Log into the Azure portal as a Global Admin or a Privileged Role Admin.
From the Azure portal menu, search for or select Microsoft Entra ID
In the left menu, select App registrations
Click New registration
In the Name field, give the application an identifying name in your organization. Make sure the supported account type is set to the “Accounts in this organizational directory only (Single tenant)” option. A URI is not required. Then click “Register”
Click on the hamburger menu button, then select Microsoft Entra ID to return to the tenant view.
Select Roles and administrators
Search for the role “Directory Readers” and click the role name or description
_Note: Clicking the checkbox sometimes prevents clicking on the role itself._
In the “Directory readers” role, select Add assignments
Click “No member selected” to open the search window.
Search for the previously created service principal with either its name, application ID, or object ID. Select it by clicking on it
Click Select
Validate that your principal is displayed and click Next
Ensure that the Assignment type is “Active” and the “Permanently assigned” box is checked. Provide a justification and click “Assign”.
Confirm the service principal is a Directory Reader by refreshing this view.
Continue to the next section to provide Directory Reader permissions on your subscriptions.
Note: If you do not have any management groups, you may either create your Tenant Root Group by following the prompts in the middle of the screen, which ensures future visibility if another administrator begins using subscriptions, or skip this section altogether. If you skip this section, each collection will log a warning indicating that this data could not be collected.
Search for and select the “Management groups” item in the top search bar
Select Tenant Root Group
Select Access control (IAM)
Select Role assignments
Click Add, then Add role assignment
Find the “Reader” role and select it
Click “Members”.
Click Select members
Search for and click on your previously created service principal.
Validate the principal selected, then click Select
Click the tab Review + Assign
Click Review + Assign at the bottom of the page
Confirm the role is present by refreshing this view. You may need to alter the filter to see this role.
Continue to the next section: “Add certificate to Azure for Authentication”
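To confirm the Reader assignment outside the portal, the following added example (not part of the original guide or the AzureHound project) audits a role-assignment export for the service principal and flags any role beyond Reader. It assumes JSON in the shape produced by `az role assignment list --all --assignee <object-id> -o json`; the function name, the IDs and the sample records are constructed for illustration.

```python
import json

# Scope prefix for management groups; the Tenant Root Group's ID defaults to the tenant ID.
ROOT_MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

def audit_assignments(assignments, principal_id, tenant_id):
    """Return (reader_at_root, excess) for one service principal.

    reader_at_root: True if Reader is assigned at the Tenant Root Group.
    excess: (role, scope) pairs for every role other than Reader.
    """
    root_scope = (ROOT_MG_PREFIX + tenant_id).lower()
    reader_at_root = False
    excess = []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to another principal
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        if role == "Reader":
            # Azure resource IDs compare case-insensitively.
            if scope.lower() == root_scope:
                reader_at_root = True
        else:
            excess.append((role, scope))
    return reader_at_root, excess

# Constructed sample data (placeholder GUIDs, not real identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"principalId": "33333333-3333-3333-3333-333333333333",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"}
]""")

if __name__ == "__main__":
    ok, excess = audit_assignments(SAMPLE, SP_OBJECT_ID, TENANT_ID)
    print("Reader at Tenant Root Group:", ok)
    for role, scope in excess:
        print("Unexpected role:", role, "at", scope)
```

An empty `excess` list together with `reader_at_root` set to `True` matches the configuration described in this section.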
This section requires you have authentication material. We highly recommend using certificate-based authentication. If you do not already have a certificate created, follow the article AzureHound Enterprise Local Configuration and then return here.
Log into the Azure portal as a Global Admin or a Privileged Role Admin.
Search for or click on Microsoft Entra ID
On the left, click “App registrations”.
Search for and click on the Application you created previously.