails immediately
Likely cause: Cloud Shell is in PowerShell mode, or the account running the script doesn't have the required role.
Fix: Confirm Cloud Shell is in Bash mode. Confirm the signed-in account has Global Administrator or Privileged Role Administrator role in Entra ID.
"Insufficient permissions" error during setup
Likely cause: The account used for setup cannot grant admin consent. This requires Global Administrator or Privileged Role Administrator. Subscription-level roles (Owner, Contributor) are not sufficient.
Fix: Re-run setup using an account with the correct Entra ID role. Note that admin consent and app assignment are different things. Granting app assignment alone will not resolve this error.
Integration shows as broken or disconnected
Likely cause: The client secret created by the setup script has expired. Secrets expire after 1 year.
Fix: In the Azure Portal, navigate to your Vanta app registration > Certificates & secrets, create a new client secret, and update it in Vanta under Integrations > Azure.
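A small added check for the expiry problem described in Before you begin and in this troubleshooting entry (example code, not Vanta's setup script): it reads the passwordCredentials list of the app registration, in the shape Microsoft Graph or `az ad app credential list --id <APP_ID>` returns it, and flags secrets that are expired or inside a warning window. The sample credentials are constructed and the 30-day window is an assumption.

```python
"""Flag expiring client secrets on an Azure app registration (added example).

Input is the passwordCredentials list of the application object, as returned by
Microsoft Graph or `az ad app credential list --id <APP_ID>`; the sample below
is constructed and the keyIds are dummies.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the Graph passwordCredential shape.
SAMPLE_CREDENTIALS = json.loads("""[
  {"displayName": "vanta-scanner", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2025-03-01T00:00:00Z"},
  {"displayName": "vanta-scanner-rotated", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2026-02-15T00:00:00Z"}
]""")

def parse_graph_time(value):
    """Graph timestamps end in 'Z'; fromisoformat accepts that only from
    Python 3.11, so normalise to an explicit UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_secrets(credentials, now, warn_days=30):
    """Map keyId -> 'expired', 'expiring' (fewer than warn_days left) or 'ok'."""
    threshold = now + timedelta(days=warn_days)
    result = {}
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            result[cred["keyId"]] = "expired"
        elif end <= threshold:
            result[cred["keyId"]] = "expiring"
        else:
            result[cred["keyId"]] = "ok"
    return result

def needs_rotation(credentials, now, warn_days=30):
    """True when no secret is comfortably valid, i.e. the integration is broken
    or about to break and a new secret must be created and entered in Vanta."""
    return "ok" not in classify_secrets(credentials, now, warn_days).values()

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, status in classify_secrets(SAMPLE_CREDENTIALS, now).items():
        print(f"{key_id}: {status}")
    if needs_rotation(SAMPLE_CREDENTIALS, now):
        print("Create a new secret under Certificates & secrets and update it "
              "in Vanta under Integrations > Azure.")
```

Run it from a scheduled job against the real credential list and you get the calendar reminder the guide asks for, without relying on anyone remembering the date.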
Azure users or groups not appearing in Vanta
Likely cause: Directory.Read.All was not granted with admin consent, or the initial sync hasn't completed yet.
Fix: Confirm the permission is granted as Application type (not Delegated) with admin consent status showing Granted. Allow up to a few hours for the initial sync.
MFA not showing as enforced
Likely cause: MFA enforcement via Conditional Access requires a Microsoft Entra ID P1 license. P1 is included with M365 Business Premium, E3, and E5 — but not M365 Business Standard, which uses the Entra ID Free tier. Per-user legacy MFA and Security Defaults are not detectable by Vanta as Conditional Access policies.
Fix: Confirm your tenant has an Entra P1 or P2 license and that MFA is enforced via Conditional Access policies, not per-user settings.
Additional resources
Azure: Integration Guide — manual connection, SCIM setup, user scoping, government cloud variants, advanced troubleshooting
