Skip to main content
Applies to BloodHound Enterprise only To complete the configuration process, you must have the following information:
ItemDescription
Directory (tenant) IDIdentifies the Microsoft Entra ID instance where you must register the AzureHound Enterprise application.
Application (client) IDIdentifies the AzureHound Enterprise app registration that you must create in the Microsoft Entra admin center.
AzureHound token IDIdentifies the AzureHound Enterprise collector client that you must create in BloodHound Enterprise.
AzureHound tokenProvides the authentication key for the AzureHound Enterprise collector client that you must create in BloodHound Enterprise.
Configuring AzureHound Enterprise involves the following steps: Follow the steps below to create your AzureHound Enterprise configuration file using the AzureHound Enterprise CLI tool.
1

Download AzureHound Enterprise

  1. Login to your BloodHound Enterprise tenant.
  2. In the left menu, click Download Collectors.
  3. Download the AzureHound Enterprise ZIP archive.
    Choose the option suitable for your system’s architecture (ARM64 or AMD64).
  4. Extract the contents of the ZIP archive to a working directory on the system where you plan to run the AzureHound Enterprise binary.
2

Configure connection to Azure

  1. Start the AzureHound Enterprise CLI tool with the configure command.
    To see all available options, run azurehound.exe -h.
  2. Select the Azure region where your organization’s tenant is hosted.
    Most organizations use the cloud region.
  3. Enter the Azure Directory (tenant) ID.
  4. Enter the Azure Application (client) ID that you created when registering the AzureHound Enterprise application.
3

Configure AzureHound authentication

  1. Select a method for authenticating AzureHound Enterprise to BloodHound Enterprise.
    We highly recommend certificate-based authentication.
  2. If using Certificate authentication, press Enter or type Y to create a new certificate and key.
    • The certificate generated by AzureHound expires after one year.
    • If using a certificate issued by another authority, AzureHound Enterprise supports certificates with the following characteristics:
      • PEM encoded
      • RSA 256
      • PKCS#8 or PKCS#5
  3. If using Certificate authentication, enter an optional passphrase for the private key.
  4. Press Enter (or enter Y) to connect to BloodHound Enterprise.
  5. Enter the URL of your BloodHound Enterprise tenant.
4

Configure AzureHound collector client

  1. Create an AzureHound collector client. Continue to the next step when you have the Token ID and Token.
  2. Enter the collector client’s Token ID.
  3. Enter the collector client’s Token.
  4. (Optional) Enter y if you want to use a proxy URL.
    Most organizations do not use a proxy.
5

Configure AzureHound logging

  1. Press Enter (or type y) to set up local logging.
  2. Select the logging verbosity, as a start we recommend Default.
  3. Enter a name for the log file.
    You can also enter a full path as a file name. If you do not specify a full path, AzureHound Enterprise writes logs to the specified file name and stores it in the same directory as the AzureHound binary.
  4. If you want AzureHound Enterprise to generate JSON-structured logs, press Enter or type y.
6

Review configuration summary

When configuration is complete, the AzureHound Enterprise CLI tool displays a configuration summary.
If you are using Certificate authentication, the summary also includes the location of the certificate to complete the configuration in Azure.